This element defines the ciphers that the client will propose to the server. The ciphers element can contain multiple cipher elements. The ciphers are tried in the order they are specified.
This element selects a cipher name that the client requests for data encryption. The supported ciphers are
none (no encryption).
The default ciphers used by the SOCKS Proxy are, in order:
<cipher name="aes128-cbc" />
This element defines the MACs that the client will propose to the server. The macs element can contain multiple mac elements. The MACs are tried in the order they are specified.
This element selects a MAC name that the client requests for data integrity verification. The supported MAC algorithms are
none (no data integrity verification).
The default MACs used by the SOCKS Proxy are, in order:
<mac name="hmac-sha1" />
This setting defines the number of transport channels used by the Secure Shell connection. Using more than one transport may increase the throughput over low-bandwidth connections. The number of transports is given as the value of the num-transports attribute. Currently, a value of 1 to 8 transports is supported. On Unix, the default is
<transport-distribution num-transports="1" />
This element specifies the number of transferred bytes after which the key exchange is done again. The value
turns rekey requests off. This does not prevent the server from requesting rekeys, however. The default is 1000000000 (1 GB).
<rekey bytes="1000000000" />
This element specifies the authentication methods that are requested by the client. The authentication-methods element can contain multiple authentication-method elements. The authentication methods are tried in the order of the authentication-method elements. This means that the least interactive methods should be placed first.
This element specifies an authentication method
The allowed authentication method names are:
<authentication-method name="hostbased" />
<authentication-method name="publickey" />
<authentication-method name="keyboard-interactive" />
<authentication-method name="password" />
This element specifies the host's default domain name (as the name attribute). This element is used to make sure the fully qualified domain name (FQDN) of the client host is transmitted to the server when using host-based user authentication.
The default domain name is appended to the short hostname before transmitting it to the server. This is needed because some platforms (Solaris, for instance) use the short format of the hostname, and with that the signature cannot be created.
The allowed formats of domain names are:
example.com (without the leading dot).
<hostbased-default-domain name=".ssh.hostname.example.com" />
This element specifies whether to use compression. The name of the compression algorithm and the level can be given as attributes. Currently zlib is supported as the algorithm. The level can be an integer from
9. By default, compression is not used.
<compression name="none" />
This element defines rules for HTTP or SOCKS proxy servers the SOCKS Proxy will use for connections. It has a single attribute:
The format of the attribute value is a sequence of rules delimited by semicolons (;). Each rule has a format that resembles the URL format. In a rule, the connection type is given first. The type can be
(socks is a synonym for socks4). This is followed by the server address and port. If the port is not given, the default ports 1080 for SOCKS and 80 for HTTP are used.
After the address, zero or more conditions delimited by commas (,) are given. The conditions can specify IP addresses or DNS names.
The IP address/port conditions have an address pattern and an optional port range:
ip_pattern may have one of the following forms:
a single IP address
an IP address range of the form
an IP sub-network mask of the form
The DNS name conditions consist of a hostname, which may be a regular expression containing the characters "*" and "?", and a port range:
proxy element is shown below. It causes the server to access the callback address and the domain directly, access *.example with HTTP CONNECT, and all other destinations with SOCKS4.
This element specifies how long idle time (after all connection channels are closed) is allowed for a connection before the connection is closed automatically. The time is given in seconds. The default setting is 5 seconds. Setting a longer time allows the connection to the server to remain open even after a session (for example, transparent tunneling) is closed. During this time, a new session to the server can be initiated without re-authentication. Setting the time to 0 (zero) terminates the connection immediately when the last channel to the server is closed.
<idle-timeout time="5" />
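The following is an added example, not part of this reference or of the SOCKS Proxy product: a small Python audit over the elements described above (ciphers, macs, authentication-methods order, rekey and idle-timeout) that flags a "none" cipher or MAC in the proposal list, an interactive authentication method listed before a non-interactive one, a rekey interval above the documented 1 GB default, and a long idle timeout. The wrapping profile element, the sample fragments and the 60-second idle threshold are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NON_INTERACTIVE = {"hostbased", "publickey"}
INTERACTIVE = {"keyboard-interactive", "password"}
DEFAULT_REKEY_BYTES = 1000000000  # documented default (1 GB)
MAX_IDLE_SECONDS = 60  # assumed review threshold; the page gives no such limit

# Constructed sample fragments; the wrapping <profile> element is an assumption.
WEAK_CONFIG = """<profile>
  <ciphers><cipher name="none" /><cipher name="aes128-cbc" /></ciphers>
  <macs><mac name="none" /><mac name="hmac-sha1" /></macs>
  <authentication-methods>
    <authentication-method name="password" />
    <authentication-method name="publickey" />
  </authentication-methods>
  <rekey bytes="4000000000" /><idle-timeout time="3600" />
</profile>"""

HARDENED_CONFIG = """<profile>
  <ciphers><cipher name="aes128-cbc" /></ciphers>
  <macs><mac name="hmac-sha1" /></macs>
  <authentication-methods>
    <authentication-method name="publickey" />
    <authentication-method name="keyboard-interactive" />
  </authentication-methods>
  <rekey bytes="1000000000" /><idle-timeout time="5" />
</profile>"""


def audit(xml_text):
    # Returns finding codes for the cipher, MAC, auth-order, rekey and idle settings.
    root = ET.fromstring(xml_text)
    findings = []
    # Proposals are tried in list order, so "none" anywhere means the client is
    # willing to run without encryption or integrity protection.
    if any(c.get("name") == "none" for c in root.iter("cipher")):
        findings.append("cipher-none-proposed")
    if any(m.get("name") == "none" for m in root.iter("mac")):
        findings.append("mac-none-proposed")
    # Methods are tried in document order; least interactive should come first.
    names = [a.get("name") for a in root.iter("authentication-method")]
    first_interactive = next((i for i, n in enumerate(names) if n in INTERACTIVE), len(names))
    if any(n in NON_INTERACTIVE for n in names[first_interactive:]):
        findings.append("interactive-auth-before-noninteractive")
    rekey = root.find("rekey")
    if rekey is not None and int(rekey.get("bytes", "0")) > DEFAULT_REKEY_BYTES:
        findings.append("rekey-interval-above-default")
    # While idle, a new session starts without re-authentication; a long timeout widens that window.
    idle = root.find("idle-timeout")
    if idle is not None and int(idle.get("time", "5")) > MAX_IDLE_SECONDS:
        findings.append("idle-timeout-too-long")
    return findings
```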