ssh_config(4)                    File Formats                    ssh_config(4)

NAME
    ssh_config - ssh configuration file

SYNOPSIS
    /etc/ssh/ssh_config

    $HOME/.ssh/config

DESCRIPTION
    The first ssh_config path, above, provides the system-wide defaults for
    ssh(1). The second version is user-specific defaults for ssh.

    ssh obtains configuration data from the following sources, in this
    order: command line options, user's configuration file
    ($HOME/.ssh/config), and system-wide configuration file
    (/etc/ssh/ssh_config). For each parameter, the first obtained value is
    used. The configuration files contain sections bracketed by Host
    specifications, and that section is applied only for hosts that match
    one of the patterns given in the specification. The matched host name
    is the one given on the command line.

    Since the first obtained value for each parameter is used, host-specific
    declarations should be given near the beginning of the file, and
    general defaults at the end.

    The configuration file has the following format and syntax:

    o   Empty lines and lines starting with # are comments.

    o   Non-commented lines are of the form:

            keyword arguments

    o   Configuration options can be separated by white space or optional
        whitespace and exactly one equal sign. The latter format allows you
        to avoid the need to quote white space when specifying
        configuration options using the -o option to ssh, scp, and sftp.

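    As an added example (not part of this man page and not the ssh(1)
    implementation), the following Python model applies the lookup rules
    just described to a constructed sample file: comment and blank lines
    are skipped, keywords are case-insensitive, "keyword value" and
    "keyword=value" are both accepted, Host patterns use * and ? against
    the command-line host name, and the first value obtained for a keyword
    wins, which is why the host-specific sections come before "Host *".

```python
"""Model of the ssh_config(4) lookup rules: first obtained value wins,
Host patterns select sections, keywords are case-insensitive.
Added example, not ssh(1) code; the sample config is constructed."""
import re

# Constructed sample: host-specific sections first, global defaults last,
# as the man page recommends, because the first value seen is the one used.
SAMPLE_CONFIG = """\
# per-host settings come first
Host bastion bastion.example.test
    HostName bastion.example.test
    User ops
    ForwardAgent no
    StrictHostKeyChecking yes

Host *.example.test
    User deploy
    Port=2222

# general defaults at the end
Host *
    ForwardAgent yes
    StrictHostKeyChecking ask
    Port 22
"""

# keyword, then either whitespace or an optional-whitespace '=' separator
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$')


def parse_config(text):
    """Return [(patterns, [(keyword_lowercase, value), ...]), ...].
    Declarations before any Host line apply to every host (pattern '*')."""
    sections = []
    patterns, decls = ['*'], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # comment or empty line
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError('malformed line: %r' % raw)
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == 'host':
            sections.append((patterns, decls))
            patterns, decls = value.split(), []   # new section, may list several patterns
        else:
            decls.append((keyword, value))
    sections.append((patterns, decls))
    return sections


def host_matches(patterns, host):
    """Host patterns: * matches any run of characters, ? a single character.
    The host compared is the name typed on the command line, uncanonicalized."""
    for p in patterns:
        regex = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                        for c in p)
        if re.match('^' + regex + '$', host):
            return True
    return False


def resolve(sections, host, keyword, default=None):
    """First value for the keyword in a matching section wins; later ones are ignored."""
    keyword = keyword.lower()             # keywords are case-insensitive
    for patterns, decls in sections:
        if not host_matches(patterns, host):
            continue
        for k, v in decls:
            if k == keyword:
                return v                  # arguments keep their case
    return default


def effective_settings(text, host, keywords):
    """Resolve several keywords for one host from a config file's text."""
    sections = parse_config(text)
    return {k: resolve(sections, host, k) for k in keywords}
```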
    The possible keywords and their meanings are listed in the following
    list. Keywords are case-insensitive and arguments are case-sensitive.

    BatchMode

        The argument must be yes or no. If set to yes, passphrase/password
        querying is disabled. This option is useful in scripts and other
        batch jobs where you have no user to supply the password.

    BindAddress

        Specify the interface to transmit from on machines with multiple
        interfaces or aliased addresses. This option does not work if
        UsePrivilegedPort is set to yes.

    CheckHostIP

        If this flag is set to yes, ssh additionally checks the host IP
        address in the known_hosts file. This allows ssh to detect if a
        host key changed due to DNS spoofing. If the option is set to no,
        the check is not executed.

    Cipher

        Specifies the cipher to use for encrypting the session in protocol
        version 1. Only a single cipher can be specified. Currently,
        blowfish, 3des, and des are supported. 3des (triple-des) is an
        encrypt-decrypt-encrypt triple with three different keys. It is
        believed to be secure. blowfish is a fast block cipher. It appears
        very secure and is much faster than 3des. des is only supported in
        the ssh client for interoperability with legacy protocol 1
        implementations that do not support the 3des cipher. Its use is
        strongly discouraged due to cryptographic weaknesses. The default
        is 3des.

    Ciphers

        Specifies the ciphers allowed for protocol version 2 in order of
        preference. Multiple ciphers must be comma separated.

        The default cipher list contains all supported ciphers in this
        order:

            aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256,
            arcfour, aes128-cbc, aes192-cbc, aes256-cbc, arcfour, 3des-cbc,
            blowfish-cbc

        While CBC modes are not considered as secure as other modes in
        connection with the SSH protocol 2, they are present at the back of
        the default client cipher list for backward compatibility with SSH
        servers that do not support other cipher modes.

    ClearAllForwardings

        Specifies that all local, remote, and dynamic port forwardings
        specified in the configuration files or on the command line be
        cleared. This option is primarily useful when used from the ssh
        command line to clear port forwardings set in configuration files
        and is automatically set by scp(1) and sftp(1). The argument must
        be yes or no. The default is no.

    Compression

        Specifies whether to use compression. The argument must be yes or
        no. Defaults to no.

    CompressionLevel

        Specifies the compression level to use if compression is enabled.
        The argument must be an integer from 1 (fast) to 9 (slow, best).
        The default level is 6, which is good for most applications. This
        option applies to protocol version 1 only.

    ConnectionAttempts

        Specifies the number of tries (one per second) to make before
        falling back to rsh or exiting. The argument must be an integer.
        This can be useful in scripts if the connection sometimes fails.
        The default is 1.

    ConnectTimeout

        Specifies the timeout (in seconds) used when connecting to the ssh
        server, instead of using the default system TCP timeout. This value
        is used only when the target is down or truly unreachable, not when
        it refuses the connection.

    DisableBanner

        If set to yes, disables the display of the banner message. If set
        to in-exec-mode, disables the display of the banner message when in
        remote command mode only.

        The default value is no, which means that the banner is displayed
        unless the log level is QUIET, FATAL, or ERROR. See also the Banner
        option in sshd_config(4). This option applies to protocol version 2
        only.

    DynamicForward

        Specifies that a TCP/IP port on the local machine be forwarded over
        the secure channel. The application protocol is then used to
        determine where to connect to from the remote machine.

        The argument must be [bind_address:]port. IPv6 addresses can be
        specified by enclosing addresses in square brackets or by using an
        alternative syntax: [bind_address/]port. By default, the local port
        is bound in accordance with the GatewayPorts setting. However, an
        explicit bind_address can be used to bind the connection to a
        specific address. The bind_address of localhost indicates that the
        listening port be bound for local use only, while an empty address
        or * indicates that the port should be available from all
        interfaces.

        Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh
        acts as a SOCKS server. Multiple forwardings can be specified and
        additional forwardings can be specified on the command line. Only a
        user with enough privileges can forward privileged ports.

    EscapeChar

        Sets the escape character. The default is tilde (~). The escape
        character can also be set on the command line. The argument should
        be a single character, ^ followed by a letter, or none to disable
        the escape character entirely (making the connection transparent
        for binary data).

    FallBackToRsh

        Specifies that if connecting with ssh fails due to a connection
        refused error (there is no sshd(1M) listening on the remote host),
        rsh(1) should automatically be used instead (after a suitable
        warning about the session being unencrypted). The argument must be
        yes or no.

    ForwardAgent

        Specifies whether the connection to the authentication agent (if
        any) is forwarded to the remote machine. The argument must be yes
        or no. The default is no.

        Agent forwarding should be enabled with caution. Users with the
        ability to bypass file permissions on the remote host (for the
        agent's Unix-domain socket) can access the local agent through the
        forwarded connection. An attacker cannot obtain key material from
        the agent; however, he can perform operations on the keys that
        enable him to authenticate using the identities loaded into the
        agent.

    ForwardX11

        Specifies whether X11 connections are automatically redirected over
        the secure channel and DISPLAY set. The argument must be yes or no.
        The default is no.

        X11 forwarding should be enabled with caution. Users with the
        ability to bypass file permissions on the remote host (for the
        user's X authorization database) can access the local X11 display
        through the forwarded connection. An attacker might then be able to
        perform activities such as keystroke monitoring. See the
        ForwardX11Trusted option for more information on how to prevent
        this.

    ForwardX11Trusted

        If this option is set to yes, remote X11 clients have full access
        to the original X11 display. This option is set to yes by default.

        If this option is set to no, remote X11 clients are considered
        untrusted and prevented from stealing or tampering with data
        belonging to trusted X11 clients. Furthermore, the xauth(1) token
        used for the session is set to expire after 20 minutes. Remote
        clients are refused access after this time.

        See the X11 SECURITY extension specification for full details on
        the restrictions imposed on untrusted clients.

    GatewayPorts

        Specifies whether remote hosts are allowed to connect to local
        forwarded ports. By default, ssh binds local port forwardings to
        the loopback address. This prevents other remote hosts from
        connecting to forwarded ports. GatewayPorts can be used to specify
        that ssh should bind local port forwardings to the wildcard
        address, thus allowing remote hosts to connect to forwarded ports.
        The argument must be yes or no. The default is no.

    GlobalKnownHostsFile

        Specifies a file to use instead of /etc/ssh/ssh_known_hosts.

    GSSAPIAuthentication

        Enables/disables GSS-API user authentication. The default is yes.

    GSSAPIDelegateCredentials

        Enables/disables GSS-API credential forwarding. The default is no.

    GSSAPIKeyExchange

        Enables/disables GSS-API-authenticated key exchanges. The default
        is yes.

        This option is intended primarily to allow users to disable the use
        of GSS-API key exchange for SSHv2 when it would otherwise be
        selected and then fail (due to server misconfiguration, for
        example). SSHv2 key exchange failure always results in
        disconnection.

        This option also enables the use of the GSS-API to authenticate the
        user to the server after the key exchange. GSS-API key exchange can
        succeed but the subsequent authentication using the GSS-API fail if
        the server does not authorize the user's GSS principal name to the
        target user account.

    HashKnownHosts

        Indicates that ssh(1) should hash host names and addresses when
        they are added to ~/.ssh/known_hosts. These hashed names can be
        used normally by ssh(1) and sshd(1M), but they do not reveal
        identifying information should the file's contents be disclosed.
        The default is no. Existing names and addresses in known hosts
        files are not converted automatically, but can be manually hashed
        using ssh-keygen(1).
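        The hashed-name handling described for HashKnownHosts, as an added
        example in Python (not this man page's or ssh's own code). It
        assumes the OpenSSH hashed entry format, "|1|<base64 salt>|<base64
        HMAC-SHA1(salt, hostname)>", which is not stated on this page; the
        known_hosts sample and its key blobs are constructed placeholders.

```python
"""Match host names against hashed known_hosts entries and hash plain ones.
Added example, not ssh's code. Assumed (OpenSSH) format of a hashed name:
'|1|' + base64(salt) + '|' + base64(HMAC-SHA1 keyed with salt over hostname).
The salt is 20 random bytes; a host on a non-standard port is hashed as
'[host]:port'. The sample file below is constructed; the keys are not real."""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = '|1|'


def hash_hostname(hostname, salt=None):
    """Produce the hashed name field; a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(hashlib.sha1().digest_size)   # 20 bytes
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + '|' + base64.b64encode(mac).decode())


def hashed_name_matches(hashed, hostname):
    """Recompute the HMAC with the entry's own salt and compare in constant time."""
    if not hashed.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = hashed[len(HASH_MAGIC):].split('|', 1)
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:                # binascii.Error is a ValueError
        return False
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def find_host_key(known_hosts_text, hostname):
    """Return (keytype, keyblob) for hostname, or None. Plain name fields are
    comma-separated lists of names/addresses; hashed fields hold one name."""
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        names, keytype, keyblob = fields[0], fields[1], fields[2]
        if names.startswith(HASH_MAGIC):
            matched = hashed_name_matches(names, hostname)
        else:
            matched = hostname in names.split(',')
        if matched:
            return keytype, keyblob
    return None


def hash_known_hosts(text):
    """Rewrite plain entries as hashed ones, one line per listed name (the
    manual conversion the page attributes to ssh-keygen); other lines pass."""
    out = []
    for raw in text.splitlines():
        fields = raw.split(None, 1)
        if (len(fields) < 2 or raw.lstrip().startswith('#')
                or fields[0].startswith(HASH_MAGIC)):
            out.append(raw)
            continue
        for name in fields[0].split(','):
            out.append(hash_hostname(name) + ' ' + fields[1])
    return '\n'.join(out) + '\n'


_SALT = bytes(range(20))   # fixed, constructed salt so the sample is reproducible
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample; key blobs are placeholders, not real host keys\n"
    "plain.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1\n"
    + hash_hostname('hashed.example.test', _SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2\n"
)
```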

    Host

        Restricts the following declarations (up to the next Host keyword)
        to be only for those hosts that match one of the patterns given
        after the keyword. An asterisk (*) and a question mark (?) can be
        used as wildcards in the patterns. A single asterisk as a pattern
        can be used to provide global defaults for all hosts. The host is
        the host name argument given on the command line (that is, the name
        is not converted to a canonicalized host name before matching).

    HostbasedAuthentication

        Specifies whether to try rhosts-based authentication with public
        key authentication. The argument must be yes or no. The default is
        no. This option applies to protocol version 2 only and is similar
        to RhostsRSAAuthentication.

    HostKeyAlgorithms

        Specifies the protocol version 2 host key algorithms that the
        client wants to use in order of preference. The default for this
        option is: ssh-rsa,ssh-dss.

    HostKeyAlias

        Specifies an alias that should be used instead of the real host
        name when looking up or saving the host key in the host key
        database files. This option is useful for tunneling ssh connections
        or for multiple servers running on a single host.

    HostName

        Specifies the real host name to log into. This can be used to
        specify nicknames or abbreviations for hosts. Default is the name
        given on the command line. Numeric IP addresses are also permitted
        (both on the command line and in HostName specifications).

    IdentityFile

        Specifies a file from which the user's RSA or DSA authentication
        identity is read. The default is $HOME/.ssh/identity for protocol
        version 1 and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol
        version 2. Additionally, any identities represented by the
        authentication agent are used for authentication. The file name can
        use the tilde syntax to refer to a user's home directory. It is
        possible to have multiple identity files specified in configuration
        files; all these identities are tried in sequence.

    IgnoreIfUnknown

        Specifies a comma-separated list of ssh_config parameters, which,
        if unknown to ssh(1), are to be ignored by ssh.

        This parameter is primarily intended to be used in the per-user
        ssh_config, ~/.ssh/config. While this parameter can also be used in
        the system-wide /etc/ssh/ssh_config file, it is generally useless
        there, as the capabilities of the ssh(1) client on that host should
        match that file.

    KeepAlive

        Specifies whether the system should send TCP keepalive messages to
        the other side. If they are sent, death of the connection or crash
        of one of the machines is properly noticed. However, this means
        that connections die if the route is down temporarily, which can be
        a source of annoyance.

        The default is yes (to send keepalives), which means the client
        notices if the network goes down or the remote host dies. This is
        important in scripts, and many users want it too. To disable
        keepalives, the value should be set to no in both the server and
        the client configuration files.

    LocalForward

        Specifies that a TCP/IP port on the local machine be forwarded over
        the secure channel to a given host:port from the remote machine.
        The first argument must be [bind_address:]port and the second must
        be host:port. IPv6 addresses can be specified by enclosing
        addresses in square brackets or by using an alternative syntax:
        [bind_address/]port and host/port. Multiple forwardings can be
        specified and additional forwardings can be given on the command
        line. Only a user with enough privileges can forward privileged
        ports. By default, the local port is bound in accordance with the
        GatewayPorts setting. However, an explicit bind_address can be used
        to bind the connection to a specific address. The bind_address of
        localhost indicates that the listening port be bound for local use
        only, while an empty address or * indicates that the port should be
        available from all interfaces.

    LogLevel

        Gives the verbosity level that is used when logging messages from
        ssh. The possible values are: FATAL, ERROR, QUIET, INFO, VERBOSE,
        DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and
        DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels
        of verbose output.

    MACs

        Specifies the MAC (message authentication code) algorithms in order
        of preference. The MAC algorithm is used in protocol version 2 for
        data integrity protection. Multiple algorithms must be
        comma-separated. The default is
        hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.

    NoHostAuthenticationForLocalhost

        This option can be used if the home directory is shared across
        machines. In this case localhost refers to a different machine on
        each of the machines and the user gets many warnings about changed
        host keys. However, this option disables host authentication for
        localhost. The argument to this keyword must be yes or no. The
        default is to check the host key for localhost.

    NumberOfPasswordPrompts

        Specifies the number of attempts before giving up for password and
        keyboard-interactive methods. Attempts for each method are counted
        separately. The argument to this keyword must be an integer. The
        default is 3.

    PasswordAuthentication

        Specifies whether to use password authentication. The argument to
        this keyword must be yes or no. This option applies to both
        protocol versions 1 and 2. The default is yes.

    Port

        Specifies the port number to connect on the remote host. The
        default is 22.

    PreferredAuthentications

        Specifies the order in which the client should try protocol 2
        authentication methods. This allows a client to prefer one method
        (for example, keyboard-interactive) over another method (for
        example, password). The default for this option is:
        hostbased,publickey,keyboard-interactive,password.

    Protocol

        Specifies the protocol versions ssh should support in order of
        preference. The possible values are 1 and 2. Multiple versions must
        be comma-separated. The default is 2,1. This means that ssh tries
        version 2 and falls back to version 1 if version 2 is not
        available.

    ProxyCommand

        Specifies the command to use to connect to the server. The command
        string extends to the end of the line, and is executed with
        /bin/sh. In the command string, %h is substituted by the host name
        to connect and %p by the port. The string can be any valid command,
        and should read from its standard input and write to its standard
        output. It should eventually connect an sshd(1M) server running on
        some machine, or execute sshd -i somewhere. Host key management is
        done using the HostName of the host being connected (defaulting to
        the name typed by the user). CheckHostIP is not available for
        connections made with a proxy command.

    PubkeyAuthentication

        Specifies whether to try public key authentication. The argument to
        this keyword must be yes or no. The default is yes. This option
        applies to protocol version 2 only.

    RekeyLimit

        Specifies the maximum amount of data that can be transmitted before
        the session key is renegotiated. The argument is the number of
        bytes, with an optional suffix of K, M, or G to indicate Kilobytes,
        Megabytes, or Gigabytes, respectively. The default is between 1G
        and 4G, depending on the cipher. This option applies to protocol
        version 2 only.

    RemoteForward

        Specifies that a TCP/IP port on the remote machine be forwarded
        over the secure channel to a given host:port from the local
        machine. The first argument must be [bind_address:]port and the
        second argument must be host:port. IPv6 addresses can be specified
        by enclosing addresses in square brackets or by using an
        alternative syntax: [bind_address/]port and host/port. You can
        specify multiple forwardings and give additional forwardings on the
        command line. Only a user with enough privileges can forward
        privileged ports.

        If the bind_address is not specified, the default is to only bind
        to loopback addresses. If the bind_address is * or an empty string,
        then the forwarding is requested to listen on all interfaces.
        Specifying a remote bind_address only succeeds if the server's
        GatewayPorts option is enabled. See sshd_config(4).
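        The argument syntax shared by DynamicForward, LocalForward and
        RemoteForward, as an added Python example (not ssh(1) code and not
        part of this man page): it parses "[bind_address:]port" and
        "host:port" in both the bracketed-IPv6 and the address/port forms,
        applies the bind_address and GatewayPorts rules stated above, and
        flags listeners reachable from other hosts and ports that need
        privilege. Sample inputs are constructed.

```python
"""Parse ssh port-forwarding arguments and derive where the listener binds.
Added example, not the ssh(1) implementation. Bind rules follow the man page:
no bind_address -> per GatewayPorts (loopback unless yes); 'localhost' ->
local use only; '' or '*' -> all interfaces; anything else -> that address."""


def split_host_port(spec):
    """Return (host_or_None, port) for 'port', 'host:port', '[v6addr]:port',
    'host/port' or 'v6addr/port'. An empty host ('' from ':8080') is kept."""
    spec = spec.strip()
    if '/' in spec:                       # alternative syntax: address/port
        host, port = spec.rsplit('/', 1)
    elif spec.startswith('['):            # bracketed IPv6: [addr]:port
        end = spec.find(']')
        if end < 0 or spec[end + 1:end + 2] != ':':
            raise ValueError('bad bracketed address: %r' % spec)
        host, port = spec[1:end], spec[end + 2:]
    elif spec.count(':') > 1:             # bare IPv6 and port are ambiguous
        raise ValueError('IPv6 needs [addr]:port or addr/port: %r' % spec)
    elif ':' in spec:
        host, port = spec.split(':', 1)
    else:
        host, port = None, spec           # port only: bind_address omitted
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError('bad port in %r' % spec)
    return host, int(port)


def effective_bind_address(bind_address, gateway_ports=False):
    """Where the listening socket ends up, per the bind_address rules."""
    if bind_address is None:
        return '*' if gateway_ports else 'localhost'   # follows GatewayPorts
    if bind_address == 'localhost':
        return 'localhost'                              # local use only
    if bind_address in ('', '*'):
        return '*'                                      # all interfaces
    return bind_address                                 # explicit address


def parse_forward(listen_spec, target_spec=None, gateway_ports=False):
    """DynamicForward takes only listen_spec; LocalForward and RemoteForward
    add a 'host:port' (or 'host/port') target as the second argument."""
    bind, port = split_host_port(listen_spec)
    result = {
        'bind_address': effective_bind_address(bind, gateway_ports),
        'port': port,
        'privileged': port < 1024,        # needs enough privilege to forward
    }
    if target_spec is not None:
        host, tport = split_host_port(target_spec)
        if host is None:
            raise ValueError('target must be host:port or host/port: %r'
                             % target_spec)
        result['target'] = (host, tport)
    return result


def exposed_to_remote_hosts(forward):
    """True when the listener is not confined to loopback, i.e. other
    machines can reach the forwarded port."""
    return forward['bind_address'] != 'localhost'
```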

    RhostsAuthentication

        Specifies whether to try rhosts-based authentication. This
        declaration affects only the client side and has no effect
        whatsoever on security. Disabling rhosts authentication can reduce
        authentication time on slow connections when rhosts authentication
        is not used. Most servers do not permit RhostsAuthentication
        because it is not secure (see RhostsRSAAuthentication). The
        argument to this keyword must be yes or no. This option applies
        only to the protocol version 1 and requires that ssh be setuid root
        and that UsePrivilegedPort be set to yes.

    RhostsRSAAuthentication

        Specifies whether to try rhosts-based authentication with RSA host
        authentication. This is the primary authentication method for most
        sites. The argument must be yes or no. This option applies only to
        the protocol version 1 and requires that ssh be setuid root and
        that UsePrivilegedPort be set to yes.

    ServerAliveCountMax

        Sets the number of server alive messages which can be sent without
        ssh(1) receiving messages back from the server. If this threshold
        is reached while server alive messages are being sent, ssh
        disconnects from the server, terminating the session. The use of
        server alive messages differs from TCPKeepAlive. Server alive
        messages are sent through the encrypted channel and are not
        spoofable. The TCP keep alive option enabled by TCPKeepAlive is
        spoofable. The server alive mechanism is valuable when the client
        or server depend on knowing when a connection has become inactive.

        The default value is 3. If, for example, ServerAliveInterval is set
        to 15 and ServerAliveCountMax is left at the default, ssh
        disconnects in 45-60 seconds if the server becomes unresponsive.
        This option applies to protocol version 2 only.

    ServerAliveInterval

        Sets a timeout interval in seconds after which, if no data has been
        received from the server, ssh(1) sends a message through the
        encrypted channel to request a response from the server. The
        default is 0, indicating that these messages are not sent to the
        server. This option applies to protocol version 2 only.

    StrictHostKeyChecking

        If this flag is set to yes, ssh never automatically adds host keys
        to the $HOME/.ssh/known_hosts file, and refuses to connect to hosts
        whose host key has changed. This provides maximum protection
        against trojan horse attacks. However, it can be a source of
        inconvenience if you do not have good /etc/ssh/ssh_known_hosts
        files installed and frequently connect to new hosts. This option
        forces the user to manually add any new hosts. Normally this option
        is disabled, and new hosts are automatically added to the known
        host files. The host keys of known hosts are verified automatically
        in either case. The argument must be yes or no or ask. The default
        is ask.

    UseOpenSSLEngine

        Specifies whether ssh should use the OpenSSL PKCS#11 engine for
        offloading cryptographic operations to the Cryptographic Framework.
        Cryptographic operations are accelerated according to the available
        installed plug-ins. When no suitable plug-ins are present this
        option does not have an effect. The default is yes.

    UsePrivilegedPort

        Specifies whether to use a privileged port for outgoing
        connections. The argument must be yes or no. The default is yes.
        Setting this option to no turns off RhostsAuthentication and
        RhostsRSAAuthentication. If set to yes ssh must be setuid root.
        Defaults to no.

    User

        Specifies the user to log in as. This can be useful if you have
        different user names on different machines. This saves you the
        trouble of having to remember to enter the user name on the command
        line.

    UserKnownHostsFile

        Specifies a file to use instead of $HOME/.ssh/known_hosts.

    UseRsh

        Specifies that rlogin or rsh should be used for this host. It is
        possible that the host does not support the ssh protocol. This
        causes ssh to immediately execute rsh(1). All other options (except
        HostName) are ignored if this has been specified. The argument must
        be yes or no.

    XAuthLocation

        Specifies the location of the xauth(1) program. The default is
        /usr/openwin/bin/xauth.

SEE ALSO
    rsh(1), ssh(1), ssh-http-proxy-connect(1), ssh-keygen(1),
    ssh-socks5-proxy-connect(1), sshd(1M), sshd_config(4), kerberos(5)

    RFC 4252

SunOS 5.11                       20 Apr 2009                     ssh_config(4)