1SSH_CONFIG(5)               BSD File Formats Manual              SSH_CONFIG(5)
2

NAME

4     ssh_config — OpenSSH client configuration file
5

DESCRIPTION

7     ssh(1) obtains configuration data from the following sources in the fol‐
8     lowing order:
9
10           1.   command-line options
11           2.   user's configuration file (~/.ssh/config)
12           3.   system-wide configuration file (/etc/ssh/ssh_config)
13
14     For each parameter, the first obtained value will be used.  The configu‐
15     ration files contain sections separated by Host specifications, and that
16     section is only applied for hosts that match one of the patterns given in
17     the specification.  The matched host name is usually the one given on the
18     command line (see the CanonicalizeHostname option for exceptions).
19
20     Since the first obtained value for each parameter is used, more host-spe‐
21     cific declarations should be given near the beginning of the file, and
22     general defaults at the end.
23
24     The file contains keyword-argument pairs, one per line.  Lines starting
25     with ‘#’ and empty lines are interpreted as comments.  Arguments may
26     optionally be enclosed in double quotes (") in order to represent argu‐
27     ments containing spaces.  Configuration options may be separated by
28     whitespace or optional whitespace and exactly one ‘=’; the latter format
29     is useful to avoid the need to quote whitespace when specifying configu‐
30     ration options using the ssh, scp, and sftp -o option.
31
32     The possible keywords and their meanings are as follows (note that key‐
33     words are case-insensitive and arguments are case-sensitive):
34
35     Host    Restricts the following declarations (up to the next Host or
36             Match keyword) to be only for those hosts that match one of the
37             patterns given after the keyword.  If more than one pattern is
38             provided, they should be separated by whitespace.  A single ‘*’
39             as a pattern can be used to provide global defaults for all
40             hosts.  The host is usually the hostname argument given on the
41             command line (see the CanonicalizeHostname keyword for excep‐
42             tions).
43
44             A pattern entry may be negated by prefixing it with an exclama‐
45             tion mark (‘!’).  If a negated entry is matched, then the Host
46             entry is ignored, regardless of whether any other patterns on the
47             line match.  Negated matches are therefore useful to provide
48             exceptions for wildcard matches.
49
50             See PATTERNS for more information on patterns.
51
52     Match   Restricts the following declarations (up to the next Host or
53             Match keyword) to be used only when the conditions following the
54             Match keyword are satisfied.  Match conditions are specified
55             using one or more criteria or the single token all which always
56             matches.  The available criteria keywords are: canonical, final,
57             exec, host, originalhost, user, and localuser.  The all criteria
58             must appear alone or immediately after canonical or final.  Other
59             criteria may be combined arbitrarily.  All criteria but all,
60             canonical, and final require an argument.  Criteria may be
61             negated by prepending an exclamation mark (‘!’).
62
63             The canonical keyword matches only when the configuration file is
64             being re-parsed after hostname canonicalization (see the
65             CanonicalizeHostname option).  This may be useful to specify con‐
66             ditions that work with canonical host names only.
67
68             The final keyword requests that the configuration be re-parsed
69             (regardless of whether CanonicalizeHostname is enabled), and
70             matches only during this final pass.  If CanonicalizeHostname is
71             enabled, then canonical and final match during the same pass.
72
73             The exec keyword executes the specified command under the user's
74             shell.  If the command returns a zero exit status then the condi‐
75             tion is considered true.  Commands containing whitespace charac‐
76             ters must be quoted.  Arguments to exec accept the tokens
77             described in the TOKENS section.
78
79             The other keywords' criteria must be single entries or comma-sep‐
80             arated lists and may use the wildcard and negation operators
81             described in the PATTERNS section.  The criteria for the host
82             keyword are matched against the target hostname, after any sub‐
83             stitution by the Hostname or CanonicalizeHostname options.  The
84             originalhost keyword matches against the hostname as it was spec‐
85             ified on the command-line.  The user keyword matches against the
86             target username on the remote host.  The localuser keyword
87             matches against the name of the local user running ssh(1) (this
88             keyword may be useful in system-wide ssh_config files).
89
90     AddKeysToAgent
91             Specifies whether keys should be automatically added to a running
92             ssh-agent(1).  If this option is set to yes and a key is loaded
93             from a file, the key and its passphrase are added to the agent
94             with the default lifetime, as if by ssh-add(1).  If this option
95             is set to ask, ssh(1) will require confirmation using the
96             SSH_ASKPASS program before adding a key (see ssh-add(1) for
97             details).  If this option is set to confirm, each use of the key
98             must be confirmed, as if the -c option was specified to
99             ssh-add(1).  If this option is set to no, no keys are added to
100             the agent.  The argument must be yes, confirm, ask, or no (the
101             default).
102
103     AddressFamily
104             Specifies which address family to use when connecting.  Valid
105             arguments are any (the default), inet (use IPv4 only), or inet6
106             (use IPv6 only).
107
108     BatchMode
109             If set to yes, user interaction such as password prompts and host
110             key confirmation requests will be disabled.  This option is use‐
111             ful in scripts and other batch jobs where no user is present to
112             interact with ssh(1).  The argument must be yes or no (the
113             default).
114
115     BindAddress
116             Use the specified address on the local machine as the source
117             address of the connection.  Only useful on systems with more than
118             one address.
119
120     BindInterface
121             Use the address of the specified interface on the local machine
122             as the source address of the connection.
123
124     CanonicalDomains
125             When CanonicalizeHostname is enabled, this option specifies the
126             list of domain suffixes in which to search for the specified des‐
127             tination host.
128
129     CanonicalizeFallbackLocal
130             Specifies whether to fail with an error when hostname canonical‐
131             ization fails.  The default, yes, will attempt to look up the
132             unqualified hostname using the system resolver's search rules.  A
133             value of no will cause ssh(1) to fail instantly if
134             CanonicalizeHostname is enabled and the target hostname cannot be
135             found in any of the domains specified by CanonicalDomains.
136
137     CanonicalizeHostname
138             Controls whether explicit hostname canonicalization is performed.
139             The default, no, is not to perform any name rewriting and let the
140             system resolver handle all hostname lookups.  If set to yes then,
141             for connections that do not use a ProxyCommand or ProxyJump,
142             ssh(1) will attempt to canonicalize the hostname specified on the
143             command line using the CanonicalDomains suffixes and
144             CanonicalizePermittedCNAMEs rules.  If CanonicalizeHostname is
145             set to always, then canonicalization is applied to proxied con‐
146             nections too.
