SSH Config Options Reference

Every ~/.ssh/config keyword with type, scope and connection behavior.

Searchable SSH client config file option reference covering Host and Match blocks, HostName/Port/User, IdentityFile and authentication, ProxyJump and port forwarding, connection multiplexing and host-key security — each with its argument and default. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Where does the SSH client config file live and how is it parsed?

The per-user file is ~/.ssh/config and the system-wide file is /etc/ssh/ssh_config. SSH reads them top to bottom and for most options the first matching value wins, so put specific Host blocks before broad wildcard ones like Host *.

SSH client config options

The SSH client configuration file (~/.ssh/config per user, /etc/ssh/ssh_config system-wide) lets you set per-host defaults so you can type ssh web1 instead of a long command full of flags. Options are grouped under Host or Match blocks and cover connection details, authentication, port forwarding, connection multiplexing and host-key security. This page is a searchable, offline reference to the common keywords, each with its argument format and default value.

How the config file is parsed

SSH reads the config from top to bottom. Each Host pattern line starts a block whose options apply to any session whose alias matches the pattern (* and ? are wildcards). For most options the first matching value wins, so order matters: place narrow host blocks above a final catch-all Host *.

Match blocks are more powerful than Host: they can test the final hostname, local username, remote username, or even an arbitrary command output before activating. This lets you conditionally apply settings only on certain networks or for certain users.

The five keyword families

  • ConnectionHostName, Port, User, plus liveness controls like ServerAliveInterval and ConnectTimeout.
  • AuthenticationIdentityFile to point at a key, IdentitiesOnly to avoid offering the wrong ones, and PreferredAuthentications to order methods.
  • ForwardingProxyJump for bastions, and LocalForward, RemoteForward, DynamicForward for tunnels.
  • MultiplexingControlMaster, ControlPath, ControlPersist for fast repeated logins.
  • SecurityStrictHostKeyChecking, UserKnownHostsFile, and the algorithm lists Ciphers, MACs, KexAlgorithms.

Within values, SSH expands tokens such as %h (host), %p (port), %r (remote user) and %C (a hash of the connection), useful in ControlPath and ProxyCommand.

Practical config examples

A clean per-host block that sets an alias, a specific key and a jump host:

Host web1
    HostName 10.0.3.21
    User deploy
    IdentityFile ~/.ssh/deploy_ed25519
    IdentitiesOnly yes
    ProxyJump bastion.example.com

Keep idle sessions alive through a flaky firewall:

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

Speed up repeated connections with multiplexing — subsequent connections to the same host reuse the existing authenticated session and open in under a second:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

ProxyJump vs ProxyCommand

ProxyJump (added in OpenSSH 7.3) is the clean modern way to tunnel through a bastion:

Host internal-server
    HostName 10.0.0.5
    ProxyJump bastion.example.com

Older setups use ProxyCommand with netcat or nc:

Host internal-server
    HostName 10.0.0.5
    ProxyCommand ssh bastion.example.com -W %h:%p

Both achieve the same result, but ProxyJump is simpler, handles agent forwarding correctly, and supports chaining multiple jumps with a comma-separated list. Prefer ProxyJump on any OpenSSH 7.3 or later client.

IdentitiesOnly and agent fatigue

When your SSH agent holds many keys, SSH will try them all in sequence. Servers that enforce a low authentication-attempt limit will reject you with “Too many authentication failures” before your correct key is offered. Setting IdentitiesOnly yes under a host block prevents the agent from advertising its full key list and restricts SSH to the key named in IdentityFile:

Host strict-server
    IdentityFile ~/.ssh/strict_server_key
    IdentitiesOnly yes

Remember that the first matching value wins, so put your specific overrides above the wildcard Host * block at the bottom of the file.