13.6 ssh Command Line Options

The syntax for ssh is:

ssh [-4] [-6] [-a] [-c cipher] [-C] [-d debug_level] [-e character] [-f] [-fo] [-F file] [-g] [-h] [-i file] [-l username] [-L [protocol/][listening_host:]listening_port:host:hostport] [-m mac_algorithm] [-n] [-o option] [-p port] [-q] [-R [protocol/][listening_host:]listening_port:host:hostport] [-s subsystem] [-S] [-t] [-v] [-V] [-W password_file] [-x] [-X] [-Y] [[username@]host[#port]] [remote_command [arguments] ...]

Options are available in both a single-character form (such as -o) and a descriptive equivalent (--option). Single characters are shown here. To view the descriptive equivalents, use the -h command line option.

Caution: All options specified on the command line (including user names, host names, and other sensitive information) will show up in a process status (ps) listing. Exercise care when specifying sensitive options and switches so that other users cannot easily see that information. A more secure alternative is to set these options in a configuration file and to protect the configuration file using recommended file permissions (configuration file = 600, directory containing the file = 700).

-4

Forces connections using IPv4 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-6

Forces connections using IPv6 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-a

Disables authentication agent forwarding. Authentication agent forwarding is enabled using the ForwardAgent keyword, which is set to 'yes' by default. You can use -a to override the configuration file setting.

-c cipher

Specifies one or more (comma-separated) encryption algorithms supported by the client.

The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are 'aes128-ctr', 'aes128-cbc', 'aes192-ctr', 'aes192-cbc', 'aes256-ctr', 'aes256-cbc', 'blowfish-cbc', 'arcfour', 'arcfour128', 'arcfour256', 'cast128-cbc', and '3des-cbc'.

You can also set this value to 'none'. When 'none' is the agreed-on cipher, data is not encrypted. Note that this method provides no confidentiality protection and is not recommended.

The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers).

You can also configure encryption algorithms in the configuration file using the Ciphers keyword; the default is 'AnyStdCipher'.
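The alias expansion and the selection rule described above, as an added shell example (not code from the Reflection for Secure IT documentation); the server-side cipher lists it is called with are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the Reflection for Secure IT documentation.
# Expands the -c / Ciphers aliases described above into concrete names in
# the order given, then applies the selection rule from the text: the first
# cipher in the client's preference order that the server also offers wins.
# The server lists passed in below are constructed for the demonstration.

AES_ALL='aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc'
ALL_STD="$AES_ALL,blowfish-cbc,arcfour,arcfour128,arcfour256,cast128-cbc,3des-cbc"

# expand_ciphers LIST -> prints the comma-separated concrete cipher names
expand_ciphers() {
    out=''
    old_ifs=$IFS
    IFS=', '
    for item in $1; do
        case $item in
            aes)                    add=$AES_ALL ;;
            blowfish)               add='blowfish-cbc' ;;
            cast)                   add='cast128-cbc' ;;
            3des)                   add='3des-cbc' ;;
            AnyCipher|AnyStdCipher) add=$ALL_STD ;;
            Any|AnyStd)             add="$ALL_STD,none" ;;   # the only aliases that admit 'none'
            *)                      add=$item ;;
        esac
        out="${out:+$out,}$add"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# negotiate_cipher CLIENT_LIST SERVER_LIST -> prints the cipher that would be
# used, or NO-MATCH (exit status 1) when the two sides share no algorithm
negotiate_cipher() {
    client=$(expand_ciphers "$1")
    server=",$(expand_ciphers "$2"),"
    old_ifs=$IFS
    IFS=','
    for c in $client; do
        case $server in
            *",$c,"*) IFS=$old_ifs; printf '%s\n' "$c"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    printf 'NO-MATCH\n'
    return 1
}

negotiate_cipher 'AnyStdCipher' 'none' || :   # NO-MATCH: encryption stays mandatory
negotiate_cipher 'Any' 'none'                 # none: the session would run unencrypted
```

The same preference-order rule governs -m, where 'any' and 'AnyStd' are the MAC aliases that admit 'none'.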

-C

Disables compression. Compression is desirable on modem lines and other slow connections, but will slow down response rates on fast networks. Compression also adds extra randomness to the packet, making it harder for a malicious person to decrypt the packet. Compression can be enabled using the Compression keyword in the configuration file. Using -C overrides the configuration file setting.

-d debug_level

Sets the debug level. Increasing the value increases the amount of information displayed. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.)

Note: Setting logging to 99 can increase your security risk. At this level, information leakage is a concern, as unencrypted protocol information may be written out. Also, the volume of information written may fill up disk space rapidly, potentially causing the host or Reflection for Secure IT to stop responding.

-e character

Sets the escape character for the terminal session. The default character is a tilde (~). Setting the escape character to 'none' means that no escape character is available and the tilde acts like any other character. For details, see ESCAPE SEQUENCES below. You can also set the escape character in the configuration file using the EscapeChar keyword.

-f

Use this option when you have configured port forwarding and you want the Secure Shell session to run in the background. If at least one port forwarding rule is configured, this option sends the Secure Shell session to the background after authentication is complete. The session remains in the background and continues to accept forward requests indefinitely until you manually kill the process. (This is equivalent to setting GoBackground=yes in the configuration file.)

-fo

This option works like -f, but in this case the background session waits for only one forwarded connection to occur and exits as soon as that forwarded connection is closed. (This is equivalent to setting GoBackground=oneshot in the configuration file.)

-F file

Specifies an additional configuration file. Settings are read from this file in addition to the default user-specific file (~/.ssh2/ssh2_config) and/or the system-wide file (/etc/ssh2/ssh2_config). Settings in this file override settings in both the user-specific file and the system-wide file.

-g

Enables gateway ports. Remote hosts are allowed to connect to local forwarded ports. You can also configure this in the configuration file using the GatewayPorts keyword.

Caution: This option should be used with extreme caution (and never with Internet-facing network adapters), because the client performs no authentication of remote host connections. If the application to which this connection is forwarded does not perform its own authentication, then all remote host connections are allowed unrestricted access to that application.

-h

Displays a brief summary of command options.

-i file

Specifies an alternate identification file to use for public key authentication. The file location is assumed to be in the current working directory unless you specify a fully-qualified or relative path. The default identity file is ~/.ssh2/identification. You can also specify an identity file in the configuration file using the IdentificationFile keyword.

-l username

Specifies a name to use for login on the remote computer. You can also specify a user name in the configuration file using the Username keyword. (Note: If you include the optional [user@] as part of your host specification, -l overrides the specified user name.)

-L [protocol/][listening_host:]listening_port:host:hostport

Redirects data from the specified local port, through the secure tunnel to the specified destination host and port. When a Secure Shell connection is established, the Secure Shell client opens a socket on the Secure Shell client host using the designated local port (listening_port). (On client hosts with multiple interfaces, use listening_host to specify which interface.) Configure your application client (the one whose data you want to forward) to send data to the forwarded socket (rather than directly to the destination host and port). When that client establishes a connection, all data sent to the forwarded port is redirected through the secure tunnel to the Secure Shell server, which decrypts it and then directs it to the destination socket (host,hostport). Unless the gateway ports option is enabled, the forwarded local port is available only to clients running on the same computer as the Secure Shell client. The optional protocol can be tcp or ftp. Multiple client applications can use the forwarded port, but the forward is active only while ssh is running.

Note: If the final destination host and port are not on the Secure Shell server host, data is sent in the clear between the Secure Shell host and the application server host.

You can also configure local forwarding in the configuration file using the LocalForward keyword.
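An added shell example (not code from the Reflection for Secure IT documentation) that splits a forwarding specification in the format shown above and flags the point made in the Note: a destination other than the Secure Shell server host means the last leg is unencrypted. -R uses the same specification format. The host names in the sample call are constructed.

```shell
#!/bin/sh
# Added example, not from the Reflection for Secure IT documentation.
# Splits an -L (or -R) specification of the form
#   [protocol/][listening_host:]listening_port:host:hostport
# into its parts and reports whether the leg after the Secure Shell server
# is still inside the tunnel, per the note above. IPv6 literals, which
# contain colons, are out of scope for this simple splitter.

# parse_forward SPEC -> prints "protocol listening_host listening_port host hostport";
# listening_host defaults to 127.0.0.1, the only reach of the forward without -g
parse_forward() {
    spec=$1
    proto=tcp
    case $spec in
        */*) proto=${spec%%/*}; spec=${spec#*/} ;;
    esac
    case $proto in
        tcp|ftp) ;;
        *) printf 'unsupported protocol: %s\n' "$proto" >&2; return 1 ;;
    esac
    # count colon-separated fields: 3 = port:host:hostport, 4 = with listening_host
    rest=$spec; n=1
    while [ "${rest#*:}" != "$rest" ]; do rest=${rest#*:}; n=$((n + 1)); done
    case $n in
        3) lhost=127.0.0.1 ;;
        4) lhost=${spec%%:*}; spec=${spec#*:} ;;
        *) printf 'malformed forward: %s\n' "$1" >&2; return 1 ;;
    esac
    lport=${spec%%:*}; spec=${spec#*:}
    host=${spec%%:*}; hport=${spec#*:}
    for p in "$lport" "$hport"; do
        case $p in
            ''|*[!0-9]*) printf 'ports must be numeric: %s\n' "$1" >&2; return 1 ;;
        esac
    done
    printf '%s %s %s %s %s\n' "$proto" "$lhost" "$lport" "$host" "$hport"
}

# last_hop SPEC -> "tunnelled" when the destination is the Secure Shell server
# itself (a loopback name), otherwise "cleartext" for the server-to-destination leg
last_hop() {
    fields=$(parse_forward "$1") || return 1
    set -- $fields
    case $4 in
        localhost|127.0.0.1|::1) printf 'tunnelled\n' ;;
        *) printf 'cleartext\n' ;;
    esac
}

last_hop '3306:db.internal.example:3306'   # cleartext: plan for the unencrypted leg
```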

-m mac_algorithm

Specifies, in order of preference, which MACs (message authentication codes) are supported by the client. Allowed values are 'hmac-sha256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96', 'hmac-sha512', and 'hmac-ripemd160'. Use 'AnyMac' to support all of these. Use 'AnyStdMac' to specify 'hmac-sha256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are 'none', 'any' (equivalent to 'AnyMac' plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none'). When 'none' is the agreed-on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include 'none' are not recommended.

You can also configure MACs in the configuration file using the MACs keyword; the default is 'AnyStdMac'.

-n

Redirects stdin from /dev/null, which prevents reading from stdin. You can also configure this in the configuration file using the DontReadStdin keyword.

-o option

Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see ssh2_config(5). Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.

-o key1=value
-o key1="sample value"
-o "key1 value"
-o key=value1,value2
-o key="value1, value2"

To configure multiple options, use multiple -o switches.

-o key1=value -o key2=value

-p port

Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections. You can also configure the port in the configuration file using the Port keyword.

-q

Enables quiet mode, which causes all warning and diagnostic messages, including banners, to be suppressed. You can also configure this in the configuration file using the QuietMode keyword.

-R [protocol/][listening_host:]listening_port:host:hostport

Redirects data from the specified remote port (on the computer running the Secure Shell server), through the secure tunnel to the specified destination host and port. When the Secure Shell connection is established, the Secure Shell server opens a socket on its host (the computer running the Secure Shell server) using the designated remote port (listening_port). (On server hosts with multiple interfaces, use listening_host to specify which interface.) Configure your client application (the one whose data you want to forward) to send data to the forwarded socket (rather than directly to the destination host and port). When that client establishes a connection, all data sent to the forwarded port is redirected through the secure tunnel to the Secure Shell client, which decrypts it and then directs it to the destination socket (host,hostport). The optional protocol can be tcp or ftp.

You can also configure remote forwarding in the configuration file using the RemoteForward keyword.

-s subsystem

Invokes the specified subsystem on the remote system. Subsystems are a feature of the Secure Shell protocol which facilitates the use of Secure Shell as a secure transport for other applications (such as sftp). Subsystems must be defined by the Secure Shell server.

-S

Connects without requesting a session channel on the server. This can be used with port-forwarding requests if a session channel (and tty) is not needed, or the server does not give one.

-t

Forces a tty allocation even if a command is specified. You can also configure this in the configuration file using the ForcePTTYAllocation keyword.

-v

Sets the debug level to verbose mode, which is equivalent to using '-d 2'. You can also configure this in the configuration file using the VerboseMode keyword.

-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.

-W password_file

Specifies a file containing the password to use for the connection. Set permissions on the password file to 600; the file is not accepted if it has read or write permissions for group or other. Also, for a non-root user, the file is not accepted if there has been a change in identity (userid). This option applies only to password authentication. If AllowedAuthentications is configured to attempt keyboard-interactive before password authentication (the default), users will receive a password prompt even if a valid password file is present. To prevent this, modify the allowed authentications list to support only password authentication or to attempt password authentication before keyboard-interactive.

Note: Passphraseless public keys provide a more secure way to configure authentication without requiring user interaction, because private keys are not transmitted over the encrypted connection like passwords are.
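An added shell example (not code from the Reflection for Secure IT documentation) that checks the permission rules stated on this page: the -W password file must carry no group/other read or write bits, and the Caution near the top recommends 600 for a configuration file holding sensitive options and 700 for its directory. The path in the final line is the default user configuration file named on this page.

```shell
#!/bin/sh
# Added example, not from the Reflection for Secure IT documentation.
# Checks the permission rules this page states for files holding secrets:
# the -W password file must have no group/other read or write bits (600),
# and the recommended ssh2_config alternative to sensitive command-line
# options is file 600 inside a directory of 700. The checks work on the
# ten-character mode string that `ls -ld` prints on every POSIX system.

# file_mode_ok MODESTRING -> 0 when a regular file grants neither read nor
# write to group or other (positions 5, 6, 8 and 9 of the string are '-')
file_mode_ok() {
    case $1 in
        -???--?--?) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_mode_ok MODESTRING -> 0 when a directory grants nothing to group/other
dir_mode_ok() {
    case $1 in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# mode_of PATH -> the mode string, e.g. "-rw-------" or "drwx------"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_secret_file PATH -> prints "ok" or the first problem found (exit 1);
# run it on a -W password file or on ~/.ssh2/ssh2_config before relying on it
check_secret_file() {
    [ -f "$1" ] || { printf 'not a regular file: %s\n' "$1"; return 1; }
    if ! file_mode_ok "$(mode_of "$1")"; then
        printf 'group/other can read or write %s (chmod 600)\n' "$1"; return 1
    fi
    dir=$(dirname "$1")
    if ! dir_mode_ok "$(mode_of "$dir")"; then
        printf 'directory %s is open to group/other (chmod 700)\n' "$dir"; return 1
    fi
    printf 'ok\n'
}

check_secret_file "$HOME/.ssh2/ssh2_config" || :   # report on the user's own config, if present
```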

-X

Enables X11 connection forwarding and treats X11 clients as untrusted. Untrusted remote X11 clients are prevented from tampering with data belonging to trusted X11 clients. You can also configure this in the configuration file using the ForwardX11 keyword.

-x

Disables X11 connection forwarding. You can also configure this in the configuration file using the ForwardX11 keyword.

-Y

Enables X11 connection forwarding and treats X11 clients as trusted.