147
148             If this option is enabled, then the configuration files are pro‐
149             cessed again using the new target name to pick up any new config‐
150             uration in matching Host and Match stanzas.
151
152     CanonicalizeMaxDots
153             Specifies the maximum number of dot characters in a hostname
154             before canonicalization is disabled.  The default, 1, allows a
155             single dot (i.e. hostname.subdomain).
156
157     CanonicalizePermittedCNAMEs
158             Specifies rules to determine whether CNAMEs should be followed
159             when canonicalizing hostnames.  The rules consist of one or more
160             arguments of source_domain_list:target_domain_list, where
161             source_domain_list is a pattern-list of domains that may follow
162             CNAMEs in canonicalization, and target_domain_list is a pattern-
163             list of domains that they may resolve to.
164
165             For example, "*.a.example.com:*.b.example.com,*.c.example.com"
166             will allow hostnames matching "*.a.example.com" to be canonical‐
167             ized to names in the "*.b.example.com" or "*.c.example.com"
168             domains.
169
170     CASignatureAlgorithms
171             The default is handled system-wide by crypto-policies(7).  To see
172             the defaults and how to modify this default, see manual page
173             update-crypto-policies(8).
174
175             Specifies which algorithms are allowed for signing of certifi‐
176             cates by certificate authorities (CAs).  ssh(1) will not accept
177             host certificates signed using algorithms other than those speci‐
178             fied.
179
180     CertificateFile
181             Specifies a file from which the user's certificate is read.  A
182             corresponding private key must be provided separately in order to
183             use this certificate either from an IdentityFile directive or -i
184             flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or
185             SecurityKeyProvider.
186
187             Arguments to CertificateFile may use the tilde syntax to refer to
188             a user's home directory or the tokens described in the TOKENS
189             section.
190
191             It is possible to have multiple certificate files specified in
192             configuration files; these certificates will be tried in
193             sequence.  Multiple CertificateFile directives will add to the
194             list of certificates used for authentication.
195
196     ChallengeResponseAuthentication
197             Specifies whether to use challenge-response authentication.  The
198             argument to this keyword must be yes (the default) or no.
199
200     CheckHostIP
201             If set to yes (the default), ssh(1) will additionally check the
202             host IP address in the known_hosts file.  This allows it to
203             detect if a host key changed due to DNS spoofing and will add
204             addresses of destination hosts to ~/.ssh/known_hosts in the
205             process, regardless of the setting of StrictHostKeyChecking.  If
206             the option is set to no, the check will not be executed.
207
208     Ciphers
209             The default is handled system-wide by crypto-policies(7).  To see
210             the defaults and how to modify this default, see manual page
211             update-crypto-policies(8).
212
213             Specifies the ciphers allowed and their order of preference.
214             Multiple ciphers must be comma-separated.  If the specified list
215             begins with a ‘+’ character, then the specified ciphers will be
216             appended to the built-in default set instead of replacing them.
217             If the specified list begins with a ‘-’ character, then the spec‐
218             ified ciphers (including wildcards) will be removed from the
219             built-in default set instead of replacing them.  If the specified
220             list begins with a ‘^’ character, then the specified ciphers will
221             be placed at the head of the built-in default set.
222
223             The supported ciphers are:
224
225                   3des-cbc
226                   aes128-cbc
227                   aes192-cbc
228                   aes256-cbc
229                   aes128-ctr
230                   aes192-ctr
231                   aes256-ctr
232                   aes128-gcm@openssh.com
233                   aes256-gcm@openssh.com
234                   chacha20-poly1305@openssh.com
235
236             The list of available ciphers may also be obtained using "ssh -Q
237             cipher".
238
239     ClearAllForwardings
240             Specifies that all local, remote, and dynamic port forwardings
241             specified in the configuration files or on the command line be
242             cleared.  This option is primarily useful when used from the
243             ssh(1) command line to clear port forwardings set in configura‐
244             tion files, and is automatically set by scp(1) and sftp(1).  The
245             argument must be yes or no (the default).
246
247     Compression
248             Specifies whether to use compression.  The argument must be yes
249             or no (the default).
250
251     ConnectionAttempts
252             Specifies the number of tries (one per second) to make before
253             exiting.  The argument must be an integer.  This may be useful in
254             scripts if the connection sometimes fails.  The default is 1.
255
256     ConnectTimeout
257             Specifies the timeout (in seconds) used when connecting to the
258             SSH server, instead of using the default system TCP timeout.
259             This timeout is applied both to establishing the connection and
260             to performing the initial SSH protocol handshake and key
261             exchange.
262
263     ControlMaster
264             Enables the sharing of multiple sessions over a single network
265             connection.  When set to yes, ssh(1) will listen for connections
266             on a control socket specified using the ControlPath argument.
267             Additional sessions can connect to this socket using the same
268             ControlPath with ControlMaster set to no (the default).  These
269             sessions will try to reuse the master instance's network connec‐
270             tion rather than initiating new ones, but will fall back to con‐
271             necting normally if the control socket does not exist, or is not
272             listening.
273
274             Setting this to ask will cause ssh(1) to listen for control con‐
275             nections, but require confirmation using ssh-askpass(1).  If the
276             ControlPath cannot be opened, ssh(1) will continue without con‐
277             necting to a master instance.
278
279             X11 and ssh-agent(1) forwarding is supported over these multi‐
280             plexed connections, however the display and agent forwarded will
281             be the one belonging to the master connection i.e. it is not pos‐
282             sible to forward multiple displays or agents.
283
284             Two additional options allow for opportunistic multiplexing: try
285             to use a master connection but fall back to creating a new one if
286             one does not already exist.  These options are: auto and autoask.
287             The latter requires confirmation like the ask option.
288
289     ControlPath
290             Specify the path to the control socket used for connection shar‐
291             ing as described in the ControlMaster section above or the string
292             none to disable connection sharing.  Arguments to ControlPath may
293             use the tilde syntax to refer to a user's home directory or the
294             tokens described in the TOKENS section.  It is recommended that
295             any ControlPath used for opportunistic connection sharing include
296             at least %h, %p, and %r (or alternatively %C) and be placed in a
297             directory that is not writable by other users.  This ensures that
298             shared connections are uniquely identified.
299
300     ControlPersist
301             When used in conjunction with ControlMaster, specifies that the
302             master connection should remain open in the background (waiting
303             for future client connections) after the initial client connec‐
304             tion has been closed.  If set to no (the default), then the mas‐
305             ter connection will not be placed into the background, and will
306             close as soon as the initial client connection is closed.  If set
307             to yes or 0, then the master connection will remain in the back‐
308             ground indefinitely (until killed or closed via a mechanism such
309             as the "ssh -O exit").  If set to a time in seconds, or a time in
310             any of the formats documented in sshd_config(5), then the back‐
311             grounded master connection will automatically terminate after it
312             has remained idle (with no client connections) for the specified
313             time.
314
315     DynamicForward
316             Specifies that a TCP port on the local machine be forwarded over
317             the secure channel, and the application protocol is then used to
318             determine where to connect to from the remote machine.
319
320             The argument must be [bind_address:]port.  IPv6 addresses can be
321             specified by enclosing addresses in square brackets.  By default,
322             the local port is bound in accordance with the GatewayPorts set‐
323             ting.  However, an explicit bind_address may be used to bind the
324             connection to a specific address.  The bind_address of localhost
325             indicates that the listening port be bound for local use only,
326             while an empty address or ‘*’ indicates that the port should be
327             available from all interfaces.
328
329             Currently the SOCKS4 and SOCKS5 protocols are supported, and
330             ssh(1) will act as a SOCKS server.  Multiple forwardings may be
331             specified, and additional forwardings can be given on the command
332             line.  Only the superuser can forward privileged ports.
333
334     EnableSSHKeysign
335             Setting this option to yes in the global client configuration
336             file /etc/ssh/ssh_config enables the use of the helper program
337             ssh-keysign(8) during HostbasedAuthentication.  The argument must
338             be yes or no (the default).  This option should be placed in the
339             non-hostspecific section.  See ssh-keysign(8) for more informa‐
340             tion.
341
342     EscapeChar
343             Sets the escape character (default: ‘~’).  The escape character
344             can also be set on the command line.  The argument should be a
345             single character, ‘^’ followed by a letter, or none to disable
346             the escape character entirely (making the connection transparent
347             for binary data).
348
349     ExitOnForwardFailure
350             Specifies whether ssh(1) should terminate the connection if it
351             cannot set up all requested dynamic, tunnel, local, and remote
352             port forwardings, (e.g. if either end is unable to bind and lis‐
353             ten on a specified port).  Note that ExitOnForwardFailure does
354             not apply to connections made over port forwardings and will not,
355             for example, cause ssh(1) to exit if TCP connections to the ulti‐
356             mate forwarding destination fail.  The argument must be yes or no
357             (the default).
358
359     FingerprintHash
360             Specifies the hash algorithm used when displaying key finger‐
361             prints.  Valid options are: md5 and sha256 (the default).
362
363     ForwardAgent
364             Specifies whether the connection to the authentication agent (if
365             any) will be forwarded to the remote machine.  The argument may
366             be yes, no (the default), an explicit path to an agent socket or
367             the name of an environment variable (beginning with ‘$’) in which
368             to find the path.
369
370             Agent forwarding should be enabled with caution.  Users with the
371             ability to bypass file permissions on the remote host (for the
372             agent's Unix-domain socket) can access the local agent through
373             the forwarded connection.  An attacker cannot obtain key material
374             from the agent, however they can perform operations on the keys
375             that enable them to authenticate using the identities loaded into
376             the agent.
377
378     ForwardX11
379             Specifies whether X11 connections will be automatically redi‐
380             rected over the secure channel and DISPLAY set.  The argument
381             must be yes or no (the default).
382
383             X11 forwarding should be enabled with caution.  Users with the
384             ability to bypass file permissions on the remote host (for the
385             user's X11 authorization database) can access the local X11 dis‐
386             play through the forwarded connection.  An attacker may then be
387             able to perform activities such as keystroke monitoring if the
388             ForwardX11Trusted option is also enabled.
389
390     ForwardX11Timeout
391             Specify a timeout for untrusted X11 forwarding using the format
392             described in the TIME FORMATS section of sshd_config(5).  X11
393             connections received by ssh(1) after this time will be refused.
394             Setting ForwardX11Timeout to zero will disable the timeout and
395             permit X11 forwarding for the life of the connection.  The
396             default is to disable untrusted X11 forwarding after twenty min‐
397             utes has elapsed.
398
399     ForwardX11Trusted
400             If this option is set to yes, remote X11 clients will have full
401             access to the original X11 display.
402
403             If this option is set to no (the default), remote X11 clients
404             will be considered untrusted and prevented from stealing or tam‐
405             pering with data belonging to trusted X11 clients.  Furthermore,
406             the xauth(1) token used for the session will be set to expire
407             after 20 minutes.  Remote clients will be refused access after
408             this time.
409
410             See the X11 SECURITY extension specification for full details on
411             the restrictions imposed on untrusted clients.
412
413     GatewayPorts
414             Specifies whether remote hosts are allowed to connect to local
415             forwarded ports.  By default, ssh(1) binds local port forwardings
416             to the loopback address.  This prevents other remote hosts from
417             connecting to forwarded ports.  GatewayPorts can be used to spec‐
418             ify that ssh should bind local port forwardings to the wildcard
419             address, thus allowing remote hosts to connect to forwarded
420             ports.  The argument must be yes or no (the default).
421
422     GlobalKnownHostsFile
423             Specifies one or more files to use for the global host key data‐
424             base, separated by whitespace.  The default is
425             /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
426
427     GSSAPIAuthentication
428             Specifies whether user authentication based on GSSAPI is allowed.
429             The default is no.
430
431     GSSAPIClientIdentity
432             If set, specifies the GSSAPI client identity that ssh should use
433             when connecting to the server. The default is unset, which means
434             that the default identity will be used.
435
436     GSSAPIDelegateCredentials
437             Forward (delegate) credentials to the server.  The default is no.
438
439     GSSAPIKeyExchange
440             Specifies whether key exchange based on GSSAPI may be used. When
441             using GSSAPI key exchange the server need not have a host key.
442             The default is “no”.
443
444     GSSAPIRenewalForcesRekey
445             If set to “yes” then renewal of the client's GSSAPI credentials
446             will force the rekeying of the ssh connection. With a compatible
447             server, this will delegate the renewed credentials to a session
448             on the server.
