How To Create SSH Config File For OpenSSH in Linux - NixCraft

How to create ssh config file for OpenSSH in Linux/Unix

Author: Vivek Gite • Last updated: March 19, 2024 • 21 comments

How do I create and set up an OpenSSH config file to create shortcuts for servers I frequently access under Linux or Unix desktop operating systems?

We can set up a global or a per-user configuration file for the SSH client that creates shortcuts for sshd servers, including advanced ssh client options.

Tutorial details

Difficulty level: Intermediate
Root privileges: No
Requirements: Linux terminal
Category: Terminal/ssh
Prerequisites: OpenSSH client
OS compatibility: *BSD • Linux • macOS • Unix • WSL
Est. reading time: 7 minutes

You can configure your OpenSSH ssh client using the files below to save typing frequently used ssh client command-line options such as port number, user name, hostname/IP address, identity file, and much more. This increases your productivity from a Linux/macOS or Unix desktop:

System-wide OpenSSH client configuration file

1. /etc/ssh/ssh_config : This file sets the default configuration for all users of the OpenSSH client on that desktop/laptop, and it must be readable by all users on the system.

User-specific OpenSSH client configuration file

1. ~/.ssh/config or $HOME/.ssh/config : This is the user's own configuration file. Its settings take precedence over the global client configuration file, /etc/ssh/ssh_config, because ssh reads it first and keeps the first value it finds for each option. The file must be owned by you and must not be writable by group or others, otherwise ssh refuses to read it ("Bad owner or permissions on ~/.ssh/config"); mode 0600 is the safe choice.

~/.ssh/config file rules

The rules for creating an ssh config file are as follows:

Edit ~/.ssh/config with a text editor such as vi.

One config parameter per line is allowed in the configuration file, with the parameter name followed by its value or values. The syntax is:
config value
config1 value1 value2

You can use an equal sign (=) instead of whitespace between the parameter name and the values:
config=value
config1=value1 value2

All empty lines and lines starting with the hash (#) are ignored.

Please note that values are case-sensitive, but parameter names are not.

For each parameter, the first value obtained is the one used. Put host-specific Host sections near the top of the file and general defaults (Host *) at the end; a default placed first cannot be overridden by a later section.

Note: If this is a brand new Linux, macOS/Unix box, or if you have never used ssh before, create the ~/.ssh/ directory first using the following syntax:

mkdir -p $HOME/.ssh
chmod 0700 $HOME/.ssh

Examples

For demonstration purposes my sample setup is as follows:

1. Local desktop client – Apple macOS/OS X/Ubuntu Linux.

2. Remote Unix server – OpenBSD server running the latest OpenSSH server.

3. OpenSSH remote server ip/host: 75.126.153.206 (server1.cyberciti.biz)

4. Remote OpenSSH server user: nixcraft

5. OpenSSH dest port: 4242

6. Local ssh private key file path: /nfs/shared/users/nixcraft/keys/server1/id_rsa

Based upon the above information my ssh command is as follows:

$ ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz

OR

$ ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 -l nixcraft server1.cyberciti.biz

See how much I need to type. I need to remember the remote hostname/IP, the port number, the path to the ssh key, the username, etc. That is too much typing and it does not increase my productivity. But fear not, there is an easy way out.

Using the ssh config file

You can avoid typing all of the ssh command parameters when logging into a remote machine and/or executing commands on it. All you have to do is create an ssh config file. Open the Terminal application and create your config file by typing the following command:

## edit file in $HOME dir
vi ~/.ssh/config

OR

## edit file in $HOME dir
vi $HOME/.ssh/config

Add/Append the following config option for a shortcut to server1 as per our sample setup:

Host server1
HostName server1.cyberciti.biz
User nixcraft
Port 4242
IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

Save and close the file in vi/vim by pressing the Esc key, typing :wq and hitting the Enter key. Then open your new SSH session to server1.cyberciti.biz by typing the following command:

$ ssh server1

To see exactly which options ssh will apply for an alias without connecting, run ssh -G server1; it prints the fully resolved configuration (hostname, port, user, identity files and everything else), which is the quickest way to spot a typo in the file.

Adding another host

Append the following to your ~/.ssh/config file:

Host nas01
HostName 192.168.1.100
User root
IdentityFile ~/.ssh/nas01.key

You can simply type:

$ ssh nas01

Understanding Host Patterns

A pattern for the Host directive is nothing but an IP address, a DNS hostname, or a combination with the special wildcard characters. The ? wildcard matches exactly one character, whereas the * wildcard matches zero or more characters. Keep in mind that the pattern is matched against the host name you type on the ssh command line (the alias), not against the resolved IP address and not against the machine you are logging in from. For instance, to apply one set of options whenever I type ssh laptop.sweet.home, ssh desktop.sweet.home, ssh rpi.sweet.home, or ssh corerouter.sweet.home, I could use the following pattern:

Host *.sweet.home
Hostname 192.168.2.17
User vivek
IdentityFile ~/.ssh/id_ed25519

The following pattern would match any name from 192.168.2.0 through 192.168.2.9 given on the command line (? matches a single character, so 192.168.2.17 does not match):

Host 192.168.2.?
Hostname 192.168.2.18
User admin
IdentityFile ~/.ssh/id_ed25519

In both examples IdentityFile names the private key (~/.ssh/id_ed25519), not the .pub file: ssh first tries to load whatever file you name here as a private key, so pointing it at a world-readable .pub file produces the "UNPROTECTED PRIVATE KEY FILE" warning and the key is skipped.

We can also use a pattern list: a comma-separated list of patterns, where a pattern may be negated by preceding it with an exclamation mark (!). The Host keyword itself takes whitespace-separated patterns and accepts the ! prefix too; the comma-separated form is what the Match keyword and the server-side from= option in authorized_keys expect. Two rules apply to negation: a negated pattern that matches makes the whole list fail, and a negated pattern never produces a positive match on its own, so from="!router.sweet.home" by itself lets nobody in. You always need a positive term, such as *.sweet.home, next to it. Here is an example from the ~/.ssh/authorized_keys file on the remote server. First, login to the remote box:

$ ssh [email protected]

Now edit the file, run:

$ vim ~/.ssh/authorized_keys

Update it as follows:

# Allow login from 192.168.2.0/24 subnet but not from 192.168.2.25
from="!192.168.2.25,192.168.2.*" ssh-ed25519 my_random_pub_key_here vivek@nixcraft
# Allow login from *.sweet.home but not from router.sweet.home
from="!router.sweet.home,*.sweet.home" ssh-ed25519 my_random_pub_key_here vivek@nixcraft

Save and close the file in vim. Two caveats for the host-name form: sshd compares such patterns against the client's reverse DNS name, which is controlled by whoever owns the client's address block, and since OpenSSH 6.8 sshd defaults to UseDNS no, so host-name patterns in from= never match at all unless you set UseDNS yes in sshd_config. IP address patterns, including CIDR notation such as 192.168.2.0/24 (which from= also accepts), are the more reliable choice.

Putting it all together

Here is my sample ~/.ssh/config file that shows how to create, organize, and evaluate different remote-access needs with the ssh client. Host-specific sections come first; the Host * section with the defaults must stay at the end of the file, because ssh uses the first value it finds for each parameter:

## Host-specific overrides first ##
Host server1
HostName server1.cyberciti.biz
User nixcraft
Port 4242
IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

## Home nas server ##
Host nas01
HostName 192.168.1.100
User root
IdentityFile ~/.ssh/nas01.key

## Login AWS Cloud ##
Host aws.apache
HostName 1.2.3.4
User wwwdata
IdentityFile ~/.ssh/aws.apache.key

## Login to internal lan server at 192.168.0.251 via our public uk office ssh based gateway usin
## $ ssh uk.gw.lan ##
Host uk.gw.lan uk.lan
HostName 192.168.0.251
User nixcraft
ProxyCommand ssh [email protected] nc %h %p 2> /dev/null

## Our US proxy server ##
## Forward local port 3128 to port 3128 on the remote vps1.cyberciti.biz server ##
## $ ssh -f -N proxyus ##
Host proxyus
HostName vps1.cyberciti.biz
User breakfree
IdentityFile ~/.ssh/vps1.cyberciti.biz.key
LocalForward 3128 127.0.0.1:3128

## Now set defaults for everything not matched by the sections above ##
Host *
ForwardAgent no
ForwardX11 no
ForwardX11Trusted yes
User nixcraft
Port 22
Protocol 2
ServerAliveInterval 60
ServerAliveCountMax 30

A note on the defaults: ForwardAgent no is the right default, because a root user on any host you forward your agent to can use your keys while you are connected. ForwardX11Trusted yes only takes effect once X11 forwarding is enabled (here it is off unless you pass -X or -Y), and trusted forwarding lets remote X clients read and inject input on your whole display, so enable it only for hosts you trust.
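The rules above (first value wins, whitespace or = between keyword and value, case-insensitive keywords), the Host wildcard and pattern-list semantics from "Understanding Host Patterns", and the reason the Host * defaults must sit at the end of this file can all be exercised without an ssh server. The following Python script is an added example written for this page, not OpenSSH code and not the nixCraft author's; it models the subset of ssh_config(5) resolution described here (no Match, Include or %-token expansion). Its sample configuration is constructed from the examples on this page plus Andrew McGlashan's /tmp/configx from the comments, and the cli_options argument stands in for -o options given on the command line:

```python
# Added example for this article (not OpenSSH's code and not the nixCraft author's):
# a model of how the ssh client resolves ~/.ssh/config, covering only what this
# page describes: Host wildcards (* and ?), negated patterns and pattern lists,
# keyword=value syntax, comments, and the "first obtained value wins" rule.
import re

LINE_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(\S.*)$")  # keyword value | keyword=value


def match_pattern(string, pattern):
    """ssh-style glob: '*' matches any run (including none), '?' exactly one
    character. Host names compare case-insensitively, as in OpenSSH."""
    s, p = string.lower(), pattern.lower()
    si = pi = 0
    star, mark = -1, 0
    while si < len(s):
        if pi < len(p) and p[pi] in ("?", s[si]):
            si, pi = si + 1, pi + 1
        elif pi < len(p) and p[pi] == "*":
            star, mark, pi = pi, si, pi + 1  # remember the '*' position
        elif star != -1:
            mark += 1  # let the last '*' absorb one more character
            si, pi = mark, star + 1
        else:
            return False
    while pi < len(p) and p[pi] == "*":  # trailing '*' may match nothing
        pi += 1
    return pi == len(p)


def match_pattern_list(string, patterns):
    """Pattern-list rules shared by Host, Match and the server-side from= option:
    a matching negated pattern fails the whole list, and a negated pattern
    never produces a positive match on its own."""
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        if match_pattern(string, pat[1:] if negated else pat):
            if negated:
                return False
            matched = True
    return matched


def parse_ssh_config(text):
    """Split config text into (host_patterns, [(keyword, value), ...]) sections.
    Keywords are case-insensitive, values are not; '=' may replace whitespace.
    Options before the first Host line apply to every host."""
    sections = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed ssh_config line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            sections.append((value.split(), []))
        else:
            sections[-1][1].append((key, value))
    return sections


def resolve(text, host, cli_options=None):
    """Effective options for `host`, the name typed on the command line. Like
    ssh(1): -o command-line options first, then the first value met while reading
    the file top to bottom. IdentityFile is the exception: each match adds a key."""
    effective = {k.lower(): v for k, v in (cli_options or {}).items()}
    if isinstance(effective.get("identityfile"), str):
        effective["identityfile"] = [effective["identityfile"]]
    for patterns, options in parse_ssh_config(text):
        if not match_pattern_list(host, patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                effective.setdefault(key, []).append(value)
            else:
                effective.setdefault(key, value)  # first value wins
    effective.setdefault("hostname", host)
    effective.setdefault("port", "22")
    return effective


# Constructed sample, trimmed from the article's "putting it all together" file.
SAMPLE_CONFIG = """\
Host server1
HostName server1.cyberciti.biz
User nixcraft
Port 4242
IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa
Host *.sweet.home !router.sweet.home
Hostname 192.168.2.17
User vivek
Host 192.168.2.?
User admin
Host *
User nixcraft
Port=22
IdentityFile ~/.ssh/id_rsa
"""
# Andrew McGlashan's /tmp/configx from the comments: Host * comes first, so its
# Port 24 wins and the host-specific Port 333 is never used.
WRONG_ORDER = "Host *\nPort 24\nHost sadsack\nPort 333\nHostname aaa\n"

if __name__ == "__main__":
    for alias in ("server1", "laptop.sweet.home", "router.sweet.home", "192.168.2.7"):
        print(alias, "->", resolve(SAMPLE_CONFIG, alias))
    print("sadsack with Host * first -> port", resolve(WRONG_ORDER, "sadsack")["port"])
```

Running it prints the effective options for a few aliases: server1 ends up with both identity files (the host-specific key first, then the default from Host *), router.sweet.home falls through to the Host * defaults because of the negated pattern, 192.168.2.17 does not match 192.168.2.? because ? is exactly one character, and sadsack lands on port 24 when Host * is placed first. On a real system, ssh -G alias performs the same resolution for the genuine client.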

Understanding ~/.ssh/config entries

Host : Defines for which host or hosts the configuration section applies. The section ends with a new Host section or the end of the file. A single * as a pattern can be used to provide global defaults for all hosts; because ssh keeps the first value it sees for each parameter, that section belongs at the end of the file.

HostName : Specifies the real host name to log into. Numeric IP addresses are also permitted.

User : Defines the username for the SSH connection.

IdentityFile : Specifies a file from which the user's RSA, ECDSA, Ed25519 or (legacy) DSA authentication identity is read. The defaults are ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519_sk (older releases also try ~/.ssh/id_dsa; the protocol-1 file ~/.ssh/identity is no longer used). The IdentityFile option in the ssh config or at the CLI refers to the private key file, which must be kept confidential: mode 0600, owned by you, and preferably on local disk rather than on a shared network filesystem where the file server's administrators can read it. Unlike other options, multiple IdentityFile directives add to the list of keys that are tried in sequence.

ProxyCommand : Specifies the command to use to connect to the server. The command string extends to the end of the line and is executed with the user's shell. In the command string, any occurrence of %h will be substituted by the host name to connect to, %p by the port, and %r by the remote user name. The command can be basically anything that reads from its standard input and writes to its standard output. This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.1.0.253:

ProxyCommand /usr/bin/nc -X connect -x 192.1.0.253:3128 %h %p

Because the string is handed to a shell, anything that can write to your ssh config file can run commands as you; keep the file at mode 0600 and do not paste ProxyCommand lines from untrusted sources. For hopping through a jump host, OpenSSH 7.3 and later offer the ProxyJump keyword (the -J flag), which needs no nc on the gateway and is preferable to ProxyCommand with nc.

LocalForward : Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. Without a bind_address the local port listens on the loopback address only (GatewayPorts defaults to no), so other machines cannot use your forward.

Port : Specifies the port number to connect to on the remote host.

Protocol : Specifies the protocol versions ssh(1) should support in order of preference. The possible values were 1 and 2, but protocol 1 support was removed from the OpenSSH client in version 7.6 (2017), and modern clients accept and ignore this keyword. The Protocol 2 line in the example above is therefore harmless but only matters for very old clients.

ServerAliveInterval : Sets a timeout interval in seconds after which, if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. See the blogpost "Open SSH Server connection drops out after few or N minutes of inactivity" for more information.

ServerAliveCountMax : Sets the number of server alive messages which may be sent without receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. With the values above (60 seconds × 30 messages) a dead connection is noticed after 30 minutes.

Speed up ssh session

Multiplexing is nothing but sending more than one ssh session over a single connection. OpenSSH can reuse an existing TCP connection for multiple concurrent SSH sessions. This reduces the overhead of creating new TCP connections and of repeating the key exchange and authentication for each session. Update your ~/.ssh/config:

Host server1
HostName server1.cyberciti.biz
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto

Create the socket directory first with mkdir -m 0700 ~/.ssh/controlmasters and keep it that restrictive: anyone who can connect to the control socket gets a session on server1 as you, without authenticating. Adding ControlPersist (for example ControlPersist 10m) keeps the master connection open in the background after the first session ends; ssh -O check server1 and ssh -O exit server1 inspect and close it.

See "Linux / Unix: OpenSSH Multiplexer To Speed Up OpenSSH Connections" for more info. In this example, I go through one host to reach another server, i.e. a jump host, using ProxyCommand:

## ~/.ssh/config ##
Host internal
HostName 192.168.1.100
User vivek
ProxyCommand ssh [email protected] -W %h:%p
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto

On OpenSSH 7.3 or later the ProxyCommand line can be replaced by ProxyJump followed by the jump host (user@host), which does the same thing with less to type.

For more info see the following tutorials:

How To Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing

How To Setup SSH Keys on a Linux / Unix System

Overriding ssh config file option

The ssh command takes the first value it finds for each option, reading from the following sources in this order:

1. ssh command-line options (-p, -l, -i, -o and so on)

2. ~/.ssh/config options

3. /etc/ssh/ssh_config options

Say you have the following options set in ~/.ssh/config:

Host ln.openvpn-sg-vpn1 ln.wireguard-sg-vpn1
Hostname 172.16.0.1
User vivek
port 22
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking no

StrictHostKeyChecking no disables host key verification for these two aliases, which means a man-in-the-middle on the path would not be detected; keep such a setting confined to hosts reached over a private VPN link, as here, and never put it under Host *. Now you want to use all the other options from ~/.ssh/config but connect as the admin user instead of vivek:

$ ssh -o "User=admin" ln.openvpn-sg-vpn1

We can also specify an alternative per-user configuration file, such as /dev/null to disable ~/.ssh/config entirely, by passing -F:

$ ssh -F /dev/null [email protected]
$ ssh -F /dev/null -i ~/.ssh/aws/id_ed25519 [email protected]

Note that when -F is given, ssh also skips the system-wide /etc/ssh/ssh_config, so -F /dev/null runs with the built-in defaults only.

A note about shell aliases (outdated method)

WARNING! This bash shell alias based setup may work for you. However, I recommend that you use the ~/.ssh/config file for better results in the long run. The SSH config file is the more advanced and elegant solution. The alias command is only used here for demo purposes and is kept for historical reasons.

An alias is nothing but a shortcut to a command, and you can create one using the following syntax in your ~/.bashrc file:

## create a new bash shell alias as follows ##
alias server1="ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz"

Then, to ssh into server1, instead of typing the full ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz command, you would only have to type the command 'server1' and press the [ENTER] key:

$ server1

Conclusion

This page explained the ssh client configuration file syntax with examples to increase your productivity at the Linux, macOS, or Unix shell. See the following resources or read the manual page using the man command:

$ man 5 ssh_config

Also see:

Top OpenSSH Server Best Security Practices

This entry is 3 of 23 in the Linux/Unix OpenSSH Tutorial series. Keep reading the rest of the series:
1. Top 20 OpenSSH Server Best Security Practices

2. How To Set up SSH Keys on a Linux / Unix System

3. OpenSSH Config File Examples For Linux / Unix Users

4. Audit SSH server and client config on Linux/Unix

5. How to install and upgrade OpenSSH server on FreeBSD

6. Ubuntu Linux install OpenSSH server

7. Install OpenSSH server on Alpine Linux (including Docker)

8. Debian Linux Install OpenSSH SSHD Server

9. Configure OpenSSH To Listen On an IPv6 Address

10. OpenSSH Server connection drops out after few minutes of inactivity

11. Display banner/message before OpenSSH authentication

12. Force OpenSSH (sshd) to listen on selected multiple IP address only


13. OpenSSH Change a Passphrase With ssh-keygen command

14. Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing

15. Check Syntax Errors before Restarting SSHD Server

16. Change the ssh port on Linux or Unix server

17. OpenSSH Deny or Restrict Access To Users and Groups

18. Linux OpenSSH server deny root user access / log in

19. Disable ssh password login on Linux to increase security

20. SSH ProxyCommand example: Going through one host to reach server

21. OpenSSH Multiplexer To Speed Up OpenSSH Connections

22. Install / Append SSH Key In A Remote Linux / UNIX Servers Authorized_keys

23. Use ssh-copy-id with an OpenSSH Server Listening On a Different Port

21 comments

John • Dec 1, 2017 @ 0:22

Thanks so much, I totally agree with Bill–superb post.

Andrew McGlashan • Aug 18, 2020 @ 9:03

There is a problem with the “putting it all together” example.

As you can see from the following, if you define something, then it cannot be
redefined later. You need to “*” grouping at the end of the file to catch things that
aren’t yet defined for a “Host” entry.
Two example config files and attempts to use them shown below demonstrate
this fact.

$ cat /tmp/configx

Host *
Port 24
Protocol 2

Host sadsack
Port 333
Hostname aaa
andrewm@mx-hvk-1:/tmp$ ssh -F /tmp/configx sadsack

ssh: connect to host aaa port 24: Connection refused

$ cat /tmp/configy
Host sadsack
Port 333
Hostname aaa

Host *
Port 24
Protocol 2
andrewm@mx-hvk-1:/tmp$ ssh -F /tmp/configy sadsack

ssh: connect to host aaa port 333: Connection refused


Dietmar (in Western Germany) • Oct 18, 2020 @ 11:33

Great page! The whole site is of outstanding quality and reliability!!

One demand about ssh config file is not covered:

What, if I want to "land" in a particular directory? Can you cover this question?

The only solution I found elsewhere:

sudo vim .ssh/config

add
## needs both!!:
RequestTTY yes
RemoteCommand cd /srv/terra-daten/; exec $SHELL

May be you find a better solution?

Much appreciate your work!

ömer • Nov 22, 2020 @ 11:08

Thank you in advance.


My problem is that I couldn’t “Save and close the file”. After Add/append config,
how can I exit that screen?


🛡️ Vivek Gite • Nov 22, 2020 @ 12:38

Are you using vim or vi? If so see:


Vi / Vim Save And Quit The Editor Command


Nisargam • Aug 15, 2022 @ 11:44

Hi,

thanks a lot for this helpful information.

I think you should pay attention to this line:

IdentityFile ~/.ssh/id_ed25519.pub

What happened, when I used

id_ecdsa.pub

was this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/nisargam/.ssh/id_ecdsa.pub' are too o
It is required that your private key files are NOT accessible by
This private key will be ignored.
Load key "/home/nisargam/.ssh/id_ecdsa.pub": bad permissions
[email protected]: Permission denied (publickey,keyboar

In the end I experienced that I only have to give the identity's name, and openssh knows what is the private key and what's the public part.

Greetings
Nisargam

Anonymous • Nov 17, 2023 @ 5:43

Set correct permission on your private key file. If a file name is


~/.ssh/aws.key, then set it to 0600 (-rw-------):
chmod 0600 ~/.ssh/aws.key
chown user_name:user_name ~/.ssh/aws.key

Ref: SSH: WARNING: UNPROTECTED PRIVATE KEY FILE! Error and Solution

Lionel • Nov 22, 2023 @ 15:43

I was looking for information on config files and I found the information I
needed. Thank you.


Leonie • Nov 28, 2023 @ 19:29

Examples starting with `Host *` are somewhat incorrect.

man ssh_config(5) states:

For each parameter, the first obtained value will be used. The configuration files
contain sections separated by ”Host” specifications, and that section is only
applied for hosts that match one of the patterns given in the specification. The
matched host name is the one given on the command line.

Since the first obtained value for each parameter is used, more host-specific
declarations should be given near the beginning of the file, and general defaults
at the end.

Therefore, under “### default for all ###”, the `User nixcraft` will be enforced for
all hosts, regardless of the more host-specific rules further down.

©2002-2024 nixCraft • Privacy • ToS • Contact/Email • Corporate patron Cloudflare
