What information does ssh -vvv expose?

The private keys are not displayed, not even ephemeral ones used only for that session.

But public keys are displayed. A person with access to the output of ssh -vvv would be able to identify the server in an internet scan (if the server is open to the internet) and identify the client using something like "ssh public key is associated with github account".

So this is a privacy problem, but not a way to attack the server or the client, IMO.

If an insecure authentication method is enabled, even if it is not used, a person with access to the output would see that, and might try to attack the server or the client using that insecure method. There are tools to scan servers (e.g. this) but the information about the configuration of the client is new to the attacker. The attacker might get the same information by MiTM or by tricking the client into trying to connect to it without pretending to be something else.
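An added example, not part of the original answers: a small filter that redacts the identifying values discussed above (key fingerprints, addresses, user name, key file path, host name) from `ssh -vvv` output before it is shared, and lists the authentication methods the server advertised so you can decide whether to leave them in. The sample lines are constructed in the style of OpenSSH debug output, and the patterns assume that line format.

```python
import re

# Constructed sample in the style of OpenSSH client debug output (not a real session).
SAMPLE = """\
debug1: Connecting to host.example [192.0.2.10] port 22.
debug1: Authenticating to host.example:22 as 'alice'
debug1: Server host key: ssh-ed25519 SHA256:AAAAconstructedHOSTfingerprint0000000000000
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/alice/.ssh/id_ed25519 ED25519 SHA256:BBBBconstructedCLIENTfingerprint00000000000
debug2: we sent a publickey packet, wait for reply
"""

# (category, pattern, replacement): one rule per class of identifying value.
RULES = [
    ("fingerprint", re.compile(r"\b(SHA256:[A-Za-z0-9+/=]+|MD5:(?:[0-9a-f]{2}:){15}[0-9a-f]{2})"), "<FINGERPRINT>"),
    ("address", re.compile(r"\[[0-9A-Fa-f:.]+\]"), "[<ADDR>]"),
    ("user", re.compile(r"(?<= as ')[^']+(?=')"), "<USER>"),
    ("key path", re.compile(r"(?<=key: )\S*/\S+"), "<KEYFILE>"),
    ("host", re.compile(r"(?<=Connecting to )\S+|(?<=Authenticating to )[^\s:]+"), "<HOST>"),
]
AUTH_LINE = re.compile(r"Authentications that can continue: (\S+)")


def redact(log):
    """Return (redacted_text, counts_by_category, auth_methods_advertised)."""
    counts, methods, out = {}, [], []
    for line in log.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            # Not redacted: reported so the person sharing the log can decide.
            methods = m.group(1).split(",")
        for name, pat, repl in RULES:
            line, n = pat.subn(repl, line)
            if n:
                counts[name] = counts.get(name, 0) + n
        out.append(line)
    return "\n".join(out), counts, methods


if __name__ == "__main__":
    text, counts, methods = redact(SAMPLE)
    print(text)
    print("redacted:", counts)
    print("server-advertised auth methods (left visible):", methods)
```
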


The option "-vvv" leads to displaying more information on your display. An attacker that is only observing your network traffic will not get any of this information because the traffic between your terminal and the remote host is encrypted. For instance, the "-vvv" option leads to displaying information about environment variables defined on the host side. But the attacker will not be able to read this.