449
450             Checks are made to ensure that credentials are only propagated
451             when the new credentials match the old ones on the originating
452             client and where the receiving server still has the old set in
453             its cache.
454
455             The default is “no”.
456
457             For this to work GSSAPIKeyExchange needs to be enabled in the
458             server and also used by the client.
459
460     GSSAPIServerIdentity
461             If set, specifies the GSSAPI server identity that ssh should
462             expect when connecting to the server. The default is unset, which
463             means that the expected GSSAPI server identity will be determined
464             from the target hostname.
465
466     GSSAPITrustDns
467             Set to “yes” to indicate that the DNS is trusted to securely
468             canonicalize the name of the host being connected to. If “no”,
469             the hostname entered on the command line will be passed untouched
470             to the GSSAPI library.  The default is “no”.
471
472     GSSAPIKexAlgorithms
473             The default is handled system-wide by crypto-policies(7).  To see
474             the defaults and how to modify this default, see manual page
475             update-crypto-policies(8).
476
477             The list of key exchange algorithms that are offered for GSSAPI
478             key exchange. Possible values are
479
480                gss-gex-sha1-,
481                gss-group1-sha1-,
482                gss-group14-sha1-,
483                gss-group14-sha256-,
484                gss-group16-sha512-,
485                gss-nistp256-sha256-,
486                gss-curve25519-sha256-
487
488             This option only applies to connections using GSSAPI.
489
490     HashKnownHosts
491             Indicates that ssh(1) should hash host names and addresses when
492             they are added to ~/.ssh/known_hosts.  These hashed names may be
493             used normally by ssh(1) and sshd(8), but they do not visually
494             reveal identifying information if the file's contents are dis‐
495             closed.  The default is no.  Note that existing names and
496             addresses in known hosts files will not be converted automati‐
497             cally, but may be manually hashed using ssh-keygen(1).
498
499     HostbasedAuthentication
500             Specifies whether to try rhosts based authentication with public
501             key authentication.  The argument must be yes or no (the
502             default).
503
504     HostbasedKeyTypes
505             Specifies the key types that will be used for hostbased authenti‐
506             cation as a comma-separated list of patterns.  Alternately if the
507             specified list begins with a ‘+’ character, then the specified
508             key types will be appended to the default set instead of replac‐
509             ing them.  If the specified list begins with a ‘-’ character,
510             then the specified key types (including wildcards) will be
511             removed from the default set instead of replacing them.  If the
512             specified list begins with a ‘^’ character, then the specified
513             key types will be placed at the head of the default set.  The
514             default for this option is:
515
516                ecdsa-sha2-nistp256-cert-v01@openssh.com,
517                ecdsa-sha2-nistp384-cert-v01@openssh.com,
518                ecdsa-sha2-nistp521-cert-v01@openssh.com,
519                sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
520                ssh-ed25519-cert-v01@openssh.com,
521                sk-ssh-ed25519-cert-v01@openssh.com,
522                rsa-sha2-512-cert-v01@openssh.com,
523                rsa-sha2-256-cert-v01@openssh.com,
524                ssh-rsa-cert-v01@openssh.com,
525                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
526                sk-ecdsa-sha2-nistp256@openssh.com,
527                ssh-ed25519,sk-ssh-ed25519@openssh.com,
528                rsa-sha2-512,rsa-sha2-256,ssh-rsa
529
530             The -Q option of ssh(1) may be used to list supported key types.
531
532     HostKeyAlgorithms
533             Specifies the host key algorithms that the client wants to use in
534             order of preference.  Alternately if the specified list begins
535             with a ‘+’ character, then the specified key types will be
536             appended to the default set instead of replacing them.  If the
537             specified list begins with a ‘-’ character, then the specified
538             key types (including wildcards) will be removed from the default
539             set instead of replacing them.  If the specified list begins with
540             a ‘^’ character, then the specified key types will be placed at
541             the head of the default set.  The default for this option is:
542
543                ecdsa-sha2-nistp256-cert-v01@openssh.com,
544                ecdsa-sha2-nistp384-cert-v01@openssh.com,
545                ecdsa-sha2-nistp521-cert-v01@openssh.com,
546                sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
547                ssh-ed25519-cert-v01@openssh.com,
548                sk-ssh-ed25519-cert-v01@openssh.com,
549                rsa-sha2-512-cert-v01@openssh.com,
550                rsa-sha2-256-cert-v01@openssh.com,
551                ssh-rsa-cert-v01@openssh.com,
552                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
553                sk-ecdsa-sha2-nistp256@openssh.com,
554                ssh-ed25519,sk-ssh-ed25519@openssh.com,
555                rsa-sha2-512,rsa-sha2-256,ssh-rsa
556
557             If hostkeys are known for the destination host then this default
558             is modified to prefer their algorithms.
559
560             The list of available key types may also be obtained using "ssh
561             -Q HostKeyAlgorithms".
562
563     HostKeyAlias
564             Specifies an alias that should be used instead of the real host
565             name when looking up or saving the host key in the host key data‐
566             base files and when validating host certificates.  This option is
567             useful for tunneling SSH connections or for multiple servers run‐
568             ning on a single host.
569
570     Hostname
571             Specifies the real host name to log into.  This can be used to
572             specify nicknames or abbreviations for hosts.  Arguments to
573             Hostname accept the tokens described in the TOKENS section.
574             Numeric IP addresses are also permitted (both on the command line
575             and in Hostname specifications).  The default is the name given
576             on the command line.
577
578     IdentitiesOnly
579             Specifies that ssh(1) should only use the configured authentica‐
580             tion identity and certificate files (either the default files, or
581             those explicitly configured in the ssh_config files or passed on
582             the ssh(1) command-line), even if ssh-agent(1) or a
583             PKCS11Provider or SecurityKeyProvider offers more identities.
584             The argument to this keyword must be yes or no (the default).
585             This option is intended for situations where ssh-agent offers
586             many different identities.
587
588     IdentityAgent
589             Specifies the UNIX-domain socket used to communicate with the
590             authentication agent.
591
592             This option overrides the SSH_AUTH_SOCK environment variable and
593             can be used to select a specific agent.  Setting the socket name
594             to none disables the use of an authentication agent.  If the
595             string "SSH_AUTH_SOCK" is specified, the location of the socket
596             will be read from the SSH_AUTH_SOCK environment variable.  Other‐
597             wise if the specified value begins with a ‘$’ character, then it
598             will be treated as an environment variable containing the loca‐
599             tion of the socket.
