SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) ssh_config - OpenSSH ssh(1) : 1. 2. (~/.ssh/config) 3. (/etc/ssh/ssh_config) , . , Host, , , . , , , ( . CanonicalizeHostname). , , -- . -, . , `#', . (") , . ' `='; ssh, scp sftp -o. ( , , ): Host ( Host Match) , , . , . `*' . hostname, ( . CanonicalizeHostname). , (`!'). , Host , , . . . PATTERNS . Match ( Host Match), , Match. all, . : canonical, final, exec, localnetwork, host, originalhost, Tag, user localuser. all ' canonical final. . , all, canonical final, . , (`!'). canonical , (. CanonicalizeHostname). , . final ( , CanonicalizeHostname), . CanonicalizeHostname , canonical final . exec . , . , . exec , . localnetwork CIDR. , . , (, DHCP), . , , - , PATTERNS. host - Hostname CanonicalizeHostname. originalhost , . tagged , Tag ssh(1) -P. user . localuser , ssh(1) ( ssh_config). AddKeysToAgent , ssh-agent(1). yes, , , ssh-add(1). ask, ssh(1) SSH_ASKPASS (. ssh-add(1), ). confirm, , -c ssh-add(1). no, . , , sshd_config(5), ssh-agent(1), . no (<<>>, ), yes (<<>>), confirm (<<>>, ), ask (<<>>) . AddressFamily , '. any (), inet ( IPv4) inet6 ( IPv6). BatchMode yes, , , , . , ssh(1). yes no (). BindAddress , '. . BindInterface ' . CanonicalDomains CanonicalizeHostname, , . CanonicalizeFallbackLocal , , . , yes, . no , ssh(1) , CanonicalizeHostname , CanonicalDomains. CanonicalizeHostname , . , no, - . yes, ', ProxyCommand ProxyJump, ssh(1) , CanonicalDomains CanonicalizePermittedCNAMEs. CanonicalizeHostname always, - '. , - Host Match. none ProxyJump. CanonicalizeMaxDots , , . 1, (: _.). CanonicalizePermittedCNAMEs , CNAME . __:__, __ , CNAME , __ , . , "*.a.example.com:*.b.example.com,*.c.example.com" , "*.a.example.com", "*.b.example.com" "*.c.example.com". "none" , CNAME . . CASignatureAlgorithms , (CA). : ssh-ed25519,ecdsa-sha2-nistp256, ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 `+', , . `-', ( ) , . ssh(1) , , . CertificateFile , . IdentityFile, -i ssh(1), ssh-agent(1), PKCS11Provider SecurityKeyProvider. CertificateFile , , , . ; . CertificateFile, , . ChannelTimeout , ssh(1) . "=", , "" ( ), -. "" - , . , "session=5m" , , ' . . : agent-connection ' ssh-agent(1). direct-tcpip, direct-streamlocal@openssh.com ' TCP Unix (), ssh(1), LocalForward DynamicForward. forwarded-tcpip, forwarded-streamlocal@openssh.com ' TCP Unix (), sshd(8) ssh(1), RemoteForward. session , , , scp(1), sftp(1) . tun-connection ' TunnelForward. x11-connection X11. , , ' , , X11, ' , . , ' ' SSH . , . , . CheckHostIP yes, ssh(1) IP- known_hosts. , DNS, ~/.ssh/known_hosts, StrictHostKeyChecking. no (), . Ciphers . . `+', , . `-', ( ) , . `^', . : 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com : chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com "ssh -Q cipher". ClearAllForwardings , , , , . , , ssh(1) , , scp(1) sftp(1). yes no ( ). Compression , . yes no ( ). ConnectionAttempts ( ), . . , . 