SSH Client Config File Examples

The SSH client configuration file (~/.ssh/config) is one of the most underutilized productivity tools for developers and system administrators who regularly connect to remote servers. Instead of typing ssh -i ~/.ssh/prod_rsa -p 2222 [email protected] every time, you define the settings once in the config file and connect with a simple ssh prod-web. The config file also stores per-host settings that would be impossible to type every time, like ProxyJump for bastion hosts and ServerAlive settings for keeping connections alive through firewalls.

This example shows four common config sections. The Host * block sets global defaults for all connections: ServerAliveInterval 60 sends a keepalive packet every 60 seconds to prevent SSH connections from dropping due to firewall idle timeout (a very common problem on cloud infrastructure behind NAT). ServerAliveCountMax 3 means the connection drops after three missed keepalives. AddKeysToAgent yes automatically adds loaded keys to the SSH agent so you don't need to type your passphrase repeatedly.

The prod-web block defines a named alias with all the connection details: HostName is the actual IP address or DNS name, User is the username to log in as, IdentityFile specifies which private key to use, and Port overrides the default port 22. After saving this config, ssh prod-web connects with all these options automatically.

The bastion block configures an AWS EC2 bastion host using a .pem key file. ec2-user is the standard username for Amazon Linux and some other AWS AMI types. The IdentityFile points to the downloaded key pair file from AWS.

The private-db block demonstrates the ProxyJump directive, the most powerful feature in modern SSH client configuration. ProxyJump bastion tells SSH to first connect to the "bastion" host defined above, then tunnel from there to 10.0.1.50 (a private network IP not accessible from the public internet). From the user's perspective, ssh private-db connects directly to the private database server with a single command, but the connection actually traverses the bastion host transparently.

File permission requirements: SSH is strict about config file permissions for security reasons. Run chmod 600 ~/.ssh/config to restrict access to your user only. SSH refuses to use config files (and private key files) that are group or world readable. On Windows Subsystem for Linux, permissions can get reset, so check them after any update.

Tips: you can use wildcards in Host patterns. Host *.internal.example.com matches all internal hostnames and applies common settings (proxy, key file, user) without listing each server individually. This is especially useful for fleets of servers with predictable naming conventions.

Example
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    AddKeysToAgent yes

Host prod-web
    HostName 203.0.113.10
    User deploy
    IdentityFile ~/.ssh/prod_rsa
    Port 2222

Host bastion
    HostName bastion.example.com
    User ec2-user
    IdentityFile ~/.ssh/aws_key.pem

Host private-db
    HostName 10.0.1.50
    User ubuntu
    ProxyJump bastion
    IdentityFile ~/.ssh/aws_key.pem
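
The chmod 600 requirement described above can be checked across the config and every key it references. The script below is an added example, not part of the original page: it collects the IdentityFile paths from a config and flags any file that carries group or other permission bits. The function names (is_private, identity_files, audit_ssh_config, demo) are hypothetical, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit permission bits on an ssh
# client config and on each private key it names. Function names are hypothetical.
# True when the file grants nothing to group or other (mode 600 or 400).
is_private() {
    # Characters 5-10 of the ls mode string are the group/other bits;
    # -L follows symlinks so the target file is judged.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Print the IdentityFile paths in config $1, expanding a leading ~ to $2.
# Assumes the whitespace-separated "IdentityFile path" form used on this page.
identity_files() {
    awk -v home="$2" 'tolower($1) == "identityfile" {
        p = $2; sub(/^~/, home, p); print p }' "$1" | sort -u
}

# Audit config $1 with home directory $2 (default $HOME). Prints one line per
# file; the return status is the number of files that are too open.
audit_ssh_config() {
    cfg=$1; home=${2:-$HOME}; bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -e "$f" ]; then
            echo "MISSING   $f"
        elif is_private "$f"; then
            echo "OK        $f"
        else
            echo "TOO OPEN  $f  (fix: chmod 600 \"$f\")"
            bad=$((bad + 1))
        fi
    done <<EOF
$cfg
$(identity_files "$cfg" "$home")
EOF
    return "$bad"
}

# Constructed demo: throwaway home holding the page's prod-web and bastion keys.
demo() {
    h=$(mktemp -d); mkdir "$h/.ssh"; rc=0
    printf 'Host prod-web\n    IdentityFile ~/.ssh/prod_rsa\nHost bastion\n    IdentityFile ~/.ssh/aws_key.pem\n' > "$h/.ssh/config"
    : > "$h/.ssh/prod_rsa"; : > "$h/.ssh/aws_key.pem"
    chmod 600 "$h/.ssh/config" "$h/.ssh/prod_rsa"; chmod 644 "$h/.ssh/aws_key.pem"
    audit_ssh_config "$h/.ssh/config" "$h" || rc=$?
    rm -rf "$h"; return "$rc"
}

case "${1:-}" in --demo) demo ;; ?*) audit_ssh_config "$1" ;; esac
```

Run it with --demo to see the constructed case, where aws_key.pem is reported as too open, or pass the path to your own config to audit it.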

FAQ

What does ProxyJump do in SSH config?
ProxyJump (or the -J flag) routes your SSH connection through an intermediate bastion host, allowing you to reach servers in a private network with a single command.

How do I set correct permissions on my SSH config?
Run chmod 600 ~/.ssh/config to restrict access to your user only. SSH refuses to use the config file if it is world-readable, and similarly requires id_rsa keys to be chmod 600.

Can I use wildcards in SSH Host patterns?
Yes. Host * matches all connections and sets global defaults. Host *.example.com matches any host in that domain. More specific patterns override general ones.
