Uses for ~/.ssh/config

For system and network administrators or other users who frequently deal with sessions on multiple machines, SSH ends up being one of the most oft-used Unix tools. SSH usually works so well that until you use it for something slightly more complex than starting a terminal session on a remote machine, you tend to use it fairly automatically. However, the ~/.ssh/config file bears mentioning for a few ways it can make using the ssh a client a little easier.

Abbreviating hostnames

If you often have to SSH into a machine with a long host and/or network name, it can get irritating to type it every time. For example, consider the following command:

$ ssh

If you interact with the web0911 machine a lot, you could include a stanza like this in your ~/.ssh/config:

Host web0911

This would allow you to just type the following for the same result:

$ ssh web0911

Of course, if you have root access on the system, you could also do this by adding the hostname to your /etc/hosts file, or by adding the domain to your /etc/resolv.conf to search it, but I prefer the above solution as it’s cleaner and doesn’t apply system-wide.

Fixing alternative ports

If any of the hosts with which you interact have SSH processes listening on alternative ports, it can be a pain to both remember the port number and to type it in every time:

$ ssh -p 5331

You can affix this port permanently into your .ssh/config file instead:

    Port 5331

This will allow you to leave out the port definition when you call ssh on that host:

$ ssh

Custom identity files

If you have a private/public key setup working between your client machine and the server, but for whatever reason you need to use a different key from your normal one, you’ll be using the -i flag to specify the key pair that should be used for the connection:

$ ssh -i ~/.ssh/id_dsa.mail
$ ssh -i ~/.ssh/id_dsa.mail

You can specify a fixed identity file in .ssh/config just for these hosts instead, using an asterisk to match everything in that domain:

Host *
    IdentityFile ~/.ssh/id_dsa.mail

I need to do this for Mikrotik’s RouterOS connections, as my own private key structure is 2048-bit RSA which RouterOS doesn’t support, so I keep a DSA key as well just for that purpose.

Logging in as a different user

By default, if you omit a username, SSH assumes the username on the remote machine is the same as the local one, so for servers on which I’m called tom, I can just type:

tom@conan:$ ssh

However, on some machines I might be known as a different username, and hence need to remember to connect with one of the following:

tom@conan:$ ssh -l tomryder server.anothernetwork
tom@conan:$ ssh tomryder@server.anothernetwork

If I always connect as the same user, it makes sense to put that into my .ssh/config instead, so I can leave it out of the command entirely:

Host server.anothernetwork
    User tomryder

SSH proxies

If you have an SSH server that’s only accessible to you via an SSH session on an intermediate machine, which is a very common situation when dealing with remote networks using private RFC1918 addresses through network address translation, you can automate that in .ssh/config too. Say you can’t reach the host nathost directly, but you can reach some other SSH server on the same private subnet that is publically accessible,

Host nathost
    ProxyCommand ssh -q -W %h:%p

This will allow you to just type:

$ ssh nathost

More information

The above are the .ssh/config settings most useful to me, but there are plenty more available; check man ssh_config for a complete list.

13 thoughts on “Uses for ~/.ssh/config

  1. Pingback: Ssh configuration tips « 0ddn1x: tricks with *nix

  2. Pingback: Linux News » Uses for ~/.ssh/config

  3. Pingback: Blair Armeau » Uses for ~/.ssh/config | Arabesque

  4. Two interesting feature that I use with AWS, to establish connections to EC2: – Wildcard character in hostname: Host ec* – Multiple files ID, you just add multiple entries to connect IdentityFile that he will attempt to use key files until the connection happen.

  5. Pingback: Links 21/2/2012: HijackThis Becomes Open Source, LibrePlanet 2012 is Coming | Techrights

  6. Thank you for this. I hadn’t come across ProxyHost, so that’s a new one for my toolkit. Cheers.

    One option I do find I use all the time for our web farm machines in the data centre is ServerAliveInterval 60. This stops the connection dropping after a couple of minutes inactivity. (There is a fairly paranoid firewall sitting between our corporate LAN and the backside of our data centre machines. Quite rightly, too.)

  7. I really appreciate this information, but the proxy command (as given) doe not work with my version of OpenSSH. My version (OpenSSH_5.3p1) does not have a “W” (Upper case W) option . In what version is “W” available and how would I configure this with the version of SSH I have?

    Thanks again for a great post!

  8. Pingback: SSH Simples | Bruno GuimarĂ£es

Leave a Reply

Your email address will not be published. Required fields are marked *

You can use Markdown if you want.