1. ConnectTimeout ( ), ' SSH, TCP . ' ' SSH . ControlMaster ' . yes, ssh(1) ' , ControlPath. ' ControlPath ControlMaster no ( ). ' , '. ' , , , , '. ask , ssh(1) ', ssh-askpass(1). ControlPath, ssh(1) ' . X11 ssh-agent(1) '. , , ', . ' : ', ', . : auto autoask. , ask. ControlPath , ', ControlMaster , none '. ControlPath , , , , . , - ControlPath, ' ', %h, %p %r ( %C), , . '. ControlPersist ControlMaster, , ' ( ' ) , ' . no ( ), ' -- , '. yes 0, ' ( , "ssh -O exit"). - , sshd_config(5), ' , ( ') . DynamicForward , TCP , , ' . [bind_address:]. IPv6- . , ' GatewayPorts. , bind_address, ' ' . bind_address localhost , ' , `*' , . SOCKS4 SOCKS5, ssh(1) SOCKS. , . . EnableEscapeCommandline EscapeChar ( `~C'). , . EnableSSHKeysign yes /etc/ssh/ssh_config ssh-keysign(8) HostbasedAuthentication. yes no ( ). , . . ssh-keysign(8), . EscapeChar ( `~'). , . `^', , none, ( ' ). ExitOnForwardFailure , ssh(1) ', , , (, - ' ). , ExitOnForwardFailure ', , , , ssh(1), ' TCP . yes no ( ). FingerprintHash . : md5 sha256 ( ). ForkAfterAuthentication ssh . , ssh , , . StdinNull "yes". X11 ssh -f host xterm, , ssh host xterm, ForkAfterAuthentication "yes". ExitOnForwardFailure "yes", , ForkAfterAuthentication, "yes", , ', , . yes ( , -f) no ( ). ForwardAgent , ' ( ) . yes, no (), ( `$'), . ( UNIX ) '. , , , . ForwardX11 , ' X11 DISPLAY. yes no ( ). X11. ( X11) X11 '. , , ForwardX11Trusted. ForwardX11Timeout X11 , TIME FORMATS sshd_config(5). ' X11, ssh(1) . ForwardX11Timeout X11 '. X11 20 . ForwardX11Trusted yes, X11 X11. no ( ) X11 , , , X11. , xauth(1), 20 . . , , . SECURITY X11. GatewayPorts . , ssh(1) ' ' (loopback). . GatewayPorts , ssh ' , , . yes no ( ). GlobalKnownHostsFile . /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2. GSSAPIAuthentication , GSSAPI. no (). GSSAPIDelegateCredentials () . no (). HashKnownHosts , ssh(1) , ~/.ssh/known_hosts. ssh(1) sshd(8), , . no. , , ssh-keygen(1). HostbasedAcceptedAlgorithms , . , `+', , . `-', ( , ) , . `^', . : ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 -Q ssh(1). HostbasedKeyTypes. HostbasedAuthentication , rhosts . yes no ( ). HostKeyAlgorithms , . , `+', , . `-', ( , ) , . `^', . : ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256 , . "ssh -Q HostKeyAlgorithms". HostKeyAlias , . ' SSH . Hostname . . Hostname , . IP- ( Hostname). , . IdentitiesOnly , ssh(1) ( , , ssh_config ssh(1)), ssh-agent(1), PKCS11Provider SecurityKeyProvider . yes no ( ). , ssh-agent . IdentityAgent UNIX-domain, . SSH_AUTH_SOCK. . none . "SSH_AUTH_SOCK" SSH_AUTH_SOCK. , `$', , . IdentityAgent , , , . IdentityFile , DSA, ECDSA, ECDSA, Ed25519, Ed25519 RSA. , , ssh-agent(1), . ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk ~/.ssh/id_dsa. , , , , IdentitiesOnly. CertificateFile, ssh(1) , -cert.pub IdentityFile. IdentityFile , . , none , . ; . IdentityFile, , ( ). IdentityFile IdentitiesOnly , . IdentityFile CertificateFile - , . IgnoreUnknown , , . , ssh_config , ssh(1). IgnoreUnknown , , . Include . , glob(7) , , `~' . . ~/.ssh, , /etc/ssh, . Include Match Host . IPQoS IPv4 DSCP '. af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, le, lowdelay, throughput, reliability, none, . , . , . , , -- . af21 ( ) cs1 ( ) . KbdInteractiveAuthentication , . yes ( ) no. ChallengeResponseAuthentication. KbdInteractiveDevices , . , . . . OpenSSH bsdauth pam. KexAlgorithms KEX (Key Exchange ). , . `+', , . `-', ( , ) , . `^', . : sntrup761x25519-sha512@openssh.com, curve25519-sha256,curve25519-sha256@libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 "ssh -Q kex". KnownHostsCommand , , UserKnownHostsFile GlobalKnownHostsFile. . , ( ssh(1)). KnownHostsCommand , . ': , , , , CheckHostIP, , . , ' . LocalCommand , ' . . . LocalCommand , . ssh(1), . . , PermitLocalCommand. LocalForward , TCP . , [_':] UNIX. . :_ UNIX, . IPv6 . , . . , ' GatewayPorts. , bind_address ' ' . bind_address localhost , ' , `*' , . UNIX , , . LogLevel , ssh(1). : QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 DEBUG3. INFO. DEBUG DEBUG1 . DEBUG2 DEBUG3 . LogVerbose LogLevel. -, , . : kex.c:*:1000,*:kex_exchange_identification():*,packet.c:* 1000 kex.c, kex_exchange_identification() packet.c. . , . MACs MAC (message authentication code ) . MAC . . `+', , . `-', ( , ) , . `^', . , "-etm", MAC (encrypt-then-mac). . : umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com, hmac-sha2-256,hmac-sha2-512,hmac-sha1 MAC "ssh -Q mac". NoHostAuthenticationForLocalhost ( (loopback)). yes no ( ). NumberOfPasswordPrompts , . . 3. ObscureKeystrokeTiming , ssh(1) . , ssh(1) . yes, no interval: ( interval:80 80 ). 20 . , . PasswordAuthentication , . yes ( ) no. PermitLocalCommand LocalCommand !command ssh(1). yes no ( ). PermitRemoteOpen , TCP, - SOCKS RemoteForward. : PermitRemoteOpen : PermitRemoteOpen _IPv4: PermitRemoteOpen [_IPv6]: . any - . none . , , `*'. . PKCS11Provider , PKCS#11 , none, , ( ). PKCS#11, ssh(1) PKCS#11, . Port , ' . 22. PreferredAuthentications , . (, keyboard-interactive) ( password). : gssapi-with-mic,hostbased,publickey, keyboard-interactive,password ProxyCommand , ' . . `exec' . ProxyCommand , . -. . , ' sshd(8), , sshd -i. Hostname , ' ( , ). none . , CheckHostIP ' -. nc(1) -. , ' - HTTP 192.0.2.0: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p ProxyJump - [@][:], ssh. -. . , ssh(1) ' , ' ssh(1) ProxyJump, TCP . none . , ProxyCommand -- , , . , ( , ) . ~/.ssh/config , . ProxyUseFdpass , ProxyCommand ' ssh(1), . no. PubkeyAcceptedAlgorithms , . . `+', , . `-', ( , ) , . `^', . : ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 "ssh -Q PubkeyAcceptedAlgorithms". PubkeyAuthentication , . yes (, ), no (), unbound ( ') host-bound (' ). , ' OpenSSH, ssh-agent(1). RekeyLimit ' , , , . `K', `M' `G' , , . `1G' `4G', . ' . - , << >> sshd_config(5). RekeyLimit default none (), , ' , . RemoteCommand , ' . . . RemoteCommand , . RemoteForward , TCP . , - SOCKS 4/5, ' . . -- [_':] , , UNIX. , :_ UNIX. , , - SOCKS. - SOCKS ' PermitRemoteOpen. IPv6 . , . root . UNIX , , . 0, , '. _' , ' (loopback) . _' `*' , . _' , GatewayPorts (. sshd_config(5)). RequestTTY , -tty . : no ( TTY), yes ( TTY, TTY), force ( TTY) auto ( TTY ). -t -T ssh(1). RequiredRSASize RSA ( ), ssh(1). , , . ' , , , . 1024 . , . RevokedHostKeys . . , , . , , OpenSSH (KRL), ssh-keygen(1). KRL, << >> ssh-keygen(1). RevokedHostKeys , , , . SecurityKeyProvider , - FIDO . HID USB. `$', , . SendEnv , environ(7), . , . , TERM , , . AcceptEnv sshd_config(5), , . , -. SendEnv. . PATTERNS . SendEnv -. - . ServerAliveCountMax ' (. ), ssh(1) - . ' , ssh ' , '. , ' TCPKeepAlive (). ' , , . ' TCP, TCPKeepAlive, . ' , , ' . 3. , , ServerAliveInterval (. ) 15, ServerAliveCountMax , , ssh ' 45 . ServerAliveInterval , , , ssh(1) . 0 , . SessionType , . , . none ( , -N), subsystem ( , -s) default ( ). SetEnv , . SendEnv, TERM, . StdinNull /dev/null (, ). ssh , , -n. yes ( , -n) no ( ). StreamLocalBindMask (umask), UNIX . UNIX. 0177. UNIX, . , UNIX . StreamLocalBindUnlink , UNIX . , StreamLocalBindUnlink , ssh UNIX. UNIX. yes no ( ). StrictHostKeyChecking yes, ssh(1) ~/.ssh/known_hosts ' , . (MITM). , , /etc/ssh/ssh_known_hosts ' . . accept-new, ssh known_hosts , ' , . no off, ssh ' . ask ( ), , , ssh ' , . . SyslogFacility , ssh(1) . : DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. USER. TCPKeepAlive , ' TCP '. , ' . , , ' , . yes ( ' TCP), , . , . ' TCP, no. . ServerAliveInterval, ' . Tag , Match . Tunnel tun(4) . yes, point-to-point ( 3), ethernet ( 2) no ( ). yes, , point-to-point. TunnelDevice tun(4), (local_tun) (remote_tun) . _[:_]. any, , . _ , any. any:any. UpdateHostKeys , ssh(1) , , UserKnownHostsFile. yes, no ask. - , . , , , , UserKnownHostsFile ( GlobalKnownHostsFile) , . , UpdateHostKeys , UserKnownHostsFile VerifyHostKeyDNS. UpdateHostKeys no. UpdateHostKeys ask, known_hosts. ControlPersist, , , . , "hostkeys@openssh.com", , sshd(8) OpenSSH 6.8 . User , . , . ' . UserKnownHostsFile , . , , , , . none ssh(1) - . ~/.ssh/known_hosts, ~/.ssh/known_hosts2. VerifyHostKeyDNS , DNS SSHFP. yes, , DNS. , ask. ask, , StrictHostKeyChecking. no. . in ssh(1). VisualHostKey yes, ASCII . no ( ) , . XAuthLocation xauth(1). /usr/bin/xauth. , , `*' (, ) `?' (-, ). , - ".co.uk", : Host *.co.uk - 192.168.0.[0-9]: Host 192.168.0.? -- . (`!'). , - , "dialup", ( authorized_keys): from="!*.dialup.example.com,*.example.com" , . , "host3" : from="!host1,!host2" , , : from="!host1,!host2,*" , : %% `%'. %C - %l%h%p%r%j. %d . %f . %H known_hosts, . %h . %I , KnownHostsCommand: ADDRESS ( CheckHostIP), HOSTNAME , ORDER . %i . %j ProxyJump , . %K base64. %k , ; , , . %L . %l , . %n , . %p . %r ' . %T tun(4) tap(4), , "NONE" . %t , , ssh-ed25519. %u ' . CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, LocalForward, Match exec, RemoteCommand, RemoteForward, RevokedHostKeys, UserKnownHostsFile %%, %C, %d, %h, %i, %j, %k, %L, %l, %n, %p, %r %u. KnownHostsCommand, , %f, %H, %I, %K %t. Hostname %% %h. LocalCommand . ProxyCommand ProxyJump %%, %h, %n, %p %r. , . ssh(1) , ( ), , ssh(1) , , . , ${}, , ${HOME}/.ssh .ssh . , , . CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand UserKnownHostsFile . LocalForward RemoteForward UNIX. ~/.ssh/config . . SSH. , : / . /etc/ssh/ssh_config . , , , . . . ssh(1) OpenSSH ssh 12.12, Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song , OpenSSH. Markus Friedl SSH 1.5 2.0. lxlalexlxl , Yuri Chornoivan Andriy Rysin ; , GNU General Public License Version 3: https://www.gnu.org/licenses/gpl-3.0.html. . , , : trans-uk@lists.fedoraproject.org Linux 6.8.2-arch2-1 $Mdocdate: 12 2023 $ Linux 6.8.2-arch2-1