Master SSH Config: 8 Powerful Tricks to Simplify Remote Access

This guide explains what SSH is, how to generate keys, and provides detailed examples of configuring ~/.ssh/config with common parameters and eight practical tricks—including managing multiple key pairs, remote file editing with vim, port forwarding, connection sharing, keyword logins, proxying, and remote command execution—to streamline and secure your remote workflows.

Liangxu Linux

Overview

SSH (Secure Shell) is a network protocol that provides encrypted communication for remote command‑line sessions and other services, protecting against eavesdropping, DNS spoofing and IP spoofing.

Key files and configuration locations

Typical key‑pair files are id_ecdsa (private key) and id_ecdsa.pub (public key). User‑specific SSH settings are stored in ~/.ssh/config; system‑wide defaults are in /etc/ssh/ssh_config.

Basic host entry

Host example
    HostName example.com
    User root
    # IdentityFile ~/.ssh/id_ecdsa   # private key
    # Port 22                        # optional port

With this entry you can connect simply with ssh example and copy files with scp a.txt example:/home/user_name without typing the full remote address each time.

Common configuration options

Host : pattern that selects which block applies to a given connection. Examples: * (all hosts), *.example.com (any sub‑domain), !*.dialup.example.com,*.example.com (exclude then include), 192.168.0.? (matches 192.168.0.0‑9).

AddKeysToAgent : controls automatic addition of private keys to ssh-agent. Values: no (default), confirm, ask, yes.

AddressFamily : selects address family for connections – any (default), inet (IPv4), inet6 (IPv6).

BindAddress : local address to bind when multiple interfaces exist; ignored if UsePrivilegedPort yes.

ChallengeResponseAuthentication : enable/disable challenge‑response methods (yes default, no).

Compression / CompressionLevel : toggle data compression (default no) and set level 1‑9 (default 6).

ConnectionAttempts : number of retry attempts before giving up (default 1).

ConnectTimeout : timeout in seconds for establishing the TCP connection.

ControlMaster : enable sharing a single network connection among multiple sessions. Values: no (default), yes, ask, auto. Requires a unique ControlPath.

ControlPath : filesystem path for the master socket. Placeholders can be used: %L (local hostname first component), %l (full local hostname), %h (remote hostname as entered), %n (original remote hostname), %p (remote port), %r (remote login name), %u (local username), %i (local UID), %C (hash of %l%h%p%r). At least %h, %p and %r (or %C) should be present to guarantee uniqueness.

ControlPersist : keep the master connection open after the original client exits. Values: no, yes (infinite), or a number of seconds.

GatewayPorts : allow remote hosts to connect to locally forwarded ports (no default, yes).

HostName : real hostname or IP address used for the connection; can contain %h placeholder.

IdentitiesOnly : restrict authentication to keys listed in the config, ignoring those offered by ssh-agent (no default, yes).

IdentityFile : path to private key files (DSA, ECDSA, Ed25519, RSA). Placeholders: %d (home directory), %u (local user), %l (local hostname), %h (remote hostname), %r (remote user).

LocalCommand : command executed on the local machine after a successful connection (requires PermitLocalCommand yes). Supports the same placeholders as ControlPath.

LocalForward : forward a local port to a remote address. Syntax: LocalForward [bind_address:]port host:hostport.

RemoteForward : forward a remote port to a local address. Syntax similar to LocalForward.

PasswordAuthentication : enable password‑based login (yes default, no).

PermitLocalCommand : enable the LocalCommand option (no default, yes).

Port : remote SSH port (default 22).

ProxyCommand : command used to reach the target host via a proxy; placeholders %h, %p, %r are available.
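How the Host patterns listed above select a block, as an added example that is not code from the article or from OpenSSH. It goes one step beyond the pattern rule and also resolves the options in effect for a target, using the documented ssh_config behaviour that the first value obtained for a keyword wins; the sample config is constructed, and the deploy user and function names are assumptions.

```python
import re

def pattern_matches(pattern, name):
    """One ssh_config pattern: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def host_matches(patterns, name):
    """A Host line applies when a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], name):
                return False          # a negated match vetoes the whole line
        elif pattern_matches(pat, name):
            positive = True
    return positive

def effective_options(config_text, name):
    """Options ssh would apply to `name`: first value obtained per keyword wins.
    Simplified: no Match blocks, no keyword=value form, and multi-valued
    keywords such as IdentityFile are reduced to their first value."""
    applies, result = True, {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "host":
            applies = host_matches(args, name)
        elif applies:
            result.setdefault(keyword, " ".join(args))
    return result

# Constructed sample: the github block is from the article, the rest is made up.
SAMPLE = """\
Host github
    HostName github.com
    IdentityFile ~/.ssh/id_ecdsa_github
    User git
Host !*.dialup.example.com *.example.com
    User deploy
Host *
    User root
    IdentitiesOnly yes
"""

if __name__ == "__main__":
    for target in ("github", "db.example.com", "pc.dialup.example.com"):
        print(target, effective_options(SAMPLE, target))
```

Because the first value wins, catch-all defaults under Host * belong at the end of the file, after the specific blocks.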

Practical tips

Managing multiple key pairs

Define separate host blocks for each service and specify the appropriate IdentityFile. Example:

Host github
    HostName github.com
    IdentityFile ~/.ssh/id_ecdsa_github
    User git
Host coding
    HostName git.coding.net
    IdentityFile ~/.ssh/id_rsa_coding
    User git

After this, cloning a repository from Coding can be shortened:

# before
$ git clone git@git.coding.net:deepzz/test.git
# after
$ git clone coding:deepzz/test.git

Editing remote files with Vim

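Vim can open a remote file over scp; the double slash after the host marks an absolute path on the remote machine. The second form uses the host alias from ~/.ssh/config:

$ vim scp://root@example.com//home/centos/docker-compose.yml
$ vim scp://example//home/centos/docker-compose.yml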

Using a remote service locally (port forwarding)

Forward a local port to a remote service, e.g., PostgreSQL running on a remote host:

Host db
    HostName db.example.com
    LocalForward 5433 localhost:5432

Connect with ssh db and then access the database locally:

$ psql -h localhost -p 5433 orders

Forwarding remote traffic to the local machine

Host remote
    HostName remote.example.com
    RemoteForward 8080 localhost:3000

When you ssh remote, port 8080 on the remote host forwards to your local port 3000.

Sharing multiple connections (ControlMaster)

ControlMaster auto
ControlPath /tmp/%r@%h:%p

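This configuration reuses an existing master connection for subsequent sessions, avoiding repeated authentication. The ssh_config manual recommends placing the ControlPath in a directory that other users cannot write to, which a shared /tmp is not; a directory under ~/.ssh with mode 700 meets that recommendation.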
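A check for the two ControlPath properties that matter here, uniqueness per connection and a socket directory other users cannot write to, as an added example that is not from the article. The function name and the ~/.ssh/cm directory are assumptions.

```python
import os
import stat

def check_control_path(control_path, home=None):
    """Return findings for one ControlPath value; an empty list means none."""
    findings = []
    # ssh_config: include at least %h, %p and %r, or %C, so that each
    # (host, port, user) combination gets its own master socket.
    unique = "%C" in control_path or all(
        tok in control_path for tok in ("%h", "%p", "%r"))
    if not unique:
        findings.append("not unique per connection: needs %h, %p and %r, or %C")
    path = control_path
    if path.startswith("~/"):
        path = os.path.join(home or os.path.expanduser("~"), path[2:])
    directory = os.path.dirname(path) or "."
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        findings.append(f"directory {directory} does not exist")
        return findings
    # The socket directory should not be writable by group or others.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"directory {directory} is writable by other users")
    return findings

if __name__ == "__main__":
    # First value is the article's; the second is an assumed alternative.
    for value in ("/tmp/%r@%h:%p", "~/.ssh/cm/%C"):
        print(value, "->", check_control_path(value) or "no findings")
```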

Keyword login (host alias)

Host deepzz
    HostName deepzz.com
    User root
    # IdentityFile ~/.ssh/id_ecdsa
    # Port 22

Now ssh deepzz logs in directly.

Proxy (jump) host

Host gateway
    HostName proxy.example.com
    User root
Host db
    HostName db.internal.example.com
    User root
    ProxyCommand ssh gateway netcat -q 600 %h %p

After this, ssh db connects via the gateway host.

Remote command execution

Run a single command on a remote host:

$ ssh example "cd /; ls"

Run a multi‑line command:

$ ssh example "
    cd /
    ls
"

Execute a local script on the remote host without copying it:

# create a script locally
$ echo "cd /; ls" > test.sh
$ chmod +x test.sh
# pipe it to ssh
$ ssh example < test.sh

Run an interactive command (e.g., top):

$ ssh -t example "top"

Reference documents

ssh_config manual: https://www.freebsd.org/cgi/man.cgi?query=ssh_config

SSH Wikipedia page: https://zh.wikipedia.org/wiki/Secure_Shell

SSH tips collection: http://wowubuntu.com/ssh-tips.html

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