600
601             Arguments to IdentityAgent may use the tilde syntax to refer to a
602             user's home directory or the tokens described in the TOKENS sec‐
603             tion.
604
605     IdentityFile
606             Specifies a file from which the user's DSA, ECDSA, authenticator-
607             hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA
608             authentication identity is read.  The default is ~/.ssh/id_dsa,
609             ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
610             ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa.  Additionally, any iden‐
611             tities represented by the authentication agent will be used for
612             authentication unless IdentitiesOnly is set.  If no certificates
613             have been explicitly specified by CertificateFile, ssh(1) will
614             try to load certificate information from the filename obtained by
615             appending -cert.pub to the path of a specified IdentityFile.
616
617             Arguments to IdentityFile may use the tilde syntax to refer to a
618             user's home directory or the tokens described in the TOKENS sec‐
619             tion.
620
621             It is possible to have multiple identity files specified in con‐
622             figuration files; all these identities will be tried in sequence.
623             Multiple IdentityFile directives will add to the list of identi‐
624             ties tried (this behaviour differs from that of other configura‐
625             tion directives).
626
627             IdentityFile may be used in conjunction with IdentitiesOnly to
628             select which identities in an agent are offered during authenti‐
629             cation.  IdentityFile may also be used in conjunction with
630             CertificateFile in order to provide any certificate also needed
631             for authentication with the identity.
632
633             The authentication identity can be also specified in a form of
634             PKCS#11 URI starting with a string pkcs11:.  There is supported a
635             subset of the PKCS#11 URI as defined in RFC 7512 (implemented
636             path arguments id, manufacturer, object, token and query argu‐
637             ments module-path and pin-value ). The URI can not be in quotes.
638
639     IgnoreUnknown
640             Specifies a pattern-list of unknown options to be ignored if they
641             are encountered in configuration parsing.  This may be used to
642             suppress errors if ssh_config contains options that are unrecog‐
643             nised by ssh(1).  It is recommended that IgnoreUnknown be listed
644             early in the configuration file as it will not be applied to
645             unknown options that appear before it.
646
647     Include
648             Include the specified configuration file(s).  Multiple pathnames
649             may be specified and each pathname may contain glob(7) wildcards
650             and, for user configurations, shell-like ‘~’ references to user
651             home directories.  Files without absolute paths are assumed to be
652             in ~/.ssh if included in a user configuration file or /etc/ssh if
653             included from the system configuration file.  Include directive
654             may appear inside a Match or Host block to perform conditional
655             inclusion.
656
657     IPQoS   Specifies the IPv4 type-of-service or DSCP class for connections.
658             Accepted values are af11, af12, af13, af21, af22, af23, af31,
659             af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6,
660             cs7, ef, le, lowdelay, throughput, reliability, a numeric value,
661             or none to use the operating system default.  This option may
662             take one or two arguments, separated by whitespace.  If one argu‐
663             ment is specified, it is used as the packet class uncondition‐
664             ally.  If two values are specified, the first is automatically
665             selected for interactive sessions and the second for non-interac‐
666             tive sessions.  The default is af21 (Low-Latency Data) for inter‐
667             active sessions and cs1 (Lower Effort) for non-interactive ses‐
668             sions.
669
670     KbdInteractiveAuthentication
671             Specifies whether to use keyboard-interactive authentication.
672             The argument to this keyword must be yes (the default) or no.
673
674     KbdInteractiveDevices
675             Specifies the list of methods to use in keyboard-interactive
676             authentication.  Multiple method names must be comma-separated.
677             The default is to use the server specified list.  The methods
678             available vary depending on what the server supports.  For an
679             OpenSSH server, it may be zero or more of: bsdauth and pam.
680
681     KexAlgorithms
682             The default is handled system-wide by crypto-policies(7).  To see
683             the defaults and how to modify this default, see manual page
684             update-crypto-policies(8).
685
686             Specifies the available KEX (Key Exchange) algorithms.  Multiple
687             algorithms must be comma-separated.  If the specified list begins
688             with a ‘+’ character, then the specified methods will be appended
689             to the built-in default set instead of replacing them.  If the
690             specified list begins with a ‘-’ character, then the specified
691             methods (including wildcards) will be removed from the built-in
692             default set instead of replacing them.  If the specified list
693             begins with a ‘^’ character, then the specified methods will be
694             placed at the head of the built-in default set.
695
696             The list of available key exchange algorithms may also be
697             obtained using "ssh -Q kex".
698
699     LocalCommand
700             Specifies a command to execute on the local machine after suc‐
701             cessfully connecting to the server.  The command string extends
702             to the end of the line, and is executed with the user's shell.
703             Arguments to LocalCommand accept the tokens described in the
704             TOKENS section.
705
706             The command is run synchronously and does not have access to the
707             session of the ssh(1) that spawned it.  It should not be used for
708             interactive commands.
709
710             This directive is ignored unless PermitLocalCommand has been
711             enabled.
712
713     LocalForward
714             Specifies that a TCP port on the local machine be forwarded over
715             the secure channel to the specified host and port from the remote
716             machine.  The first argument must be [bind_address:]port and the
717             second argument must be host:hostport.  IPv6 addresses can be
718             specified by enclosing addresses in square brackets.  Multiple
719             forwardings may be specified, and additional forwardings can be
720             given on the command line.  Only the superuser can forward privi‐
721             leged ports.  By default, the local port is bound in accordance
722             with the GatewayPorts setting.  However, an explicit bind_address
723             may be used to bind the connection to a specific address.  The
724             bind_address of localhost indicates that the listening port be
725             bound for local use only, while an empty address or ‘*’ indicates
726             that the port should be available from all interfaces.
727
728     LogLevel
729             Gives the verbosity level that is used when logging messages from
730             ssh(1).  The possible values are: QUIET, FATAL, ERROR, INFO, VER‐
731             BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
732             DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
733             higher levels of verbose output.
734
735     MACs    The default is handled system-wide by crypto-policies(7).  To see
736             the defaults and how to modify this default, see manual page
737             update-crypto-policies(8).
