
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
1 answers
4172 views
Using ssh -t works but using ProxyCommand ssh -W does not
I am trying to set up a ssh connection through a jump host. It should go like this A -> B -> C. I can connect fine from A to B and from B to C but I would like to have a single connection from A to C directly (I want to use some tools over ssh.) I'm on mac OSx. These commands work fine:
ssh hostB
and then from hostB
ssh hostC
or
ssh -t hostB ssh hostC
I am able to get on hostC. I have another tunnel set up to a cluster and it works fine.
ssh cluster
This is my .ssh/config file:
Host hostB
    Hostname xxx.xxx.xxx.xxx
    User userB
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa_macbook_air

Host cluster
    Hostname clusterHostname
    User clusterUser
    ProxyCommand ssh hostB -W %h:%p
    IdentityFile ~/.ssh/id_rsa

Host hostC
    Hostname xxx.xxx.xxx.xxx
    User userC
    ProxyCommand ssh hostB -W %h:%p
    IdentityFile ~/.ssh/id_rsa_macbook_air

Host *+*
    ProxyCommand ssh -W $(echo %h | sed 's/^.*+//;s/^\([^:]*$\)/\1:22/') $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/')
I get the following error when I try to connect to hostC:
ssh hostC -v
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/userC/.ssh/config
debug1: /Users/userC/.ssh/config line 28: Applying options for hostC
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Executing proxy command: exec ssh hostB -W xxx.xxx.xxx.xxx:22
debug1: permanently_drop_suid: 501
debug1: identity file /Users/userC/.ssh/id_rsa_macbook_air type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/userC/.ssh/id_rsa_macbook_air-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
I get the same output when I run:
ssh -l userC userB%hostB+hostC
I don't have and cannot install netcat or any other software on hostB. I have full access on my start machine and on hostC. Thank you for your help!
johnny_and1 (41 rep)
Jul 28, 2016, 05:54 PM • Last activity: Jul 5, 2025, 12:05 PM
2 votes
1 answers
30 views
SSH multiplexing + control master when network connection changes
I have a computer server and a laptop guest, both running Ubuntu. I set SSH multiplexing and control master in the laptop's .ssh/config like the following:
Host servername
    User username
    Port 22
    HostName servername.ddns.net
    ControlMaster auto
    ControlPersist 1h
    ControlPath /tmp/ssh_mux_%r@%n:%p
When the laptop connects to the server via ssh servername.ddns.net, a control file is created. However, if the laptop exits the connection to the server and tries to connect again while using a different Wifi network, the ssh attempt hangs. I suppose because there's some conflict with the control file that was created originally. How could I set up SSH multiplexing and control master in a way that is robust to connecting and re-connecting to the server using different WiFi networks?
hannah (21 rep)
Jun 26, 2025, 10:32 AM • Last activity: Jun 26, 2025, 10:51 AM
4 votes
1 answers
3019 views
ssh percent_expand token %n not working
I'm seeing in the **ssh_config** man page and on the **openssh** website that I should be able to use a **%n token** when locating the identity file for a given host entry.
percent_expand tokens used by OpenSSH's ssh(1) and sshd(8)
GitHub allows using ssh tokens as deploy tokens but prevents you from using a token more than once on multiple repositories. So I wanted to use globbing to create a single profile regardless of how many individual project keys I had to create:
host github-*
    Hostname github.com
    User git
