The ~/.ssh/config File: Make Your SSH Life 10× Easier (and Safer)

If you SSH into multiple machines every day and you’re still typing long commands like

ssh -i ~/.ssh/special_key -p 2222 [email protected]

…then you are suffering needlessly.

The ~/.ssh/config file is the single best way to stop that pain. It’s a per-user OpenSSH client configuration file (usually at /home/yourname/.ssh/config or ~/.ssh/config on macOS/Linux), and it lets you centralize all your connection logic so you rarely need flags anymore.

What it actually does (the good parts)
1 Host aliases / nicknames
Turn ugly connection strings into one nice short name.

Host prod-db
    HostName 10.88.12.45
    User admin
    Port 2222
    IdentityFile ~/.ssh/prod_rsa

After that, you just type:

ssh prod-db

2 Common options you almost always want

  • User — default username
  • Port — non-22 ports
  • IdentityFile — which key to offer (and only that key if you pair it with IdentitiesOnly yes)
  • ProxyJump — jump hosts / bastions (the modern replacement for ProxyCommand)

Example with a bastion:

Host internal-server
    HostName 192.168.77.22
    User deploy
    ProxyJump bastion.corp.example.com

3 Wildcards & patterns for groups of hosts
Very powerful once you have 10+ machines with similar setup.

Host *.staging.example.com
    User staging
    IdentityFile ~/.ssh/staging_key
    ServerAliveInterval 30

Host prod-*
    IdentitiesOnly yes
    IdentityFile ~/.ssh/prod_ed25519

4 Security & hardening tricks (things people usually learn the hard way)

Host untrusted-host
    StrictHostKeyChecking accept-new
    # only for throwaway/testing hosts!
    UserKnownHostsFile /dev/null

Host *
    # Good defaults everyone should consider
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # sometimes helps a lot on slow links
    Compression yes
    # safer default nowadays
    ForwardAgent no
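
An added example, not code from the original post: a small Python audit that works out which options a given host alias ends up with and flags the hardening points above (agent forwarding, IdentityFile without IdentitiesOnly, host keys sent to /dev/null). It relies on OpenSSH's documented rule that the first value obtained for an option wins across matching Host blocks. Assumptions: the names parse, effective and audit are hypothetical, the sample config is constructed, and only whitespace-separated "Keyword value" lines are handled (no Match, no Include).

```python
import fnmatch
import shlex
# Constructed sample config for this example; option names are the ones used on this page.
SAMPLE = """\
Host scratch-vm
    StrictHostKeyChecking accept-new
    UserKnownHostsFile /dev/null
Host prod-*
    IdentitiesOnly yes
    IdentityFile ~/.ssh/prod_ed25519
Host legacy
    IdentityFile ~/.ssh/legacy_rsa
    ForwardAgent yes
Host *
    ForwardAgent no
"""

def parse(text):
    """Return [(patterns, options)] in file order, with keywords lowercased."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0].lower() == "host":
            blocks.append((words[1:], {}))
        elif len(words) > 1:
            blocks[-1][1].setdefault(words[0].lower(), words[1])
    return blocks

def effective(blocks, host):
    """Merge every matching Host block; the first value seen for an option wins."""
    opts = {}
    for patterns, block in blocks:
        hit = any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))
        veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
        if hit and not veto:
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts

def audit(text, host):
    """List hardening findings for the settings `ssh host` would end up with."""
    o, findings = effective(parse(text), host), []
    if o.get("forwardagent", "no") != "no":
        findings.append("ForwardAgent is enabled")
    if "identityfile" in o and o.get("identitiesonly", "no") != "yes":
        findings.append("IdentityFile without IdentitiesOnly yes")
    if o.get("userknownhostsfile") == "/dev/null":
        findings.append("host keys are never recorded")
    return findings
```

Here the legacy alias keeps ForwardAgent yes even though Host * says no, because its own block is read first; that ordering is why catch-all defaults belong at the end of the file.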

Quick example people actually use

# ~/.ssh/config

Host *
    ServerAliveInterval 30
    ServerAliveCountMax 5
    AddKeysToAgent yes
    # macOS only, keeps passphrase in keychain
    UseKeychain yes

Host jump
    HostName jump.corp.example.com
    User jumpuser

Host *.internal
    ProxyJump jump
    User app
    IdentityFile ~/.ssh/internal_ed25519

Host laptop
    HostName 192.168.1.88
    User pi
    Port 8822

Important gotchas / pro tips
1 Permissions must be 600: chmod 600 ~/.ssh/config
OpenSSH will silently ignore the file if it’s too permissive — very common source of “why isn’t my config working?” pain.

2 User-level ~/.ssh/config overrides /etc/ssh/ssh_config

3 The file is not a shell script: no variables and no conditionals (except the limited Match blocks in newer OpenSSH versions)

4 You can split config into multiple files with Include (OpenSSH ≥7.3):

Include ~/.ssh/config.d/*.conf

Once you start using it properly, going back to flag-heavy SSH feels like using vi without a .vimrc. Highly recommended.

What are your favorite ~/.ssh/config tricks?
