<Linux> Detailed Explanation of the OpenSSH Client Configuration File ssh_config

1. The order in which ssh obtains configuration data

1. Command-line options
2. The user's configuration file (~/.ssh/config)
3. The system-wide configuration file (/etc/ssh/ssh_config)

Unless otherwise stated, for each parameter, the first obtained value will be used. The configuration file contains sections separated by a Host specification, which should only be applied to hosts that match one of the patterns given in the specification. The matching hostname is usually the name given on the command line (see the CanonicalizeHostname option for exceptions).

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

The file contains keyword-argument pairs, one per line. Lines starting with "#" and empty lines are interpreted as comments. Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces. Configuration options may be separated by whitespace or by optional whitespace and exactly one "="; the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the -o option of ssh, scp, and sftp.

2. Keywords

The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive):

2.1 Host

Restricts the following declarations (up to the next Host or Match keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. A single '*' as a pattern can be used to provide global defaults for all hosts. The host is usually the hostname argument given on the command line (see the CanonicalizeHostname keyword for exceptions). A pattern entry may be negated by prefixing it with an exclamation mark ('!'). If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match. Negated matches are therefore useful to provide exceptions for wildcard matches.

For more information about patterns, see Patterns.
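The following Python model is an added example (it is not OpenSSH code) of the two rules above: stanzas are scanned top to bottom, a stanza applies when its Host patterns match (with '*', '?' and '!' negation), and the first value obtained for a keyword wins, which is why the host-specific stanza must precede the "Host *" defaults. The sample config and its hostnames are constructed for the demonstration; quoted arguments and Match blocks are not modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample ~/.ssh/config, not taken from the original page.
SAMPLE_CONFIG = """
# The bastion is the only host allowed to receive a forwarded agent.
Host bastion.example.com
    ForwardAgent yes
    User admin

# Every lab host except the one in the DMZ is reached through the bastion.
Host *.lab.example.com !dmz.lab.example.com
    ProxyJump = bastion.example.com

# Generic defaults last: the first value found wins, so anything placed
# above overrides these.
Host *
    ForwardAgent no
    User deploy
    IdentitiesOnly yes
"""

# keyword, optional whitespace, optional single '=', rest of the line
_LINE = re.compile(r"([^\s=]+)\s*=?\s*(.*)$")

Stanza = Tuple[List[str], List[Tuple[str, str]]]


def match_pattern(pattern: str, name: str) -> bool:
    """ssh-style glob: '*' matches any run of characters, '?' exactly one."""
    def rec(p: int, n: int) -> bool:
        if p == len(pattern):
            return n == len(name)
        if pattern[p] == "*":
            return any(rec(p + 1, k) for k in range(n, len(name) + 1))
        if n < len(name) and (pattern[p] == "?" or pattern[p] == name[n]):
            return rec(p + 1, n + 1)
        return False
    return rec(0, 0)


def host_matches(patterns: List[str], host: str) -> bool:
    """A matching negated ('!') pattern vetoes the stanza regardless of any
    other pattern on the line; otherwise one positive match is enough."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if match_pattern(pat[1:], host):
                return False
        elif match_pattern(pat, host):
            positive = True
    return positive


def parse_config(text: str) -> List[Stanza]:
    """Split the file into (host patterns, [(keyword, argument)]) stanzas.
    Declarations before the first Host line belong to an implicit '*' stanza."""
    stanzas: List[Stanza] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments
        m = _LINE.match(line)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "host":
            stanzas.append((arg.split(), []))
        else:
            stanzas[-1][1].append((key, arg))
    return stanzas


def resolve(text: str, host: str, keyword: str) -> Optional[str]:
    """First value obtained for keyword while scanning the stanzas that
    match host from the top of the file; None if nothing sets it."""
    for patterns, decls in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, arg in decls:
            if key == keyword.lower():
                return arg
    return None


def effective(text: str, host: str, keywords: List[str]) -> Dict[str, Optional[str]]:
    """The effective value of several keywords for one host."""
    return {k: resolve(text, host, k) for k in keywords}


if __name__ == "__main__":
    for h in ("bastion.example.com", "web1.lab.example.com", "dmz.lab.example.com"):
        print(h, effective(SAMPLE_CONFIG, h, ["ForwardAgent", "User", "ProxyJump"]))
```

The real client prints the same kind of resolved view with `ssh -G hostname`, which is the quickest way to check that a stanza is placed where you think it is.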

2.2 Match

Restricts the following declarations (up to the next Host or Match keyword) to be used only when the conditions following the Match keyword are satisfied. Match conditions are specified using one or more criteria or the single token all, which always matches. The available criteria keywords are: canonical, final, exec, host, originalhost, user and localuser. The all criterion must appear alone or immediately after canonical or final. Other criteria may be combined in any combination. All criteria except all, canonical and final require an argument. A criterion may be negated by prefixing it with an exclamation mark ('!').

The canonical keyword matches only when the configuration file is being re-parsed after hostname canonicalization (see the CanonicalizeHostname option). This may be useful for specifying conditions that work only with canonical hostnames.

The Final keyword requests a reparse of the configuration (regardless of whether CanonicalizeHostname is enabled) and is matched only on the last pass. If CanonicalizeHostname is enabled, canonical matching and final matching are enabled in the same pass.

The Exec keyword executes the specified command under the user's shell. The condition is considered true if the command returns a zero exit status. Commands containing space characters must be quoted. The parameters to execute accept the tokens described in the TOKENS section.

The other keywords' criteria must be single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section. The criteria for the host keyword are matched against the target hostname, after any substitution by the Hostname or CanonicalizeHostname options. The originalhost keyword matches against the hostname as it was specified on the command line. The user keyword matches against the target username on the remote host. The localuser keyword matches against the name of the local user running ssh(1) (this keyword may be useful in system-wide ssh_config files).

2.3 AddKeysToAgent

Specifies whether keys should be automatically added to a running ssh-agent(1). If this option is set to yes and a key is loaded from a file, the key and its passphrase are added to the agent with the default lifetime, as if by ssh-add(1). If this option is set to ask, ssh(1) will require confirmation using the SSH_ASKPASS program before adding a key (see ssh-add(1) for details). If this option is set to confirm, each use of the key must be confirmed, as if the -c option was specified to ssh-add(1). If this option is set to no, no keys are added to the agent. Alternatively, this option may be specified as a time interval using the format described in the TIME FORMATS section of sshd_config(5) to specify the key's lifetime in ssh-agent(1), after which it will automatically be removed. The argument must be no (the default), yes (optionally followed by a time interval), ask or a time interval.

2.4 AddressFamily

Specifies which address family to use when connecting. Valid parameters can be any (default), inet (only uses IPv4) or inet6 (only uses IPv6).

2.5 BatchMode

If set to yes, user interaction such as password prompts and host key confirmation requests is disabled. This option is useful in scripts and other batch jobs where no user interacts with ssh(1). Parameter must be yes or no (default).

2.6 BindAddress

Uses the specified address on the local computer as the source address of the connection. Only useful on systems with multiple addresses.

2.7 BindInterface

Use the address of the specified interface on the local computer as the source address of the connection.

2.8 CanonicalDomains

When CanonicalizeHostname is enabled, this option specifies a list of domain suffixes in which to search for the specified target host.

2.9 CanonicalizeFallbackLocal

Specifies whether to fail with an error when hostname canonicalization fails. The default, yes, will attempt to look up the unqualified hostname using the system resolver's search rules. A value of no will cause ssh(1) to fail immediately if CanonicalizeHostname is enabled and the target hostname cannot be found in any of the domains specified by CanonicalDomains.

2.10 CanonicalizeHostname

Controls whether explicit hostname canonicalization is performed. The default, no, is not to perform any name rewriting and to let the system resolver handle all hostname lookups. If set to yes, then for connections that do not use a ProxyCommand or ProxyJump, ssh(1) will attempt to canonicalize the hostname specified on the command line using the CanonicalDomains suffixes and CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is set to always, then canonicalization is applied to proxied connections too.

If this option is enabled, the configuration files are processed again using the new target name to pick up any new configuration in matching Host and Match sections. A value of none disables the use of a ProxyJump host.

2.11 CanonicalizeMaxDots

Specifies the maximum number of dot characters in a hostname before normalization is disabled. The default value of 1 allows one dot (i.e. hostname.subdomain).

2.12 CanonicalizePermittedCNAMEs

Specifies rules to determine whether CNAMEs should be followed when canonicalizing hostnames. The rules consist of one or more arguments of the form source_domain_list:target_domain_list, where source_domain_list is a pattern-list of domains that may follow CNAMEs during canonicalization, and target_domain_list is a pattern-list of domains that they may resolve to.

For example, "*.a.example.com:*.b.example.com,*.c.example.com" will allow hostnames matching "*.a.example.com" to be canonicalized to names in the "*.b.example.com" or "*.c.example.com" domains.

A single argument of "none" causes no CNAMEs to be considered for canonicalization. This is the default behaviour.

2.13 CASignatureAlgorithms

Specifies which algorithms the certificate authority (CA) is allowed to use to sign the certificate. The default value is:

ssh-ed25519,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256

If the specified list starts with a "+" character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a "-" character, then the specified algorithms (including wildcards) are removed from the default set instead of replacing them.

ssh(1) will not accept host certificates signed using algorithms other than those specified.

2.14 CertificateFile

Specifies a file from which the user's certificate is read. A corresponding private key must be provided separately in order to use this certificate, either from an IdentityFile directive or -i flag to ssh(1), via ssh-agent(1), or via a PKCS11Provider or SecurityKeyProvider. Arguments to CertificateFile may use the tilde syntax to refer to a user's home directory, the tokens described in the TOKENS section, and environment variables as described in the ENVIRONMENT VARIABLES section.

Multiple certificate files may be specified in configuration files; these certificates will be tried in sequence. Multiple CertificateFile directives will add to the list of certificates used for authentication.

2.15 CheckHostIP

If set to yes, ssh(1) will additionally check the host IP address in the known_hosts file. This allows it to detect if a host key changed due to DNS spoofing, and it will add addresses of destination hosts to ~/.ssh/known_hosts in the process, regardless of the setting of StrictHostKeyChecking. If the option is set to no (the default), the check is not performed.

2.16 Ciphers

Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. If the specified list begins with a "+" character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified list begins with a "-" character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.

The supported ciphers are:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

The default is:

chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com

You can also use "ssh -Q ciphers" to get a list of available ciphers.

2.17 ClearAllForwardings

Specifies that all local, remote, and dynamic port forwarding specified in the configuration file or command line be cleared. This option is useful when used from the ssh (1) command line to clear port forwarding set in a configuration file, and is set automatically by scp (1) and sftp (1). Parameter must be yes or no (default).

2.18 Compression

Specifies whether to use compression. Argument must be yes or no (default).

2.19 ConnectionAttempts

Specifies the number of attempts to make before exiting (once per second). Parameters must be integers. This may be useful in scripts if the connection sometimes fails. The default value is 1.

2.20 ConnectTimeout

Specifies the timeout (in seconds) to use when connecting to the SSH server instead of using the default system TCP timeout. This timeout applies both to establishing the connection and performing the initial SSH protocol handshake and key exchange.

2.21 ControlMaster

Enables the sharing of multiple sessions over a single network connection. When set to yes, ssh(1) will listen for connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to no (the default). These sessions will try to reuse the master instance's network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist or is not listening.

Setting this to ask will cause ssh(1) to listen for control connections, but require confirmation using ssh-askpass(1). If the ControlPath cannot be opened, ssh(1) will continue without connecting to a master instance.

X11 and ssh-agent(1) forwarding is supported over these multiplexed connections, however the display and agent forwarded will be the one belonging to the master connection, i.e. it is not possible to forward multiple displays or agents.

Two additional options allow for opportunistic multiplexing: try to use a master connection, but fall back to creating a new one if one does not already exist. These options are: auto and autoask. The latter requires confirmation like the ask option.

2.22 ControlPath

Specify the path to the control socket used for connection sharing, as described in the ControlMaster section above, or specify the string none to disable connection sharing. Parameters to ControlPath can use tilde syntax to reference the user's home directory, tokens described in the TOKENS section, and environment variables described in the ENVIRONMENT VARIABLES section. It is recommended that any ControlPath used for an opportunistic connection share include at least %h, %p, and %r (or %C) and be placed in a directory that is not writable by other users. This ensures a unique identification of the shared connection.

2.23 ControlPersist

When used with ControlMaster, specifies that after the initial client connection is closed, the master connection should remain open in the background (waiting for future client connections). If set to no (the default), the main connection will not be placed in the background and will be closed immediately when the initial client connection is closed. If set to yes or 0, the main connection will remain in the background indefinitely (until closed or terminated via a mechanism such as "ssh -O exit"). If set to a time in seconds, or in any of the formats documented in sshd_config(5), the background master connection will automatically terminate after remaining idle (no clients connected) for the specified time.

2.24 DynamicForward

Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.

The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing the address in square brackets. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. A bind_address of localhost indicates that the listening port be bound for local use only, while an empty address or "*" indicates that the port should be available from all interfaces.

Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh(1) will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports.

2.25 EnableEscapeCommandline

Enables the command line option in the EscapeChar menu for interactive sessions (default is '~C'). By default, the command line is disabled.

2.26 EnableSSHKeysign

Setting this option to yes in the global client configuration file /etc/ssh/ssh_config enables the use of the helper ssh-keysign(8) during HostbasedAuthentication. Parameter must be yes or no (default). This option should be placed in the non-host specific section. See ssh-keysign(8) for more information.

2.27 EscapeChar

Sets the escape character (default: '~'). The escape character can also be set on the command line. The argument should be a single character, "^" followed by a letter, or "none" to disable the escape character entirely (making the connection transparent for binary data).

2.28 ExitOnForwardFailure

Specifies whether ssh(1) should terminate the connection if it cannot set up all requested dynamic, tunnel, local, and remote port forwardings (e.g. if either end is unable to bind and listen on a specified port). Note that ExitOnForwardFailure does not apply to connections made over port forwardings and will not, for example, cause ssh(1) to exit if TCP connections to the ultimate forwarding destination fail. The argument must be yes or no (the default).

2.29 FingerprintHash

Specifies the hash algorithm used when displaying the key fingerprint. Valid options are: md5 and sha256 (default).

2.30 ForkAfterAuthentication

Requests ssh to go to the background just before command execution. This is useful if ssh is going to ask for a password or passphrase, but the user wants it in the background. This implies the StdinNull configuration option being set to "yes". The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm, which is the same as ssh host xterm if the ForkAfterAuthentication configuration option is set to "yes". If the ExitOnForwardFailure configuration option is set to "yes", then a client started with ForkAfterAuthentication set to "yes" will wait for all remote port forwards to be successfully established before placing itself in the background. The argument to this keyword must be yes (same as the -f option) or no (the default).

2.31 ForwardAgent

Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument may be yes, no (the default), an explicit path to an agent socket, or the name of an environment variable (beginning with '$') in which to find the path.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

2.32 ForwardX11

Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be yes or no (the default).

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.

2.33 ForwardX11Timeout

Specifies a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config(5). X11 connections received by ssh(1) after this time will be refused. Setting ForwardX11Timeout to zero will disable the timeout and permit X11 forwarding for the life of the connection. The default is to disable untrusted X11 forwarding after twenty minutes have elapsed.

2.34 ForwardX11Trusted

If this option is set to yes, remote X11 clients will have full access to the original X11 display.
If this option is set to no (the default), remote X11 clients will be treated as untrusted, and data belonging to trusted X11 clients will be prevented from being stolen or tampered with. Additionally, the xauth(1) token used for the session will expire after 20 minutes. Remote client access will be denied thereafter.

See the X11SECURITY extension specification for details on restrictions imposed on untrusted clients.

2.35 GatewayPorts

Specifies whether remote hosts are allowed to connect to the local forwarded port. By default, ssh(1) binds local port forwarding to the loopback address. This will prevent other remote hosts from connecting to the forwarded port. GatewayPorts can be used to specify that ssh should bind local port forwarding to a wildcard address, allowing remote hosts to connect to the forwarded port. Parameter must be yes or no (default).

2.36 GlobalKnownHostsFile

Specifies one or more files to be used for the global host key database, separated by spaces. The default value is /etc/ssh/ssh_known_hosts,/etc/ssh/ssh_known_hosts2.

2.37 GSSAPIAuthentication

Specifies whether user authentication based on GSSAPI is allowed. The default is no.

GSSAPIDelegateCredentials

Forward (delegate) credentials to the server. The default is no.

2.38 HashKnownHosts

Indicates that ssh(1) should hash hostnames and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh(1) and sshd(8), but they do not reveal identifying information should the file's contents be disclosed. The default is no. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen(1).
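As an added illustration of what HashKnownHosts actually writes (this is not OpenSSH code), the Python below produces and checks hashed known_hosts entries of the form |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)): a fresh 20-byte salt per line means the same host hashes differently every time and the file no longer lists which hosts were visited, while a lookup stays a recompute-and-compare. The known_hosts content and key string are constructed placeholders; @cert-authority and @revoked marker lines are not handled.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"  # version 1 of the hashed-hostname format

# Constructed known_hosts content; the key material is a placeholder, not a real key.
SAMPLE_KNOWN_HOSTS = (
    "# plain entry: anyone who can read the file sees where you connect\n"
    "git.example.com,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL\n"
)


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the |1|salt|hash field for hostname; a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(20)  # one SHA-1 digest length of random salt per entry
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_field_matches(field: str, hostname: str) -> bool:
    """True if a hashed hostname field was produced for this hostname."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
    except ValueError:  # malformed field (binascii.Error is a ValueError)
        return False
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def find_host_keys(known_hosts: str, hostname: str) -> List[str]:
    """Key parts ("type base64key") of the lines whose hostname field,
    hashed or plain, matches hostname. Plain fields may be a comma-separated
    list; a hashed field always holds exactly one name."""
    matches = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, _, keypart = line.partition(" ")
        if names.startswith(HASH_MAGIC):
            hit = hashed_field_matches(names, hostname)
        else:
            hit = hostname in names.split(",")
        if hit:
            matches.append(keypart)
    return matches


def hash_known_hosts(known_hosts: str) -> str:
    """What ssh-keygen -H does: rewrite each plain hostname field as one
    hashed line per name; comments and already-hashed lines are kept as-is."""
    out = []
    for line in known_hosts.splitlines():
        names, _, keypart = line.partition(" ")
        if not line.strip() or line.startswith("#") or names.startswith(HASH_MAGIC):
            out.append(line)
            continue
        for name in names.split(","):
            out.append(f"{hash_hostname(name)} {keypart}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print(find_host_keys(hashed, "git.example.com"))
```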

HostbasedAcceptedAlgorithms

Specifies the signature algorithms that will be used for host-based authentication as a comma-separated list of patterns. Alternatively, if the specified list begins with a "+" character, then the specified signature algorithms will be appended to the default set instead of replacing them. If the specified list begins with a "-" character, then the specified signature algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a "^" character, then the specified signature algorithms will be placed at the head of the default set. The default for this option is:

ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256

The -Q option of ssh(1) may be used to list supported signature algorithms.

2.39 HostbasedAuthentication

Specifies whether to try rhosts based authentication with public key authentication. The argument must be yes or no (the default).

HostKeyAlgorithms

Specifies the host key signature algorithms that the client wants to use in order of preference. Alternatively, if the specified list begins with a "+" character, then the specified signature algorithms will be appended to the default set instead of replacing them. If the specified list begins with a "-" character, then the specified signature algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a "^" character, then the specified signature algorithms will be placed at the head of the default set. The default for this option is:

ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256

If the target host's host key is known, then this default will be modified to prefer their algorithm.

The list of available signature algorithms may also be obtained using "ssh -Q HostKeyAlgorithms".

2.40 HostKeyAlias

Specifies an alias that should be used instead of the real host name when locating or saving the host key in the host key database file and verifying the host certificate. This option is useful for tunneling SSH connections or multiple servers running on a single host.

2.41 Hostname

Specify the actual hostname to log in to. This can be used to specify a nickname or abbreviation for the host. The Hostname parameter accepts the tokens described in the TOKENS section. Numeric IP addresses are also allowed (in command line and hostname specifications). The default value is the name given on the command line.

2.42 IdentitiesOnly

Specifies that ssh(1) should only use the configured authentication identity and certificate files (either the default files, or those explicitly configured in the ssh_config files or passed on the ssh(1) command line), even if ssh-agent(1) or a PKCS11Provider or SecurityKeyProvider offers more identities. The argument to this keyword must be yes or no (the default). This option is intended for situations where ssh-agent offers many different identities.

2.43 IdentityAgent

Specifies the UNIX-domain socket used to communicate with the authentication agent.

This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent. Setting the socket name to none disables the use of an authentication agent. If the string "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. Otherwise, if the specified value begins with a '$' character, then it will be treated as an environment variable containing the location of the socket.

Parameters to IdentityAgent can use tilde syntax to reference the user's home directory, tokens described in the TOKENS section, and environment variables described in the ENVIRONMENT VARIABLES section.

2.44 IdentityFile

Specifies a file from which the user's DSA, ECDSA, authenticator-managed ECDSA, Ed25519, authenticator-managed Ed25519 or RSA authentication identity is read. You can also specify a public key file to use the corresponding private key that is loaded in ssh-agent(1) when the private key file is not present locally. The defaults are ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa. Additionally, any identities represented by the authentication agent will be used for authentication unless IdentitiesOnly is set. If no certificates have been explicitly specified by CertificateFile, ssh(1) will try to load certificate information from the filename obtained by appending -cert.pub to the path of a specified IdentityFile.

Arguments to IdentityFile may use the tilde syntax to refer to a user's home directory or the tokens described in the TOKENS section.

Multiple identity files can be specified in the configuration file; all these identities will be tried in order. Multiple IdentityFile directives are added to the list of attempted identities (this behavior differs from that of other configuration directives).

IdentityFile may be used in conjunction with IdentitiesOnly to select which identities in an agent are offered during authentication. IdentityFile may also be used in conjunction with CertificateFile in order to provide any certificate also needed for authentication with the identity.

2.45 IgnoreUnknown

A list of patterns specifying unknown options to be ignored when unknown options are encountered during configuration parsing. This method can be used to suppress errors if ssh_config contains options that ssh(1) does not recognize. It is recommended to list IgnoreUnknown early in the configuration file as it will not be applied to unknown options that appear before it.

2.46 Include

Includes the specified configuration file(s). Multiple pathnames may be specified and each pathname may contain glob(7) wildcards and, for user configurations, shell-like "~" references to user home directories. Wildcards will be expanded and processed in lexical order. Files without absolute paths are assumed to be in ~/.ssh if included in a user configuration file, or /etc/ssh if included from the system configuration file. Include directives may appear inside a Match or Host block to perform conditional inclusion.

2.47 IPQoS

Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef, le, lowdelay, throughput, reliability, a numeric value, or none to use the operating system default. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is af21 (Low-Latency Data) for interactive sessions and cs1 (Lower Effort) for non-interactive sessions.

2.48 KbdInteractiveAuthentication

Specifies whether to use keyboard-interactive authentication. The argument to this keyword must be yes (the default) or no. ChallengeResponseAuthentication is a deprecated alias for this.

2.49 KbdInteractiveDevices

Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server-specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: bsdauth, pam, and skey.

2.50 KexAlgorithms

Specify available KEX (key exchange) algorithms. Multiple algorithms must be separated by commas. If the specified list starts with a "+" character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a "-" character, then the specified algorithms (including wildcards) are removed from the default set instead of replacing them. If the specified list begins with the "^" character, then the specified algorithm will be placed in front of the default set. The default value is:

sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

You can also use "ssh -Q kex" to get a list of available key exchange algorithms.

2.51 KnownHostsCommand

Specifies a command to use to obtain a list of host keys, in addition to those listed in UserKnownHostsFile and GlobalKnownHostsFile. This command is executed after the files have been read. It may write host key lines to standard output in identical format to the usual files (described in the VERIFYING HOST KEYS section in ssh(1)). Arguments to KnownHostsCommand accept the tokens described in the TOKENS section. The command may be invoked multiple times per connection: once when preparing the preference list of host key algorithms to use, again to obtain the host key for the requested hostname and, if CheckHostIP is enabled, one more time to obtain the host key matching the server's address. If the command exits abnormally or returns a non-zero exit status then the connection is terminated.

2.52 LocalCommand

Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. Arguments to LocalCommand accept the tokens described in the TOKENS section.

The command is run synchronously and does not have access to the session of the ssh(1) that spawned it. It should not be used for interactive commands.

This directive is ignored unless PermitLocalCommand is enabled.

2.53 LocalForward

Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument specifies the listener and may be [bind_address:]port or a Unix domain socket path. The second argument is the destination and may be host:hostport or a Unix domain socket path if the remote host supports it.

IPv6 addresses can be specified by enclosing the address in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. A bind_address of localhost indicates that the listening port be bound for local use only, while an empty address or "*" indicates that the port should be available from all interfaces. Unix domain socket paths may use the tokens described in the TOKENS section and environment variables as described in the ENVIRONMENT VARIABLES section.

2.54 LogLevel

Gives the verbosity level that is used when logging messages from ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.

2.55 LogVerbose

Specifies one or more overrides to LogLevel. An override consists of a pattern list that matches the source file, function and line number to force detailed logging. For example, an override pattern of:
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
would enable detailed logging for line 1000 of kex.c, everything in the kex_exchange_identification() function, and all code in the packet.c file. This option is intended for debugging, and no overrides are enabled by default.

2.56 MACs

Specifies the MAC (Message Authentication Code) algorithms in order of preference. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified list begins with a "+" character, the specified algorithms are appended to the default set instead of replacing them. If the specified list begins with a "-" character, the specified algorithms (including wildcards) are removed from the default set instead of replacing them. If the specified list begins with a "^" character, the specified algorithms are placed at the head of the default set.
Algorithms whose name contains "-etm" calculate the MAC after encryption (encrypt-then-MAC). These are considered safer and their use is recommended.

The default value is:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

The list of available MAC algorithms may also be obtained using "ssh -Q mac".

2.57 NoHostAuthenticationForLocalhost

Disable host authentication for localhost (loopback address). The argument to this keyword must be yes or no (the default).

2.58 NumberOfPasswordPrompts

Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. The default value is 3.

2.59 PasswordAuthentication

Specifies whether to use password authentication. The argument to this keyword must be yes (the default) or no.

2.60 PermitLocalCommand

Allows local command execution via the LocalCommand option or using the !command escape sequence in ssh(1). The argument must be yes or no (the default).

2.61 PermitRemoteOpen

Specifies the destinations to which remote TCP port forwarding is permitted when RemoteForward is used as a SOCKS proxy. The forwarding specification must be one of the following forms:
PermitRemoteOpen host:port
PermitRemoteOpen IPv4_addr:port
PermitRemoteOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with whitespace. An argument of any can be used to remove all restrictions and permit any forwarding requests. An argument of none can be used to prohibit all forwarding requests. The wildcard '*' can be used for host or port to allow all hosts or ports respectively. Otherwise, no pattern matching or address lookups are performed on supplied names.

2.62 PKCS11Provider

Specifies which PKCS#11 provider to use, or none to indicate that no provider should be used (the default). The argument to this keyword is the path to the PKCS#11 shared library that ssh(1) should use to communicate with a PKCS#11 token providing keys for user authentication.

2.63 Port

Specify the port number to connect to on the remote host. Default is 22.

2.64 PreferredAuthentications

Specifies the order in which the client should try authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is:
gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

2.65 ProxyCommand

Specifies the command to use to connect to the server. The command string extends to the end of the line and is executed using the user's shell 'exec' directive to avoid a lingering shell process. Arguments to ProxyCommand accept the tokens described in the TOKENS section. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect to an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the Hostname of the host being connected to (defaulting to the name typed by the user). Setting the command to none disables this option entirely. Note that CheckHostIP is not available for connections made with a proxy command.

This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:

ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

2.66 ProxyJump

Specifies one or more jump proxies as either [user@]host[:port] or an ssh URI. Multiple proxies may be separated by comma characters and will be visited sequentially. Setting this option will cause ssh(1) to connect to the target host by first making a ssh(1) connection to the specified ProxyJump host and then establishing a TCP forwarding to the ultimate target from there. Setting the host to none disables this option entirely.
Note that this option will compete with the ProxyCommand option - whichever is specified first will prevent later instances of the other from taking effect.

Note also that the configuration for the destination host (either supplied via the command-line or the configuration file) is not generally applied to jump hosts. ~/.ssh/config should be used if specific configuration is required for jump hosts.

2.67 ProxyUseFdpass

Specifies that ProxyCommand will pass a connected file descriptor back to ssh(1) instead of continuing to execute and pass data. The default is no.

2.68 PubkeyAcceptedAlgorithms

Specifies the signature algorithms that will be used for public key authentication as a comma-separated list of patterns. If the specified list begins with a ‘+’ character, then the algorithms after it will be appended to the default instead of replacing it. If the specified list begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified algorithms will be placed at the head of the default set. The default for this option is:

ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256

The list of available signature algorithms may also be obtained using "ssh -Q PubkeyAccepted".

2.69 PubkeyAuthentication

Specifies whether to try public key authentication. The argument to this keyword must be yes (the default), no, unbound, or host-bound. The final two options enable public key authentication while respectively disabling or enabling the OpenSSH host-bound authentication protocol extension required for restricted ssh-agent(1) forwarding.

2.70 RekeyLimit

Specifies the maximum amount of data that may be transmitted or received before the session key is renegotiated, optionally followed by a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of 'K', 'M', or 'G' to indicate kilobytes, megabytes, or gigabytes respectively. The default is between "1G" and "4G", depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section of sshd_config(5). The default value for RekeyLimit is "default none", which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time-based rekeying is done.

2.71 RemoteCommand

Specifies the command to be executed on the remote computer after a successful connection to the server. The command string is extended to the end of the line and executed using the user's shell. RemoteCommand's parameters accept tokens as described in the TOKENS section.

2.72 RemoteForward

Specifies that a TCP port on the remote machine be forwarded over the secure channel. The remote port may either be forwarded to a specified host and port from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote client to connect to arbitrary destinations from the local machine. The first argument is the listening specification and may be
[bind_address:]port
or, if the remote host supports it, a Unix domain socket path. If forwarding to a specific destination then the second argument must be
host:hostport
or a Unix domain socket path; otherwise, if no destination argument is specified, the remote forwarding is established as a SOCKS proxy. When acting as a SOCKS proxy, the destination of the connection can be restricted by PermitRemoteOpen. IPv6 addresses can be specified by enclosing the address in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Privileged ports can be forwarded only when logging in as root on the remote machine. Unix domain socket paths may use the tokens described in the TOKENS section and the environment variables described in the ENVIRONMENT VARIABLES section.

If the port parameter is 0, the listening port will be dynamically allocated on the server and reported to the client at runtime.

If bind_address is not specified, the default is to bind only to the loopback address. If bind_address is "*" or the empty string, request forwarding listens on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).
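To make the listener and destination grammar of LocalForward and RemoteForward concrete, here is an added Python example (not OpenSSH code, and not part of the original page) that parses a forwarding directive's argument pair: a [bind_address:]port listener or Unix socket path, a host:hostport destination with bracketed IPv6 support, and the RemoteForward-without-destination case that becomes a SOCKS proxy. The class and function names (Endpoint, Forward, parse_endpoint, parse_forward, is_valid_forward) are this example's own.

```python
"""Parse LocalForward / RemoteForward arguments as ssh_config describes them.

Added example, not OpenSSH code. The listener is '[bind_address:]port' or a
Unix domain socket path; the destination is 'host:hostport' or a socket path.
A RemoteForward with no destination acts as a SOCKS proxy. The names used
here (Endpoint, Forward, parse_endpoint, parse_forward) are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IPv6 literals must be written in square brackets, e.g. [2001:db8::1]:80
_BRACKETED = re.compile(r"^\[([0-9A-Fa-f:.%]+)\]:(\d+)$")


@dataclass
class Endpoint:
    kind: str                   # "tcp" or "unix"
    host: Optional[str] = None  # bind address (listener) or target host (destination)
    port: Optional[int] = None  # None for Unix domain sockets
    path: Optional[str] = None  # socket path for Unix domain sockets


def parse_endpoint(spec: str, is_listener: bool) -> Endpoint:
    """Split one endpoint. A leading '/' marks a Unix domain socket path."""
    if spec.startswith("/"):
        return Endpoint(kind="unix", path=spec)
    m = _BRACKETED.match(spec)
    if m:
        host, port = m.group(1), m.group(2)
    elif ":" in spec:
        host, _, port = spec.rpartition(":")
        if ":" in host:  # an unbracketed IPv6 address is ambiguous
            raise ValueError(f"IPv6 address must be enclosed in brackets: {spec!r}")
    elif is_listener:
        host, port = None, spec  # bind_address omitted: GatewayPorts decides
    else:
        raise ValueError(f"destination must be host:hostport: {spec!r}")
    if not port.isdigit() or int(port) > 65535:
        raise ValueError(f"invalid port in {spec!r}")
    if host == "":
        host = "*"  # an empty address means all interfaces, same as '*'
    return Endpoint(kind="tcp", host=host, port=int(port))


@dataclass
class Forward:
    listener: Endpoint
    destination: Optional[Endpoint]  # None: RemoteForward acting as a SOCKS 4/5 proxy
    privileged: bool                 # listener port below 1024 needs root


def parse_forward(listener: str, destination: Optional[str] = None,
                  remote: bool = False) -> Forward:
    """Parse one forwarding directive.

    remote=False models LocalForward, which always needs a destination;
    remote=True models RemoteForward, where a missing destination means the
    remote listener becomes a SOCKS proxy (restricted by PermitRemoteOpen).
    """
    lst = parse_endpoint(listener, is_listener=True)
    if destination is None:
        if not remote:
            raise ValueError("LocalForward requires a destination")
        dst = None
    else:
        dst = parse_endpoint(destination, is_listener=False)
    # Port 0 on a RemoteForward asks the server for a dynamic port, so it is
    # not counted as privileged.
    privileged = lst.kind == "tcp" and 0 < lst.port < 1024
    return Forward(lst, dst, privileged)


def is_valid_forward(listener: str, destination: Optional[str] = None,
                     remote: bool = False) -> bool:
    """True if the pair parses; handy for checking a config before use."""
    try:
        parse_forward(listener, destination, remote)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample directives, as they would appear in ssh_config.
    print(parse_forward("8080", "[2001:db8::1]:80"))
    print(parse_forward("localhost:1080", remote=True))  # SOCKS proxy on the server
    print(parse_forward("/tmp/db.sock", "127.0.0.1:5432"))
```

The rpartition on the last colon is what makes "host:port" and "[v6]:port" coexist: an IPv6 literal without brackets still contains a colon after the split and is rejected rather than silently mis-parsed.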

2.73 RequestTTY

Specifies whether to request a pseudo tty for the session. The argument could be: no (never request a TTY), yes (always request a TTY when standard input is a TTY), force (always request a TTY) or auto (request a TTY when opening a login session). This option mirrors the -t and -T flags of ssh(1).

2.74 RequiredRSASize

Specifies the minimum RSA key size (in bits) that ssh(1) will accept. User authentication keys smaller than this limit will be ignored. Servers presenting host keys smaller than this limit will cause the connection to be terminated. The default value is 1024 bits. Note that this limit can only be raised from the default value.

2.75 RevokedHostKeys

Specifies the revoked host public key. For host authentication, keys listed in this file will be rejected. Note that if this file does not exist or is not readable, host authentication will be denied for all hosts. Keys can be specified as a text file listing one public key per line, or as an OpenSSH Key Revocation List (KRL) generated by ssh-keygen (1). For more information about KRL, see the KEY REVOCATION LISTS section in ssh-keygen (1). Parameters to RevokedHostKeys can use tilde syntax to reference the user's home directory, tokens described in the TOKENS section, and environment variables described in the ENVIRONMENT VARIABLES section.

2.76 SecurityKeyProvider

Specifies a path to a library that will be used when loading any FIDO authenticator-hosted keys, overriding the default of using the built-in USB HID support.
If the specified value begins with a "$" character, it is treated as an environment variable containing the path to the library.

2.77 SendEnv

Specifies which variables from the local environ(7) should be sent to the server. The server must also support it, and the server must be configured to accept these environment variables. Note that the TERM environment variable is always sent whenever a pseudo-terminal is requested, as it is required by the protocol. Refer to AcceptEnv in sshd_config(5) for how to configure the server. Variables are specified by name, which may contain wildcard characters. Multiple environment variables may be separated by whitespace or spread across multiple SendEnv directives. See PATTERNS for more information on patterns.

A previously set SendEnv variable name can be cleared by prefixing the pattern with -. By default no environment variables are sent.

2.78 ServerAliveCountMax

Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore cannot be spoofed. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depends on knowing when a connection has become unresponsive. The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, and the server becomes unresponsive, ssh will disconnect after approximately 45 seconds.

2.79 ServerAliveInterval

Set a timeout interval (in seconds). If no data is received from the server after the timeout, ssh(1) will send a message over the encrypted channel, requesting a response from the server. The default value is 0, which means these messages will not be sent to the server.

2.80 SessionType

May be used to either request invocation of a subsystem on the remote system, or to prevent the execution of a remote command at all. The latter is useful for just forwarding ports. The argument to this keyword must be none (same as the -N option), subsystem (same as the -s option) or default (shell or command execution).

2.81 SetEnv

Directly specify one or more environment variables and their contents to be sent to the server. Similar to SendEnv, the server must be prepared to accept environment variables in addition to the TERM variable.

2.82 StdinNull

Redirect stdin from /dev/null (in effect, prevent reading from stdin). This option or the equivalent -n option must be used when running ssh in the background. The argument to this keyword must be yes (same as the -n option) or no (the default).

2.83 StreamLocalBindMask

Sets the octal file creation mode mask (umask) used when creating a Unix domain socket file for local or remote port forwarding. This option is only used for port forwarding to a Unix domain socket file.
The default value is 0177, which creates a Unix domain socket file that is readable and writable only by the owner. Note that not all operating systems honor the file mode on Unix domain socket files.

2.84 StreamLocalBindUnlink

Specifies whether to remove an existing Unix domain socket file for local or remote port forwarding before creating a new one. If the socket file already exists and StreamLocalBindUnlink is not enabled, ssh will be unable to forward the port to the Unix domain socket file. This option is only used for port forwarding to a Unix domain socket file. The argument must be yes or no (the default).


2.85 StrictHostKeyChecking

If this flag is set to yes, ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against man-in-the-middle (MITM) attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to accept-new, ssh will automatically add new host keys to the user's known_hosts file, but will not permit connections to hosts with changed host keys. If this flag is set to no or off, ssh will automatically add new host keys to the user's known hosts file and allow connections to hosts with changed host keys to proceed, subject to some restrictions. If this flag is set to ask (the default), new host keys are added to the user's known hosts file only after the user has confirmed that this is what they really want to do, and ssh refuses to connect to hosts whose host key has changed. The host keys of known hosts are verified automatically in all cases.

2.86 SyslogFacility

Gives the facility code that is used when logging messages from ssh(1). Possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is USER.

2.87 TCPKeepAlive

Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying.
The default is yes (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too.

To disable TCP keep-alive messages, this value should be set to no.

2.88 Tunnel

Requests tun(4) device forwarding between the client and the server. The argument must be yes, point-to-point (layer 3), ethernet (layer 2), or no (the default). Specifying yes requests the default tunnel mode, which is point-to-point.
TunnelDevice
Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun).
The argument must be local_tun[:remote_tun]. The devices may be specified by numerical ID or the keyword any, which uses the next available tunnel device. If remote_tun is not specified, it defaults to any. The default is any:any.

2.89 UpdateHostKeys

Specifies whether ssh(1) should accept notifications of additional host keys from the server sent after authentication has completed and add them to UserKnownHostsFile. The argument must be yes, no or ask. This option allows learning alternate host keys for a server and supports graceful key rotation by allowing a server to send replacement public keys before old ones are removed.
Additional host keys are only accepted if the key used to authenticate the host was already trusted or explicitly accepted by the user, the host was authenticated via UserKnownHostsFile (i.e. not GlobalKnownHostsFile), and the host was authenticated using a plain key and not a certificate.

If the user does not override the default UserKnownHostsFile setting and does not enable VerifyHostKeyDNS, UpdateHostKeys is enabled by default, otherwise UpdateHostKeys is set to no.

If UpdateHostKeys is set to ask, the user is asked to confirm the modifications to the known_hosts file. Confirmation is currently incompatible with ControlPersist, and will be disabled if it is enabled.

Presently, only sshd(8) from OpenSSH 6.8 and greater supports the "hostkeys-00@openssh.com" protocol extension used to inform the client of all the server's host keys.

2.90 User

Specifies the user to log in as. This can be useful when a different user name is used on different machines. This saves the trouble of having to specify the user name on the command line.

2.91 UserKnownHostsFile

Specifies one or more files to use for the user host key database, separated by whitespace. Each filename may use tilde notation to refer to the user's home directory, the tokens described in the TOKENS section and environment variables as described in the ENVIRONMENT VARIABLES section. A value of none causes ssh(1) to ignore any user-specific known hosts files. The default is ~/.ssh/known_hosts, ~/.ssh/known_hosts2.

2.92 VerifyHostKeyDNS

Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to yes, the client will implicitly trust keys that match a secure fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to ask. If this option is set to ask, information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. The default is no.
See also VERIFYING HOST KEYS in ssh(1).

2.93 VisualHostKey

If this flag is set to yes, an ASCII art representation of the remote host key fingerprint is printed in addition to the fingerprint string at login and for unknown host keys. If this flag is set to no (the default), no fingerprint strings are printed at login and only the fingerprint string is printed for unknown host keys.

2.94 XAuthLocation

Specifies the full pathname of the xauth (1) program. The default value is /usr/X11R6/bin/xauth.

3 Patterns

A pattern consists of zero or more non-whitespace characters, '*' (a wildcard that matches zero or more characters), or '?' (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the ".co.uk" set of domains, the following pattern could be used:

Host *.co.uk

The following pattern would match any host in the 192.168.0.[0-9] network range:

Host 192.168.0.?

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ('!'). For example, to allow a key to be used from anywhere within an organization except from the "dialup" pool, the following entry (in authorized_keys) could be used:

from="!*.dialup.example.com,*.example.com"

Note that a negated match will never produce a positive result by itself. For example, attempting to match "host3" against the following pattern-list will fail:

from="!host1,!host2"

The solution here is to include a term that will yield a positive match, such as a wildcard:

from="!host1,!host2,*"
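The following Python example is added here to show the pattern and pattern-list rules in working code; it is not OpenSSH's implementation and not part of the original page. It reproduces the examples above (the ".co.uk" and 192.168.0.? patterns, the "host3" case that fails and the wildcard fix) and also handles the whitespace-separated form used by the Host keyword. The function names (match_pattern, match_pattern_list, host_matches) are this example's own, and host names are compared case-insensitively, which is how OpenSSH treats Host matching.

```python
"""Match hostnames against ssh_config patterns and pattern-lists.

Added example, not OpenSSH code. It implements the rules from the PATTERNS
section: '*' matches zero or more characters, '?' exactly one, a leading '!'
negates an entry, and a negated entry alone never yields a positive match.
Function names are this example's own; the tri-state return value follows
the same idea as OpenSSH's match.c but is not its code.
"""
import re
from typing import Optional


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape the pattern, then re-enable the two wildcard characters.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def match_pattern(string: str, pattern: str) -> bool:
    """Match a single pattern (no '!' handling, no list splitting)."""
    return _pattern_to_regex(pattern).fullmatch(string) is not None


def match_pattern_list(string: str, pattern_list: str,
                       sep: Optional[str] = ",") -> int:
    """Return 1 for a positive match, -1 if a negated entry matched, 0 if none did.

    A matching negated entry vetoes the whole list immediately. A positive
    match is remembered but the remaining entries are still checked, so a
    later negation can still veto it. sep=None splits on whitespace, which is
    the form the Host keyword uses.
    """
    got_positive = 0
    for entry in pattern_list.split(sep):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if match_pattern(string, entry):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def host_matches(host: str, patterns: str, sep: Optional[str] = ",") -> bool:
    """Case-insensitive hostname match for Host blocks (sep=None) and
    pattern-lists such as Match host or authorized_keys from= (sep=',')."""
    return match_pattern_list(host.lower(), patterns.lower(), sep) == 1


if __name__ == "__main__":
    # The examples from the PATTERNS section, checked against constructed hostnames.
    print(host_matches("www.example.co.uk", "*.co.uk"))                  # True
    print(host_matches("192.168.0.7", "192.168.0.?"))                    # True
    print(host_matches("host3", "!host1,!host2"))                         # False
    print(host_matches("host3", "!host1,!host2,*"))                       # True
    print(host_matches("pc1.dialup.example.com",
                       "!*.dialup.example.com,*.example.com"))           # False
    print(host_matches("bastion.example.com",
                       "*.example.com !bastion.*", sep=None))            # False
```

The tri-state result is what makes the "host3" example behave as documented: the two negated entries never match, so the function returns 0 rather than 1, and only the trailing "*" supplies a positive match.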

3.1 Tokens

Arguments to some keywords can make use of tokens, which are expanded at runtime:

%%
A literal '%'.
%C
Hash of %l%h%p%r.
%d
Local user's home directory.
%f
The fingerprint of the server's host key.
%H
The known_hosts hostname or address that is being searched for.
%h
The remote hostname.
%I
A string describing the reason for a KnownHostsCommand execution: ADDRESS when looking up a host by address (only when CheckHostIP is enabled), HOSTNAME when searching by hostname, or ORDER when preparing the host key algorithm preference list to use for the destination host.
%i
The local user ID.
%K
The base64 encoded host key.
%k
The host key alias if specified, otherwise the original remote hostname given on the command line.
%L
The local hostname.
%l
The local hostname, including the domain name.
%n
The original remote hostname, as given on the command line.
%p
The remote port.
%r
The remote username.
%T
The local tun(4) or tap(4) network interface assigned if tunnel forwarding was requested, or "NONE" otherwise.
%t
The type of the server host key, e.g. ssh-ed25519.
%u
The local username.
CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, LocalForward, Match exec, RemoteCommand, RemoteForward, RevokedHostKeys, and UserKnownHostsFile accept the tokens %%, %C, %d, %h, %i, %k, %L, %l, %n, %p, %r, and %u.

KnownHostsCommand also accepts the tokens %f, %H, %I, %K, and %t.

Hostname accepts the tokens %% and %h.

LocalCommand accepts all tokens.

ProxyCommand and ProxyJump accept the tokens %%, %h, %n, %p, and %r.
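As an added example (not OpenSSH's code and not part of the original page), the following Python script expands these tokens in a keyword argument and enforces the per-keyword acceptance lists above, for instance on the ProxyCommand line shown earlier. The connection values it uses are constructed samples, %C is computed as a SHA-1 hex digest over the expanded %l%h%p%r following the table's definition "Hash of %l%h%p%r", and the function names (expand_tokens, expand_for_keyword, is_valid_template, connection_values) are this example's own.

```python
"""Expand the %-tokens used in ssh_config keyword arguments.

Added example, not OpenSSH's expander. It encodes the token table from the
TOKENS section and the per-keyword acceptance lists that follow it. %C is
computed here as a SHA-1 hex digest over the expanded %l%h%p%r, following the
table's definition 'Hash of %l%h%p%r'. The sample connection values below are
constructed. Names (expand_tokens, expand_for_keyword, ...) are this example's own.
"""
import hashlib
from typing import Dict, Set

# Every token letter defined in the TOKENS section.
ALL_TOKENS: Set[str] = set("CdfHhIiKkLlnprTtu")

# Tokens accepted by the large group of keywords listed in the TOKENS section.
_COMMON: Set[str] = set("CdhikLlnpru")
ACCEPTED: Dict[str, Set[str]] = {
    kw: _COMMON for kw in (
        "CertificateFile", "ControlPath", "IdentityAgent", "IdentityFile",
        "KnownHostsCommand", "LocalForward", "Match exec", "RemoteCommand",
        "RemoteForward", "RevokedHostKeys", "UserKnownHostsFile")
}
ACCEPTED["KnownHostsCommand"] = _COMMON | set("fHIKt")
ACCEPTED["Hostname"] = set("h")
ACCEPTED["LocalCommand"] = ALL_TOKENS
ACCEPTED["ProxyCommand"] = set("hnpr")
ACCEPTED["ProxyJump"] = set("hnpr")


def connection_values(**fields: str) -> Dict[str, str]:
    """Build the token->value map for one connection and derive %C from it."""
    values = dict(fields)
    values["C"] = hashlib.sha1(
        (values["l"] + values["h"] + values["p"] + values["r"]).encode()).hexdigest()
    return values


def expand_tokens(template: str, values: Dict[str, str],
                  allowed: Set[str] = ALL_TOKENS) -> str:
    """Replace each %x with its value; '%%' yields a literal '%'.

    Raises ValueError for a dangling '%', an undefined token, a token the
    keyword does not accept, or a token with no value for this connection.
    """
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of argument")
        tok = template[i + 1]
        if tok == "%":
            out.append("%")
        elif tok not in ALL_TOKENS:
            raise ValueError(f"unknown token %{tok}")
        elif tok not in allowed:
            raise ValueError(f"token %{tok} is not accepted by this keyword")
        elif tok not in values:
            raise ValueError(f"no value for %{tok} in this connection")
        else:
            out.append(values[tok])
        i += 2
    return "".join(out)


def expand_for_keyword(keyword: str, template: str, values: Dict[str, str]) -> str:
    """Expand a keyword's argument using only the tokens that keyword accepts."""
    return expand_tokens(template, values, ACCEPTED[keyword])


def is_valid_template(keyword: str, template: str, values: Dict[str, str]) -> bool:
    """True if the argument expands cleanly for this keyword and connection."""
    try:
        expand_for_keyword(keyword, template, values)
        return True
    except (KeyError, ValueError):
        return False


# Constructed sample connection: user 'alice' on 'laptop' connecting to 'server'.
SAMPLE = connection_values(
    d="/home/alice", h="server.example.com", n="server", k="server", p="22",
    r="alice", L="laptop", l="laptop.example.com", u="alice", i="1000")

if __name__ == "__main__":
    print(expand_for_keyword("ProxyCommand",
                             "/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p", SAMPLE))
    print(expand_for_keyword("ControlPath", "~/.ssh/cm-%r@%h:%p", SAMPLE))
    print(is_valid_template("ProxyCommand", "%d/bin/proxy %h %p", SAMPLE))  # False
```

Checking the acceptance list before expanding is the useful part: a %d in a ProxyCommand, or a lone % at the end of an argument, is rejected with a clear error instead of reaching the shell as a half-expanded string.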

3.2 Environment variables

Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in ${}, for example ${HOME}/.ssh would refer to the user's .ssh directory. If a specified environment variable does not exist, an error is returned and the setting for that keyword is ignored.

Environment variables are supported for the keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, and UserKnownHostsFile. The keywords LocalForward and RemoteForward support environment variables only for Unix domain socket paths.

3.3 Files

~/.ssh/config
This is the per-user configuration file. The format of this file is described above. This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others.
/etc/ssh/ssh_config
Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable.

Origin blog.csdn.net/tangcoolcole/article/details/131163815