    IdentityFile %d/.ssh/github/%n
    IdentitiesOnly yes
Then I put a github-MyPackage public/private key pair under the ~/.ssh/github/ directory. It finds the globbed profile and the %d works fine but if I try to do a git clone with the %n to find the Identity file name from the original command-line specified host-alias:
> git clone github-MyPackage:/myorganization/MyPackage.git
Cloning into 'MyPackage'...
percent_expand: unknown key %n
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
This is not simply how git accesses it as it also fails with just a simple ssh command:
> ssh github-MyPackage
percent_expand: unknown key %n
I tried googling but didn't find anything on %n. Is this not fully implemented or is there something I'm doing wrong?
Scott (151 rep)
Feb 18, 2021, 06:57 PM • Last activity: Apr 12, 2025, 09:07 AM
1 votes
1 answers
80 views
Download dotfiles when SSH-ing with a bash login shell
I'm working with a lot of remote Ubuntu hosts that are changing a lot. To have a streamlined workflow on all hosts I'm downloading my personal dotfiles with bash aliases, small exes and configurations onto these servers upon login and source the new bash files. For this I have aliased my ssh command to this:
ssh() {
    command ssh -t -o RemoteCommand="git -C '/tmp/myuser/dotfiles' pull --rebase \
        || git clone https://github.com/MyUser/dotfiles.git '/tmp/myuser/dotfiles'; \
        bash --rcfile '/tmp/myuser/dotfiles/.bashrc' -i" "$@"
}
This worked reliably so far, however the issue here is that this alias sometimes gets in the way. One case is for example if I want to execute a command on the remote host from my local machine without logging into the host:
ssh foreign.host 'curl http://localhost:8888/say/hello'
In that case ssh will complain with
Cannot execute command-line and remote command.
(since the remote command is already given). Is there a way to configure OpenSSH so that only when executing a *bash login shell* on a host my dotfiles are fetched and sourced?
glades (117 rep)
Sep 18, 2024, 10:08 AM • Last activity: Sep 18, 2024, 12:16 PM
6 votes
1 answers
4674 views
In ssh config, what does `Match canonical all` mean?
I wanted to use CanonicalizeHostname in my ssh config which would make it possible to add and remove hosts without having to edit the file.
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Host *
    ForwardAgent no
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
ssh-agent was not being forwarded to any of my servers. If I changed ForwardAgent under Host * to "yes" then it would be forwarded. As ForwardAgent under Match canonical was not being parsed I thought there was a bug and I made a report to OpenSSH (which was deleted). It was explained to me that it was working as intended:
> When hostname canonicalisation is enabled, the configuration is parsed
> twice. An initial pass to collect options and then a second pass after
> the hostnames are finalised. Most configuration options operate as
> "first match wins"
>
> So what's happening here is that, on the first pass, your "Host *"
> block is being parsed and the ForwardAgent option is being set to
> "no". On the subsequent pass, the ForwardAgent directive in the "Match
> canonical" block is ignored because it's already set.
I can understand that. I knew it was parsed twice with CanonicalizeHostname enabled, but I didn't realise this consequence of that. What I don't understand is the way to avoid that "by only setting the fallback ForwardAgent on the final pass":
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes

Match canonical all
    ForwardAgent no
**My questions:**
* How is Match All different to Host *?
* What does Match canonical all mean? Why would the canonical hosts be directed to parse that option again when it has already been set for them in a different way? If it was !canonical it would make more sense to me, although seemingly redundant, as in this case the single directive under it has already been set.
I have a lot of other options to add, which were mostly under Host * and have nothing to do with CanonicalizeHostname, so I had left them out, but now I don't know where to put them.
paradroid (1235 rep)
Apr 3, 2023, 10:32 AM • Last activity: Sep 3, 2024, 02:50 PM
32 votes
3 answers
39551 views
Remote command in ssh config file
I'd like to set ssh_config so after just typing ssh my_hostname I end up in a specific folder. Just like I would type cd /folder/another_one/much_much_deeper/. How can I achieve that? EDIT. It has been marked as a duplicate of "How to ssh into dir..." yet it is **not** my question. I know I can execute any commands by tailing them to the ssh command. My question is about the /ssh_config file, not the command.
Kazz (423 rep)
Mar 29, 2017, 02:14 PM • Last activity: Jul 29, 2024, 07:42 AM
1 votes
0 answers
90 views
Git ls-remote to github fails with classic "SHA-1 not supported" on tunneled ssh session but `ssh -T git@github.com` doesn't
Cross-posting from [here](https://stackoverflow.com/questions/78737977/git-ls-remote-to-github-fails-with-classic-sha-1-not-supported-on-tunneled-ssh?noredirect=1#comment138823224_78737977) as suggested by the community. A bit of context: At my company we do tunneling to ssh into EC2 boxes. This tunneling command is as usual, uses ForwardAgent and the proxycommand is something like this: ProxyCommand ssh tunnelhost exec nc %h 22. Some other configs are:
AddKeysToAgent yes
UseKeychain yes
IdentitiesOnly yes
UserKnownHostsFile ~/.ssh/known_hosts
HostKeyAlgorithms +ssh-rsa,ssh-dss,ssh-ed25519
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-ed25519
KexAlgorithms +diffie-hellman-group1-sha1
PubKeyAuthentication yes
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_ecdsa
As you can see, I already tried RSA, ED25519 and ECDSA keys (all of them added to GitHub) and it seems like my key is not the issue. **The problem:** The issue is that, if I do a git ls-remote --heads git@github.com:company_org/repository.git I keep getting the error:
ERROR: You're using an RSA key with SHA-1, which is no longer allowed.
Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/  for more information.
I know my key is not SHA-1 but still keep getting this error. To confirm my theory (that my key is fine) I used (following github's guidance) the ssh -T git@github.com command and I see it's working as I receive the correct response:
Hi stoicAlchemist! You've successfully authenticated, but GitHub does not provide shell access.
I have a feeling that the server might have a conflicting config somewhere but I don't know where to look. More Context: It seems that I'm the only one on my team that is having this issue, the other engineers don't have an issue, that's why I'm leaning towards a config. I already tried changing keys, and even tried different types, changed configs to see if any of them were to blame but with no luck.
Stoic Alchemist (366 rep)
Jul 12, 2024, 06:27 PM
1 votes
1 answers
467 views
How to match IPv6 addresses as a host pattern in ssh_config
My VPS listens to SSH on port 222. On my clients I created a ssh_config such that the non-default port needs not to be explicitly provided on the command line every time. (Some daemons which internally use SSH and must connect to my server do not even allow to specify a different port). Matching of the DNS name and IPv4 address works as expected, but IPv6 is not matched. How do I specify IPv6 addresses in ssh_config? My configuration looks like
Host my-server.my-domain.tld x.y.w.z [xxxx:yyyy::zzzz]
    HostName my-server.my-domain.tld
    Port 222
Currently, when some process tries to connect to my server, I see an error that the server refused the connection on port 22 via IPv6 and then the process falls back to IPv4 and successfully connects to the server on port 222. I have already tried to specify the IPv6 address without the square brackets, but then SSH complains about a syntactically invalid DNS or IPv4 address. I also have tried to move the IPv6 address to its own Host-block without success.
user2690527 (412 rep)
Jul 1, 2024, 04:55 PM • Last activity: Jul 2, 2024, 06:15 AM
2 votes
1 answers
1106 views
How do I define an alternate fallback in ~/.ssh/config?
I have a number of entries in ~/.ssh/config:
Host github.com
    Hostname github.com
    User git
    IdentityFile ~/.ssh/github

