SSH Config Generator

Build your ~/.ssh/config file visually. Add multiple hosts with aliases, identity files, proxy jumps, and connection options. 100% client side.

About SSH Config Files

The SSH config file (~/.ssh/config) lets you define per-host connection settings, saving you from typing long SSH commands. Instead of ssh -i ~/.ssh/key.pem -p 2222 user@192.168.1.100, just type ssh prod-server.

Common Options

  • Host - alias used in ssh <alias>
  • HostName - actual IP address or domain
  • User - SSH username
  • Port - SSH port (default: 22)
  • IdentityFile - path to the private key
  • ProxyJump - bastion/jump host for tunneling
  • ForwardAgent - forward SSH agent to remote host
  • ServerAliveInterval - keepalive interval to prevent timeouts

Usage

Copy the generated config and save it to ~/.ssh/config. Set permissions with chmod 600 ~/.ssh/config.

~/.ssh/config: From "Where Did I Save That Key" to Aliases

Most engineers manage SSH access by running ssh -i ~/keys/whatever.pem ec2-user@52.123.45.67 and pasting the same command into their shell history hundreds of times. ~/.ssh/config turns that into ssh prod-web. It also lets you set per-host options, jump hosts, multiplexing, and key-by-pattern matching — features most people don't realize exist.

The minimal useful config

Host prod-web
    HostName 52.123.45.67
    User ubuntu
    IdentityFile ~/keys/prod.pem
    IdentitiesOnly yes
    ServerAliveInterval 60

Now ssh prod-web Just Works. No memorized IP, no flags.

Patterns worth using

  • Wildcards. Host *.dev.example.com matches every dev subdomain.
  • Bastion / jump hosts. ProxyJump bastion uses your defined bastion as an SSH proxy. No more two-shell SSH chains.
  • Connection multiplexing. ControlMaster auto + ControlPath + ControlPersist 10m reuses one TCP connection for multiple SSH sessions. Subsequent connects feel instant.
  • IdentitiesOnly yes. Without this, ssh-agent offers every loaded key in order, which can cause "too many auth attempts" rejections on servers that limit retries.
  • Match blocks. Match host *.aws exec "test ..." for dynamic conditions.

Common pitfalls

  • File permissions. ssh refuses to use ~/.ssh/config if it's group-readable. Run chmod 600 ~/.ssh/config and chmod 700 ~/.ssh.
  • StrictHostKeyChecking ask vs no. Setting no auto-accepts new host keys, which disables MITM detection. Always leave it at ask (default) and verify the fingerprint on first connect.
  • Forwarding agent on untrusted hosts. ForwardAgent yes lets the remote host use your local agent (and your local keys). Bastions = OK. Random servers = no.
  • Specifying the wrong identity. If IdentityFile isn't set explicitly per host, ssh tries every key in ~/.ssh/ in alphabetical order. Some servers lock you out after 3 wrong tries.
  • Multiple Host blocks for the same alias. ssh merges them, taking the first occurrence of each option. Order matters.
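
The merge rule and the pitfalls above, as an added example (not this tool's own code): a Python sketch that resolves a host's effective options with first-occurrence-wins and flags the risky ones. The sample config, the function names effective and audit, and the finding strings are constructed for illustration; the parser is simplified and ignores Match, Include and negated patterns.

```python
import fnmatch
import re

# Constructed sample (not from the page): the wildcard block comes first,
# so its values win over the later, more specific prod-web block.
SAMPLE = """\
Host *
    ForwardAgent yes
    StrictHostKeyChecking no
Host prod-web
    HostName 52.123.45.67
    IdentityFile ~/keys/prod.pem
    ForwardAgent no
Host bastion
    IdentityFile ~/keys/bastion.pem
    IdentitiesOnly yes
"""

def effective(text, host):
    """Effective options for host: first occurrence of each option wins.
    Simplified: no Match/Include/negated patterns, single-valued options."""
    opts, active = {}, True          # lines before any Host apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            opts.setdefault(key.lower(), value.strip('"'))
    return opts

def audit(opts):
    """Flag the pitfalls from the list above in a host's effective options."""
    findings = []
    if opts.get("stricthostkeychecking", "ask").lower() in ("no", "off"):
        findings.append("StrictHostKeyChecking disabled")
    if opts.get("forwardagent", "no").lower() == "yes":
        findings.append("ForwardAgent enabled")
    if "identityfile" in opts and opts.get("identitiesonly", "no").lower() != "yes":
        findings.append("IdentityFile set without IdentitiesOnly yes")
    return findings

if __name__ == "__main__":
    for name in ("prod-web", "bastion"):
        print(name, audit(effective(SAMPLE, name)))
```

Running ssh -G <alias> prints the options OpenSSH itself resolves for a host, which is the authoritative version of what effective approximates here.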

When to graduate

For team-scale infra, replace static configs with SSH certificates issued by Vault or Smallstep CA, plus dynamic inventory from Terraform/Pulumi. Each user gets short-lived (4–8 hour) certs, and you no longer have to rotate authorized_keys when someone leaves. See our Vault vs Secrets Manager comparison.

Frequently Asked Questions

Why is ssh ignoring my config file?

Most often: wrong file permissions. Run "chmod 600 ~/.ssh/config" and "chmod 700 ~/.ssh". Also confirm the file is at ~/.ssh/config, not ~/ssh/config.

How do I jump through a bastion?

Add ProxyJump bastion-alias to the inner host's block. ssh handles the chain transparently — no need for ssh-in-ssh anymore.

What does IdentitiesOnly yes actually do?

Forces ssh to only offer the keys explicitly listed in IdentityFile rather than all keys in your agent. Prevents MaxAuthTries lockouts on servers with strict auth limits.

Can I use the config for sftp and scp too?

Yes — both honor ~/.ssh/config. Use the host alias the same way: "scp file prod-web:/tmp/".