SSH Config: Best Practices and Advanced Techniques

This page provides a practical and security-oriented guide to OpenSSH client configuration. It covers real-world ssh_config examples ranging from modern public-key authentication to legacy compatibility, ProxyJump setups, multi-identity environments, connection tuning, and special-purpose workflows such as Git, VPS access, Dropbear unlocking, and constrained networks. Each example illustrates how to balance security, compatibility, and operational requirements in diverse SSH environments.


Configuration Examples

Publickey for Github Example

Host github.com gist.github.com
  User git
  Hostname github.com
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_ed25519
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com 

Publickey and Password Example

Host router
  user wuseman
  Hostname 192.168.1.1
  IdentityFile ~/.ssh/id_rsa-2022-08-23
  KexAlgorithms +diffie-hellman-group1-sha1
  PreferredAuthentications publickey,password
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

VPS: Publickey Example

Host vps
  user wuseman
  Hostname 192.168.1.1
  IdentityFile ~/.ssh/id_ed25519-2022-04-21
  KexAlgorithms +diffie-hellman-group1-sha1
  PreferredAuthentications publickey
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa

Only Password Example

Host server
  user wuseman
  Hostname 192.168.1.1
  # Only password authentication is attempted
  KexAlgorithms +diffie-hellman-group1-sha1
  PreferredAuthentications password
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa

ProxyJump: Configuration

Host finalserver
  Hostname finalserver.com
  User wuseman
  ProxyJump middleman
  IdentityFile ~/.ssh/id_rsa
 
Host middleman
  Hostname middleman.com
  User wuseman
  IdentityFile ~/.ssh/id_rsa

Connection timeout configuration

  • This configuration will set a custom connection timeout

Host slowserver
  Hostname slowserver.com
  User wuseman
  ConnectTimeout 60
  IdentityFile ~/.ssh/id_rsa

SSH protocol Version 1 Example

Host oldserver
  Hostname oldserver.com
  User wuseman
  # OpenSSH removed SSH protocol 1 support in 7.6; newer clients only speak protocol 2
  Protocol 1
  IdentityFile ~/.ssh/id_rsa

SSH protocol version 2

Host oldserver
  Hostname oldserver.com
  User wuseman
  Protocol 2
  IdentityFile ~/.ssh/id_rsa

Disabling host checking

Host volatile
  Hostname volatile.com
  User wuseman
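  # With these three settings the server's host key is never verified or stored,
  # so a man-in-the-middle on the path goes undetected.
  CheckHostIP no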
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

Server with custom SSH configuration

Host customconfig
  User wuseman
  Hostname 192.168.1.1
  IdentityFile ~/.ssh/id_rsa
  Port 2222
  ServerAliveInterval 20
  ServerAliveCountMax 3
  Compression yes

Multiple IdentityFiles

Host multikey
  Hostname multikey.com
  User wuseman
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_ecdsa

Gitea / Samsung Laptop / Server / WeeChat .... example.

host 192.168.1.181
  user server 
  port 22
  identityfile ~/.ssh/wuseman/id_ed25519_wuseman
  hostkeyalgorithms=+ssh-dss,ssh-rsa
  pubkeyacceptedkeytypes +ssh-rsa
  kexalgorithms +diffie-hellman-group1-sha1

host server
  user server 
  Hostname server
  port 22
  identityfile ~/.ssh/wuseman/id_ed25519_wuseman
  hostkeyalgorithms=+ssh-dss,ssh-rsa
  pubkeyacceptedkeytypes +ssh-rsa
  kexalgorithms +diffie-hellman-group1-sha1

Dropbear Unlocking - Ubuntu Server

host server
  User root
  Hostname unlock-server
  Port 2222
  IdentityFile ~/.ssh/wuseman/id_ed25519_wuseman
  HostKeyAlgorithms=+ssh-dss,ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
  KexAlgorithms +diffie-hellman-group1-sha1
  RequestTTY yes
  RemoteCommand cryptroot-unlock
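
Several of the Host blocks above trade security for compatibility. The following is an added example, not part of the original page: a small Python function (hypothetical name audit) that parses an ssh_config and reports the legacy algorithms used on this page, disabled host key checking, and repeated keywords, for which OpenSSH uses only the first value it obtains. The sample config is constructed; matching algorithms by exact name is a simplifying assumption.

```python
import re

# Constructed sample, modelled on the Host blocks shown on this page.
SAMPLE = """\
Host server
  PreferredAuthentications publickey,password
  KexAlgorithms +diffie-hellman-group1-sha1
  PreferredAuthentications password
  HostKeyAlgorithms=+ssh-dss,ssh-rsa
Host volatile
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
"""
WEAK_ALGOS = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "ssh-dss": "DSA, off by default since OpenSSH 7.0",
    "ssh-rsa": "RSA signatures with SHA-1",
}
ALGO_KEYS = {"kexalgorithms", "hostkeyalgorithms",
             "pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}
RISKY = {
    ("stricthostkeychecking", "no"): "changed host keys are accepted silently",
    ("userknownhostsfile", "/dev/null"): "host keys are never remembered",
    ("protocol", "1"): "SSH protocol 1 is obsolete",
}
# Keywords that may repeat; for every other keyword the first value wins.
MULTI = {"identityfile", "certificatefile", "localforward",
         "remoteforward", "dynamicforward", "sendenv", "setenv"}

def audit(text):
    """Return (host, keyword, message) findings for an ssh_config string."""
    findings, host, seen = [], "(global)", set()
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) == 2 else "")
        if key in ("host", "match"):
            host, seen = value, set()
            continue
        if key in seen and key not in MULTI:
            findings.append((host, key, "repeated; only the first value is used"))
        seen.add(key)
        if key in ALGO_KEYS and not value.startswith("-"):  # "-" removes algorithms
            for algo in value.lstrip("+^").split(","):
                if algo in WEAK_ALGOS:
                    findings.append((host, key, f"{algo}: {WEAK_ALGOS[algo]}"))
        elif (key, value.lower()) in RISKY:
            findings.append((host, key, RISKY[(key, value.lower())]))
    return findings
```

Pass the contents of ~/.ssh/config to audit() and review each finding against the host it belongs to; a legacy algorithm may be justified for one old device but not for every Host block.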