SSH

Server Configuration and Use

IPv4 and IPv6 address support in the server, sshd2, is controlled by the following keywords in the sshd2_config configuration file:

AddressFamily { inet | inet6 | any }

This keyword specifies which address families may be used. It may be supplied exactly once or be omitted.

Valid values for AddressFamily are:

  • inet (default): Accepts IPv4 addresses only. IPv6 addresses are ignored.

  • inet6: Accepts IPv6 addresses only.

  • any: Accepts both IPv4 and IPv6 addresses.

The command-line options -4 and -6 correspond to inet and inet6. If the command-line options are specified, they override the configuration keyword.

If no configuration keyword or command-line option is supplied, the default inet is used.

ListenAddress { IPv4 address | IPv6 address } [ port ]

This keyword specifies the network interface(s) on which the server will listen. It may be supplied multiple times, or be omitted:

  • If ListenAddress is omitted, sshd2 listens on the IPv4 0.0.0.0 address or the IPv6 :: address, or both, depending on the address family selected as above.

  • Multiple listening sockets are opened in the order given by the sequence of ListenAddress keywords found.

Listen addresses must accord with the AddressFamily specification: an address ruled out by the address family selected will be ignored.

Optionally, the port on which to listen may be specified here, thus overriding any Port configurations and the default port 22.

The command-line option -o ListenAddress='ip-address [port]' may also be used to specify interfaces on which the server is to listen. These are additional to any interfaces specified using configuration keywords. Each -o ListenAddress option must be followed by one address-port definition, consisting of an IPv4 or IPv6 address followed by a space, and an optional port number. If the port is missing, the last Port configuration keyword or the default port 22 is used.

Note that the -p port number option will override any port number specified via the configuration keyword Port or ListenAddress, but it does not affect any port numbers supplied with the -o ListenAddress option.

An IPv6 address may be either a link-local address or a global address; the server will listen on all scopes of a link-local address if one is specified.

The following table demonstrates some of the allowed and invalid combinations of the above-mentioned configuration keywords and command-line options, and their resultant effect:

Address  -4 / -6  Listen         -o              Listen on
Family            Address        ListenAddress   interface(s), port(s)

*         -4       none          127.0.0.1       127.0.0.1
*         -4       none          127.0.0.1 23    127.0.0.1:23
*         -4       none          ::1             error
*         -4       none          any             0.0.0.0:22
*         -4       none          any 23          0.0.0.0:23
*         -4       none          none            0.0.0.0:22
*         -6       none          0.0.0.0         error
*         -6       none          ::1             [::1]:22
*         -6       none          127.0.0.1       error
*         -6       none          ::              [::]:22
*         -6       none          any             [::]:22
*         -6       none          none            [::]:22
any       -6       0.0.0.0       none            0.0.0.0:22
any       none     ::1           127.0.0.1 23    [::1]:22, 127.0.0.1:23
any       none     ::1 23        none            [::1]:23
any       none     127.0.0.1     10.1.1.1 23     127.0.0.1:22, 10.1.1.1:23
any       none     127.0.0.1     ::1             127.0.0.1:22, [::1]:22
any       none     127.0.0.1 23  none            127.0.0.1:23
any       none     127.0.0.1     fe80::100:10 23 127.0.0.1:22, [fe80::100:10]:23
any       none     127.0.0.1     none            127.0.0.1:22
any       none     ::1           none            [::1]:22 (1)
any       none     [::]          none            0.0.0.0:22, [::]:22
any       none     none          ::              0.0.0.0:22, [::]:22
any       none     none          ::1             [::1]:22
any       none     none          127.0.0.1       127.0.0.1:22
any       none     none          127.0.0.1 23    127.0.0.1:23
any       none     none          any             0.0.0.0:22, [::]:22
any       none     none          any 23          0.0.0.0:23, [::]:23
any       none     none          none            0.0.0.0:22, [::]:22
inet6     -4       ::1           none            [::1]:22
inet6     -6       0.0.0.0       none            error
inet6     none     ::1           :: 23           [::1]:22, [::]:23
inet6     none     ::1 23        ::              [::1]:23, [::]:22
inet6     none     ::1 23        127.0.0.1       [::1]:23
inet6     none     ::1 23        fe80::100:10    [::1]:23, [fe80::100:10]:22
inet6     none     ::1 23        none            [::1]:23
inet6     none     127.0.0.1     ::              [::]:22
inet6     none     127.0.0.1     none            error
inet6     none     ::1           none            [::1]:22 (2)
inet6     none     none          127.0.0.1       error (3)
inet6     none     none          :: 23           [::]:23
inet6     none     none          fe80::100:10 23 [fe80::100:10]:23
inet6     none     none          none            [::]:22
inet      -6       0.0.0.0       none            0.0.0.0:22
inet      none     ::1           127.0.0.1       127.0.0.1:22
inet      none     127.0.0.1     10.1.1.1 23     127.0.0.1:22, 10.1.1.1:23
inet      none     127.0.0.1     ::              127.0.0.1:22
inet      none     127.0.0.1 23  10.1.1.1 22     127.0.0.1:23, 10.1.1.1:22
inet      none     127.0.0.1     :: 23           127.0.0.1:22
inet      none     127.0.0.1 23  none            127.0.0.1:23
inet      none     127.0.0.1     none            127.0.0.1:22
inet      none     ::1           none            error
inet      none     none          ::              error
inet      none     none          none            0.0.0.0:22
none      -4       ::1           127.0.0.1       127.0.0.1:22
none      -4       ::1           none            error
none      -6       0.0.0.0       none            error
none      none     none          [::] 23         error
none      none     none          any             0.0.0.0:22
none      none     none          any 23          0.0.0.0:23
none      none     none          ::              error
none      none     none          none            0.0.0.0:22
Notes:

(1), (2) Subsequent sshg3 ::1#22 succeeds; sshg3 127.0.0.1#22 fails.

(3) AddressFamily is overridden if an explicit address is given.

Running the server with the verbose option may help to clarify what interfaces are being listened on. See sshd2(8) and sshd2_config(5) for more details, as well as for where hosts may be specified or matched by IPv6 address (e.g. sshd2_config keywords AllowHosts, AllowSHosts, ProxyServer, etc.).
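The following audit script is an added example, not part of the product documentation. It reads the text of an sshd2_config file and reports which ListenAddress entries the selected AddressFamily keeps, which it ignores, and whether the result is a wildcard bind or an error. It covers the configuration file only (-4, -6, -p and -o ListenAddress are not modelled), and it assumes whitespace-separated, case-insensitive "Keyword value" lines with # comments; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress

# Page: with ListenAddress omitted, sshd2 listens on the wildcard of the family.
DEFAULTS = {"inet": ["0.0.0.0"], "inet6": ["::"], "any": ["0.0.0.0", "::"]}
WILDCARDS = {"0.0.0.0", "::", "any"}

def family_of(addr):
    """Return 'inet', 'inet6' or 'any' for a ListenAddress value."""
    if addr.lower() == "any":
        return "any"
    bare = addr.strip("[]").split("%")[0]    # drop brackets and any scope id
    return "inet" if ipaddress.ip_address(bare).version == 4 else "inet6"

def audit_listen(config_text):
    """Audit the AddressFamily, Port and ListenAddress lines of a config text."""
    family, port, entries = "inet", 22, []   # page: inet and 22 are the defaults
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split() # assumption: '#' starts a comment
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "addressfamily":
            family = words[1].lower()
        elif key == "port":
            port = int(words[1])             # the last Port keyword wins
        elif key == "listenaddress":
            entries.append((words[1], int(words[2]) if len(words) > 2 else None))
    if not entries:
        entries = [(a, None) for a in DEFAULTS[family]]
    kept, ignored = [], []
    for addr, p in entries:
        # An address ruled out by the selected family is ignored.
        ok = family == "any" or family_of(addr) in (family, "any")
        (kept if ok else ignored).append((addr.strip("[]"), p or port))
    # error: every ListenAddress was ruled out (an "error" row in the table).
    return {"family": family, "kept": kept, "ignored": ignored,
            "error": not kept,
            "wildcard": any(a in WILDCARDS for a, _ in kept)}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
AddressFamily inet6
Port 2222
ListenAddress 127.0.0.1
ListenAddress ::1 23
"""

if __name__ == "__main__":
    print(audit_listen(SAMPLE))
```

A non-empty "ignored" list means the file names an interface the server will silently not serve, and "wildcard" marks a configuration that exposes the server on every interface of the kept family.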