738
739             Specifies the MAC (message authentication code) algorithms in
740             order of preference.  The MAC algorithm is used for data
741             integrity protection.  Multiple algorithms must be comma-sepa‐
742             rated.  If the specified list begins with a ‘+’ character, then
743             the specified algorithms will be appended to the built-in default
744             set instead of replacing them.  If the specified list begins with
745             a ‘-’ character, then the specified algorithms (including wild‐
746             cards) will be removed from the built-in default set instead of
747             replacing them.  If the specified list begins with a ‘^’ charac‐
748             ter, then the specified algorithms will be placed at the head of
749             the built-in default set.
750
751             The algorithms that contain "-etm" calculate the MAC after
752             encryption (encrypt-then-mac).  These are considered safer and
753             their use recommended.
754
755             The list of available MAC algorithms may also be obtained using
756             "ssh -Q mac".
757
758     NoHostAuthenticationForLocalhost
759             Disable host authentication for localhost (loopback addresses).
760             The argument to this keyword must be yes or no (the default).
761
762     NumberOfPasswordPrompts
763             Specifies the number of password prompts before giving up.  The
764             argument to this keyword must be an integer.  The default is 3.
765
766     PasswordAuthentication
767             Specifies whether to use password authentication.  The argument
768             to this keyword must be yes (the default) or no.
769
770     PermitLocalCommand
771             Allow local command execution via the LocalCommand option or
772             using the !command escape sequence in ssh(1).  The argument must
773             be yes or no (the default).
774
775     PKCS11Provider
776             Specifies which PKCS#11 provider to use or none to indicate that
777             no provider should be used (the default).  The argument to this
778             keyword is a path to the PKCS#11 shared library ssh(1) should use
779             to communicate with a PKCS#11 token providing keys for user
780             authentication.
781
782     Port    Specifies the port number to connect on the remote host.  The
783             default is 22.
784
785     PreferredAuthentications
786             Specifies the order in which the client should try authentication
787             methods.  This allows a client to prefer one method (e.g.
788             keyboard-interactive) over another method (e.g. password).  The
789             default is:
790
791                   gssapi-with-mic,hostbased,publickey,
792                   keyboard-interactive,password
793
794     ProxyCommand
795             Specifies the command to use to connect to the server.  The com‐
796             mand string extends to the end of the line, and is executed using
797             the user's shell ‘exec’ directive to avoid a lingering shell
798             process.
799
800             Arguments to ProxyCommand accept the tokens described in the
801             TOKENS section.  The command can be basically anything, and
802             should read from its standard input and write to its standard
803             output.  It should eventually connect an sshd(8) server running
804             on some machine, or execute sshd -i somewhere.  Host key manage‐
805             ment will be done using the Hostname of the host being connected
806             (defaulting to the name typed by the user).  Setting the command
807             to none disables this option entirely.  Note that CheckHostIP is
808             not available for connects with a proxy command.
809
810             This directive is useful in conjunction with nc(1) and its proxy
811             support.  For example, the following directive would connect via
812             an HTTP proxy at 192.0.2.0:
813
814                ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
815
816     ProxyJump
817             Specifies one or more jump proxies as either [user@]host[:port]
818             or an ssh URI.  Multiple proxies may be separated by comma char‐
819             acters and will be visited sequentially.  Setting this option
820             will cause ssh(1) to connect to the target host by first making a
821             ssh(1) connection to the specified ProxyJump host and then estab‐
822             lishing a TCP forwarding to the ultimate target from there.
823
824             Note that this option will compete with the ProxyCommand option -
825             whichever is specified first will prevent later instances of the
826             other from taking effect.
827
828             Note also that the configuration for the destination host (either
829             supplied via the command-line or the configuration file) is not
830             generally applied to jump hosts.  ~/.ssh/config should be used if
831             specific configuration is required for jump hosts.
832
833     ProxyUseFdpass
834             Specifies that ProxyCommand will pass a connected file descriptor
835             back to ssh(1) instead of continuing to execute and pass data.
836             The default is no.
837
838     PubkeyAcceptedKeyTypes
839             The default is handled system-wide by crypto-policies(7).  To see
840             the defaults and how to modify this default, see manual page
841             update-crypto-policies(8).
842
843             Specifies the key types that will be used for public key authen‐
844             tication as a comma-separated list of patterns.  If the specified
845             list begins with a ‘+’ character, then the key types after it
846             will be appended to the built-in default instead of replacing it.
847             If the specified list begins with a ‘-’ character, then the spec‐
848             ified key types (including wildcards) will be removed from the
849             built-in default set instead of replacing them.  If the specified
850             list begins with a ‘^’ character, then the specified key types
851             will be placed at the head of the built-in default set.
852
853             The list of available key types may also be obtained using "ssh
854             -Q PubkeyAcceptedKeyTypes".
855
856     PubkeyAuthentication
857             Specifies whether to try public key authentication.  The argument
858             to this keyword must be yes (the default) or no.
859
860     RekeyLimit
861             Specifies the maximum amount of data that may be transmitted
862             before the session key is renegotiated, optionally followed a
863             maximum amount of time that may pass before the session key is
864             renegotiated.  The first argument is specified in bytes and may
865             have a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes,
866             Megabytes, or Gigabytes, respectively.  The default is between
867             ‘1G’ and ‘4G’, depending on the cipher.  The optional second
868             value is specified in seconds and may use any of the units docu‐
869             mented in the TIME FORMATS section of sshd_config(5).  The
870             default value for RekeyLimit is default none, which means that
871             rekeying is performed after the cipher's default amount of data
872             has been sent or received and no time based rekeying is done.
873
874     RemoteCommand
875             Specifies a command to execute on the remote machine after suc‐
876             cessfully connecting to the server.  The command string extends
877             to the end of the line, and is executed with the user's shell.
878             Arguments to RemoteCommand accept the tokens described in the
879             TOKENS section.
880
881     RemoteForward
882             Specifies that a TCP port on the remote machine be forwarded over
883             the secure channel.  The remote port may either be forwarded to a
884             specified host and port from the local machine, or may act as a
885             SOCKS 4/5 proxy that allows a remote client to connect to arbi‐
886             trary destinations from the local machine.  The first argument
887             must be [bind_address:]port If forwarding to a specific destina‐
888             tion then the second argument must be host:hostport, otherwise if
889             no destination argument is specified then the remote forwarding
890             will be established as a SOCKS proxy.
891
892             IPv6 addresses can be specified by enclosing addresses in square
893             brackets.  Multiple forwardings may be specified, and additional
894             forwardings can be given on the command line.  Privileged ports
895             can be forwarded only when logging in as root on the remote
896             machine.
