SSH config file syntax and how-tos for configuring the OpenSSH client (2024)

This page is about OpenSSH client configuration. For OpenSSH server configuration, see sshd_config. For Tectia SSH configuration, see Tectia SSH Server Administrator Manual. For configuring passwordless public key authentication, see ssh-keygen.

The ssh program on a host receives its configuration from either the command line or from configuration files ~/.ssh/config and /etc/ssh/ssh_config.

Command-line options take precedence over configuration files. The user-specific configuration file ~/.ssh/config is used next. Finally, the global /etc/ssh/ssh_config file is used. The first obtained value for each configuration parameter will be used.

Contents

  • Commonly used configuration options
  • Enabling X11 forwarding and agent forwarding
  • Port forwarding
  • Configuring public key authentication
  • Certificate-based authentication
  • Format of SSH client config file ssh_config
  • Listing of client configuration options

Commonly used configuration options

There are many configuration options available. In practice, only a few of them are ever changed, and user-specific configuration files are rarely used. In most cases, just /etc/ssh/ssh_config is edited.

Enabling X11 forwarding and agent forwarding

Developers, students, and researchers often want to enable X11 forwarding and SSH agent forwarding. These allow running graphical applications remotely and eliminate the need for typing a password whenever moving from one server to another, respectively. Setting these options in /etc/ssh/ssh_config makes life easier for end users, saves overhead, and reduces support load. However, they increase the risk of an attack spreading from a compromised server to a user's desktop, so the most security-critical environments may want to leave them disabled. There is generally no reason to enable them on production servers in enterprises.

ForwardAgent yes
ForwardX11 yes

Port forwarding

Local and remote port forwarding can be used for tunneling applications, accessing intranet web services from home, tunneling database access, and many other purposes. For instructions on configuring port forwarding, see the port forwarding configuration page. Note, however, that port forwarding can also be used to tunnel traffic from the external Internet into a corporate intranet. Employees sometimes do this to be able to work from home even when company policy does not permit it. Hackers use it to leave a permanent backdoor. See the page on SSH tunneling for more information.

Configuring public key authentication

Public key authentication is used for passwordless logins between systems. It is often used for automated processes, such as backups, configuration management, and file transfers. It is also used by sophisticated end users and system administrators for single sign-on. See the public key authentication page for configuring it.

When a user has created more than one SSH key for authentication, the -i command line option may be helpful for specifying which key to use. In the client configuration file, this can be specified using the IdentityFile option.

Certificate-based authentication

OpenSSH certificates can be used for authentication either using ssh-agent or by specifying the CertificateFile option in the client configuration file. See SSH certificates for more information.

Format of SSH client config file ssh_config

The ssh_config client configuration file has the following format. Both the global /etc/ssh/ssh_config and per-user ~/.ssh/config have the same format.

  • Empty lines and lines starting with '#' are comments.

  • Each line begins with a keyword, followed by argument(s).

  • Configuration options may be separated by whitespace or optional whitespace and exactly one =.

  • Arguments may be enclosed in double quotes (") in order to specify arguments that contain spaces.
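As an added example (not code from the original page), the format rules above and the first-obtained-value precedence described earlier, implemented as a small Python resolver over a constructed sample config. Match blocks are recognised but never applied, and IdentityFile accumulates across matching blocks rather than taking the first value.

```python
import fnmatch
import re
import shlex

# Constructed sample per-user config (not a real file), in the format described
# above: '#' comments, keyword/argument lines, an optional '=', double quotes.
SAMPLE_CONFIG = """\
Host bastion
    HostName = bastion.example.com
    User ops
    IdentityFile "~/.ssh/keys/bastion ed25519"
    IdentitiesOnly yes

Host *.example.com !bastion.example.com
    ForwardAgent yes

Host *
    ForwardAgent no
    ServerAliveInterval 60
"""
ACCUMULATING = {"identityfile"}   # collected from every matching block, not first-wins

def parse(text):
    """Split config text into (host_patterns, [(keyword, args), ...]) blocks."""
    blocks = []
    patterns, options = ["*"], []   # lines before any Host apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                # empty lines and '#' lines are comments
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.+)$", line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword in ("host", "match"):
            blocks.append((patterns, options))
            # Match criteria are not evaluated here, so such blocks never apply.
            patterns, options = (args if keyword == "host" else []), []
        else:
            options.append((keyword, args))
    blocks.append((patterns, options))
    return blocks

def host_matches(patterns, host):
    """Host patterns: '*' and '?' wildcards; a matching '!' pattern vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve(host, *configs):
    """Effective options for the name typed on the command line. Pass config texts
    in precedence order (user file, then global file); the first value seen for a
    keyword wins and later ones are ignored."""
    effective = {}
    for text in configs:
        for patterns, options in parse(text):
            if not host_matches(patterns, host):
                continue
            for keyword, args in options:
                if keyword in ACCUMULATING:
                    effective.setdefault(keyword, []).extend(args)
                elif keyword not in effective:
                    effective[keyword] = " ".join(args)
    return effective
```

Note that patterns are matched against the name typed on the command line, so `resolve("bastion", SAMPLE_CONFIG)` does not fall into the `*.example.com` block even though its HostName does.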

Listing of client configuration options

The following keywords can be used in SSH client configuration files. Keywords are case-insensitive and arguments are case-sensitive. Any algorithm or method names that include an at sign (@) are for experimental use only and not recommended for production.

Host

Restricts the following declarations to be only for those hosts that match one of the patterns given after the keyword. The pattern is matched against the host name given on the command line.

Match

Restricts the following declarations to apply only for hosts that match the specified criteria. For detailed information, see the SSH man page.

AddressFamily

Specifies which address family to use when connecting. Valid arguments are: any, inet, inet6.

BatchMode

If set to yes, passphrase/password querying will be disabled. This is useful for running the ssh client from shell scripts that do not have an interactive user, and prevents accidentally blocking on a password prompt.

BindAddress

Uses the specified address on the local machine as the source address of the connection.

ChallengeResponseAuthentication

Specifies whether to use challenge-response authentication. This is mostly a legacy method and has been replaced by KbdInteractiveAuthentication.

CheckHostIP

Directs ssh to additionally check the host IP address in the known_hosts file.

Cipher

Specifies the cipher to use for encrypting the session in protocol version 1. Note that use of protocol 1 is not recommended.

Ciphers

Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The ssh -Q cipher command can be used to query supported ciphers. The following list is supported in OpenSSH 6.7:

3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc
[email protected] aes128-ctr aes192-ctr aes256-ctr [email protected]
[email protected] [email protected]

ClearAllForwardings

Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared.

Compression

Specifies whether to use compression. yes enables compression.

CompressionLevel

Specifies the compression level to use if compression is enabled.

ConnectionAttempts

Specifies the number of attempts to make before exiting.

ConnectTimeout

Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout.

ControlMaster

Enables the sharing of multiple sessions over a single network connection.

ControlPath

Specifies the path to the control socket used for connection sharing as described in the ControlMaster section above, or the string none to disable connection sharing.

DynamicForward

Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

EscapeChar

Sets the escape character.

ExitOnForwardFailure

Specifies whether ssh should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.

ForwardAgent

Specifies whether the connection to the authentication agent will be forwarded to the remote machine.

ForwardX11

Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.

ForwardX11Trusted

If this option is set to yes, remote X11 clients will have full access to the original X11 display.

GatewayPorts

Specifies whether remote hosts are allowed to connect to local forwarded ports.

GlobalKnownHostsFile

Specifies a file to use for the global host key database instead of /etc/ssh/ssh_known_hosts.

GSSAPIAuthentication

Specifies whether user authentication based on GSSAPI is allowed. GSSAPI is typically used for Kerberos authentication, e.g., with Active Directory.

GSSAPIKeyExchange

Specifies whether key exchange based on GSSAPI may be used.

GSSAPIClientIdentity

If set, specifies the GSSAPI client identity that ssh should use when connecting to the server.

GSSAPIDelegateCredentials

Forward (delegate) credentials to the server.

GSSAPIRenewalForcesRekey

If set to yes then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection.

GSSAPITrustDns

Set to yes to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If no, the hostname entered on the command line will be passed untouched to the GSSAPI library.

HashKnownHosts

Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed.
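An added example, not from the original page, showing what a hashed known_hosts host field is: `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`. It can be checked against a hostname you already know, but does not reveal the hostname by itself. The known_hosts contents and key strings below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # prefix ssh writes in front of a hashed host field

def hash_hostname(hostname, salt=None):
    """Return the '|1|salt|hash' form of a host field as HashKnownHosts writes it.

    The salt is 20 random bytes; the hash is HMAC-SHA1 keyed with that salt over
    the host name as ssh writes it (lowercase, '[host]:port' for non-default ports).
    """
    if salt is None:
        salt = os.urandom(20)   # ssh picks its own random salt per entry
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())

def hashed_entry_matches(host_field, hostname):
    """True if a hashed host field was produced for `hostname` (constant-time compare)."""
    if not host_field.startswith(HASH_MAGIC):
        return False
    salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))

def find_host(known_hosts_text, hostname):
    """Return the key parts of every known_hosts line that belongs to `hostname`.

    A plain host field may list several comma-separated names; a hashed field
    holds one name and must be recomputed with its own salt before comparing.
    """
    hits = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field, _, rest = line.partition(" ")
        if host_field.startswith("@"):            # @cert-authority / @revoked marker
            host_field, _, rest = rest.partition(" ")
        if host_field.startswith(HASH_MAGIC):
            if hashed_entry_matches(host_field, hostname):
                hits.append(rest)
        elif hostname in host_field.split(","):
            hits.append(rest)
    return hits

# Constructed sample known_hosts: one plain entry and one hashed entry built
# with a fixed salt so the sample is reproducible. Keys are placeholders.
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "git.example.net,192.0.2.10 ssh-ed25519 AAAA-PLACEHOLDER-KEY-1",
    hash_hostname("[db.example.net]:2222", FIXED_SALT)
    + " ssh-ed25519 AAAA-PLACEHOLDER-KEY-2",
])
```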

HostbasedAuthentication

Specifies whether to try rhosts based authentication with public key authentication, using the .rhosts or .shosts files in the user's home directory and /etc/hosts.equiv and /etc/shosts.equiv in global configuration.

HostKeyAlgorithms

Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The following values are supported in OpenSSH 6.7:

ssh-ed25519 [email protected] ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

HostKeyAlias

Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.

HostName

Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).

IdentitiesOnly

Specifies that ssh should only use the identity keys configured in the ssh_config files, even if ssh-agent offers more identities.

IdentityFile

Specifies a file from which the user's identity key is read when using public key authentication. The default for protocol version 1 is ~/.ssh/identity; and ~/.ssh/id_rsa or ~/.ssh/id_dsa for protocol version 2.

KbdInteractiveAuthentication

Specifies whether to use keyboard-interactive authentication. This is a common method for password authentication, one-time passwords, and multi-factor authentication.

KbdInteractiveDevices

Specifies the list of methods to use in keyboard-interactive authentication.

LocalCommand

Specifies a command to execute on the local machine after successfully connecting to the server.

LocalForward

Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:port.

LogLevel

Specifies the verbosity level of logging messages from ssh. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.

MACs

Specifies the MAC (message authentication code) algorithms in order of preference. The ssh -Q mac command can be used to query supported MAC algorithms. The following list is supported in OpenSSH 6.7:

hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 hmac-ripemd160 
[email protected] [email protected] [email protected] [email protected]
[email protected] [email protected] [email protected]
[email protected] [email protected] [email protected] [email protected]
[email protected]

NoHostAuthenticationForLocalhost

Disables host key checking for connections to localhost. This option can be used if the home directory is shared across machines: localhost would then refer to a different machine on each of them, and the user would get many warnings about changed host keys.

PreferredAuthentications

Specifies the order in which the client should try protocol 2 authentication methods.

Protocol

Specifies the protocol versions in order of preference. The possible values are '1' and '2'. Multiple versions must be comma-separated. Use of protocol version 1 is NOT RECOMMENDED for security reasons. There is reason to believe it may be susceptible to man-in-the-middle attacks.

ProxyCommand

Specifies the command to use to connect to the server. The SSH client communicates with the proxy command using its standard input and standard output, and the proxy command should pass the communication to an SSH server.

PubkeyAuthentication

Specifies whether to try public key authentication using SSH keys. Valid values are yes and no. When public key authentication is used in a production environment, a proper SSH key management system should also be put in place.

RemoteForward

Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be: [bind_address:]port and the second argument must be host:port. SSH tunneling is a powerful tool, but see security considerations on SSH tunneling.

RhostsRSAAuthentication

Specifies whether to try rhosts based authentication with RSA host authentication. This is for protocol version 1 only and is deprecated.

RSAAuthentication

Specifies whether to try RSA authentication. This is for protocol version 1 only and is deprecated.

SendEnv

Specifies what environment variables should be sent to the server.

ServerAliveCountMax

Sets the number of keepalive messages that may be sent by the client without the client receiving any messages back from the server. When this threshold is reached the client will terminate the session.

ServerAliveInterval

Specifies the interval for sending keepalive messages to the server. The messages are sent through the encrypted channel, and serve to detect if the server has crashed or the network has gone down.

SmartcardDevice

Specifies which smartcard device to use.

StrictHostKeyChecking

Specifies whether ssh should refuse to automatically add host keys to the ~/.ssh/known_hosts file and refuse to connect to hosts whose host key has changed.

TCPKeepAlive

Specifies whether to send TCP keepalives to the other side. These operate on the level of the TCP protocol. Sending keepalives helps properly close the socket when the network or server goes down. On the other hand, without it, the connection may stay alive and any windows open, even if the network is down for a while.

Tunnel

If yes, request tun device forwarding between the client and the server. This is used for implementing a VPN over SSH.

TunnelDevice

Specifies the tun devices to open on the client (local_tun) and the server (remote_tun).

UsePrivilegedPort

Specifies whether or not to use a privileged port for outgoing connections. The client must run as root to use a privileged port. A privileged port is required for host-based authentication.

UserKnownHostsFile

Specifies a file to use for per-user known host key database instead of the default ~/.ssh/known_hosts.

VerifyHostKeyDNS

Specifies whether to verify the remote key using DNS and SSHFP resource records.

VisualHostKey

Specifies whether an ASCII art representation of the remote host key fingerprint is printed in addition to the hex fingerprint string at login and for unknown host keys.


FAQs

How to config SSH config file? ›

The SSH config file is divided into Host sections with specific configuration options for every host. The argument is the exact hostname, IP address, or a match pattern. Use whitespace as a separator between parameters and arguments or an equals sign ( = ).

How to configure SSH client? ›

File Location

The SSH client-side configuration file is named config and is stored in the .ssh directory under the user's home directory. By default, the config file will not be present and the user needs to create it using the touch command.

What should my SSH config look like? ›

Both the global /etc/ssh/ssh_config and per-user ~/.ssh/config have the same format. Empty lines and lines starting with '#' are comments. Each line begins with a keyword, followed by argument(s). Configuration options may be separated by whitespace or optional whitespace and exactly one =.

How to configure custom connection options for your SSH client? ›

How to Configure Custom SSH Connection
  1. Open terminal.
  2. ssh-keygen -t rsa.
  3. Press enter when you are prompted to Enter a file in which to save the key.
  4. Type a passphrase when you are prompted to Enter passphrase (empty for no passphrase):
  5. Type the same passphrase when you are prompted to Enter same passphrase again:
Jul 30, 2020

Where is the SSH custom config file? ›

SSH client and SSH server configuration files
  1. User configuration file location: $HOME/.ssh/config.
  2. System-wide configuration file default location: /etc/ssh/ssh_config.
May 31, 2019

How to create a SSH file? ›

For Windows 10 & 11
  1. Press the Windows key or open up the Start Menu. Type “cmd”.
  2. Under “Best Match”, click “Command Prompt”.
  3. In the command prompt, use the ssh-keygen command: ...
  4. The system will now generate the key pair and display the key fingerprint and a randomart image. ...
  5. Open your file explorer.

What are the four steps needed to configure SSH? ›

There are four steps required to enable SSH support on a Cisco IOS router:
  • Configure the hostname command.
  • Configure the DNS domain.
  • Generate the SSH key.
  • Enable SSH transport support for the vty.
Aug 9, 2023

What is the format of SSH client key? ›

Supported SSH key formats

Type of key          Minimum key size (bits)   Example
Ed25519 (ed25519)    256                       ssh-keygen -t ed25519 -b 256
ECDSA (ecdsa)        256                       ssh-keygen -t ecdsa -b 256
RSA (rsa)            2048                      ssh-keygen -t rsa -b 2048
DSA / DSS (dsa)      1024                      ssh-keygen -t dsa -b 1024

How to connect via SSH with client? ›

How to Connect via SSH
  1. Open the command line/terminal window and run the following ssh command: ssh [username]@[host_ip_address] ...
  2. When connecting to the server for the first time, a message appears asking to confirm the connection. ...
  3. Provide the password when prompted and press Enter.
Nov 23, 2023

How do I edit the SSH config file? ›

To edit the SSH client config file in Vim, open the terminal and enter vim ~/.ssh/config. This opens the file in Vim, where you can edit it according to your requirements.

How to check current SSH config? ›

Open the /etc/ssh/sshd_config with a supported editor. To enable the password or key authentication, make sure the related parameter is set to "yes". To enable both, set both of these parameters to "yes". To enable the password authentication, check if the parameter PasswordAuthentication is set to "yes".

What permissions should SSH config file have? ›

Permissions on folder and files should read:
  • .ssh/ directory: 700 ( drwx------ )
  • public key ( .pub file): 644 ( -rw-r--r-- )
  • private key ( id_rsa ): 600 ( -rw------- )
  • Your home directory should not be writeable by the group or others: 755 ( drwxr-xr-x ).
  • Configuration file: .ssh/config : 600 ( -rw------- )
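An added example, not part of the answer above: a Python audit of those modes over a constructed throwaway home directory (the helper names are hypothetical). It flags any entry that grants more than the listed permissions and can tighten the flagged ones.

```python
import os
import stat
import tempfile

# Most permissive mode allowed for each entry, from the answer above.
LIMITS = {"home": 0o755, ".ssh": 0o700, "config": 0o600,
          "private_key": 0o600, "public_key": 0o644}

def looks_like_private_key(path):
    """Recognise a private key by its header line rather than its file name."""
    with open(path, "rb") as fh:
        first = fh.readline()
    return first.startswith(b"-----BEGIN") and b"PRIVATE KEY" in first

def audit_ssh_dir(ssh_dir):
    """Return [(name, actual_mode, allowed_mode)] for entries that are too open.

    Hypothetical helper, not from the page. An entry passes when its mode grants
    no permission bit beyond the allowed mode, so stricter settings are fine.
    """
    findings = []

    def check(name, path, allowed):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:
            findings.append((name, mode, allowed))

    check("home", os.path.dirname(os.path.abspath(ssh_dir)), LIMITS["home"])
    check(".ssh", ssh_dir, LIMITS[".ssh"])
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        if name == "config":
            check(name, path, LIMITS["config"])
        elif name.endswith(".pub"):
            check(name, path, LIMITS["public_key"])
        elif looks_like_private_key(path):
            check(name, path, LIMITS["private_key"])
    return findings

def tighten(ssh_dir):
    """chmod every flagged entry down to its allowed mode; returns what is still open."""
    home = os.path.dirname(os.path.abspath(ssh_dir))
    for name, _, allowed in audit_ssh_dir(ssh_dir):
        path = {"home": home, ".ssh": ssh_dir}.get(name, os.path.join(ssh_dir, name))
        os.chmod(path, allowed)
    return audit_ssh_dir(ssh_dir)

def make_sample_home():
    """Build a constructed throwaway home whose config file is deliberately too open."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    files = {  # name: (content, mode); the key material is a placeholder, not a key
        "config": ("Host *\n    ServerAliveInterval 60\n", 0o644),
        "id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n", 0o600),
        "id_ed25519.pub": ("ssh-ed25519 AAAA-PLACEHOLDER user@example\n", 0o644),
    }
    for name, (content, mode) in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return ssh_dir
```

Run `audit_ssh_dir(os.path.expanduser("~/.ssh"))` to check a real directory; `make_sample_home` exists only so the example runs offline.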

What is the SSH command syntax? ›

The ssh command is used to securely log into a remote machine and execute commands on that machine. The basic syntax of the command is “ssh user@host”, where user is the username on the remote machine and host is the address or hostname of the remote machine.

How to install and configure SSH? ›

  1. Step1: Install and enable SSH Server. ...
  2. Step2: Enable SSH Protocol Version 2. ...
  3. Step 3: Customize the default SSH port (22) ...
  4. Step4: Disable root login (SSH) ...
  5. Step 5: Use ssh keys (Public and Private) ...
  6. Step 6: Disable X11 Forwarding. ...
  7. Step 7: Disable Empty Passwords. ...
  8. Step 8: Set Max Authentication Attempts.
Mar 17, 2023

What is the difference between SSH config file host and hostname? ›

Host specifies the command line argument, and could be thought of as a) actual host name/IP, b) shorthand, c) alias. The HostName is the real hostname/IP of the machine you are connecting to.

How to open sshd_config file? ›

OpenSSH configuration files
  1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
  2. A user's configuration file at %userprofile%\.ssh\config.
  3. The system-wide configuration file at %programdata%\ssh\ssh_config.
Jul 29, 2022

How to set SSH config file in Windows? ›

To configure SSH on Windows:
  1. Install or enable SSH server on your Windows machine. ...
  2. To enable the built-in SSH server for older Windows versions, see Install Win32 OpenSSH.
  3. Configure and start your SSH server.
  4. If you have firewall, open the SSH port in your firewall.

How to edit SSH file? ›

Using 'vim' to create and edit a file
  1. Log into your server via SSH.
  2. Navigate to the directory location you wish to create the file in or edit an existing file.
  3. Type in vim followed by the name of the file. ...
  4. Press the letter i on your keyboard to enter INSERT mode in vim. ...
  5. Start typing into the file.
Mar 12, 2024

Article information

Author: Greg O'Connell
