ssh_config - OpenSSH SSH client configuration files
ssh obtains configuration data from the following sources, in this order:
- command-line options
- the user's configuration file
- the system-wide configuration file
For each parameter, the first obtained value will be used.
The configuration files contain sections bracketed by Host specifications, and a section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
Format: Empty lines and lines starting with '#' are comments. Keywords and their arguments may be separated by whitespace, or by optional whitespace and exactly one '='; the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the -o option of ssh, scp and sftp.
Keywords are case-insensitive and arguments are case-sensitive.
Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
'*' and '?' can be used as wildcards in the patterns.
A single '*' as a pattern provides defaults for all hosts.
The host is the hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching).
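As an added example (not part of the man page), the following Python resolver implements the lookup rules described above: comment lines, whitespace or '=' separation, case-insensitive keywords, Host sections matched with '*' and '?' against the name typed on the command line, and first-obtained-value precedence with command-line options consulted first. The configuration text and host names are constructed for the example.

```python
import re
# Constructed sample ssh_config (not from any real system). Host-specific
# sections come first because the first value obtained for a keyword wins.
SAMPLE_CONFIG = """
Host build-*
    User builder
    Port 2222
Host jump.example.net
    HostName 192.0.2.10
    User=jumpadmin
Host *
    User generic
    Port 22
"""
# Same declarations with 'Host *' first: the defaults shadow the specific section.
MISORDERED_CONFIG = "Host *\n  User generic\nHost build-*\n  User builder\n"

def parse_config(text):
    """Return [(host_patterns, {keyword: argument}), ...] in file order."""
    blocks, patterns, current = [], ["*"], {}  # leading lines apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # empty and '#' lines are comments
            continue
        # keyword and argument: whitespace, or optional whitespace and one '='
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+|$)(.*)", line)
        keyword, arg = m.group(1).lower(), m.group(2).strip()  # keywords case-insensitive
        if keyword == "host":
            blocks.append((patterns, current))
            patterns, current = arg.split(), {}
        else:
            current.setdefault(keyword, arg)  # first declaration in a section wins
    blocks.append((patterns, current))
    return blocks

def host_matches(pattern, host):
    """Only '*' and '?' are wildcards; the rest is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None

def resolve(config_text, host, keyword, command_line=None):
    """Command-line options first, then the first matching declaration, else None."""
    keyword = keyword.lower()
    cli = {k.lower(): v for k, v in (command_line or {}).items()}
    if keyword in cli:
        return cli[keyword]
    for patterns, values in parse_config(config_text):
        if keyword in values and any(host_matches(p, host) for p in patterns):
            return values[keyword]
    return None
```

Resolving User for build-01 against MISORDERED_CONFIG returns generic, which is exactly the shadowing the ordering rule above is meant to prevent.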
to the remote host. Protocol version 1 only.
If set to yes, passphrase/password querying will be disabled. This is useful in scripts and other batch jobs where no user is present to supply the password.
Specifies the interface to transmit from on machines with multiple interfaces or aliased addresses.
If set to yes, ssh will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing.
Protocol version 1 cipher. des is only supported for interoperability with legacy protocol 1 implementations that do not support 3des. Its use is strongly discouraged due to cryptographic weaknesses.
Ciphers for protocol version 2, in order of preference, comma-separated:
aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc
Specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be cleared. This is primarily useful when used from the ssh command line to clear port forwardings set in configuration files.
This is the default for scp(1) and sftp(1).
Specifies the compression level, from 1 (fast) to 9 (slow, best).
The default level is 6, which is good for most applications. See gzip for details. Protocol version 1 only.
Number of tries, one per second, before exiting. The default is 1.
Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and that the application protocol is then used to determine where to connect to from the remote machine.
The SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server.
Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
The argument should be a single character, '^' followed by a letter, or none to disable the escape character entirely (making the connection transparent for binary data).
The escape character can also be set on the command line.
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.
Caution: Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent; however, they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
Specifies whether X11 connections will be redirected over the secure channel and DISPLAY set.
Caution: Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
Specifies whether remote hosts are allowed to connect to local forwarded ports.
By default, ssh binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports.
Specifies a file to use for the global host key database instead of /etc/ssh/ssh_known_hosts.
Specifies whether to try rhosts based authentication with public key authentication.
The default is no. This option applies to protocol version 2 only and is similar to RhostsRSAAuthentication.
HostKeyAlgorithms alg1[,alg2 …
Specifies the protocol version 2 host key algorithms that the client wants to use, in order of preference.
Specifies a name to use instead of the real host name when looking up or saving the host key. This is useful for tunneling ssh connections or for multiple servers running on a single host.
Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts.
Numeric IP addresses are permitted (both on the command line and in HostName specifications).
The default is the name given on the command line.
Specifies a file from which the user's RSA or DSA authentication identity is read.
Protocol version 1 has its own default identity file; for protocol version 2 the defaults are $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use tilde to refer to a user's home directory.
Multiple identity files will be tried in sequence.
Specifies whether to send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed.
The default is yes, which is important in scripts.
Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS kaserver.
LocalForward port host:port
Specifies that the port on the local machine be forwarded over the secure channel to host:port from the remote machine.
IPv6 addresses are specified using an alternative syntax.
Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
LogLevel INFO | QUIET | FATAL | ERROR | VERBOSE | DEBUG | DEBUG2 | DEBUG3
Gives the verbosity level that is used when logging messages. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Specifies the Message Authentication Code algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection.
Multiple algorithms must be comma-separated.
Disables host authentication for localhost.
This is used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get warnings about changed host keys.
The argument to this keyword must
The default is to check the host key for localhost.
Specifies the number of password prompts before giving up. The default is 3.
Specifies the port number to connect on the remote host. The default is 22.
Specifies, for protocol version 2, the order in which the client should try authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password).
Specifies the protocol versions ssh should support, in order of preference.
The default is 2,1. This means ssh tries version 2 and falls back to version 1 if version 2 is not available.
Specifies the command to use to connect to the server. The command string extends to the end of the line and is executed with a shell.
In the command string, %h will be substituted by the host name to connect and %p by the port.
The command should read from its standard input and write to its standard output.
It should finally connect to an sshd, or execute sshd -i somewhere.
Host key management will use the HostName of the host being connected (defaulting to the name typed by the user).
Setting the command to none disables this option.
CheckHostIP is not available for connects with a proxy command.
The default is yes. Protocol version 2 only.
RemoteForward port host:port …
Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host:port from the local machine.
The first argument must be a port number, and the second must be host:port. IPv6 addresses use an alternative syntax.
Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
Specifies whether to try rhosts based authentication. This declaration only affects the client side and has no effect on security.
Most servers do not permit RhostsAuthentication because it is not secure (see RhostsRSAAuthentication).
This option applies to protocol version 1 only and requires ssh to be setuid root and UsePrivilegedPort to be set to yes.
Specifies whether to try rhosts based authentication with RSA host authentication.
This option applies to protocol version 1 only and requires ssh to be setuid root.
RSA authentication will only be attempted if the identity file exists or an authentication agent is running.
Protocol version 1 only.
The argument is the device to use to communicate with a smart card used for storing the user's private RSA key.
By default, no device is specified and smartcard support is not activated.
If set to yes, ssh will never automatically add host keys to $HOME/.ssh/known_hosts, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, but can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or connections to new hosts are frequently made. This option forces the user to manually add all new hosts.
If set to no, ssh will automatically add new host keys to the user's known hosts files.
If set to ask, new host keys will be added to the user's known host files only after the user has confirmed, and ssh will refuse to connect to hosts whose host key has changed.
The host keys of known hosts will be verified in all cases.
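As an added example (not from the man page) tying together the agent and X11 forwarding cautions, GatewayPorts and the host key checking modes above, the following ssh_config fragment keeps forwarding off everywhere except the one host that needs it and refuses changed host keys by default. Keyword names are OpenSSH's; the host names are hypothetical.

```sshconfig
# Host-specific sections first: the first value obtained for a keyword wins.

# The one host that genuinely needs agent forwarding; nothing else gets it.
Host deploy.example.net
    ForwardAgent yes

# Lab hosts are rebuilt often, so a new key is accepted only after the user
# confirms; a changed key for a known lab host is still refused.
Host lab-??.example.net
    StrictHostKeyChecking ask

# Defaults for every other host, placed last because they are consulted last.
Host *
    ForwardAgent no
    ForwardX11 no
    # forwarded ports stay bound to the loopback address
    GatewayPorts no
    # never add keys silently and refuse any host whose key has changed
    StrictHostKeyChecking yes
    # also check the IP address, to notice a key change that arrives via DNS spoofing
    CheckHostIP yes
```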
Specifies whether to use a privileged port for outgoing connections.
If set to yes, ssh must be setuid root.
It must be set to yes if RhostsAuthentication and RhostsRSAAuthentication are needed with older servers.
Specifies the user to log in as. This can be useful when a different user name is used on different machines.
This saves the trouble of having to remember to give the user name on the command line.
Specifies a file to use for the user host key database instead of $HOME/.ssh/known_hosts.
Specifies the full pathname of the xauth program.
The default is /usr/X11R6/bin/xauth.
The per-user configuration file. Its permissions should be read/write for the user, and not accessible by others.
The system-wide configuration file. It must be world-readable.
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.