Uses for ~/.ssh/config

For system and network administrators or other users who frequently deal with sessions on multiple machines, SSH ends up being one of the most oft-used Unix tools. SSH usually works so well that until you use it for something slightly more complex than starting a terminal session on a remote machine, you tend to use it fairly automatically. However, the ~/.ssh/config file bears mentioning for a few ways it can make using the ssh a client a little easier.

Abbreviating hostnames

If you often have to SSH into a machine with a long host and/or network name, it can get irritating to type it every time. For example, consider the following command:

$ ssh web0911.colo.sta.solutionnetworkgroup.com

If you interact with the web0911 machine a lot, you could include a stanza like this in your ~/.ssh/config:

Host web0911
    HostName web0911.colo.sta.solutionnetworkgroup.com

This would allow you to just type the following for the same result:

$ ssh web0911

Of course, if you have root access on the system, you could also do this by adding the hostname to your /etc/hosts file, or by adding the domain to your /etc/resolv.conf to search it, but I prefer the above solution as it’s cleaner and doesn’t apply system-wide.

Fixing alternative ports

If any of the hosts with which you interact have SSH processes listening on alternative ports, it can be a pain to both remember the port number and to type it in every time:

$ ssh webserver.example.com -p 5331

You can affix this port permanently into your .ssh/config file instead:

Host webserver.example.com
    Port 5331

This will allow you to leave out the port definition when you call ssh on that host:

$ ssh webserver.example.com

Custom identity files

If you have a private/public key setup working between your client machine and the server, but for whatever reason you need to use a different key from your normal one, you’ll be using the -i flag to specify the key pair that should be used for the connection:

$ ssh -i ~/.ssh/id_dsa.mail srv1.mail.example.com
$ ssh -i ~/.ssh/id_dsa.mail srv2.mail.example.com

You can specify a fixed identity file in .ssh/config just for these hosts instead, using an asterisk to match everything in that domain:

Host *.mail.example.com
    IdentityFile ~/.ssh/id_dsa.mail

I need to do this for Mikrotik’s RouterOS connections, as my own private key structure is 2048-bit RSA which RouterOS doesn’t support, so I keep a DSA key as well just for that purpose.

Logging in as a different user

By default, if you omit a username, SSH assumes the username on the remote machine is the same as the local one, so for servers on which I’m called tom, I can just type:

tom@conan:$ ssh server.network

However, on some machines I might be known as a different username, and hence need to remember to connect with one of the following:

tom@conan:$ ssh -l tomryder server.anothernetwork
tom@conan:$ ssh tomryder@server.anothernetwork

If I always connect as the same user, it makes sense to put that into my .ssh/config instead, so I can leave it out of the command entirely:

Host server.anothernetwork
    User tomryder

SSH proxies

If you have an SSH server that’s only accessible to you via an SSH session on an intermediate machine, which is a very common situation when dealing with remote networks using private RFC1918 addresses through network address translation, you can automate that in .ssh/config too. Say you can’t reach the host nathost directly, but you can reach some other SSH server on the same private subnet that is publically accessible, publichost.example.com:

Host nathost
    ProxyCommand ssh -q -W %h:%p public.example.com

This will allow you to just type:

$ ssh nathost

More information

The above are the .ssh/config settings most useful to me, but there are plenty more available; check man ssh_config for a complete list.

13 thoughts on “Uses for ~/.ssh/config

  1. Pingback: Ssh configuration tips « 0ddn1x: tricks with *nix

  2. Pingback: Linux News » Uses for ~/.ssh/config

  3. Pingback: Blair Armeau » Uses for ~/.ssh/config | Arabesque

  4. Two interesting feature that I use with AWS, to establish connections to EC2: – Wildcard character in hostname: Host ec* – Multiple files ID, you just add multiple entries to connect IdentityFile that he will attempt to use key files until the connection happen.

  5. Pingback: Links 21/2/2012: HijackThis Becomes Open Source, LibrePlanet 2012 is Coming | Techrights

  6. Thank you for this. I hadn’t come across ProxyHost, so that’s a new one for my toolkit. Cheers.

    One option I do find I use all the time for our web farm machines in the data centre is ServerAliveInterval 60. This stops the connection dropping after a couple of minutes inactivity. (There is a fairly paranoid firewall sitting between our corporate LAN and the backside of our data centre machines. Quite rightly, too.)

  7. I really appreciate this information, but the proxy command (as given) doe not work with my version of OpenSSH. My version (OpenSSH_5.3p1) does not have a “W” (Upper case W) option . In what version is “W” available and how would I configure this with the version of SSH I have?

    Thanks again for a great post!

  8. Pingback: SSH Simples | Bruno GuimarĂ£es

Leave a Reply

Your email address will not be published. Required fields are marked *

You can use Markdown if you want.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>