
Master SSH Config: Simplify Connections and Boost Ops Efficiency

This guide explains how to use the ~/.ssh/config file to replace long SSH commands with short aliases, organize host blocks, enable bastion jumps, reuse connections, and keep sessions alive, dramatically improving productivity for managing dozens or hundreds of servers.

Ops Development & AI Practice

Why Use ~/.ssh/config?

Operations engineers often run SSH commands such as ssh -p 2222 -i ~/.ssh/my_key [email protected]. When managing dozens or hundreds of servers this becomes repetitive and error‑prone. By defining entries in ~/.ssh/config you can replace the long command with a short alias like ssh myserver and also gain features such as bastion (jump) proxying and connection reuse.

Configuration File Lookup Order

When establishing an SSH connection, the client reads configuration in this order:

1. Command‑line options
2. User configuration file ~/.ssh/config
3. System‑wide file /etc/ssh/ssh_config

For each option, ssh uses the first value it obtains. Settings in ~/.ssh/config therefore override system defaults, while command‑line options have the highest priority.

Basic Syntax

The file is composed of Host blocks. Each block starts with Host followed by one or more aliases (wildcards * and ? are allowed). Inside a block you specify key‑value pairs separated by spaces or =. Example:

# Comment line
Host myhost
    HostName 203.0.113.10
    User alice
    Port 2222
    IdentityFile ~/.ssh/id_rsa_alice
    # more options...

Simple Alias Example

For a development server with IP 198.51.100.1, user dev, port 10022, and private key ~/.ssh/dev_key, add:

Host dev-server
    HostName 198.51.100.1
    User dev
    Port 10022
    IdentityFile ~/.ssh/dev_key

After saving the file you can connect with a single command:

ssh dev-server

Common Directives Explained

Host: Starts a block; can contain wildcards.

HostName: Real host name or IP address.

User: Login username.

Port: Remote port (default 22).

IdentityFile: Path to a private key; multiple entries are tried in order.

IdentitiesOnly yes: Use only the keys listed in IdentityFile, ignoring keys loaded in ssh‑agent.

Advanced Techniques

1. Bastion (Jump) Host

When direct access to an internal server is blocked, configure a bastion host and use ProxyJump (OpenSSH 7.3+):

# Bastion host
Host bastion
    HostName bastion.example.com
    User jumpuser
    IdentityFile ~/.ssh/bastion_key

# Internal server accessed via bastion
Host internal-app
    HostName 10.0.1.10
    User app_admin
    ProxyJump bastion
    IdentityFile ~/.ssh/internal_key

Now ssh internal-app automatically tunnels through bastion. For older OpenSSH versions use ProxyCommand:

Host internal-app
    HostName 10.0.1.10
    User app_admin
    ProxyCommand ssh bastion -W %h:%p

2. Connection Reuse with ControlMaster

Repeatedly opening new sessions to the same host incurs full handshakes. Enabling ControlMaster lets subsequent connections share the original TCP channel.

Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    ControlPersist 10m

ControlMaster auto: Starts or reuses a master connection.

ControlPath: Unix socket path; placeholders %r (remote user), %h (host), %p (port) ensure uniqueness. The ~/.ssh/sockets directory must already exist, because ssh does not create it, and it should not be writable by other users.

ControlPersist 10m: Keeps the master alive for 10 minutes after the last client exits.
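A check for the socket directory behind the ControlPath above, as an added example that is not part of the original article. The function names are hypothetical, the code assumes a POSIX system, and it assumes the %-tokens appear only in the file name part of the path.

```python
import os
import stat

def socket_dir(control_path, home):
    """Directory part of a ControlPath value; assumes %-tokens are only in the file name."""
    if control_path.startswith("~/"):
        control_path = os.path.join(home, control_path[2:])
    return os.path.dirname(control_path)

def audit_socket_dir(control_path, home):
    """Return a list of problems with the directory that will hold the master sockets."""
    directory = socket_dir(control_path, home)
    if not os.path.isdir(directory):
        return [f"{directory}: missing, the master connection cannot create its socket"]
    info = os.stat(directory)
    problems = []
    if info.st_uid != os.getuid():
        problems.append(f"{directory}: owned by uid {info.st_uid}, not the current user")
    if stat.S_IMODE(info.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{directory}: writable by group or others")
    return problems

def ensure_socket_dir(control_path, home):
    """Create the directory if needed, restrict it to the owner, then re-audit."""
    directory = socket_dir(control_path, home)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs honours umask and leaves existing modes alone
    return audit_socket_dir(control_path, home)

if __name__ == "__main__":
    home = os.path.expanduser("~")
    for problem in audit_socket_dir("~/.ssh/sockets/%r@%h:%p", home):
        print(problem)
```

Run it before enabling ControlMaster on a new workstation; an empty result means the directory exists, belongs to you, and is not writable by anyone else.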

3. Keepalive to Prevent Disconnections

Idle connections may be dropped by firewalls or NAT. Adding a heartbeat keeps them alive:

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

ServerAliveInterval 60: Send a keepalive every 60 seconds.

ServerAliveCountMax 3: Consider the connection dead after three unanswered keepalives.

Practical Tips & Best Practices

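Organize with Wildcards : Group common settings under Host * (e.g., ControlMaster, ServerAliveInterval) so they apply to all hosts. Because ssh keeps the first value it obtains for each option, place the Host * block at the end of the file, after the specific blocks that need to override it.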

Security First : Never store passwords in the config; prefer key‑based authentication.

Version Compatibility : Use ProxyJump on modern OpenSSH; fall back to ProxyCommand on older OpenSSH versions.

Keep It Clean : Periodically remove obsolete host entries to keep the file readable.
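The lookup order and the Host * tip both depend on the same rule, that the first value obtained for an option wins. The following is an added example, not code from the original article or from OpenSSH, that models that rule for Host blocks. It is a simplification: Match and Include are not handled, every option is treated as single‑valued, and the sample blocks are constructed.

```python
import fnmatch
import re

# Constructed sample blocks (not from a real system), reusing the page's host alias.
SPECIFIC = """
Host internal-app
    User app_admin
    ServerAliveInterval 15
"""
DEFAULTS = """
Host *
    User ops
    ServerAliveInterval 60
    ServerAliveCountMax 3
"""

def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...])] in file order."""
    blocks = [(["*"], [])]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        value = rest[0] if rest else ""
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key.lower(), value))
    return blocks

def block_applies(patterns, alias):
    """Patterns are matched against the alias typed on the command line, not HostName."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)

def resolve(alias, config_texts, cli_options=None):
    """First obtained value wins: command line, then each config text in the order given."""
    result = {k.lower(): v for k, v in (cli_options or {}).items()}
    for text in config_texts:
        for patterns, options in parse_blocks(text):
            if block_applies(patterns, alias):
                for key, value in options:
                    result.setdefault(key, value)
    return result
```

resolve("internal-app", [SPECIFIC + DEFAULTS]) returns User app_admin, while resolve("internal-app", [DEFAULTS + SPECIFIC]) returns ops because the wildcard block was read first. On a real machine, ssh -G internal-app prints the values the client actually resolves.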

Conclusion

The ~/.ssh/config file is far more than a simple alias list; it is a powerful efficiency amplifier. Mastering its directives—basic aliases, bastion jumps, connection reuse, and keepalive settings—lets you streamline daily operations and handle complex network topologies with confidence.
