SSH config for power users — ProxyJump, ControlPath, host aliases
If you SSH into more than three machines, your ~/.ssh/config is doing more work than you think. The default behavior is fine; the power-user behavior shaves real friction. This article covers the SSH client patterns you'll actually use when managing multiple LYLIX VPSes.
Host aliases
Stop typing ssh -i ~/.ssh/lx-key root@192.0.2.42 -p 2222. Define a name once in ~/.ssh/config:
Host wdc04-7
    HostName 192.0.2.42
    Port 2222
    User root
    IdentityFile ~/.ssh/lx-key

Host mx1
    HostName mx1.lylix.net
    User alice
    IdentityFile ~/.ssh/lx-key
Now: ssh wdc04-7 and ssh mx1. Tab completion of the aliases works too: the bash-completion package and zsh's built-in ssh completion both read Host entries from ~/.ssh/config.
Wildcards
For multiple VPSes that share a common config:
Host lx-*
    User alice
    IdentityFile ~/.ssh/lx-key
    ServerAliveInterval 30
    ServerAliveCountMax 3

Host lx-web-*
    # Inherits everything from lx-* above and adds the web-specific forward.
    # Only one session at a time can bind local port 8080; a second concurrent
    # lx-web-* session logs a bind error and runs without the forward.
    LocalForward 8080 localhost:80

Host lx-web-1
    HostName 192.0.2.101

Host lx-web-2
    HostName 192.0.2.102

ssh walks every matching Host stanza in file order and, for each option, keeps the first value it finds; a later value for the same option is silently ignored (IdentityFile and the *Forward options are the exceptions: they accumulate across all matching stanzas). The order above is safe only because lx-web-1 and lx-web-2 set nothing but HostName, which the wildcards never set. As soon as a specific host needs to override something a wildcard also sets (a different User, say), its stanza has to come before the wildcard. Rule of thumb: specific entries first, wildcards after them, Host * at the very bottom. ssh -G lx-web-1 prints the fully resolved options without connecting, which is the quickest way to check what actually won.
ProxyJump — through a bastion
If your production VPSes don't accept SSH directly from the public Internet (and they shouldn't), bastion hosts give you a controlled entry point. ProxyJump makes it one-step:
Host bastion
    HostName bastion.lylix.net
    User alice
    IdentityFile ~/.ssh/lx-key

Host db-1
    # Private IP, only reachable from bastion
    HostName 10.0.1.10
    User dba
    ProxyJump bastion

Now ssh db-1 hops through bastion transparently: the client opens a session to bastion, asks it to forward a raw TCP stream to 10.0.1.10:22 (the same thing ssh -W does), then runs a complete, end-to-end SSH handshake with db-1 over that stream. You authenticate twice, once to bastion and once to db-1, but your private key is only ever used by the local client: nothing is copied to the bastion and no agent forwarding is needed. The bastion cannot read the inner session, and db-1's host key is checked against your own known_hosts rather than the bastion's. Two requirements: the client needs OpenSSH 7.3 or newer (ProxyJump is also available on the command line as ssh -J bastion db-1), and the bastion's sshd must permit TCP forwarding (AllowTcpForwarding yes, or at least local), otherwise the jump fails at the forwarding step.

Multi-hop also works: ProxyJump bastion-prod,db-cluster chains two hops, each authenticated in turn from your laptop.
ControlMaster — single TCP, multiple sessions
Every ssh command normally opens a fresh TCP connection. For workflows where you SSH the same host repeatedly (running ansible, scping a series of files, opening multiple terminal tabs), reuse the first connection:
Host *
    ControlMaster auto
    # %C is a hash of %l%h%p%r, so long hostnames can't overflow the
    # UNIX-socket path limit. Create the directory first:
    #   mkdir -m 0700 -p ~/.ssh/sockets
    ControlPath ~/.ssh/sockets/%C
    ControlPersist 10m

The first ssh wdc04-7 establishes the TCP connection and becomes the master; subsequent ssh wdc04-7, scp file wdc04-7:/tmp/, sftp and so on open new channels over that same connection. Each of them skips the TCP handshake, the SSH key exchange and the authentication exchange (typically 200–500 ms per command), and you are not prompted for a passphrase or second factor again.

ControlPersist 10m keeps the master connection alive 10 minutes after the last session closes: fast reopens if you come back, automatic cleanup if you don't.

Keep the socket out of /tmp. Anyone who can connect to that socket gets an authenticated session as you, so the ssh_config manual asks for a ControlPath in a directory not writable by other users, with %h, %p and %r (or %C) in the name. ssh does create the socket with mode 0600, but a shared /tmp still invites name-collision and symlink games, and the predictable /tmp/ssh-alice@host:22 name tells every local user where you have been.

Gotcha: if the master's connection dies (network blip, server reboot) while the master process is still around, new sessions can hang waiting on it. ssh -O check wdc04-7 reports whether a master is alive, ssh -O exit wdc04-7 tells it to shut down cleanly, and if even that hangs, kill the master process and remove its socket under ~/.ssh/sockets/. For a command that must not share a connection, bypass the master with ssh -S none wdc04-7.
LocalForward / RemoteForward
LocalForward binds a port on your laptop and tunnels every connection to it through the SSH session to a destination reachable from the server; RemoteForward does the reverse, binding a port on the server and tunnelling connections to it back to something reachable from your laptop:

Host db-1
    HostName db-1.lylix.net
    User dba
    # Bind 5432 on my laptop (loopback only, since GatewayPorts defaults to no)
    # and tunnel it to what the *server* sees as localhost:5432, i.e. db-1's own PostgreSQL
    LocalForward 5432 localhost:5432

After ssh db-1, psql -h localhost -p 5432 on your laptop connects to db-1's PostgreSQL through the tunnel (ssh -N db-1 gives you the tunnel without a shell). PostgreSQL can keep listening on loopback only and port 5432 never has to be opened to the public Internet. Two notes: the destination localhost is resolved on db-1, not on your laptop, and if your laptop already runs PostgreSQL on 5432 the local bind fails, so pick another local port (LocalForward 15432 localhost:5432) and connect with -p 15432.
Identity per-host
If different VPSes use different SSH keys (best practice — no one key compromise gives access to everything):
Host customer-a-*
    IdentityFile ~/.ssh/customer-a-key
    # Don't offer agent keys or other keys in ~/.ssh/
    IdentitiesOnly yes

Host customer-b-*
    IdentityFile ~/.ssh/customer-b-key
    IdentitiesOnly yes

IdentitiesOnly yes matters. Without it, ssh offers every key loaded in your agent first, then the configured IdentityFile entries in order (and the default ~/.ssh/id_* files when no IdentityFile is set at all). Each rejected key burns one attempt against the server's MaxAuthTries (default 6), so with a well-stocked agent you can be locked out with "Too many authentication failures" before the right key is ever offered. IdentitiesOnly yes restricts the offer to the IdentityFile entries for that host. It also stops you advertising which other keys you hold, since every public key offered is sent to the server.
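Both the "first value wins" rule from the wildcard section and the accumulating IdentityFile list that makes MaxAuthTries bite are easier to see when modelled explicitly. The script below is an added example, not code from the original article or from OpenSSH: a small Python resolver that applies Host-pattern matching (including ! negation and several patterns per line), first-value-wins for ordinary options and accumulation for IdentityFile and the *Forward options to a constructed sample config based on the stanzas above. The sample config, the alias names and the extra Host * IdentityFile are assumptions made for the demonstration. It deliberately leaves out Match blocks, Include, %-token expansion and agent keys; for the authoritative answer on a real config run ssh -G alias.

```python
"""Mini model of how ssh(1) resolves ~/.ssh/config for one host alias (added example)."""
import fnmatch
import re

# Options ssh(1) collects from every matching stanza instead of taking the first.
MULTI_VALUED = {"identityfile", "certificatefile", "localforward",
                "remoteforward", "dynamicforward", "sendenv", "setenv"}


def host_matches(patterns: str, alias: str) -> bool:
    """Host-line semantics: a matching negated pattern rejects the alias;
    otherwise the alias must match at least one positive pattern."""
    alias = alias.lower()
    matched = False
    for pat in patterns.replace(",", " ").split():
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(alias, pat.lower()):
            if negated:
                return False
            matched = True
    return matched


def parse_ssh_config(text: str):
    """Return [(host_patterns, [(key, value), ...]), ...] in file order.
    Options before the first Host line apply to every host (pattern '*')."""
    current = ("*", [])
    stanzas = [current]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: '#' anywhere starts a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            current = (value, [])
            stanzas.append(current)
        else:
            current[1].append((key, value))
    return stanzas


def resolve(stanzas, alias: str):
    """Walk matching stanzas in order: keep the first value of each single-valued
    option, append every value of a multi-valued one. Also returns which Host
    line supplied each single-valued option (the answer to "why this User?")."""
    options, source = {}, {}
    for patterns, entries in stanzas:
        if not host_matches(patterns, alias):
            continue
        for key, value in entries:
            if key in MULTI_VALUED:
                options.setdefault(key, []).append(value)
            elif key not in options:           # later stanzas cannot override
                options[key] = value
                source[key] = patterns
    options.setdefault("hostname", alias)       # default HostName is the alias itself
    return options, source


# Constructed sample config (assumption, mirrors the article's stanzas) with two
# deliberate ordering mistakes and a Host * key to show how they resolve.
SAMPLE_CONFIG = """
Host lx-web-2
    # Before the wildcard: this User wins
    User bob

Host lx-*
    User alice
    IdentityFile ~/.ssh/lx-key
    ServerAliveInterval 30
    ServerAliveCountMax 3

Host lx-* !lx-web-*
    # Every lx- box except the web tier
    Port 2222

Host lx-web-*
    LocalForward 8080 localhost:80

Host lx-web-1
    HostName 192.0.2.101

Host lx-web-2
    HostName 192.0.2.102
    # After the wildcard: silently ignored
    User carol

Host customer-a-*
    IdentityFile ~/.ssh/customer-a-key
    IdentitiesOnly yes

Host *
    # Accumulates onto EVERY host's key list, so it is offered everywhere
    IdentityFile ~/.ssh/id_ed25519
"""


def main():
    stanzas = parse_ssh_config(SAMPLE_CONFIG)
    for alias in ("lx-web-1", "lx-web-2", "lx-db-1", "customer-a-db"):
        options, source = resolve(stanzas, alias)
        print(f"== {alias}")
        for key in sorted(options):
            where = f"   (from 'Host {source[key]}')" if key in source else ""
            print(f"  {key} = {options[key]}{where}")


if __name__ == "__main__":
    main()
```

Running it shows lx-web-2 keeping User bob from the stanza placed before the wildcard while the later User carol is dropped, lx-db-1 picking up Port 2222 through the negated pattern that lx-web-* hosts skip, and every host, customer-a-* included, ending up with two IdentityFile entries because of the Host * line: each of those keys is an authentication attempt the server counts against MaxAuthTries.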
Recent OpenSSH compatibility flags
If you still SSH to very old boxes (a CentOS 6 install with OpenSSH 5.x, for example), a modern OpenSSH client refuses their key-exchange and signature algorithms by default. Re-enable them per host only (the + prefix appends to the defaults instead of replacing them):

Host wdc04-old-*
    HostKeyAlgorithms +ssh-rsa
    # Spelled PubkeyAcceptedKeyTypes on clients older than OpenSSH 8.5
    PubkeyAcceptedAlgorithms +ssh-rsa
    KexAlgorithms +diffie-hellman-group14-sha1

Don't put this in a Host * stanza; re-enabling weak crypto everywhere undoes the modern client's security improvements for every connection, not just the legacy one. Scope it to the specific old hosts that need it and treat the stanza as a reminder to upgrade them. Note that ssh-rsa here means RSA signatures over SHA-1, not RSA keys in general: RSA keys keep working everywhere via rsa-sha2-256 and rsa-sha2-512, which servers from OpenSSH 7.2 onward support, so a CentOS 7 box (OpenSSH 7.4) normally does not need this block at all.
SSH agent — convenience without leaving keys lying around
eval "$(ssh-agent -s)"    # start an agent for this shell session
ssh-add ~/.ssh/lx-key     # decrypt the key once; the agent holds it in memory

For agents that survive shell restarts, use keychain (packaged for Debian/Ubuntu and most other distributions) or a systemd user service for ssh-agent. On macOS, ssh-add --apple-use-keychain ~/.ssh/lx-key stores the passphrase in Keychain so you enter it once (older macOS releases spelled this ssh-add -K). Two cautions: ssh-add -t 8h ~/.ssh/lx-key gives the loaded key a lifetime so a forgotten agent doesn't hold it forever, and leave ForwardAgent off unless you specifically need it, because anyone with root on the remote box can use your agent's keys for as long as you are connected. The ProxyJump setup above never requires it.