ssh_config - OpenSSH SSH client configuration files


ssh obtains configuration data from the following sources, in order:

  1. command-line options
  2. user's configuration file ($HOME/.ssh/config)
  3. system-wide configuration file (/etc/ssh/ssh_config)

For each parameter, the first obtained value will be used.
The configuration files contain sections bracketed by Host specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

Format: Empty lines and lines starting with '#' are comments.
Otherwise a line is of the form keyword arguments. The keyword and its arguments may be separated by whitespace, or by optional whitespace and exactly one '='; the latter form avoids having to quote whitespace when specifying configuration options with the -o option of ssh, scp and sftp.

Keywords are case-insensitive and arguments are case-sensitive.

Host pattern Restricts the following declarations (up to the next Host keyword) to hosts that match one of the patterns given after the keyword. '*' and '?' can be used as wildcards in the patterns.
A single '*' as pattern provides defaults for all hosts.
The host is the hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching).
AFSTokenPassing no|yes Specifies whether to pass AFS tokens to the remote host. Protocol version 1 only.
BatchMode no|yes If yes, passphrase/password querying is disabled. Useful in scripts and other batch jobs where no user is present to supply the password. Default no.
BindAddress iface Specifies the interface to transmit from on machines with multiple interfaces or aliased addresses. Applies only if UsePrivilegedPort is yes.
ChallengeResponseAuthentication yes|no Specifies whether to use challenge-response authentication. Default yes.
CheckHostIP yes|no If yes, ssh additionally checks the host IP address in the known_hosts file. This lets it detect whether a host key changed due to DNS spoofing.
Default yes.
Cipher crypttype Specifies the cipher to use for encrypting the session in protocol version 1. Currently blowfish, 3des, and des are supported.
des is only supported for interoperability with legacy protocol 1 implementations that do not support 3des. Its use is strongly discouraged due to cryptographic weaknesses.
Default 3des.
Ciphers cipher1,cipher2,... Specifies the ciphers allowed for protocol version 2, comma-separated, in order of preference.
Default: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClearAllForwardings no|yes Specifies that all local, remote and dynamic port forwardings specified in the configuration files or on the command line be cleared. Primarily useful when used from the ssh command line to clear port forwardings set in configuration files.
scp(1) and sftp(1) set this by default. Otherwise the default is no.
Compression no|yes Specifies whether to use compression. Default no.
CompressionLevel n Compression level from 1 (fast) to 9 (slow, best). Default 6, which is good for most applications. See gzip for details. Protocol version 1 only.
ConnectionAttempts n Number of tries (one per second) to make before exiting. Default 1.
DynamicForward port Specifies that a TCP/IP port on the local machine be forwarded over the secure channel; the application protocol is then used to determine where to connect to from the remote machine.
Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server.
Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
EscapeChar x|none The escape character: a single character, or ^ followed by a letter, or none to disable the escape character entirely, making the connection transparent for binary data. Can also be set on the command line.
Default: ~.
ForwardAgent no|yes Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.
Default no.

Caution: Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

ForwardX11 no|yes Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. Default no.

Caution: Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

GatewayPorts no|yes Specifies whether remote hosts are allowed to connect to local forwarded ports.
By default, ssh binds local port forwardings to the loopback address, preventing other remote hosts from connecting to forwarded ports.
GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports.
Default no.
GlobalKnownHostsFile file Specifies a file to use for the global host key database instead of /etc/ssh/ssh_known_hosts.
HostbasedAuthentication no|yes Specifies whether to try rhosts based authentication with public key authentication.
Default no. Protocol version 2 only; similar to RhostsRSAAuthentication.
HostKeyAlgorithms alg1[,alg2,...] Specifies the protocol version 2 host key algorithms that the client wants to use, in order of preference.
Default: ssh-rsa,ssh-dss.
HostKeyAlias alias Specifies an alias to use instead of the real host name when looking up or saving the host key. Useful for tunneling ssh connections or for multiple servers running on a single host.
HostName altHostName Specifies the real host name to log into; can be used to give nicknames or abbreviations for hosts.
Numeric IP addresses are permitted (both on the command line and in HostName specifications).
Default: the name given on the command line.
IdentityFile file Specifies a file from which the user's RSA or DSA authentication identity is read.
Default for protocol version 1: $HOME/.ssh/identity;
for protocol version 2: $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use tilde to refer to a user's home directory.
Multiple identity files may be specified; they will be tried in sequence.
KeepAlive yes|no Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. Default yes; this is important in scripts.
KerberosAuthentication no|yes Specifies whether Kerberos authentication will be used.
KerberosTgtPassing no|yes Specifies whether a Kerberos TGT will be forwarded to the server. This only works if the Kerberos server is actually an AFS kaserver.
LocalForward port host:port Specifies that the given port on the local machine be forwarded to host:port on the remote side.
IPv6 addresses can be specified with the alternative syntax host/port.
Multiple forwardings may be specified, and additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
LogLevel QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3 Verbosity level used when logging messages from ssh. Default INFO. DEBUG and DEBUG1 are equivalent; DEBUG2 and DEBUG3 each specify higher levels of verbose output.
MACs mac1,mac2,... Specifies the Message Authentication Code algorithms in order of preference. Used in protocol version 2 for data integrity protection.
Multiple algorithms must be comma-separated.
Default: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96.
NoHostAuthenticationForLocalhost no|yes Disables host authentication for localhost.
Useful if the home directory is shared across machines: in that case localhost refers to a different machine on each of them, and the user would get warnings about changed host keys.
Default: no, i.e. check the host key for localhost.
NumberOfPasswordPrompts n Number of password prompts before giving up.
Default 3.
PasswordAuthentication yes|no Specifies whether to use password authentication. Default yes.
Port port Port number to connect to on the remote host. Default 22.
PreferredAuthentications method1,method2,... Protocol version 2 only: the order in which the client should try authentication methods, allowing the client to prefer one method (e.g. keyboard-interactive) over another (e.g. password).
Default: hostbased,publickey,keyboard-interactive,password.
Protocol 2,1 Protocol versions ssh should support, in order of preference. The possible values are 1 and 2.
Default: 2,1. This means ssh tries version 2 and falls back to 1 if 2 is not available.
ProxyCommand none|command Command to use to connect to the server. The command string extends to the end of the line and is executed with /bin/sh.
%h will be substituted by the host name to connect to and %p by the port.
The command should read from its standard input and write to its standard output.
It should eventually connect to an sshd server running on some machine, or execute sshd -i somewhere.
Host key management will use the HostName of the host being connected (defaulting to the name typed by the user).
Setting the command to none disables this option.
CheckHostIP is not available for connections made through a proxy command.
PubkeyAuthentication yes|no Specifies whether to try public key authentication. Default yes. Protocol version 2 only.
RemoteForward port host:port Specifies that a TCP/IP port on the remote machine be forwarded to the specified host:port from the local machine. The first argument must be a port number, and the
second must be host:port. IPv6 addresses can be specified with the alternative syntax host/port.
Multiple forwardings may be specified, and additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
RhostsAuthentication no|yes Specifies whether to try rhosts based authentication. This option only affects the client side and has no effect on security.
Most servers do not permit RhostsAuthentication because it is not secure (see RhostsRSAAuthentication).
Protocol version 1 only; requires ssh to be setuid root and UsePrivilegedPort to be set to yes. Default no.
RhostsRSAAuthentication no|yes Specifies whether to try rhosts based authentication with RSA host authentication.
Protocol version 1 only; requires ssh to be setuid root. Default no.
RSAAuthentication yes|no Specifies whether to try RSA authentication. It is only attempted if the identity file exists or an authentication agent is running.
Protocol version 1 only. Default yes.
SmartcardDevice device The device to use to communicate with a smart card used for storing the user's private RSA key.
By default, no device is specified and smartcard support is not activated.
StrictHostKeyChecking ask|yes|no
yes: ssh never automatically adds host keys to $HOME/.ssh/known_hosts and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, but can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or connections to new hosts are frequently made, since the user must manually add all new hosts.
no: ssh automatically adds new host keys to the user's known hosts files.
ask: new host keys are added to the user's known hosts files only after the user has confirmed; ssh refuses to connect to hosts whose host key has changed.
The host keys of known hosts are verified in all cases.
Default: ask.
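The precedence rule (first obtained value wins, host-specific blocks first), the keyword/'='/whitespace syntax, the Host wildcards and the Caution notes above, worked through as an added Python example that is not part of OpenSSH: it resolves the options ssh would use for a command-line host name and flags the effective values this page cautions about. The sample config, the host names and the RISKY table are constructed for the illustration.

```python
import re
# Constructed sample (not from the man page): host-specific block first, general
# defaults under 'Host *' last, as the first-value-wins rule requires.
SAMPLE_CONFIG = """\
Host build-*.lab.example
    ForwardAgent yes
    StrictHostKeyChecking=no
Host *
    Protocol 2
    ForwardAgent no
    StrictHostKeyChecking ask
"""
LINE_RE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")  # keyword, then whitespace or one '='
def parse_config(text):
    """[(host_patterns, {keyword: argument}), ...] in file order; keywords lowercased."""
    blocks = [(["*"], {})]  # declarations before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not (m := LINE_RE.match(line)):
            continue  # empty lines, comments and malformed lines
        keyword, arg = m.groups()
        if keyword.lower() == "host":
            blocks.append((arg.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword.lower(), arg)  # first value in a block wins
    return blocks

def host_matches(hostname, pattern):
    """ssh pattern: '*' matches any run, '?' one character; arguments are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname) is not None

def effective_options(blocks, hostname, cmdline=None):
    """Values ssh uses for the typed name: -o options first, then first match in file order."""
    opts = {k.lower(): v for k, v in (cmdline or {}).items()}
    for patterns, decls in blocks:
        if any(host_matches(hostname, p) for p in patterns):
            for keyword, arg in decls.items():
                opts.setdefault(keyword, arg)
    return opts

# (keyword, default, risky value, reason), drawn from the Caution notes in the entries
RISKY = [("forwardagent", "no", "yes", "remote users who bypass socket permissions can use the agent"),
         ("forwardx11", "no", "yes", "remote users who bypass xauth permissions reach the display"),
         ("stricthostkeychecking", "ask", "no", "new host keys are added without confirmation")]
def audit(opts):
    """Flag effective values the man page cautions about, plus any protocol 1 fallback."""
    findings = [f"{k} {bad}: {why}" for k, default, bad, why in RISKY if opts.get(k, default) == bad]
    if "1" in opts.get("protocol", "2,1").split(","):
        findings.append("protocol allows version 1")
    return findings
```

To check a real setup, read $HOME/.ssh/config and then /etc/ssh/ssh_config and pass the concatenated blocks (user file first) to effective_options.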
UsePrivilegedPort no|yes Specifies whether to use a privileged port for outgoing connections. Default no. If yes, ssh must be setuid root.
Set to yes if RhostsAuthentication and RhostsRSAAuthentication are needed with older servers.
User uname The user to log in as. Useful when a different user name is used on different machines.
This saves the trouble of having to remember to give the user name on the command line.
UserKnownHostsFile file Specifies a file to use for the user host key database instead of $HOME/.ssh/known_hosts.
XAuthLocation path Full pathname of the xauth program.
Default: /usr/X11R6/bin/xauth.
FILES $HOME/.ssh/config
Per-user configuration file. Permissions should be read/write for the user, and not accessible by others.

/etc/ssh/ssh_config
Systemwide configuration file. Must be world-readable.

AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0.