897
898             If the port argument is 0, the listen port will be dynamically
899             allocated on the server and reported to the client at run time.
900
901             If the bind_address is not specified, the default is to only bind
902             to loopback addresses.  If the bind_address is ‘*’ or an empty
903             string, then the forwarding is requested to listen on all inter‐
904             faces.  Specifying a remote bind_address will only succeed if the
905             server's GatewayPorts option is enabled (see sshd_config(5)).
906
907     RequestTTY
908             Specifies whether to request a pseudo-tty for the session.  The
909             argument may be one of: no (never request a TTY), yes (always
910             request a TTY when standard input is a TTY), force (always
911             request a TTY) or auto (request a TTY when opening a login ses‐
912             sion).  This option mirrors the -t and -T flags for ssh(1).
913
914     RevokedHostKeys
915             Specifies revoked host public keys.  Keys listed in this file
916             will be refused for host authentication.  Note that if this file
917             does not exist or is not readable, then host authentication will
918             be refused for all hosts.  Keys may be specified as a text file,
919             listing one public key per line, or as an OpenSSH Key Revocation
920             List (KRL) as generated by ssh-keygen(1).  For more information
921             on KRLs, see the KEY REVOCATION LISTS section in ssh-keygen(1).
922
923     SecurityKeyProvider
924             Specifies a path to a library that will be used when loading any
925             FIDO authenticator-hosted keys, overriding the default of using
926             the built-in USB HID support.
927
928             If the specified value begins with a ‘$’ character, then it will
929             be treated as an environment variable containing the path to the
930             library.
931
932     SendEnv
933             Specifies what variables from the local environ(7) should be sent
934             to the server.  The server must also support it, and the server
935             must be configured to accept these environment variables.  Note
936             that the TERM environment variable is always sent whenever a
937             pseudo-terminal is requested as it is required by the protocol.
938             Refer to AcceptEnv in sshd_config(5) for how to configure the
939             server.  Variables are specified by name, which may contain wild‐
940             card characters.  Multiple environment variables may be separated
941             by whitespace or spread across multiple SendEnv directives.
942
943             See PATTERNS for more information on patterns.
944
945             It is possible to clear previously set SendEnv variable names by
946             prefixing patterns with -.  The default is not to send any envi‐
947             ronment variables.
948
949     ServerAliveCountMax
950             Sets the number of server alive messages (see below) which may be
951             sent without ssh(1) receiving any messages back from the server.
952             If this threshold is reached while server alive messages are
953             being sent, ssh will disconnect from the server, terminating the
954             session.  It is important to note that the use of server alive
955             messages is very different from TCPKeepAlive (below).  The server
956             alive messages are sent through the encrypted channel and there‐
957             fore will not be spoofable.  The TCP keepalive option enabled by
958             TCPKeepAlive is spoofable.  The server alive mechanism is valu‐
959             able when the client or server depend on knowing when a connec‐
960             tion has become unresponsive.
961
962             The default value is 3.  If, for example, ServerAliveInterval
963             (see below) is set to 15 and ServerAliveCountMax is left at the
964             default, if the server becomes unresponsive, ssh will disconnect
965             after approximately 45 seconds.
966
967     ServerAliveInterval
968             Sets a timeout interval in seconds after which if no data has
969             been received from the server, ssh(1) will send a message through
970             the encrypted channel to request a response from the server.  The
971             default is 0, indicating that these messages will not be sent to
972             the server.
973
974     SetEnv  Directly specify one or more environment variables and their con‐
975             tents to be sent to the server.  Similarly to SendEnv, the server
976             must be prepared to accept the environment variable.
977
978     StreamLocalBindMask
979             Sets the octal file creation mode mask (umask) used when creating
980             a Unix-domain socket file for local or remote port forwarding.
981             This option is only used for port forwarding to a Unix-domain
982             socket file.
983
984             The default value is 0177, which creates a Unix-domain socket
985             file that is readable and writable only by the owner.  Note that
986             not all operating systems honor the file mode on Unix-domain
987             socket files.
988
989     StreamLocalBindUnlink
990             Specifies whether to remove an existing Unix-domain socket file
991             for local or remote port forwarding before creating a new one.
992             If the socket file already exists and StreamLocalBindUnlink is
993             not enabled, ssh will be unable to forward the port to the Unix-
994             domain socket file.  This option is only used for port forwarding
995             to a Unix-domain socket file.
996
997             The argument must be yes or no (the default).
998
999     StrictHostKeyChecking
1000             If this flag is set to yes, ssh(1) will never automatically add
1001             host keys to the ~/.ssh/known_hosts file, and refuses to connect
1002             to hosts whose host key has changed.  This provides maximum pro‐
1003             tection against man-in-the-middle (MITM) attacks, though it can
1004             be annoying when the /etc/ssh/ssh_known_hosts file is poorly
1005             maintained or when connections to new hosts are frequently made.
1006             This option forces the user to manually add all new hosts.
1007
1008             If this flag is set to “accept-new” then ssh will automatically
1009             add new host keys to the user known hosts files, but will not
1010             permit connections to hosts with changed host keys.  If this flag
1011             is set to “no” or “off”, ssh will automatically add new host keys
1012             to the user known hosts files and allow connections to hosts with
1013             changed hostkeys to proceed, subject to some restrictions.  If
1014             this flag is set to ask (the default), new host keys will be
1015             added to the user known host files only after the user has con‐
1016             firmed that is what they really want to do, and ssh will refuse
1017             to connect to hosts whose host key has changed.  The host keys of
1018             known hosts will be verified automatically in all cases.
1019
1020     SyslogFacility
1021             Gives the facility code that is used when logging messages from
1022             ssh(1).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
1023             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
1024             default is USER.
1025
1026     TCPKeepAlive
1027             Specifies whether the system should send TCP keepalive messages
1028             to the other side.  If they are sent, death of the connection or
1029             crash of one of the machines will be properly noticed.  However,
1030             this means that connections will die if the route is down tempo‐
1031             rarily, and some people find it annoying.
1032
1033             The default is yes (to send TCP keepalive messages), and the
1034             client will notice if the network goes down or the remote host
1035             dies.  This is important in scripts, and many users want it too.
1036
1037             To disable TCP keepalive messages, the value should be set to no.
1038             See also ServerAliveInterval for protocol-level keepalives.
1039
1040     Tunnel  Request tun(4) device forwarding between the client and the
1041             server.  The argument must be yes, point-to-point (layer 3),
1042             ethernet (layer 2), or no (the default).  Specifying yes requests
1043             the default tunnel mode, which is point-to-point.