Host mydomain.com
    User name
    IdentityFile ~/.ssh/id_rsa

Host full.name@work.com
    Hostname work.com
    User full.name
    IdentityFile ~/.ssh/work_rsa
If none match, the default fallback is id_rsa. But I'd like a different fallback. The following attempt failed, because it catches everything, overriding any previous settings.
Host '*'
    IdentityFile ~/.ssh/fallback
What is the correct way to express "none of the above"?
lofidevops (3349 rep)
Apr 12, 2018, 02:59 PM • Last activity: Mar 29, 2024, 06:27 PM
2 votes
0 answers
203 views
ssh-agent with multiple keys
I have a script which retrieves private keys from a repository database and adds them to the ssh-agent with ssh-add -
Kai78 (21 rep)
Jan 24, 2024, 02:28 PM
1 votes
1 answers
40 views
SSH Config: How to Stop Repeating a Setting/Have it in the Wildcard Host?
I have a repeating setting remoteCommand, that I'd like to add in the wild card host if possible. Here is a truncated snippet:
host container-server

host container-1 
  remoteCommand docker exec -it containerHostname-01 bash

host container-2
  remoteCommand docker exec -it containerHostname-02 bash

host container-2
  remoteCommand docker exec -it containerHostname-02 bash

host * 
  user 
  requestTTY yes
  identityFile ~/.ssh/key
  strictHostkeyChecking no
  userKnownHostsFile /dev/null
  preferredAuthentications publicKey
  hostname
As containerHostname-0 all differ by an integer, I'm assuming it can't be done, and I've researched for days and came back with nothing, so is it possible?
Nickotine (554 rep)
Dec 14, 2023, 09:45 PM • Last activity: Dec 14, 2023, 11:06 PM
0 votes
1 answers
527 views
ssh config: I have many hosts who I want to use settings from 2 different wildcard hosts respective, please review my attempt
I have 2 sets of hosts who I want to use settings from 2 separate wildcard hosts. I also have a huge number of hosts so need help on which style is best for this scenario. The hosts are mostly in the format of x1 x2 x3...
### My attempts:
1:
host one
  user cat

host two
  hostname 2

host three
  hostname 3

host one two three
  user apple
  identityFile ~/.ssh/id_rsa

host x1
  hostname 7

host y2
  hostname 8

host z3
  hostname 9

host x1 y2 z3
  user duck
  identityFile ~/.ssh/quack
### Omitting the hosts only using the wild card hosts but they apply to the hosts. 2:
host x* y* z*
  user duck
  identityFile ~/.ssh/

# for hosts one two three

host * 
  user apple
  IdentityFile ~/.ssh/quack
Are these methods correct, and are there any suggestions for better methods? Please critique.
Nickotine (554 rep)
Nov 3, 2023, 07:47 AM • Last activity: Nov 3, 2023, 09:10 AM
-1 votes
1 answers
400 views
ssh config: can I have 2 host wildcards?
### Simplified Example:
host one
  user cat

host two
  hostname 2

host three
  hostname 3

host *
  hostname 1
  

host *
  user apple
  identityFile ~/.ssh/id_rsa

host y
  hostname 7

host t
  hostname 8

host * 
  user duck
  identityFile ~/.ssh/quack
Is this possible? The hosts above the 1st host * would inherit its values only, and the 2nd hosts would only inherit the host * beneath them. If not, is there a way to achieve this?
Nickotine (554 rep)
Nov 3, 2023, 12:03 AM • Last activity: Nov 3, 2023, 07:27 AM
0 votes
1 answers
113 views
Can I use these aliases in some sort of config file?
### I have many of these kinds of aliases, the part before = is the host in ssh config
alias sshConfigHost='ssh -t hostname docker exec -it containerName bash'
Could I add these to some sort of config file? The hostname is defined in ssh config so it's being used twice in a way, could I have a place holder like % that it would take the hostname from ssh config. If not then could I at least have the container name in my ssh config, then pull it into the cmd using a placeholder?
Nickotine (554 rep)
Nov 2, 2023, 05:25 PM • Last activity: Nov 2, 2023, 07:03 PM
1 votes
1 answers
496 views
ssh config: can I replace proxy command?
Here is my standard work ssh config which everyone uses:
host go
  User user
  ProxyJump otherHostname
  StrictHostKeyChecking=no
  UserKnownHostsFile=/dev/null
  IdentityFile ./ssh/key
  ProxyCommand ssh -i ~/.ssh/key -W %h:%p otherUser@OtherHostname
The proxyCommand part bothers me as the whole point of an ssh config is to have no use for commands. Are there options for the command parameter which would mean there wouldn't be an ssh command in the config?
### proxyCommand uses the identityFile and ProxyJump values for the command:
ssh -i ~/.ssh/key -W %h:%p otherUser@OtherHostname
### In other words:
ssh -i IdentityFile -W %h:%p differentUser@ProxyJump
Nickotine (554 rep)
Oct 31, 2023, 05:16 PM • Last activity: Oct 31, 2023, 07:27 PM
0 votes
1 answers
534 views
Placeholder in ssh config in HostName
I am trying to simplify the following part:
Host sandbox*
   Port 22
   User myUser
   ProxyCommand=nc -X 5 -x gateway.test.io:1080 %h %p

