Inspect OpenSSH configuration.
Validate the configuration file and output the effective configuration.
$ sudo sshd -T
port 22 addressfamily any listenaddress [::]:22 listenaddress 0.0.0.0:22 usepam yes logingracetime 120 x11displayoffset 10 maxauthtries 6 maxsessions 10 clientaliveinterval 0 clientalivecountmax 3 streamlocalbindmask 0177 permitrootlogin yes ignorerhosts yes ignoreuserknownhosts no hostbasedauthentication no hostbasedusesnamefrompacketonly no pubkeyauthentication yes kerberosauthentication no kerberosorlocalpasswd yes kerberosticketcleanup yes gssapiauthentication no gssapikeyexchange no gssapicleanupcredentials yes gssapistrictacceptorcheck yes gssapistorecredentialsonrekey no passwordauthentication yes kbdinteractiveauthentication no challengeresponseauthentication no printmotd no printlastlog yes x11forwarding yes x11uselocalhost yes permittty yes permituserrc yes strictmodes yes tcpkeepalive yes permitemptypasswords no compression yes gatewayports no usedns no allowtcpforwarding yes allowagentforwarding yes disableforwarding no allowstreamlocalforwarding yes streamlocalbindunlink no fingerprinthash SHA256 exposeauthinfo no pidfile /run/sshd.pid xauthlocation /usr/bin/xauth ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 banner none forcecommand none chrootdirectory none trustedusercakeys none revokedkeys none authorizedprincipalsfile none versionaddendum none authorizedkeyscommand none authorizedkeyscommanduser none authorizedprincipalscommand none authorizedprincipalscommanduser none hostkeyagent none kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,di ffie-hellman-group14-sha256,diffie-hellman-group14-sha1 casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,r sa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa rdomain none loglevel INFO syslogfacility AUTH authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2 hostkey /etc/ssh/ssh_host_rsa_key hostkey /etc/ssh/ssh_host_ecdsa_key hostkey /etc/ssh/ssh_host_ed25519_key acceptenv LANG acceptenv LC_* authenticationmethods any subsystem sftp /usr/lib/openssh/sftp-server maxstartups 10:30:100 permittunnel no ipqos lowdelay throughput rekeylimit 0 0 permitopen any permitlisten any permituserenvironment no
Evaluate the user configuration file and output the effective configuration.
$ ssh -G example.org
user milosz hostname example.org port 22 addressfamily any batchmode no canonicalizefallbacklocal yes canonicalizehostname false challengeresponseauthentication yes checkhostip yes compression no controlmaster false enablesshkeysign no clearallforwardings no exitonforwardfailure no fingerprinthash SHA256 forwardx11 no forwardx11trusted yes gatewayports no gssapiauthentication yes gssapikeyexchange no gssapidelegatecredentials no gssapitrustdns no gssapirenewalforcesrekey no gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- hashknownhosts yes hostbasedauthentication no identitiesonly no kbdinteractiveauthentication yes nohostauthenticationforlocalhost no passwordauthentication yes permitlocalcommand no proxyusefdpass no pubkeyauthentication yes requesttty auto streamlocalbindunlink no stricthostkeychecking ask tcpkeepalive yes tunnel false verifyhostkeydns false visualhostkey no updatehostkeys false canonicalizemaxdots 1 connectionattempts 1 forwardx11timeout 1200 numberofpasswordprompts 3 serveralivecountmax 3 serveraliveinterval 0 ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v0 1@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v0 1@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256 loglevel INFO macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 securitykeyprovider internal pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-ce rt-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa xauthlocation /usr/bin/xauth identityfile ~/.ssh/milosz canonicaldomains globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 userknownhostsfile /home/milosz/.ssh/known_hosts /home/milosz/.ssh/known_hosts2 sendenv LANG sendenv LC_* addkeystoagent true forwardagent no connecttimeout none tunneldevice any:any controlpersist no escapechar ~ ipqos lowdelay throughput rekeylimit 0 0 streamlocalbindmask 0177 syslogfacility USER
In both of these cases, you can specify the configuration file.
$ sudo sshd -f /etc/ssh/sshd_config -T
$ ssh -F ~/.ssh/config -G gitlab
Simple as that, but beware as this is an effective configuration, so it doesn’t show any match rules.