This page is about OpenSSH client configuration. For OpenSSH server configuration, see sshd_config. For Tectia SSH configuration, see the Tectia SSH Server Administrator Manual. For configuring passwordless public key authentication, see ssh-keygen.

The ssh program on a host receives its configuration from either the command line or from the configuration files `~/.ssh/config` and `/etc/ssh/ssh_config`. Command-line options take precedence over configuration files. The user-specific configuration file `~/.ssh/config` is used next. Finally, the global `/etc/ssh/ssh_config` file is used. The first obtained value for each configuration parameter will be used.

Contents

- Commonly used configuration options
- Enabling X11 forwarding and agent forwarding
- Port forwarding
- Configuring public key authentication
- Certificate-based authentication
- Format of SSH client config file ssh_config
- Listing of client configuration options

## Commonly used configuration options

There are many configuration options available. In practice, only a few of them are ever changed, and user-specific configuration files are rarely used. In most cases, just `/etc/ssh/ssh_config` is edited.

## Enabling X11 forwarding and agent forwarding

Developers, students, and researchers often want to enable X11 forwarding and SSH agent forwarding. These allow running graphical applications remotely and eliminate the need for typing a password whenever moving from one server to another, respectively. Setting these options in `/etc/ssh/ssh_config` makes life easier for end users, saves overhead, and reduces support load. However, they increase the risk of an attack spreading from a compromised server to a user's desktop, so the most security-critical environments may want to leave them disabled. There is generally no reason to enable them on production servers in enterprises.

```
ForwardAgent yes
ForwardX11 yes
```

## Port forwarding

Local and remote port forwarding can be used for tunneling applications, accessing intranet web services from home, tunneling database access, and many other purposes. For instructions on configuring port forwarding, see the port forwarding configuration page. Note, however, that port forwarding can also be used to tunnel traffic from the external Internet into a corporate intranet. Employees sometimes do this to be able to work from home even when company policy does not permit it. Hackers use it to leave a permanent backdoor. See the page on SSH tunneling for more information.

## Configuring public key authentication

Public key authentication is used for passwordless logins between systems. It is often used for automated processes, such as backups, configuration management, and file transfers. It is also used by sophisticated end users and system administrators for single sign-on. See the public key authentication page for configuring it.

When a user has created more than one SSH key for authentication, the `-i` command line option may be helpful for specifying which key to use. In the client configuration file, this can be specified using the `IdentityFile` option.

## Certificate-based authentication

OpenSSH certificates can be used for authentication either using ssh-agent or by specifying the `CertificateFile` option in the client configuration file. See SSH certificates for more information.

## Format of SSH client config file ssh_config

The `ssh_config` client configuration file has the following format. Both the global `/etc/ssh/ssh_config` and the per-user `~/.ssh/config` have the same format.

Empty lines and lines starting with '#' are comments. Each line begins with a keyword, followed by argument(s). Configuration options may be separated by whitespace or optional whitespace and exactly one `=`. Arguments may be enclosed in double quotes (") in order to specify arguments that contain spaces.

## Listing of client configuration options

The following keywords can be used in SSH client configuration files. Keywords are case-insensitive and arguments are case-sensitive. Any algorithm or method names that include an at sign (@) are for experimental use only and not recommended for production.

**Host**: Restricts the following declarations to apply only to those hosts that match one of the patterns given after the keyword. The pattern is matched against the host name given on the command line.

**Match**: Restricts the following declarations to apply only to hosts that match the specified criteria. For detailed information, see the ssh man page.

**AddressFamily**: Specifies which address family to use when connecting. Valid arguments are `any`, `inet`, and `inet6`.

**BatchMode**: If set to `yes`, passphrase/password querying will be disabled. This is useful for running the ssh client from shell scripts that do not have an interactive user, and prevents accidentally blocking on a password prompt.

**BindAddress**: Specifies to use the specified address on the local machine as the source address of the connection.

**ChallengeResponseAuthentication**: Specifies whether to use challenge-response authentication. This is mostly a legacy method and has been replaced by `KbdInteractiveAuthentication`.

**CheckHostIP**: Directs ssh to additionally check the host IP address in the `known_hosts` file.

**Cipher**: Specifies the cipher to use for encrypting the session in protocol version 1. Note that use of protocol 1 is not recommended.

**Ciphers**: Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The `ssh -Q cipher` command can be used to query supported ciphers. The following list is supported in OpenSSH 6.7:

```
3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc
rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com
aes256-gcm@openssh.com chacha20-poly1305@openssh.com
```

**ClearAllForwardings**: Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared.

**Compression**: Specifies whether to use compression. `yes` enables compression.

**CompressionLevel**: Specifies the compression level to use if compression is enabled.

**ConnectionAttempts**: Specifies the number of attempts to make before exiting.

**ConnectTimeout**: Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout.

**ControlMaster**: Enables the sharing of multiple sessions over a single network connection.

**ControlPath**: Specifies the path to the control socket used for connection sharing as described in the ControlMaster section above, or the string `none` to disable connection sharing.

**DynamicForward**: Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

**EscapeChar**: Sets the escape character.

**ExitOnForwardFailure**: Specifies whether ssh should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings.

**ForwardAgent**: Specifies whether the connection to the authentication agent will be forwarded to the remote machine.

**ForwardX11**: Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set.

**ForwardX11Trusted**: If this option is set to `yes`, remote X11 clients will have full access to the original X11 display.

**GatewayPorts**: Specifies whether remote hosts are allowed to connect to local forwarded ports.

**GlobalKnownHostsFile**: Specifies a file to use for the global host key database instead of `/etc/ssh/ssh_known_hosts`.

**GSSAPIAuthentication**: Specifies whether user authentication based on GSSAPI is allowed. GSSAPI is typically used for Kerberos authentication, e.g., with Active Directory.

**GSSAPIKeyExchange**: Specifies whether key exchange based on GSSAPI may be used.

**GSSAPIClientIdentity**: If set, specifies the GSSAPI client identity that ssh should use when connecting to the server.

**GSSAPIDelegateCredentials**: Forward (delegate) credentials to the server.

**GSSAPIRenewalForcesRekey**: If set to `yes`, then renewal of the client's GSSAPI credentials will force the rekeying of the ssh connection.

**GSSAPITrustDns**: Set to `yes` to indicate that the DNS is trusted to securely canonicalize the name of the host being connected to. If `no`, the hostname entered on the command line will be passed untouched to the GSSAPI library.

**HashKnownHosts**: Indicates that ssh should hash host names and addresses when they are added to `~/.ssh/known_hosts`. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying information should the file's contents be disclosed.

**HostbasedAuthentication**: Specifies whether to try rhosts based authentication with public key authentication, using the `.rhosts` or `.shosts` files in the user's home directory and `/etc/hosts.equiv` and `/etc/shosts.equiv` in global configuration.

**HostKeyAlgorithms**: Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The following values are supported in OpenSSH 6.7:

```
ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-dss
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-rsa-cert-v00@openssh.com ssh-dss-cert-v00@openssh.com
```

**HostKeyAlias**: Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.

**HostName**: Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).

**IdentitiesOnly**: Specifies that ssh should only use the identity keys configured in the `ssh_config` files, even if ssh-agent offers more identities.

**IdentityFile**: Specifies a file from which the user's identity key is read when using public key authentication. The default for protocol version 1 is `~/.ssh/identity`, and `~/.ssh/id_rsa` or `~/.ssh/id_dsa` for protocol version 2.

**KbdInteractiveAuthentication**: Specifies whether to use keyboard-interactive authentication. This is a common method for password authentication, one-time passwords, and multi-factor authentication.

**KbdInteractiveDevices**: Specifies the list of methods to use in keyboard-interactive authentication.

**LocalCommand**: Specifies a command to execute on the local machine after successfully connecting to the server.

**LocalForward**: Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be `[bind_address:]port` and the second argument must be `host:port`.

**LogLevel**: Specifies the verbosity level of logging messages from ssh. The possible values are `QUIET`, `FATAL`, `ERROR`, `INFO`, `VERBOSE`, `DEBUG`, `DEBUG1`, `DEBUG2`, and `DEBUG3`.

**MACs**: Specifies the MAC (message authentication code) algorithms in order of preference. The `ssh -Q mac` command can be used to query supported MAC algorithms. The following list is supported in OpenSSH 6.7:

```
hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 hmac-ripemd160
hmac-ripemd160@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com umac-64-etm@openssh.com
umac-128-etm@openssh.com
```

**NoHostAuthenticationForLocalhost**: This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys.

**PreferredAuthentications**: Specifies the order in which the client should try protocol 2 authentication methods.

**Protocol**: Specifies the protocol versions in order of preference. The possible values are '1' and '2'. Multiple versions must be comma-separated. Use of protocol version 1 is NOT RECOMMENDED for security reasons. There is reason to believe it may be susceptible to man-in-the-middle attacks.

**ProxyCommand**: Specifies the command to use to connect to the server. The SSH client communicates with the proxy command using its standard input and standard output, and the proxy command should pass the communication to an SSH server.

**PubkeyAuthentication**: Specifies whether to try public key authentication using SSH keys. Valid values are `yes` and `no`. When public key authentication is used in a production environment, a proper SSH key management system should also be put in place.

**RemoteForward**: Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be `[bind_address:]port` and the second argument must be `host:port`. SSH tunneling is a powerful tool, but see the security considerations on SSH tunneling.

**RhostsRSAAuthentication**: Specifies whether to try rhosts based authentication with RSA host authentication. This is for protocol version 1 only and is deprecated.

**RSAAuthentication**: Specifies whether to try RSA authentication. This is for protocol version 1 only and is deprecated.

**SendEnv**: Specifies what environment variables should be sent to the server.

**ServerAliveCountMax**: Sets the number of keepalive messages that may be sent by the client without the client receiving any messages back from the server. When this threshold is reached the client will terminate the session.

**ServerAliveInterval**: Specifies the interval for sending keepalive messages to the server. The messages are sent through the encrypted channel, and serve to detect if the server has crashed or the network has gone down.

**SmartcardDevice**: Specifies which smartcard device to use.

**StrictHostKeyChecking**: Specifies if ssh should never automatically add host keys to the `~/.ssh/known_hosts` file, and refuses to connect to hosts whose host key has changed.

**TCPKeepAlive**: Specifies whether to send TCP keepalives to the other side. These operate on the level of the TCP protocol. Sending keepalives helps properly close the socket when the network or server goes down. On the other hand, without it, the connection may stay alive and any windows open, even if the network is down for a while.

**Tunnel**: If `yes`, request `tun` device forwarding between the client and the server. This is used for implementing a VPN over SSH.

**TunnelDevice**: Specifies the tun devices to open on the client (local_tun) and the server (remote_tun).

**UsePrivilegedPort**: Specifies whether or not to use a privileged port for outgoing connections. The client must run as root to use a privileged port. A privileged port is required for host-based authentication.

**UserKnownHostsFile**: Specifies a file to use for the per-user known host key database instead of the default `~/.ssh/known_hosts`.

**VerifyHostKeyDNS**: Specifies whether to verify the remote key using DNS and SSHFP resource records.

**VisualHostKey**: Specifies whether an ASCII art representation of the remote host key fingerprint is printed in addition to the hex fingerprint string at login and for unknown host keys.
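The file format described above (comment lines, whitespace or `=` separators, double-quoted arguments, case-insensitive keywords, `Host` patterns) together with the "first obtained value wins" rule decides whether `ForwardAgent` or `ForwardX11` is actually on for a given host, which is why host-specific blocks must precede a catch-all `Host *`. The resolver below is an added example, not code from this page or from OpenSSH; the config text is constructed, and the resolver simplifies keywords such as `IdentityFile`, which accumulate rather than override in real ssh.

```python
import fnmatch
import re

# Constructed sample per-user ~/.ssh/config (not from the page): forwarding is
# enabled only for dev-* hosts; host-specific blocks come before Host *.
SAMPLE_CONFIG = """
Host dev-*
    ForwardAgent yes
    ForwardX11 = yes
    IdentityFile "~/My Keys/id_ed25519_dev"
Host *
    ForwardAgent no
    ForwardX11 no
    IdentitiesOnly yes
"""

def split_args(rest):
    # A double-quoted argument may contain spaces; anything else splits on whitespace.
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', rest)]

def parse_ssh_config(text):
    """Return [(host_patterns, [(keyword, args), ...]), ...] in file order.
    Keywords are case-insensitive (lower-cased here), arguments keep their case,
    and keyword/arguments are separated by whitespace or a single '='. Empty and
    '#' lines are comments; declarations before any Host line apply to all hosts."""
    current = (["*"], [])
    blocks = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        args = split_args(parts[1]) if len(parts) > 1 else []
        if keyword == "host":
            current = (args, [])
            blocks.append(current)
        else:
            current[1].append((keyword, args))
    return blocks

def host_matches(patterns, host):
    """'*' and '?' wildcards; a '!'-prefixed pattern excludes the host from the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host.lower(), pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host.lower(), pat.lower()):
            matched = True
    return matched

def effective_option(blocks, host, keyword):
    """First obtained value wins (simplified: IdentityFile etc. really accumulate)."""
    keyword = keyword.lower()
    for patterns, decls in blocks:
        if host_matches(patterns, host):
            for key, args in decls:
                if key == keyword:
                    return args
    return None
```

Swapping the two `Host` blocks in the sample makes `ForwardAgent` resolve to `no` for `dev-box` as well, because the `Host *` value is then obtained first.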
## FAQs

**How to configure the SSH config file?**

The SSH config file is divided into Host sections with specific configuration options for every host. The argument is the exact hostname, IP address, or a match pattern. Use whitespace as a separator between parameters and arguments, or an equals sign (`=`).
**How to configure the SSH client?**

File location: the SSH client-side configuration file is named `config` and is stored in the `.ssh` directory under the user's home directory. By default, the config file is not present and the user needs to create it, for example with the touch command.

Both the global `/etc/ssh/ssh_config` and the per-user `~/.ssh/config` have the same format. Empty lines and lines starting with '#' are comments. Each line begins with a keyword, followed by argument(s). Configuration options may be separated by whitespace or optional whitespace and exactly one `=`.
**How to configure custom connection options for your SSH client?**

- User configuration file location: $HOME/.ssh/config.
- System-wide configuration file default location: /etc/ssh/ssh_config.
| Type of key | Minimum key size (bits) | Example |
|---|---|---|
| Ed25519 (ed25519) | 256 | `ssh-keygen -t ed25519 -b 256` |
| ECDSA (ecdsa) | 256 | `ssh-keygen -t ecdsa -b 256` |
| RSA (rsa) | 2048 | `ssh-keygen -t rsa -b 2048` |
| DSA / DSS (dsa) | 1024 | `ssh-keygen -t dsa -b 1024` |
To edit the SSH client config file in Vim, open the terminal and enter `vim ~/.ssh/config`. This opens the file in Vim, where you can edit it according to your requirements.
**How to check the current SSH config?**

Open `/etc/ssh/sshd_config` with a supported editor. To enable password or key authentication, make sure the related parameter is set to "yes". To enable both, set both of these parameters to "yes". To enable password authentication, check that the parameter PasswordAuthentication is set to "yes".
**What permissions should the SSH config file have?**

- `.ssh/` directory: 700 (drwx------)
- public key (`.pub` file): 644 (-rw-r--r--)
- private key (`id_rsa`): 600 (-rw-------)
- Your home directory should not be writeable by the group or others: 755 (drwxr-xr-x).
- Configuration file `.ssh/config`: 600 (-rw-------)
The ssh command is used to securely log into a remote machine and execute commands on that machine. The basic syntax of the command is “ssh user@host”, where user is the username on the remote machine and host is the address or hostname of the remote machine.
Host specifies the command line argument, and could be thought of as a) actual host name/IP, b) shorthand, c) alias. The HostName is the real hostname/IP of the machine you are connecting to.
**How to open the sshd_config file?**

- By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
- A user's configuration file at `%userprofile%\.ssh\config`.
- The system-wide configuration file at `%programdata%\ssh\ssh_config`.