OpenSSH SSH client configuration files

Configuration is obtained from the following sources, in order:

  1. command-line options
  2. the user's $HOME/.ssh/config
  3. the system-wide /etc/ssh/ssh_config

The first value obtained for each parameter is used.

A host-specific section, introduced by a Host keyword, applies only to hosts whose name as given on the command line matches one of the section's patterns.
Because the first value obtained wins, host-specific declarations should be given near the beginning of the file and general defaults afterwards.

Each line holds a keyword and its arguments. Keyword and arguments may be separated by whitespace, or by optional whitespace and exactly one =; the = form avoids having to quote whitespace when passing configuration options with the -o option of ssh, scp and sftp.

Keywords are case-insensitive and arguments are case-sensitive.
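The precedence and Host-matching rules above, as an added example (not code from the page or from OpenSSH): a small resolver that reads config texts in precedence order, matches Host patterns with * and ? against the name as typed, and keeps the first value seen for each keyword. The sample config files, host names and user names are constructed for the demonstration; Match, Include, quoting and negated patterns are left out because the page does not describe them.

```python
import fnmatch
import re
# Added example (not from the page or OpenSSH): resolves options the way the
# rules above describe. Match, Include, quoting and negated patterns are omitted.
SEP = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")   # "key value" or "key=value"

def parse_config(text):
    # Return (host_patterns, keyword, value) in file order; lines before the
    # first Host section apply to all hosts ('*'). Keywords are lower-cased.
    entries, patterns = [], ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        m = SEP.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            patterns = value.split()                  # a Host line may list several
        else:
            entries.append((patterns, key, value))
    return entries

def host_matches(patterns, host):
    # * and ? wildcards against the name typed on the command line, as is.
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def effective_options(sources, host):
    # sources in precedence order: -o options, $HOME/.ssh/config, /etc/ssh/ssh_config.
    # The FIRST value obtained for each keyword wins; later ones are ignored.
    result = {}
    for text in sources:
        for patterns, key, value in parse_config(text):
            if host_matches(patterns, host) and key not in result:
                result[key] = value
    return result

# Constructed sample files: host-specific sections first, defaults afterwards.
USER_CONFIG = """
Host build
    HostName build.example.internal   # constructed host name
    User ci
    ForwardAgent yes
Host *.example.internal
    ForwardAgent no
Host *
    User = alice
    StrictHostKeyChecking ask
"""
SYSTEM_CONFIG = "StrictHostKeyChecking yes\nCiphers aes256-cbc\n"
```

Calling effective_options(["", USER_CONFIG, SYSTEM_CONFIG], "build") yields User ci and ForwardAgent yes, while the Host *.example.internal section does not apply because matching uses the typed name "build", not the HostName it resolves to.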

HostName altHostName Real host name to log into; allows nicknames or abbreviations to be used for hosts. Numeric IP addresses are permitted. Default: the name given on the command line.
Host hhhhPAT Restricts the following declarations (up to the next Host keyword) to hosts that match the pattern hhhhPAT; * and ? can be used as wildcards.
A single * as the pattern provides defaults for all hosts.
The host is the hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching).
User uname User name to log in as; useful when the user name on the remote host is not the same as the current user name.
PasswordAuthentication yes|no Default yes.
NumberOfPasswordPrompts n Default 3.
ChallengeResponseAuthentication yes|no Default yes.
ConnectionAttempts n Number of connection attempts, one per second, before exiting. Default 1.
ConnectTimeout sss Timeout in seconds, used instead of the system TCP timeout.
EscapeChar x | ^x | none A single character, or ^ followed by a letter, or none, which disables the escape character entirely and makes the connection transparent for binary data. Can also be set on the command line.
Default: ~.
AFSTokenPassing no|yes Whether to pass AFS tokens to the remote host. Protocol version 1 only.
BatchMode no|yes If yes, passphrase/password querying is disabled. Useful in scripts and other batch jobs where no user is present to supply the password. Default no.
CheckHostIP yes|no If yes, additionally check the host IP address in the known_hosts file; this detects a host key that has changed due to DNS spoofing. Default yes.
GlobalKnownHostsFile file Default /etc/ssh/ssh_known_hosts.
Cipher crypttype Cipher for protocol version 1: blowfish, 3des or des (des is only supported for interoperability with legacy protocol 1 implementations that do not support 3des; its use is strongly discouraged due to cryptographic weaknesses).
Default 3des.
Ciphers list Ciphers allowed for protocol version 2, comma-separated, in order of preference.
Default: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc
ClearAllForwardings no|yes If yes, all local, remote and dynamic port forwardings specified in the configuration files or on the command line are cleared. Useful from the ssh command line to clear port forwardings set in configuration files.
Set automatically by scp(1) and sftp(1); otherwise the default is no.
Compression no|yes Default no.
CompressionLevel n 1 (fast) to 9 (slow, best). Default: 6, see gzip(1). Protocol version 1 only.
DynamicForward port The given TCP/IP port on the local machine is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
Currently the SOCKS4 protocol is supported, and ssh acts as a SOCKS4 server.
Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.
ForwardAgent no|yes Whether the connection to the authentication agent (if any) is forwarded to the remote machine.
Default no.

Caution: Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

ForwardX11 no|yes If yes, X11 connections are redirected over the secure channel and $DISPLAY is set on the remote side. Default no.

Caution: Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

GatewayPorts no|yes Whether remote hosts are allowed to connect to local forwarded ports.
By default, ssh binds local port forwardings to the loopback address, preventing other remote hosts from connecting to forwarded ports.
GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports.
The default is no.
HostbasedAuthentication no|yes Try rhosts-based authentication with public key authentication.
Protocol version 2 only; similar to RhostsRSAAuthentication. Default: no.
HostKeyAlgorithms alg1[,alg2 …] Protocol version 2 host key algorithms that the client wants to use, in order of preference.
Default: ssh-rsa,ssh-dss.
HostKeyAlias alias Alias used instead of the real host name when looking up or saving the host key. Useful for tunneling ssh connections or for multiple servers running on a single host.
IdentityFile file File from which the user's RSA or DSA authentication identity is read.
Default for protocol 1: $HOME/.ssh/identity;
for protocol 2: $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication. A leading tilde refers to $HOME.
Multiple identity files may be specified; they are tried in sequence.
KeepAlive yes|no Whether to send TCP keepalive messages. Default yes. Important in scripts, so that a dead connection is noticed rather than hanging.
KerberosAuthentication no|yes Whether Kerberos authentication is used.
KerberosTgtPassing no|yes Whether a Kerberos TGT (Ticket Granting Ticket) is forwarded to the server. Only works if the Kerberos server is an AFS kaserver.
LocalForward port host:port The given port on the local machine is forwarded to host:port on the remote side.
IPv6 addresses are specified as host/port.
Multiple forwardings may be specified, and additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
MACs list Message Authentication Code algorithms in order of preference, used in protocol version 2 for data integrity protection.
Multiple algorithms must be comma-separated.
Default: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96.
NoHostAuthenticationForLocalhost no|yes Disables host authentication for localhost.
Useful if the home directory is shared across machines: in that case localhost refers to a different machine on each of them, and the user would otherwise get warnings about changed host keys.
The argument must be yes or no. Default: check the host key for localhost.
Port ppp Port number to connect to on the remote host. Default: 22.
BindAddress iface Interface to transmit from. Only if UsePrivilegedPort is yes.
PreferredAuthentications list Protocol version 2 only: the order in which the client tries authentication methods, allowing the client to prefer one method (e.g. keyboard-interactive) over another (e.g. password).
Default: hostbased,publickey,keyboard-interactive,password.
Protocol list Protocol versions ssh should support, in order of preference.
Default: 2,1. This means try version 2 and fall back to version 1 if version 2 is not available.
ProxyCommand none|command Command to use to connect to the server. The command string extends to the end of the line and is executed with /bin/sh.
%h is substituted by the host name to connect to and %p by the port.
The command should read from its standard input and write to its standard output.
It should eventually connect to an sshd server running on some machine, or execute sshd -i somewhere.
Host key management uses the HostName of the host being connected to (defaulting to the name typed by the user).
Setting the command to none disables this option.
Note that CheckHostIP is not available for connections made through a proxy command.
PubkeyAuthentication yes|no Default: yes. Protocol version 2 only.
RemoteForward port host:port … The given TCP/IP port on the remote machine is forwarded to the specified host:port from the local machine. The first argument must be a port number and the second must be host:port. IPv6 addresses use host/port.
Multiple forwardings may be specified, and additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
RhostsAuthentication no|yes Try rhosts-based authentication. This option only affects the client side and has no effect on security.
Most servers do not permit RhostsAuthentication because it is not secure (see RhostsRSAAuthentication).
Protocol version 1 only; requires ssh to be setuid root and UsePrivilegedPort to be set to yes. Default: no.
RhostsRSAAuthentication no|yes Try rhosts-based authentication with RSA host authentication.
Protocol version 1 only; requires ssh to be setuid root. Default: no.
RSAAuthentication yes|no Try RSA authentication. It is only attempted if the identity file exists or an authentication agent is running.
Protocol version 1 only. Default: yes.
SmartcardDevice /dev/smcard The device to use to communicate with a smart card that stores the user's private RSA key.
By default no device is specified and smartcard support is not activated.
StrictHostKeyChecking ask|yes|no
yes: ssh never automatically adds host keys to $HOME/.ssh/known_hosts and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan-horse attacks, but can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or connections to new hosts are frequently made, since it forces the user to manually add all new hosts.
no: ssh automatically adds new host keys to the user's known-hosts files.
ask: new host keys are added to the user's known-hosts files only after the user has confirmed them; ssh refuses to connect to hosts whose host key has changed.
The host keys of known hosts are verified in all cases.
Default: ask.
UsePrivilegedPort no|yes Whether to use a privileged port for outgoing connections. Default: no. If yes, ssh must be setuid root.
Set to yes if RhostsAuthentication and RhostsRSAAuthentication are needed with older servers.
UserKnownHostsFile file File to use instead of $HOME/.ssh/known_hosts.
XAuthLocation /path/...progname Full pathname of the xauth program.
Default: /usr/X11R6/bin/xauth.
ControlMaster yes|no|ask|auto|autoask Enables sharing of multiple sessions over a single network connection.

  • yes: ssh listens for connections on a control socket specified with ControlPath. Additional sessions can connect to this socket using the same ControlPath.
  • no (the default): sessions try to reuse a master instance's network connection rather than initiating new ones, but fall back to connecting normally if the control socket does not exist or is not listening.
  • ask: ssh listens for control connections but requires confirmation using ssh-askpass. If the ControlPath cannot be opened, ssh continues without connecting to a master instance.
  • auto: opportunistic multiplexing: try to use a master connection, but fall back to creating a new one if none already exists.
  • autoask: like auto, but requires confirmation.

X11 and ssh-agent forwarding are supported over these multiplexed connections; the display and agent forwarded are those belonging to the master connection.
ControlPath string Path to the control socket used for connection sharing, or none to disable connection sharing.
A ~ may be used for the user's home directory, as may the tokens described in the TOKENS section.
A ControlPath used for opportunistic connection sharing should include at least %h, %p and %r (or alternatively %C) and be placed in a directory that is not writable by other users, to ensure that shared connections are unique.
ControlPersist yes|no|sss|hh:mm:ss Used together with ControlMaster: whether the master connection stays open in the background, waiting for future client connections, after the initial client connection has closed.

yes or 0: the master connection remains open until explicitly closed (with ssh -O exit).
no: the master connection closes as soon as the initial client connection is closed.
sss seconds or hh:mm:ss: the backgrounded master connection terminates after it has remained idle (with no client connections) for the specified time.
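The multiplexing options above and the two permission requirements on this page (a ControlPath directory not writable by other users, and a per-user config readable and writable only by its owner), as an added shell example that is not from the original page or from OpenSSH. Everything is written under a throwaway temporary directory with a constructed host name, and nothing connects anywhere; the check functions are hypothetical helpers written for this example.

```sh
#!/bin/sh
# Added example (not from the page or OpenSSH): a multiplexing config following
# the ControlMaster/ControlPath/ControlPersist notes, plus permission checks
# for the ControlPath directory and the per-user config file.
DEMO_HOME=$(mktemp -d)                      # throwaway tree; real ~/.ssh untouched
mkdir -m 700 "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/cm"
cat > "$DEMO_HOME/.ssh/config" <<'EOF'
# Host-specific sections first, general defaults in Host * afterwards.
Host build
    HostName build.example.internal   # constructed host name
    User ci
    ControlPersist 600                # first value wins: overrides Host * below
Host *
    ControlMaster auto                # opportunistic multiplexing
    ControlPath ~/.ssh/cm/%C          # %C = hash of local host, host, port, user
    ControlPersist 60                 # idle master exits after 60 seconds
EOF
chmod 600 "$DEMO_HOME/.ssh/config"

# Mode string such as drwx------ from ls -ld; cut drops ACL/SELinux suffixes.
# ls is used rather than stat(1) because stat's flags differ between GNU and BSD.
mode_of() { ls -ld "$1" | cut -c1-10; }

# ControlPath directory: a directory that is not writable by group or others
# (positions 6 and 9 of the mode string), so no other local user can plant a
# socket there that ssh would then reuse. Returns 0 when acceptable.
controlpath_dir_ok() {
    case "$(mode_of "$1")" in
        d????w*|d???????w*) return 1 ;;
        d*) return 0 ;;
        *) return 1 ;;
    esac
}

# Per-user config: read/write for the owner only, nothing for anyone else.
config_file_ok() { [ "$(mode_of "$1")" = "-rw-------" ]; }

controlpath_dir_ok "$DEMO_HOME/.ssh/cm" && echo "ControlPath directory: OK"
config_file_ok "$DEMO_HOME/.ssh/config" && echo "per-user config: OK"
```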


$HOME/.ssh/config Per-user configuration file. Permissions should be read/write for the user, and not accessible by others.

/etc/ssh/ssh_config System-wide configuration file. Must be world-readable.