
SSH Tectia

SSH Tectia Client (Unix)

For further details on the configuration options, see the ssh2_config(5) man page.



Name of the configuration. The name will be used in the management system only. It does not affect how the client operates.


Description of the configuration. The description will be used in the management system only; it does not affect how the client operates.


A free form comment field that is included in the generated configuration files. The value of this field is always quoted so that it is never interpreted as configuration.


Causes ssh2 to print debugging messages about its progress. This is helpful when debugging connection, authentication, and configuration problems. This option is disabled by default.


All warnings and diagnostic messages are suppressed. Only fatal errors are displayed. This option is disabled by default.


Redirects input from /dev/null, that is, does not read stdin. This option is disabled by default.


Specifies whether ssh2 disables password/passphrase querying. This is useful in scripts and other batch jobs where there is no user to supply the password. If the StrictHostKeyChecking parameter is set to ask, ssh2 assumes a no answer to queries (this is because ssh does not even try to get user input when invoked with BatchMode enabled). BatchMode is disabled by default.


Specifies whether to use compression. Compression is disabled by default.


Specifies whether a tty is allocated even if a command is given. This option is disabled by default.


Requests ssh2 to go to the background after authentication is done and the forwardings have been established. This is useful if ssh2 is going to ask for passwords or passphrases but the user wants it in the background. The options are yes, no, and oneshot. The value oneshot means that the connection is closed when all channels are closed. The default is no.


Sets the escape character (default: ~). The escape character can also be set on the command line. The argument should be a single character, or none to disable the escape character entirely (making the connection transparent for binary data).


Write debug messages to the specified file. Remember to enable debugging.


Specify an environment variable to set in the server before executing a shell or command. The value should be of the format VAR=val where val can be empty.

Setting the variable may fail at the server end, for example because of policy decisions (see the SettableEnvironmentVars server option).


Specifies the default domain name. This is used by ssh2 and ssh-signer2 to find out the system name, if only the base part of the system name is available by normal means (those used by, for example, the hostname command). This is appended to the found system name, if the system name returned does not contain a dot (.).

General / SSH1


Specifies whether to use the internal SSH1 emulation code. With this option, ssh2 can also communicate with SSH1 servers, without using an external ssh1 program. This option is disabled by default to disable SSH1 connections.


Specifies whether to send SSH_MSG_IGNORE packets to mask the password length (otherwise, it is very easy to get, as the SSH1 protocol does not encrypt the length fields of packets). This option is enabled by default.


Specifies whether to also forward an SSH1 agent connection. Legal values for this option are none, traditional, and ssh2.

With the value none (default), the SSH1 agent connection is not forwarded at all.

With the value traditional, the SSH1 agent connection is forwarded transparently like in SSH1. This value can always be used, but it constitutes a security risk, because the agent does not get the information about the forwarding path.

The value ssh2 makes SSH1 agent forwarding similar to SSH2 agent forwarding and in this mode, the agent gets the information about the agent forwarding path. Note that this value can only be used if ssh-agent2 is used in the SSH1 compatibility mode.


Specifies whether to use SSH1 compatibility. With this option, ssh1 is executed when the server supports only SSH 1.x protocols. This option is disabled by default to disable SSH1 connections. Note that SSH1 protocol software has to be installed if this option is enabled.


Specifies the path to an SSH1 client, which is executed if the server supports only SSH 1.x protocols. The arguments for SSH2 are passed to the SSH1 client.

General / Advanced

Special Extensions

Per host client configurations etc. can be included here. Be careful with the syntax as a broken configuration may prevent ssh2 from working.



Specifies the port on the server to connect to. The default is 22.


If selected, enables the socket option TCP_NODELAY. This option is disabled by default.


Specifies whether to enable or disable the TCP keepalive mechanism. The keepalive mechanism causes the client to detect and close dead connections after a while.

To disable keepalives, they must be disabled in both the server and the client configuration files.


Uses SOCKS5 instead of SOCKS4 when connecting to the remote host. Note that you have to set SocksServer to a meaningful value. This option is disabled by default (uses SOCKS4).


Specifies the firewall settings in the URL format. Overrides the value of the SSH_SOCKS_SERVER environment variable.

HTTP can also be used instead of SOCKS.

Example URL (a SOCKS server with directly connected networks):


The argument syntax is described in the ssh2(1) man page.



Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. This option is enabled by default.


This keyword specifies the authentication methods that are allowed. This is a comma-separated list currently consisting of the following words: hostbased, password, publickey, gssapi, and keyboard-interactive.

Each specifies an authentication method. The default is "publickey, password". The authentication methods are tried in the order in which they are specified with this configuration parameter. This means that the least interactive methods should be placed first in this list, for example, "hostbased, publickey, password" (because public-key authentication can be automated by the user, with ssh-agent).


Specifies the allowed submethods for GSSAPI. The only available submethod is Kerberos.


Specifies whether GSSAPI authentication is allowed without message integrity checking. The legacy GSSAPI method is vulnerable to replay attacks. Enable this option for backwards compatibility with SSH Tectia Server versions 4.1.0 and earlier.


Specifies whether to delegate a token with the Kerberos GSSAPI method.


Specifies the dynamic libraries used in GSSAPI authentication as a comma-separated list. By default, the MIT KerberosV5 libraries available at the time of software installation are used. The libraries are loaded in the given order to satisfy any dependencies. For example: /usr/local/lib/, /usr/local/lib/


Specifies whether to print "Authentication successful." after authentication has been completed successfully. This is mainly to prevent malicious servers from getting information from the user by displaying additional password or passphrase prompts.


Specifies the number of password prompts before giving up. The argument must be an integer. Note that the server also limits the number of attempts, so setting this value to a higher value than the server's value does not have any effect. The default value is three (3).

The keyword is distributed only to software versions earlier than 4.1.0.


Sets the password prompt that the user sees when connecting to a host. Variables %U and %H can be used to give the user's login name and host, respectively.


Specifies where user-specific configuration data is found. This is given as a pattern string which is expanded by ssh2. %D is the user's home directory, %U is the user's login name, %IU is the user's user ID (uid), and %IG is the user's group ID (gid). The default is %D/.ssh2.


Name of the user's identification file, typically in the $HOME/.ssh2/ directory, that contains the file names of the user's private key(s) offered to the server in public-key authentication, for example idkey id_dsa_2048_a.


The name of the user's key file used in public key authentication. If multiple IdentityKeyFile options are defined, all are used in authentication. Additional key files can still be given from the command line.


The name of the user's random-seed file typically in the $HOME/.ssh2/ directory that contains random data used for cryptographic operations.


Specifies whether ssh2 should check file modes of credentials during public-key authentication. Specifically, this checks the user's .ssh2 directory and private keys for invalid permissions. .ssh2 must only be writable by the user and the private keys must only be readable and writable by the user. The permission check of the user's .ssh2 directory can be further controlled by using the StrictModes.UserDirMaskBits configuration option.


Specifies the permission mask for the user's .ssh2 directory if the StrictModes configuration option is used. The bits set with this option are not allowed to be set in the actual permissions. This means that with StrictModes and this option set to "077", the user's .ssh2 directory may not include any permissions for groups or others (only for the user). The default is "022".
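The mask check described above, as an added example (not part of the SSH Tectia documentation or product code): any permission bit set in the mask must not be set on the .ssh2 directory. The function names and the 077 mask applied to private key files (derived from "readable and writable only by the user") are assumptions made for this illustration.

```python
import os
import stat


def forbidden_bits(mode: int, mask: int) -> int:
    """Return the permission bits present in mode that the mask forbids."""
    return stat.S_IMODE(mode) & mask


def audit_ssh2_dir(ssh2_dir, key_files, dir_mask=0o022):
    """Audit a user's .ssh2 directory the way the StrictModes text describes.

    ssh2_dir  -- path to the user's .ssh2 directory
    key_files -- private key file names inside it (hypothetical input; in
                 practice these come from the identification file)
    dir_mask  -- value of StrictModes.UserDirMaskBits (documented default 022)

    Returns a list of (path, problem) tuples; an empty list means compliant.
    """
    findings = []

    # Directory: no bit of the mask may be set in the actual permissions.
    bad = forbidden_bits(os.stat(ssh2_dir).st_mode, dir_mask)
    if bad:
        findings.append((ssh2_dir, format(bad, "03o")))

    # Private keys: assumed mask 077, i.e. no access for group or others.
    for name in key_files:
        path = os.path.join(ssh2_dir, name)
        try:
            # lstat: report on the entry itself, do not follow a symlink.
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        bad = forbidden_bits(st.st_mode, 0o077)
        if bad:
            findings.append((path, format(bad, "03o")))
    return findings


if __name__ == "__main__":
    home_ssh2 = os.path.expanduser("~/.ssh2")
    if os.path.isdir(home_ssh2):
        for path, problem in audit_ssh2_dir(home_ssh2, []):
            print(f"{path}: forbidden bits/problem: {problem}")
```

With the default mask 022 a directory with mode 750 passes; with the mask 077 the same directory is reported with the offending bits 050.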



Specifies the encryption algorithms that the client is willing to negotiate. If the client and the server have no algorithms in common, the connection fails. Usually the default AnyStdCipher works just fine.


Specifies the MAC (Message Authentication Code) algorithms the client is willing to negotiate. If the client and the server have no algorithms in common, the connection fails. Usually the default AnyStdMac works just fine.


Specifies how often the key exchange will be repeated, and all encryption keys changed. Normally, there is no need to change this setting. Disabling rekey for the client does not prevent the server from requesting rekey. Value 0 disables rekey. The default is once per hour.


If this flag is set to Yes, ssh2 will never automatically add host keys to the $HOME/.ssh2/hostkeys directory, and it refuses to connect to hosts whose key has changed. This provides maximum protection against man-in-the-middle attacks. However, it can be somewhat annoying if you frequently connect to new hosts.

The argument must be Yes, No, or Ask.

The default is Ask, which means that new hosts will automatically be added to the known host files after you have acknowledged this. If a host key has changed, you will be asked whether you want to accept the new host key as the only valid one.

If set to No, the new host will automatically be added to $HOME/.ssh2/hostkeys.

Yes forces the user to add all new hosts manually. The host keys of known hosts will be verified automatically in any case.


An advanced PKI option that defines for pre-3.2.9 versions which hash scheme is used when signing with an RSA private key during certificate authentication. Usually the default MD5 works just fine.



The format is port:host:hostport. See -L in the ssh2(1) man page for more detailed information on forward definitions.


This option cannot be set in the global configuration.


The argument format is port:host:hostport. See -R in the ssh2(1) man page for more detailed information on forward definitions.

Example: 3000:localhost:22

This option cannot be set in the global configuration.


Specifies that also remote hosts may connect to locally forwarded ports. This option is disabled by default. This option cannot be set in the global configuration.


Specifies whether to clear all remote and local forwarded ports defined so far. Note that SCP always automatically clears all forwarded ports.


Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. X11 forwarding is requested by default.


Specifies whether the X server should treat X11 client applications as trusted (with forwarding X11). Treating X11 applications as "untrusted" avoids the problem that logging into a compromised host allows applications on that host to "sniff" any input operations (for example key strokes, mouse movements, drag and drop and clipboard data transfers etc.) via the forwarded X11 connection (unless the security policy for this X server allows these operations for untrusted clients). You should only need this option if the X client program you are running needs exceptional privileges for the X server. Note that the internal SSH1 emulation mode does not support the SECURITY extension. This option is disabled by default.


Specifies where to find the xauth program. This option is mostly useful if you are using binaries and your X11 programs are installed in a location unknown to ssh2. The default is set by the configure script.



