SSH fails to connect or initialize when your .ssh/config file contains invalid or misspelled configuration options. This error occurs during SSH parsing and prevents any connections from being established.
OpenSSH has encountered one or more invalid configuration options in your ~/.ssh/config or /etc/ssh/sshd_config file. This happens when you use a misspelled option name, an option that doesn't exist in your SSH version, a platform-specific option on an incompatible system, or a deprecated option that has been removed from newer OpenSSH releases. The SSH service refuses to continue and terminates rather than apply an invalid configuration.
Run this command to see which line has the bad option:
ssh -G hostnameor for sshd config:
sudo sshd -tThe output will specify the exact line number and option name causing the issue.
SSH config options are case-sensitive. Common misspellings:
- 'identifyfile' should be 'IdentityFile'
- 'identitiesonly' should be 'IdentitiesOnly'
- 'hostkey' should be 'HostKey'
- 'port' should be 'Port'
Open your ~/.ssh/config file and verify the exact spelling matches the OpenSSH documentation.
If you're using a shared config across Linux and macOS:
For UseKeychain (macOS only):
# Add IgnoreUnknown directive above the option
IgnoreUnknown UseKeychain
UseKeychain yesThis tells non-Apple SSH to ignore the option while macOS still uses it.
For other macOS-specific options, use the same pattern:
IgnoreUnknown AddKeysToAgent,UseKeychain
AddKeysToAgent yes
UseKeychain yesSome options require a minimum OpenSSH version:
ssh -VCommon version requirements:
- 'ProxyJump' requires OpenSSH 7.3+
- 'PubkeyAcceptedAlgorithms' requires OpenSSH 7.8+
- 'Include' directive requires OpenSSH 7.3+
If your version is too old, either upgrade SSH or remove the unsupported option.
SSH config files must use UTF-8 encoding with Unix line endings (LF, not CRLF).
In Vim:
:set fileformat=unix " Change CRLF to LF
:set nobomb " Remove Byte Order Mark
:wqOn command line:
# Convert CRLF to LF
dos2unix ~/.ssh/config
# Or with sed
sed -i 's/\r$//' ~/.ssh/configCheck the OpenSSH release notes and comment out any deprecated options. Common ones:
# Deprecated in OpenSSH 7.0+ (use PubkeyAuthentication instead)
# RSAAuthentication yes
# Deprecated in OpenSSH 7.5+ (now the default)
# UsePrivilegeSeparation sandbox
# Deprecated in OpenSSH 7.4+
# GSSAPICleanupCredentials yesYou can find the current supported options with:
man ssh_configAfter making changes, verify the syntax:
# For ~/.ssh/config
ssh -G hostname
# For /etc/ssh/sshd_config
sudo sshd -tBoth commands should exit with no output if the config is valid. Then test your connection:
ssh -v hostname # Use -v for verbose output to debug furtherClient vs Server Config: ~/.ssh/config is the client-side config and accepts client options only (IdentityFile, ProxyJump, etc.). /etc/ssh/sshd_config is the server-side config and accepts server options only (PermitRootLogin, PasswordAuthentication, etc.). Using the wrong options in the wrong file causes this error.
Backing up before changes: Always backup your config first:
cp ~/.ssh/config ~/.ssh/config.backup-$(date +%Y%m%d)Testing with verbose mode: Use ssh -vvv hostname to see detailed parsing and identify exactly where the error occurs.
Match blocks: If using 'Match' directives, ensure they're supported by your OpenSSH version (7.3+) and that the criteria are valid. Some criteria like 'exec' require careful escaping.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH