This error occurs when the SSH client or server encounters an invalid or misspelled configuration option. It typically indicates a typo in your SSH config file, use of a deprecated option, or an option that's not supported by your SSH version.
The "Bad configuration option" error appears when OpenSSH parses a configuration file (either ~/.ssh/config for the client or /etc/ssh/sshd_config for the server) and encounters an unrecognized directive. OpenSSH is strict about configuration syntax—it rejects any option it doesn't understand. The error message usually includes a line number pointing to where the invalid option appears. This error can occur when the SSH client reads ~/.ssh/config or when the SSH server reads its main configuration file.
First, verify your SSH version and check if your config file has syntax errors:
# Check your SSH version
ssh -V
# Validate the config file syntax without connecting
ssh -G hostname_or_alias > /dev/nullThe ssh -G command will print the effective configuration and immediately show any syntax errors. This helps identify the exact line with the problem.
The error message should specify the file and line number. Open the config file and check that line:
# For SSH client config (most common)
nano ~/.ssh/config
# For SSH server config (if you're running sshd)
sudo nano /etc/ssh/sshd_configLook at the line mentioned in the error. Check for:
- Typos in the option name
- Lowercase letters (should be: HostName, IdentityFile, Port, User, etc.)
- Trailing characters or spaces
- Incomplete configuration
Verify option names use correct capitalization. Here are common mistakes:
Common typos:
- 'hostname' → should be 'HostName'
- 'identityfile' → should be 'IdentityFile'
- 'user' → should be 'User'
- 'port' → should be 'Port'
- 'identitiesonly' → should be 'IdentitiesOnly'
- 'usekeychain' → should be 'UseKeychain' (macOS only)
- 'identifyfile' → should be 'IdentityFile' (common typo)
Example of correcting ~/.ssh/config:
# WRONG (typo)
Host myserver
HostName example.com
IdentityFile ~/.ssh/id_rsa
identitiesonly yes # WRONG case
# CORRECT
Host myserver
HostName example.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes # CORRECT caseIf you're getting 'Bad configuration option: UseKeychain' on Linux or Windows, it's because that option only works on macOS. Handle this in two ways:
Option 1: Use IgnoreUnknown directive (SSH 7.3+)
Add this at the top of ~/.ssh/config to ignore unknown options:
IgnoreUnknown UseKeychain
Host *
UseKeychain yes
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519The SSH client will silently ignore 'UseKeychain' and 'AddKeysToAgent' on systems that don't support them.
Option 2: Conditionally include config files
Use Include with environment-specific config files:
# ~/.ssh/config
# Include macOS-specific config
Include ~/.ssh/config.macos
# Common settings
Host *
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519Then create ~/.ssh/config.macos with macOS-only options:
Host *
UseKeychain yesSome options have been deprecated and removed in newer OpenSSH versions. Check your SSH version:
ssh -VCommon deprecated options:
- 'RSAAuthentication' (removed in OpenSSH 7.4, use PubkeyAuthentication instead)
- 'DSAAuthentication' (deprecated)
- 'RhostsRSAAuthentication' (deprecated)
- 'GSSAPICleanupCredentials' (changed to GSSAPICleanupcredentials in some versions)
If you see a deprecated option error, check the OpenSSH release notes for your version or remove the option from your config.
Check if the file has incorrect encoding or line endings. This sometimes causes parsing issues:
Using vim to check and fix:
vim ~/.ssh/config
# Type: :set fileformat?- If output is 'fileformat=dos', the file has CRLF line endings (Windows style)
- Fix by typing: :set fileformat=unix then :wq
Also check for BOM (Byte Order Mark):
# Check for BOM
file ~/.ssh/config
# If it shows "UTF-8 (with BOM)", remove BOM:
# Using vim:
# :set nobomb
# :wqUsing dos2unix tool:
# Convert CRLF to LF
dos2unix ~/.ssh/configThe client config (~/.ssh/config) and server config (/etc/ssh/sshd_config) have different valid options. Using server options in client config causes this error.
Server-only options (belong in /etc/ssh/sshd_config):
- PermitRootLogin
- StrictModes
- MaxAuthTries
- MaxSessions
- PubkeyAuthentication (server-side)
- PasswordAuthentication (server-side)
- PermitEmptyPasswords
Client-only options (belong in ~/.ssh/config):
- HostName
- User
- IdentityFile
- ProxyCommand
- LocalForward
- RemoteForward
Example mistake:
# WRONG - ~/.ssh/config
Host myserver
HostName example.com
PermitRootLogin no # THIS IS A SERVER OPTION
# CORRECT - ~/.ssh/config
Host myserver
HostName example.com
User myuser
# Server option belongs in /etc/ssh/sshd_config insteadIf you can't identify the exact issue, comment out suspect lines one at a time and test:
# In ~/.ssh/config, comment out lines with #
# Host example
# HostName example.com
# IdentityFile ~/.ssh/id_rsa
# UseKeychain yes # Try commenting this out first if on Linux
# Test if config now works
ssh -G example > /dev/null && echo "Config OK" || echo "Still has errors"Once you find the problematic line, fix or remove it. Then uncomment the rest.
Advanced troubleshooting:
SSH version-specific options: Some options were added in specific OpenSSH versions. Check the man page for your version:
man ssh_config | grep -A 2 "OptionName"Include directive: Modern OpenSSH (7.3+) supports the Include directive, allowing you to split config into multiple files:
Include ~/.ssh/config.d/*This is useful for managing platform-specific or project-specific SSH settings.
Debugging SSH config: Use ssh -vvv hostname for verbose output showing exactly which config options are being loaded and how they're interpreted.
Config file permissions: While not directly causing this error, ensure ~/.ssh/config has proper permissions (600) for SSH to accept it:
chmod 600 ~/.ssh/configMatch directive: OpenSSH 6.7+ supports conditional config using Match blocks, allowing you to apply options based on criteria:
Match host example.com
IdentityFile ~/.ssh/id_rsa
Match host *.local
StrictHostKeyChecking noIgnoreUnknown directive usage: While IgnoreUnknown helps with cross-platform compatibility, don't overuse it. Only ignore options you specifically expect on some platforms.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH