SSH client config options
The SSH client configuration file (~/.ssh/config per user,
/etc/ssh/ssh_config system-wide) lets you set per-host defaults so you can type
ssh web1 instead of a long command full of flags. Options are grouped under
Host or Match blocks and cover connection details, authentication, port
forwarding, connection multiplexing and host-key security. This page is a
searchable, offline reference to the common keywords, each with its argument
format and default value.
How the config file is parsed
SSH reads the config from top to bottom. Each Host pattern line starts a block
whose options apply to any session whose alias matches the pattern (* and ?
are wildcards). For most options the first matching value wins, so order
matters: place narrow host blocks above a final catch-all Host *.
Match blocks are more powerful than Host: they can test the final hostname,
local username, remote username, or even an arbitrary command output before
activating. This lets you conditionally apply settings only on certain networks
or for certain users.
The five keyword families
- Connection —
HostName,Port,User, plus liveness controls likeServerAliveIntervalandConnectTimeout. - Authentication —
IdentityFileto point at a key,IdentitiesOnlyto avoid offering the wrong ones, andPreferredAuthenticationsto order methods. - Forwarding —
ProxyJumpfor bastions, andLocalForward,RemoteForward,DynamicForwardfor tunnels. - Multiplexing —
ControlMaster,ControlPath,ControlPersistfor fast repeated logins. - Security —
StrictHostKeyChecking,UserKnownHostsFile, and the algorithm listsCiphers,MACs,KexAlgorithms.
Within values, SSH expands tokens such as %h (host), %p (port), %r (remote
user) and %C (a hash of the connection), useful in ControlPath and
ProxyCommand.
Practical config examples
A clean per-host block that sets an alias, a specific key and a jump host:
Host web1
HostName 10.0.3.21
User deploy
IdentityFile ~/.ssh/deploy_ed25519
IdentitiesOnly yes
ProxyJump bastion.example.com
Keep idle sessions alive through a flaky firewall:
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
Speed up repeated connections with multiplexing — subsequent connections to the same host reuse the existing authenticated session and open in under a second:
Host *
ControlMaster auto
ControlPath ~/.ssh/cm-%r@%h:%p
ControlPersist 10m
ProxyJump vs ProxyCommand
ProxyJump (added in OpenSSH 7.3) is the clean modern way to tunnel through a bastion:
Host internal-server
HostName 10.0.0.5
ProxyJump bastion.example.com
Older setups use ProxyCommand with netcat or nc:
Host internal-server
HostName 10.0.0.5
ProxyCommand ssh bastion.example.com -W %h:%p
Both achieve the same result, but ProxyJump is simpler, handles agent forwarding correctly, and supports chaining multiple jumps with a comma-separated list. Prefer ProxyJump on any OpenSSH 7.3 or later client.
IdentitiesOnly and agent fatigue
When your SSH agent holds many keys, SSH will try them all in sequence. Servers that enforce a low authentication-attempt limit will reject you with “Too many authentication failures” before your correct key is offered. Setting IdentitiesOnly yes under a host block prevents the agent from advertising its full key list and restricts SSH to the key named in IdentityFile:
Host strict-server
IdentityFile ~/.ssh/strict_server_key
IdentitiesOnly yes
Remember that the first matching value wins, so put your specific overrides above
the wildcard Host * block at the bottom of the file.