The ~/.ssh/config File: Make Your SSH Life 10× Easier (and Safer)

If you SSH into multiple machines every day and you’re still typing long commands like

ssh -i ~/.ssh/special_key -p 2222 [email protected]

…then you are suffering needlessly.

The ~/.ssh/config file is the single best way to stop that pain. It’s a per-user OpenSSH client configuration file (usually at /home/yourname/.ssh/config or ~/.ssh/config on macOS/Linux), and it lets you centralize all your connection logic so you rarely need flags anymore.

What it actually does (the good parts)
1. Host aliases / nicknames
Turn ugly connection strings into one nice short name.

Host prod-db
    HostName 10.88.12.45
    User admin
    Port 2222
    IdentityFile ~/.ssh/prod_rsa

After that, you just type:

ssh prod-db

2. Common options you almost always want

  • User — default username
  • Port — non-22 ports
  • IdentityFile — which key to offer (and only that key if you pair it with IdentitiesOnly yes)
  • ProxyJump — jump hosts / bastions (the modern replacement for ProxyCommand)

Example with a bastion:

Host internal-server
    HostName 192.168.77.22
    User deploy
    ProxyJump bastion.corp.example.com

3. Wildcards & patterns for groups of hosts
Very powerful once you have 10+ machines with a similar setup.

Host *.staging.example.com
    User staging
    IdentityFile ~/.ssh/staging_key
    ServerAliveInterval 30

Host prod-*
    IdentitiesOnly yes
    IdentityFile ~/.ssh/prod_ed25519

4. Security & hardening tricks (things people usually learn the hard way)

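# Comments sit on their own lines: older OpenSSH clients do not treat a
# trailing "#" after a value as a comment.
Host untrusted-host
    StrictHostKeyChecking accept-new
    # only for throwaway/testing hosts! Nothing is stored, so accept-new
    # accepts whatever host key is presented on every connection
    UserKnownHostsFile /dev/null

Host *
    # Good defaults everyone should consider
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # sometimes helps a lot on slow links
    Compression yes
    # safer default nowadays
    ForwardAgent no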
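
Added example (not from the original article): a short Python sketch of how the Host patterns from section 3 combine, with the first value obtained for each keyword winning, and which of the options from section 4 end up in effect for a given alias. The sample config, the function names and the list of checks are assumptions made for illustration; `ssh -G <alias>` prints what the real client resolves.

```python
import fnmatch
import re

# Constructed sample config, not taken from the page or any real environment.
SAMPLE = """\
Host scratch-vm
    StrictHostKeyChecking accept-new
    UserKnownHostsFile /dev/null
Host prod-*
    IdentitiesOnly yes
    IdentityFile ~/.ssh/prod_ed25519
Host prod-legacy
    ForwardAgent yes
Host *
    ForwardAgent no
    IdentityFile ~/.ssh/id_ed25519
"""

def host_matches(alias, patterns):
    """A Host line applies if a positive pattern matches and no '!' pattern does."""
    hits = {p for p in patterns if fnmatch.fnmatchcase(alias, p.lstrip("!"))}
    return bool(hits) and not any(p.startswith("!") for p in hits)

def effective(config_text, alias):
    """Options in effect for alias (hypothetical helper, simplified parser)."""
    opts, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = host_matches(alias, value.split())
        elif active:
            # First value obtained wins; multi-valued IdentityFile is simplified to one.
            opts.setdefault(key, value)
    return opts

def audit(config_text, alias):
    """Names of the risky settings in effect for alias (assumed check list)."""
    o = effective(config_text, alias)
    checks = [
        ("ForwardAgent", o.get("forwardagent", "no").lower() != "no"),
        ("StrictHostKeyChecking", o.get("stricthostkeychecking", "ask").lower() in ("no", "off")),
        ("UserKnownHostsFile", o.get("userknownhostsfile") == "/dev/null"),
        ("IdentitiesOnly", "identityfile" in o and o.get("identitiesonly", "no").lower() != "yes"),
    ]
    return [name for name, risky in checks if risky]
```

Because the first value wins, the `ForwardAgent no` under `Host *` at the end does not undo the `ForwardAgent yes` set for prod-legacy, and a `Host *` block placed first would mask every later, more specific setting of the same keyword.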

Quick example people actually use

# ~/.ssh/config

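Host *
    ServerAliveInterval 30
    ServerAliveCountMax 5
    AddKeysToAgent yes
    # macOS only, keeps passphrase in keychain; IgnoreUnknown lets other
    # OpenSSH builds skip the keyword instead of failing on it
    IgnoreUnknown UseKeychain
    UseKeychain yes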

Host jump
    HostName jump.corp.example.com
    User jumpuser

Host *.internal
    ProxyJump jump
    User app
    IdentityFile ~/.ssh/internal_ed25519

Host laptop
    HostName 192.168.1.88
    User pi
    Port 8822

Important gotchas / pro tips
1. Permissions must be 600: chmod 600 ~/.ssh/config
OpenSSH will silently ignore the file if it’s too permissive — a very common source of “why isn’t my config working?” pain.

2. User-level ~/.ssh/config overrides /etc/ssh/ssh_config

3. The file is not a shell script — no variables, no conditionals (except the limited Match blocks in newer OpenSSH versions)

4. You can split config into multiple files with Include (OpenSSH ≥7.3):

Include ~/.ssh/config.d/*.conf

Once you start using it properly, going back to flag-heavy SSH feels like using vi without a .vimrc. Highly recommended.

What are your favorite ~/.ssh/config tricks?

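What the ~/.ssh/config file does

The ~/.ssh/config file is the OpenSSH client's configuration file, located in the .ssh subdirectory of the user's home directory (for example /home/username/.ssh/config). It lets users customize how SSH connections behave without specifying options by hand on every connection. Its main purposes are to simplify SSH operations, improve security, and manage connection settings for multiple hosts.

Main uses

  • Simpler commands: by defining a host alias (Host), you can wrap up complex connection parameters. For example, preset a remote server's IP, port, username and so on under a short name; from then on you connect with just ssh alias, with no need to type ssh -p 2222 [email protected]
  • Custom connection parameters: various SSH options can be set, such as:
      • Port (Port): specify a non-standard port.
      • Username (User): the default login user.
      • Key file (IdentityFile): specify the private key path, so you don't have to load it by hand each time.
      • Jump proxy (ProxyJump): configure connections through a jump host.
      • Other advanced options: such as KeepAlive, Compression and so on, used to improve connection stability or performance.
  • Better security: you can restrict the authentication method for particular hosts (e.g. IdentitiesOnly yes, to use only the specified key), or disable insecure options (e.g. StrictHostKeyChecking no, though that is not recommended).
  • Host matching: wildcards are supported (e.g. Host *.example.com), applying one configuration to multiple similar hosts.

File format example

The file is plain text in a key-value format (case-insensitive). Example: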

Host myserver
    HostName 192.168.1.100
    User myuser
    Port 2222
    IdentityFile ~/.ssh/my_private_key

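Notes

  • File permissions should be 600 (chmod 600 ~/.ssh/config) to keep it secure.
  • If the file does not exist, you can create it by hand.
  • The system-wide configuration is in /etc/ssh/ssh_config, but the user-level ~/.ssh/config takes precedence.
  • Applies to ssh, scp, sftp and similar commands.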