1044
1045     TunnelDevice
1046             Specifies the tun(4) devices to open on the client (local_tun)
1047             and the server (remote_tun).
1048
1049             The argument must be local_tun[:remote_tun].  The devices may be
1050             specified by numerical ID or the keyword any, which uses the next
1051             available tunnel device.  If remote_tun is not specified, it
1052             defaults to any.  The default is any:any.
1053
1054     UpdateHostKeys
1055             Specifies whether ssh(1) should accept notifications of addi‐
1056             tional hostkeys from the server sent after authentication has
1057             completed and add them to UserKnownHostsFile.  The argument must
1058             be yes, no or ask.  This option allows learning alternate
1059             hostkeys for a server and supports graceful key rotation by
1060             allowing a server to send replacement public keys before old ones
1061             are removed.  Additional hostkeys are only accepted if the key
1062             used to authenticate the host was already trusted or explicitly
1063             accepted by the user.
1064
1065             UpdateHostKeys is enabled by default if the user has not overrid‐
1066             den the default UserKnownHostsFile setting, otherwise
1067             UpdateHostKeys will be set to ask.
1068
1069             If UpdateHostKeys is set to ask, then the user is asked to con‐
1070             firm the modifications to the known_hosts file.  Confirmation is
1071             currently incompatible with ControlPersist, and will be disabled
1072             if it is enabled.
1073
1074             Presently, only sshd(8) from OpenSSH 6.8 and greater support the
1075             "hostkeys@openssh.com" protocol extension used to inform the
1076             client of all the server's hostkeys.
1077
1078     User    Specifies the user to log in as.  This can be useful when a dif‐
1079             ferent user name is used on different machines.  This saves the
1080             trouble of having to remember to give the user name on the com‐
1081             mand line.
1082
1083     UserKnownHostsFile
1084             Specifies one or more files to use for the user host key data‐
1085             base, separated by whitespace.  The default is
1086             ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
1087
1088     VerifyHostKeyDNS
1089             Specifies whether to verify the remote key using DNS and SSHFP
1090             resource records.  If this option is set to yes, the client will
1091             implicitly trust keys that match a secure fingerprint from DNS.
1092             Insecure fingerprints will be handled as if this option was set
1093             to ask.  If this option is set to ask, information on fingerprint
1094             match will be displayed, but the user will still need to confirm
1095             new host keys according to the StrictHostKeyChecking option.  The
1096             default is no.
1097
1098             See also VERIFYING HOST KEYS in ssh(1).
1099
1100     VisualHostKey
1101             If this flag is set to yes, an ASCII art representation of the
1102             remote host key fingerprint is printed in addition to the finger‐
1103             print string at login and for unknown host keys.  If this flag is
1104             set to no (the default), no fingerprint strings are printed at
1105             login and only the fingerprint string will be printed for unknown
1106             host keys.
1107
1108     XAuthLocation
1109             Specifies the full pathname of the xauth(1) program.  The default
1110             is /usr/bin/xauth.
1111

PATTERNS

1113     A pattern consists of zero or more non-whitespace characters, ‘*’ (a
1114     wildcard that matches zero or more characters), or ‘?’ (a wildcard that
1115     matches exactly one character).  For example, to specify a set of decla‐
1116     rations for any host in the ".co.uk" set of domains, the following pat‐
1117     tern could be used:
1118
1119           Host *.co.uk
1120
1121     The following pattern would match any host in the 192.168.0.[0-9] network
1122     range:
1123
1124           Host 192.168.0.?
1125
1126     A pattern-list is a comma-separated list of patterns.  Patterns within
1127     pattern-lists may be negated by preceding them with an exclamation mark
1128     (‘!’).  For example, to allow a key to be used from anywhere within an
1129     organization except from the "dialup" pool, the following entry (in
1130     authorized_keys) could be used:
1131
1132           from="!*.dialup.example.com,*.example.com"
1133
1134     Note that a negated match will never produce a positive result by itself.
1135     For example, attempting to match "host3" against the following pattern-
1136     list will fail:
1137
1138           from="!host1,!host2"
1139
1140     The solution here is to include a term that will yield a positive match,
1141     such as a wildcard:
1142
1143           from="!host1,!host2,*"
1144

TOKENS

1146     Arguments to some keywords can make use of tokens, which are expanded at
1147     runtime:
1148
1149           %%    A literal ‘%’.
1150           %C    Hash of %l%h%p%r.
1151           %d    Local user's home directory.
1152           %h    The remote hostname.
1153           %i    The local user ID.
1154           %L    The local hostname.
1155           %l    The local hostname, including the domain name.
1156           %n    The original remote hostname, as given on the command line.
1157           %p    The remote port.
1158           %r    The remote username.
1159           %T    The local tun(4) or tap(4) network interface assigned if tun‐
1160                 nel forwarding was requested, or "NONE" otherwise.
1161           %u    The local username.
1162
1163     Match exec accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.
1164
1165     CertificateFile accepts the tokens %%, %d, %h, %i, %l, %r, and %u.
1166
1167     ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and
1168     %u.
1169
1170     Hostname accepts the tokens %% and %h.
1171
1172     IdentityAgent and IdentityFile accept the tokens %%, %d, %h, %i, %l, %r,
1173     and %u.
1174
1175     LocalCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T,
1176     and %u.
1177
1178     ProxyCommand accepts the tokens %%, %h, %n, %p, and %r.
1179
1180     RemoteCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and
1181     %u.
1182

FILES

1184     ~/.ssh/config
1185             This is the per-user configuration file.  The format of this file
1186             is described above.  This file is used by the SSH client.
1187             Because of the potential for abuse, this file must have strict
1188             permissions: read/write for the user, and not writable by others.
1189
1190     /etc/ssh/ssh_config
1191             Systemwide configuration file.  This file provides defaults for
1192             those values that are not specified in the user's configuration
1193             file, and for those users who do not have a configuration file.
1194             This file must be world-readable.
1195

SEE ALSO

1197     ssh(1)
1198

AUTHORS

1200     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
1201     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
1202     de Raadt and Dug Song removed many bugs, re-added newer features and cre‐
1203     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
1204     versions 1.5 and 2.0.
1205
1206BSD                              May 10, 2020                              BSD
Impressum