Where does the SSH client config file live and how is it parsed?

The per-user file is ~/.ssh/config and the system-wide file is /etc/ssh/ssh_config. SSH reads them top to bottom and for most options the first matching value wins, so put specific Host blocks before broad wildcard ones like Host *.

What is the difference between Host and HostName?

Host introduces a block and is matched against the alias you type on the command line, supporting wildcards. HostName is the real address SSH actually connects to, letting you define a short alias whose HostName is a long DNS name or IP.

How do I connect through a bastion or jump host?

Use ProxyJump with the bastion's address, for example ProxyJump bastion.example.com, or chain several comma-separated. SSH first connects to the jump host and then tunnels to the final destination, replacing older ProxyCommand netcat tricks.

What does IdentitiesOnly yes do?

It tells SSH to offer only the keys named by IdentityFile or -i and ignore every key the agent advertises. This prevents the server from rejecting you with 'too many authentication failures' when your agent holds many keys.

How does connection multiplexing speed up SSH?

Setting ControlMaster auto with a ControlPath socket lets repeated connections to the same host reuse one authenticated TCP session, skipping the handshake. ControlPersist keeps that master open in the background for a while after you log out.

SSH Config Options Reference

SSH client config options

The SSH client configuration file (~/.ssh/config per user, /etc/ssh/ssh_config system-wide) lets you set per-host defaults so you can type ssh web1 instead of a long command full of flags. Options are grouped under Host or Match blocks and cover connection details, authentication, port forwarding, connection multiplexing and host-key security. This page is a searchable, offline reference to the common keywords, each with its argument format and default value.

How it works

SSH reads the config from top to bottom. Each Host pattern line starts a block whose options apply to any session whose alias matches the pattern (* and ? are wildcards). For most options the first matching value wins, so order matters: place narrow host blocks above a final catch-all Host *.

The keyword families are:

Connection — HostName, Port, User, plus liveness controls like ServerAliveInterval and ConnectTimeout.
Authentication — IdentityFile to point at a key, IdentitiesOnly to avoid offering the wrong ones, and PreferredAuthentications to order methods.
Forwarding — ProxyJump for bastions, and LocalForward, RemoteForward, DynamicForward for tunnels.
Multiplexing — ControlMaster, ControlPath, ControlPersist for fast repeated logins.
Security — StrictHostKeyChecking, UserKnownHostsFile, and the algorithm lists Ciphers, MACs, KexAlgorithms.

Within values, SSH expands tokens such as %h (host), %p (port), %r (remote user) and %C (a hash of the connection), useful in ControlPath and ProxyCommand.

Tips and examples

A clean per-host block that sets an alias, a specific key and a jump host:

Host web1
    HostName 10.0.3.21
    User deploy
    IdentityFile ~/.ssh/deploy_ed25519
    IdentitiesOnly yes
    ProxyJump bastion.example.com

Keep idle sessions alive through a flaky firewall:

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

Speed up repeated connections with multiplexing:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

Remember that the first matching value wins, so put your specific overrides above the wildcard Host * block at the bottom of the file.

SSH Config Options Reference

Email me this result

SSH client config options

How it works

Tips and examples