Host sandbox9
   HostName 1.0.9.10

Host sandbox10
   HostName 1.0.10.10

Host sandbox11
   HostName 1.0.11.10
I read, that I can use %h in HostName, which would then look like that:
Host sandbox*
   Port 22
   User myUser
   ProxyCommand=nc -X 5 -x gateway.test.io:1080 %h %p
   HostName 1.0.%h.10
But then I get the following error when trying to use ssh:
❯ ssh sandbox9
nc: connection failed, SOCKS error 8
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
ChatGPT first told me that the first approach should work, but then tells me this:
> The %h placeholder cannot be directly used in the HostName directive of the SSH configuration file to substitute a variable for the hostname. Using placeholders in this specific directive is not supported.
Am I doing something wrong?
Mr.Tr33 (101 rep)
May 10, 2023, 02:35 PM • Last activity: Sep 23, 2023, 05:03 AM
0 votes
1 answers
424 views
Create ssh config to VNC server with tunnel via intermediate machine
I recently found out about ssh config file where one can setup frequently used ssh connections. However, I am having troubles transforming one command which connects my computer to VNCServer running on my server which is hidden behind intermediate server. Basically transform this command (which works):
ssh -t -L port1:localhost:port2 user1@machine1.com ssh -L port2:localhost:port3 user2@machine.com
with vncviewer localhost:0 in separate window, into ssh config file. I managed to create a config which connect to the machine without throwing any Failed to set up port messages, but when I run in separate terminal window
vncviewer localhost:0
I get an error. In case the ~/.ssh/config is set in this way (my own try):
Host machine1
   HostName machine1.com
   User user1
   LocalForward port1 localhost:port2
   RequestTTY force

