ssh_config - OpenSSH SSH client configuration files
ssh obtains configuration data from the following sources, in this order:
- command-line options
- the user's configuration file
- the system-wide configuration file
For each parameter, the first obtained value will be used.
A host-specific section, introduced by a Host keyword, is applied only to hosts whose name (as given on the command line) matches one of the patterns listed after Host.
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
Keywords and their arguments may be separated by whitespace, or by optional whitespace and exactly one = ; the latter form is useful to avoid the need to quote whitespace when specifying configuration options with the -o option of ssh, scp and sftp.
Keywords are case-insensitive and arguments are case-sensitive.
HostName: the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Numeric IP addresses are also permitted. Default: the name given on the command line.
Host: restricts the following declarations (up to the next Host keyword) to hosts that match one of the patterns given after the keyword. The wildcards * and ? can be used in patterns; a single * as the pattern provides defaults for all hosts.
The host is the hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching).
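To make the lookup rules above concrete, here is a small resolver written for this page (an added example, not part of OpenSSH): it parses a constructed ssh_config, accepts the whitespace or "=" separator, lowercases keywords, matches Host patterns containing * and ? against the name typed on the command line, and keeps the first value obtained for each keyword, consulting command-line -o options before the file.

```python
import re
# Constructed sample ssh_config (not from the page): specific hosts first, "Host *" last.
SAMPLE_CONFIG = """Host bastion
    HostName bastion.example.com
    Port 2222
Host prod-*
    User deploy
    StrictHostKeyChecking yes
    ForwardAgent no
Host *
    user=alice
    forwardagent yes
    StrictHostKeyChecking ask
"""

def parse_config(text):
    """Yield (host_patterns, keyword, argument); keywords are lowercased (case-insensitive)."""
    patterns = ["*"]                       # declarations before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument separated by whitespace, or by optional whitespace and one '='
        m = re.match(r"(\w+)\s*(?:=\s*|\s+)(.*)", line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            patterns = arg.split()         # several patterns may follow one Host keyword
        else:
            yield patterns, keyword, arg

def host_matches(host, patterns):
    """Match the name typed on the command line (not canonicalized) against * and ? patterns."""
    def to_regex(p):
        return "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p) + "$"
    return any(re.match(to_regex(p), host) for p in patterns)

def resolve(host, config_text, cmdline_opts=()):
    """Effective settings: -o options first, then the file top to bottom; first value wins."""
    settings = {}
    for opt in cmdline_opts:               # each item is the argument of one -o, e.g. "ForwardAgent=no"
        key, _, value = opt.partition("=")
        settings.setdefault(key.strip().lower(), value.strip())
    for patterns, keyword, arg in parse_config(config_text):
        if host_matches(host, patterns):
            settings.setdefault(keyword, arg)   # later matches never override an earlier value
    settings.setdefault("hostname", host)      # HostName defaults to the name on the command line
    return settings
```

Swapping the "Host *" block to the top of SAMPLE_CONFIG shows the pitfall the page warns about: its ForwardAgent yes would then shadow the ForwardAgent no intended for prod-* hosts.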
User: specifies the user to log in as. Useful when the user name on the remote host is not the same as the current local user name.
ConnectionAttempts: the number of tries, one per second, to make before exiting. Default: 1.
EscapeChar x | ^x | none
Sets the escape character. The argument should be a single character, ^ followed by a letter, or none to disable the escape character entirely (making the connection transparent for binary data). The escape character can also be set on the command line.
LogLevel: one of QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG2 or DEBUG3. Default: INFO.
to the remote host; protocol version 1 only.
BatchMode: if set to yes, passphrase/password querying will be disabled. This is useful in scripts and other batch jobs where no user is present to supply the password.
CheckHostIP: if set to yes, ssh additionally checks the host IP address in the known_hosts file, which lets it detect whether a host key changed due to DNS spoofing.
Cipher: the cipher to use for encrypting the session in protocol version 1. des is only supported for interoperability with legacy protocol 1 implementations that do not support 3des. Its use is strongly discouraged due to cryptographic weaknesses.
Ciphers: the ciphers allowed for protocol version 2, in order of preference, comma-separated. The default is aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc.
ClearAllForwardings: specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be cleared. This is useful from the ssh command line to clear port forwardings set in configuration files, and it is set automatically by scp(1) and sftp(1).
CompressionLevel: the compression level to use, from 1 (fast) to 9 (slow, best). Default: 6, as in gzip. Protocol version 1 only.
DynamicForward: specifies that a TCP/IP port on the local machine be forwarded over the secure channel, with the application protocol then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
ForwardAgent: specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.
Caution: users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, but can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
ForwardX11: specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.
Caution: users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
GatewayPorts: specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports.
HostbasedAuthentication: specifies whether to try rhosts based authentication with public key authentication. Default: no. Protocol version 2 only; it is similar to RhostsRSAAuthentication.
HostKeyAlgorithms alg1[,alg2 …]
The protocol version 2 host key algorithms that the client wants to use, in order of preference.
HostKeyAlias: an alias used instead of the real host name when looking up or saving the host key. This is useful for tunneling ssh connections or for multiple servers running on a single host.
IdentityFile: the file from which the user's RSA or DSA authentication identity is read. There is a separate default for protocol version 1; for protocol version 2 the default is $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication. A leading tilde refers to the user's home directory. Multiple identity files may be specified, and they will be tried in sequence.
Default: yes. This is important in scripts.
KerberosTgtPassing: specifies whether a Kerberos TGT (Ticket Granting Ticket) will be forwarded to the server. This only works if the Kerberos server is actually an AFS kaserver.
LocalForward port host:port
Specifies that the given TCP/IP port on the local machine be forwarded to host:port from the remote machine. IPv6 addresses are specified with an alternative syntax. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
MACs: the Message Authentication Code algorithms, in order of preference, used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated.
NoHostAuthenticationForLocalhost: disables host authentication for localhost. Used if the home directory is shared across machines; in this case localhost will refer to a different machine on each of the machines and the user will get warnings about changed host keys. The argument to this keyword must be yes or no. Default: check the host key for localhost.
Port: the port number to connect to on the remote host. Default: 22.
Specifies the interface to transmit from.
PreferredAuthentications: for protocol version 2, the order in which the client should try authentication methods, allowing the client to prefer one method (e.g. keyboard-interactive) over another (e.g. password).
Protocol: the protocol versions ssh should support, in order of preference. Default: 2,1. This means ssh tries version 2 and falls back to version 1 if version 2 is not available.
ProxyCommand: the command to use to connect to the server. The command string extends to the end of the line and is executed by a shell. In the command string, %h will be substituted by the host name to connect to and %p by the port. The command should read from its standard input and write to its standard output. It should eventually connect to an sshd server running on some machine, or execute sshd -i somewhere. Host key management will use the HostName of the host being connected to (defaulting to the name typed by the user). Setting the command to none disables this option. Note that CheckHostIP is not available for connections made through a proxy command.
PubkeyAuthentication: specifies whether to try public key authentication. Default: yes. Protocol version 2 only.
RemoteForward port host:port
Specifies that the given TCP/IP port on the remote machine be forwarded to the specified host:port from the local machine. The first argument must be a port number, and the second must be host:port. IPv6 addresses use an alternative syntax. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
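The forwarding syntax shared by LocalForward, RemoteForward and DynamicForward, together with the superuser restriction and the GatewayPorts binding rule described above, as an added example written for this page (not OpenSSH's own code). The 1024 privileged-port boundary and the "loopback"/"wildcard" labels are assumptions of the example, and the uid is passed in so it can be tested without running as root.

```python
import os

PRIVILEGED_PORT_LIMIT = 1024  # assumption: the usual Unix "privileged port" boundary

def parse_forward(kind, spec, gateway_ports="no", uid=None):
    """Interpret a LocalForward / RemoteForward ("port host:port") or
    DynamicForward ("port") argument as the page describes: where the
    listening socket is bound, where traffic goes, and who may create it."""
    uid = os.getuid() if uid is None else uid
    kind = kind.lower()
    fields = spec.split()
    if kind in ("localforward", "remoteforward"):
        if len(fields) != 2 or ":" not in fields[1]:
            raise ValueError("expected 'port host:port', got %r" % spec)
        listen_port = int(fields[0])
        host, _, port = fields[1].rpartition(":")
        target = (host, int(port))
    elif kind == "dynamicforward":
        if len(fields) != 1:
            raise ValueError("expected a single port, got %r" % spec)
        listen_port = int(fields[0])
        target = ("SOCKS4", None)  # destination is chosen per connection by the client
    else:
        raise ValueError("not a forwarding keyword: %s" % kind)
    if listen_port < PRIVILEGED_PORT_LIMIT and uid != 0:
        raise PermissionError("only the superuser can forward privileged port %d" % listen_port)
    if kind == "remoteforward":
        # the listener lives on the remote machine; its bind address is the server's decision
        return {"side": "remote", "bind": None, "port": listen_port, "target": target}
    # local and dynamic forwardings bind to loopback unless GatewayPorts is yes
    bind = "wildcard" if gateway_ports.lower() == "yes" else "loopback"
    return {"side": "local", "bind": bind, "port": listen_port, "target": target}
```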
RhostsAuthentication: specifies whether to try rhosts based authentication. This declaration only affects the client side and has no effect on security. Most servers do not permit RhostsAuthentication because it is not secure (see RhostsRSAAuthentication). Protocol version 1 only; it requires ssh to be setuid root and UsePrivilegedPort to be set to yes.
RhostsRSAAuthentication: specifies whether to try rhosts based authentication with RSA host authentication. Protocol version 1 only; it requires ssh to be setuid root.
RSAAuthentication: specifies whether to try RSA authentication. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running. Protocol version 1 only.
SmartcardDevice: the device to use to communicate with a smart card used for storing the user's private RSA key. By default, no device is specified and smartcard support is not activated.
StrictHostKeyChecking: if set to yes, ssh will never automatically add host keys to $HOME/.ssh/known_hosts, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, but can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or connections to new hosts are frequently made, since it forces the user to manually add all new hosts.
If set to no, ssh will automatically add new host keys to the user's known hosts files.
If set to ask, new host keys will be added to the user's known host files only after the user has confirmed, and ssh will refuse to connect to hosts whose host key has changed.
The host keys of known hosts will be verified in all cases.
UsePrivilegedPort: specifies whether to use a privileged port for outgoing connections. If set to yes, ssh must be setuid root. This option must be set to yes when RhostsAuthentication or RhostsRSAAuthentication is needed with older servers.
UserKnownHostsFile: a file to use for the user host key database instead of $HOME/.ssh/known_hosts.
XAuthLocation: the full pathname of the xauth program. Default: /usr/X11R6/bin/xauth.
Per-user configuration file. Permissions should be read/write for the user, and not accessible by others.
System-wide configuration file. Must be world-readable.
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.