SSH — mihomo
mihomo includes an SSH client outbound. Outbound only — there is no SSH-server inbound.
Outbound
Entry under proxies: with type: ssh. Embeds BasicOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
server | string | (required) | <host> | SSH server hostname or IP. |
port | int | (required) | <port> | SSH server port (22 by convention). |
username | string | (required) | <string> | SSH login name. |
password | string | (unset) | <string> | Password authentication. Use either this or `private-key`, not both. |
private-key | string | (unset) | <PEM block or file path> | Private-key authentication. Accepts an inline PEM block or a file path; mihomo auto-detects the format. |
private-key-passphrase | string | (unset) | <string> | Passphrase for encrypted private keys. |
host-key | []string | [] | <known_hosts line> | Expected host keys in OpenSSH known_hosts format. Empty disables verification — testing only. |
host-key-algorithms | []string | (library default) | <algo> | Restrict host-key algorithms accepted by the client. |
Source: adapter/outbound/ssh.go:31-42 · pinned at v1.19.27 (5184081)
Examples
Key-based auth:
yaml
proxies:
- name: ssh-server
type: ssh
server: ssh.example.com
port: 22
username: alice
private-key: /etc/mihomo/id_ed25519
private-key-passphrase: <passphrase>
host-key:
- ssh.example.com ssh-ed25519 AAAA...Inline key with explicit algorithms:
yaml
proxies:
- name: ssh-strict
type: ssh
server: ssh.example.com
port: 22
username: alice
private-key: |
-----BEGIN OPENSSH PRIVATE KEY-----
<key bytes>
-----END OPENSSH PRIVATE KEY-----
host-key-algorithms:
- ssh-ed25519
- rsa-sha2-512Notes
private-keyaccepts either an inline PEM block or a file path; mihomo decides by checking if the value containsBEGIN.host-keyis OpenSSHknown_hostsformat. An empty list means trust on first use — never enable this for unattended deployments.- The SSH outbound does not support multiplexing — each connection opens a fresh SSH session. Pair with mihomo's
dialer-proxychaining if you want to multiplex through another transport.
Cross-core notes
- Xray-core has no SSH outbound. See SSH — Xray-core.
- sing-box uses
user(notusername), snake_case for the rest (private_key,host_key_algorithms), and accepts a list of inline keys for rotation. It also exposes aclient_versionbanner field. See SSH — sing-box.
Source: adapter/outbound/ssh.go:31-42 · v1.19.27 (5184081)