 Host machine2
   HostName machine2.com
   User user2
   LocalForward port2 localhost:port3
   ProxyJump machine1
and ran by running ssh machine2 and then vncviewer localhost:0 in new terminal window the error is "Failed to connect to localhost:0": unable to connect to socket: Connection refused (111). In the case I set it up as mentioned [here](https://unix.stackexchange.com/questions/303993/reverse-ssh-tunnel-in-with-ssh-config):
Host machine2
  HostName machine2.com
  User user2
  LocalForward port1 user1@machine1:port2
  LocalForward port2 user2@machine2:port3
  RequestTTY force
I get an error saying The connection was dropped by the server before the session could be established. In both cases I connect to machine2 in terminal window and can browse stuff. But I would like to connect to the vncserver also. Can you please explain what am I doing wrong here? I was consulting these sources when creating any other ssh config:
https://linuxize.com/post/using-the-ssh-config-file/ --- beginners guide
https://man7.org/linux/man-pages/man1/ssh.1.html --- to look definition of every -t -L I used
https://phoenixnap.com/kb/ssh-config --- to translate -t -L to ssh config command
https://www.ssh.com/academy/ssh/tunneling-example --- to explain whether I need LocalForward or Remote Forward
Arual (3 rep)
Sep 10, 2023, 08:33 AM • Last activity: Sep 10, 2023, 12:09 PM
1 votes
1 answers
500 views
Add multiple interfaces to one IPv6 Hostname in SSH config
Right now I have the following ~/.ssh/config to reach an embedded device via its link-local IPv6:
Host someDevice
    # Hostname fe80::dcad:beff:feef:cafe%%eth0
    Hostname fe80::dcad:beff:feef:cafe%%enxf875a44106f9
    User root
    [some more options...]
I don't want manual interaction every time my network interface changes.
- With both commented in, SSH will simply use the first.
- Using a different host for each is impractical.
Has anyone already automated this? Right now, I'm looking into match as well as /etc/hosts file to achieve this. I prefer, if the configuration happens in the SSH config file.
Mo_ (257 rep)
Aug 8, 2023, 11:10 AM • Last activity: Aug 10, 2023, 10:45 AM
2 votes
0 answers
348 views
Conditionally skip ssh-config options when ssh is too old for them?
How can I use SetEnv in ~/.ssh/config (and the same config on various systems), but not throw an error when ssh is too old to support it? I've tried adding a Match exec statement to exclude that setting when ssh is too old (OpenSSH &1 | sed -nE '/^OpenSSH_(7\.(8|9|\d\d+)|(8|9|\d\d+\.))/!{q7}'" SetEnv LANG=C
But it seems like the SetEnv line is parsed and throws an error anyway:
$ ssh -vvv anyhost
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
...
debug2: checking match for 'host "server.example.com webhost" exec "ssh -V 2>&1 | sed -nE '/^OpenSSH_(7\\.(8|9|\\d\\d+)|(8|9|\\d\\d+\\.))/!{q7}'"' host anyhost originally anyhost
debug3: /home/jacktose/.ssh/config line 37: not matched 'host "anyhost"'
debug3: /home/jacktose/.ssh/config line 37: skipped exec "ssh -V 2>&1 | sed -nE '/^OpenSSH_(7\\.(8|9|\\d\\d+)|(8|9|\\d\\d+\\.))/!{q7}'"
debug2: match not found
/home/jacktose/.ssh/config: line 38: Bad configuration option: setenv
...
/home/jacktose/.ssh/config: terminating, 1 bad configuration options
Jacktose (533 rep)
Jun 23, 2023, 09:06 PM
2 votes
0 answers
967 views
What is the difference between a Match all and a Host * block in ssh_config
As I was reviewing my current OpenSSH client configuration file and intensively reading the ssh_config(5) man page, I found that, from my understanding, both Match all and Host * will achieve the same result. Thus I was wondering if the fact that they cover the same need is a side effect of other usage for both Match and Host block, or if there are subtle differences between the two?
Edit: After reading the answer to the question (https://unix.stackexchange.com/questions/741771/in-ssh-config-what-does-match-canonical-all-mean) (thank you @muru for your proposal), I still have some doubt: In it, @BlockchainOffice first says that:
> The Match all block matches all hosts and is equivalent to Host *.
I understand that as "they can be used in the exact same way". However, later he adds:
> How is Match All different to Host *?
>
> Host * matches all hosts, thus the configuration directives that follow will be applied to all hosts. The hostname can appear anywhere in the pattern you use (either as part of the pattern itself, or at the end after an asterisk).
>
> A "Match All" keyword is used to group all the configuration directives that apply to a particular host. When you use "Match All", you don't need to specify a pattern, as it will match all hosts by default.
And now I’m a bit lost. The two paragraphs seem to say they are different, but I don’t understand how. Mainly I don’t get the "The hostname can appear anywhere in the pattern you use (either as part of the pattern itself, or at the end after an asterisk)." about the Host *. I’m not sure what the hostname here is referring to and how it can appear in the pattern (what pattern?) or after the asterisk.
Étienne (21 rep)
Jun 16, 2023, 11:32 AM • Last activity: Jun 16, 2023, 09:37 PM