SSH Config Generator

Generate properly formatted SSH configuration entries with ease. Create configs for GitHub, AWS EC2, bastion hosts, and development servers instantly.

Powered by orbit2x.com


Free SSH Config Generator: Create OpenSSH Configuration Files Online

Generate properly formatted SSH configuration entries instantly for GitHub, AWS EC2, bastion hosts, and development servers. Simplify your SSH workflow with auto-validated configs, quick presets, and expert-level options—no manual formatting required.

What Is an SSH Config File (And Why You Need One)?

An SSH config file (~/.ssh/config) stores connection settings for remote servers, eliminating the need to remember complex SSH commands. Instead of typing ssh -i ~/.ssh/mykey.pem user@ec2-54-123-45-67.compute.amazonaws.com -p 2222, you simply type ssh myserver. According to OpenSSH documentation, SSH config files improve security, productivity, and connection management for developers and system administrators.

Professional SSH configuration goes beyond simple host aliases. It manages identity files (private keys), proxy jumps for bastion hosts, port forwarding, connection timeouts, keep-alive settings, and strict host key checking—reducing connection errors by 90% while maintaining security best practices across development, staging, and production environments.

Why SSH Config Files Are Essential for DevOps:

Boost Productivity
  • Save 80% typing time: Short aliases replace long connection strings
  • Eliminate errors: Pre-configured settings prevent typos
  • Fast server switching: Jump between 50+ servers instantly
  • Standardize workflows: Share configs across teams

Enhance Security
  • Enforce key-based auth: Specify identity files per host
  • Control host verification: Prevent MITM attacks
  • Manage bastion access: Secure jump host configurations
  • Audit connections: Centralized access control

Real SSH Config Examples

❌ Without SSH Config:
  ssh -i ~/.ssh/aws-key.pem ec2-user@ec2-54-123-45-67.compute-1.amazonaws.com -p 22
  Long, error-prone, hard to remember

✓ With SSH Config:
  ssh aws-production
  Simple, fast, memorizable alias

How to Generate SSH Config in 3 Simple Steps

1. Choose a preset or fill in details: Select from GitHub, AWS EC2, Bastion Host, or Development Server presets for instant configuration. Or manually enter your Host alias (e.g., "myserver"), HostName (IP address or domain like 192.168.1.100), port number (default 22), username, and path to your SSH private key (IdentityFile like ~/.ssh/id_rsa).

2. Configure advanced options (optional): Enable ProxyJump for bastion/jump hosts, set ServerAliveInterval to prevent connection timeouts, configure ForwardAgent for key forwarding, and customize StrictHostKeyChecking for security. These options handle complex scenarios like accessing internal servers through jump hosts or maintaining persistent connections.

3. Copy and use your config: Click "Generate SSH Config" to create a properly formatted entry with correct indentation and syntax. Copy the output to your ~/.ssh/config file, or download it directly. The generator validates all fields and provides usage instructions—test your new alias with ssh [alias-name].

💡 Pro Tip: Organize Multiple Servers

Create configs for all your servers at once—production, staging, development. Save each entry to your ~/.ssh/config file separated by blank lines. Use clear naming conventions like "prod-web-01", "staging-db", "dev-api" for easy identification. This workflow saves hours when managing 10+ servers across different environments.

10 Essential SSH Config Options Explained

1. Host (Alias Name):

The short name you'll type to connect (e.g., ssh myserver). Use descriptive names like "aws-prod-web" or "github" for clarity. Supports wildcards like "*.example.com" for pattern matching across multiple servers. This is the only required field—everything else has defaults.

2. HostName (Server Address):

The actual server IP address (192.168.1.100) or domain name (server.example.com). Required field that tells SSH where to connect. Can be an internal IP for VPN connections or public hostname for cloud servers. Accepts both IPv4 and IPv6 addresses.

3. Port (Connection Port):

SSH port number (default: 22). Many servers use custom ports like 2222 or 2200 for security. Specify non-standard ports to avoid connection failures. Valid range: 1-65535. Common alternatives: 22 (default), 2222 (custom), 22000 (non-standard).

4. User (SSH Username):

Default username for connections. Saves typing "-l user" every time. Common usernames: ubuntu (Ubuntu servers), ec2-user (AWS EC2), root (legacy systems), git (GitHub), admin (network devices). Override per-connection if needed.

5. IdentityFile (Private Key Path):

Path to your SSH private key file (e.g., ~/.ssh/id_rsa, ~/.ssh/aws-key.pem). Essential for key-based authentication. Supports tilde expansion (~/) and multiple keys per host. Generate keys with ssh-keygen -t ed25519 for modern security as recommended by SSH Academy.

6. ProxyJump (Bastion/Jump Host):

Connect to target server through a bastion host (e.g., bastion.example.com). Critical for accessing internal networks from outside. Format: user@jumphost:port or just hostname. Replaces old ProxyCommand method. Chain multiple jumps with commas: bastion1,bastion2,target for complex network topologies.

7. ForwardAgent (SSH Agent Forwarding):

Enable (yes) or disable (no) SSH agent forwarding. When enabled, your local SSH keys work on the remote server for further connections (useful for Git operations). Security risk: only enable for trusted servers. Default: no. Use with caution in production environments.

8. ServerAliveInterval (Keep-Alive):

Send keep-alive packets every N seconds to prevent connection timeouts (e.g., 60 = every minute). Essential for long-running sessions or connections through firewalls that drop idle connections. Recommended: 60-120 seconds. Set to 0 to disable. Combine with ServerAliveCountMax for reconnection control.

9. StrictHostKeyChecking (Security Level):

Controls host key verification: "yes" (strict, reject unknown hosts), "no" (accept all, insecure), "ask" (prompt user, default). Use "yes" for production security, "accept-new" for first connections. Setting "no" bypasses MITM protection—only use in isolated development environments.

10. Compression (Data Compression):

Enable (yes) or disable (no) connection compression. Speeds up transfers over slow networks (DSL, satellite) but uses CPU. Useful for file transfers and remote desktop forwarding. Default: no. Enable for low-bandwidth connections, disable for high-speed LANs where compression overhead reduces performance.

8 Real-World SSH Config Use Cases

1. GitHub SSH Configuration

Configure SSH for GitHub to use git@ protocol instead of HTTPS, enabling passwordless Git operations. Set Host to "github.com", User to "git", and IdentityFile to your GitHub-specific key. Add multiple GitHub accounts with different host aliases (github-personal, github-work) to manage separate identities. Essential for CI/CD pipelines and automated deployments.

Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_ed25519

2. AWS EC2 Instance Access

Simplify AWS EC2 connections by storing instance details. Use the .pem key file from AWS as IdentityFile, set User to ec2-user (Amazon Linux) or ubuntu (Ubuntu AMI). Enable ServerAliveInterval to prevent timeout disconnections during long sessions. Create separate configs for production, staging, and development instances with our IP lookup tool.

3. Bastion Host / Jump Server Setup

Access internal servers through a bastion host using ProxyJump. This two-hop configuration connects to the jump host first, then tunnels to the target server—critical for accessing private VPCs, internal databases, or servers behind firewalls. Reduces attack surface by exposing only one hardened bastion server to the internet.

4. Development Server Quick Access

Configure development, staging, and local VM servers for rapid switching. Use consistent naming like "dev-api", "staging-web", "local-db" across projects. Enable ForwardAgent for Git access from dev servers. Set Compression for remote development over VPN. Saves 2-3 minutes per connection × 50 daily connections = 2+ hours weekly.

5. Multiple SSH Keys Management

Manage different SSH keys for different services (GitHub, GitLab, work servers, personal VPS). Specify unique IdentityFile per host to prevent key conflicts. Use IdentitiesOnly yes to force specific key usage. Essential for contractors managing multiple client environments or developers with work/personal separation requirements.

6. Port Forwarding and Tunneling

Configure LocalForward for accessing remote services locally (e.g., forward remote MySQL port 3306 to local port 3307). Set up RemoteForward for exposing local services to remote servers. DynamicForward creates a SOCKS proxy for secure browsing through SSH tunnels. Critical for database administration and testing internal APIs.

7. Team Configuration Standardization

Create standardized SSH configs for entire development teams. Share the same config file via Git (with placeholder paths for private keys) so everyone uses consistent server aliases. Reduces onboarding time from 2 hours to 5 minutes for new developers. Document server access patterns and enforce security policies through config templates.

8. Raspberry Pi and IoT Device Access

Configure multiple Raspberry Pi devices, IoT gateways, or home servers with fixed IPs or dynamic DNS. Set User to "pi" for Raspberry Pi OS. Enable Compression for slow home network connections. Use ServerAliveInterval to maintain connections through residential routers that aggressively timeout idle sessions.

7 SSH Config Mistakes That Break Connections

1. Incorrect File Permissions on ~/.ssh/config

SSH refuses to use config files with wrong permissions for security. The ~/.ssh/config file must be 600 (read/write for owner only) and ~/.ssh directory must be 700. Fix with: chmod 600 ~/.ssh/config && chmod 700 ~/.ssh. Error: "Bad owner or permissions on ~/.ssh/config" indicates this issue.

2. Wrong Indentation or Syntax Formatting

SSH config requires specific indentation: Host entries flush left, options indented with spaces (not tabs). Mix-ups cause options to apply to wrong hosts. Our generator ensures proper formatting automatically. Manual editing tip: use 2-4 spaces consistently, never tabs. Validate syntax with ssh -G hostname to see final config.

3. Using Relative Paths Instead of Absolute Paths

IdentityFile paths must be absolute or use tilde expansion (~/ for home directory). Relative paths like "./keys/id_rsa" fail when SSH runs from different directories. Always use ~/.ssh/keyname or /full/path/to/key. Verify key paths exist with ls -la ~/.ssh/ before adding to config.

4. Forgetting to Set Key File Permissions

Private keys must have 600 permissions (owner read/write only). SSH rejects keys with 644, 755, or any group/world readable permissions. Error: "WARNING: UNPROTECTED PRIVATE KEY FILE!" Fix with: chmod 600 ~/.ssh/keyfile. Apply to all keys: chmod 600 ~/.ssh/id_*.
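
The permission rules from mistakes 1 and 4 can be checked in one pass. This added example (not part of the generator) audits a constructed stand-in for ~/.ssh; the file names are illustrative assumptions, and the mode lookup assumes GNU or BSD stat.

```shell
# Added example: audit an .ssh directory for the modes listed in mistakes 1 and 4.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir <dir>: print one finding per line, return 1 if anything was found.
audit_ssh_dir() {
  dir=$1
  findings=0
  m=$(mode_of "$dir")
  if [ "$m" != 700 ]; then
    echo "DIR  $dir has mode $m, fix: chmod 700 $dir"
    findings=1
  fi
  for f in "$dir"/config "$dir"/id_* "$dir"/*.pem; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac     # public keys may stay world-readable
    m=$(mode_of "$f")
    case $m in
      [0-7]00) ;;                          # no group/other bits set
      *) echo "FILE $f has mode $m, fix: chmod 600 $f"; findings=1 ;;
    esac
  done
  return "$findings"
}

# Constructed sample tree standing in for ~/.ssh (file names are illustrative).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for f in config id_ed25519 id_ed25519.pub aws-key.pem; do : > "$demo_dir/$f"; done
chmod 700 "$demo_dir"
chmod 644 "$demo_dir/config" "$demo_dir/id_ed25519.pub"
chmod 600 "$demo_dir/id_ed25519"
chmod 640 "$demo_dir/aws-key.pem"

audit_ssh_dir "$demo_dir" || echo "findings above: tighten modes and re-run"
```
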

5. ProxyJump Misconfiguration for Bastion Hosts

ProxyJump requires the jump host to be accessible and properly configured first. Common mistake: referencing a jump host that doesn't have its own config entry or using incorrect format. Format: user@host:port or just hostname. Chain jumps with commas, not through directive. Test jump host independently before adding ProxyJump targets.

6. Conflicting Host Patterns and Order Issues

SSH reads config top-to-bottom and uses FIRST match. If "Host *" appears before "Host github.com", the wildcard catches everything and specific config never applies. Place specific hosts BEFORE wildcards. Use "Host *.example.com" for domain-wide patterns. Order matters: specific → patterns → wildcards → defaults.

7. Not Testing Config Before Relying on It

Always test new configs with ssh -v hostname (verbose mode) to see connection details and catch errors. Use ssh -G hostname to display final computed configuration without connecting. Verify with our SSL checker for certificate issues.

Frequently Asked Questions

Where is the SSH config file located?

The SSH client configuration file is located at ~/.ssh/config on Linux, macOS, and WSL. The system-wide config is at /etc/ssh/ssh_config. User configs override system settings. Create the file if it doesn't exist with: touch ~/.ssh/config && chmod 600 ~/.ssh/config. Windows users: %USERPROFILE%\.ssh\config (OpenSSH on Windows 10+).

How do I generate SSH keys for my config?

Generate modern ED25519 keys with: ssh-keygen -t ed25519 -C "your_email@example.com". For legacy systems (pre-2014), use RSA 4096-bit: ssh-keygen -t rsa -b 4096. Save keys to ~/.ssh/id_ed25519 and add the public key (.pub) to the server's authorized_keys. ED25519 is faster and more secure than RSA according to SSH.com security guidelines.

Can I use the same SSH config on multiple computers?

Yes—share the same ~/.ssh/config file across machines via Git, Dropbox, or cloud sync. Use variables or environment-specific paths for IdentityFile locations that differ per machine. Store private keys locally (never commit to Git) and reference them with ~/ paths that work everywhere. Use symlinks for machine-specific overrides: ~/.ssh/config.d/ directory pattern for modular configs.

What's the difference between IdentityFile and IdentitiesOnly?

IdentityFile specifies which key(s) to try for authentication. SSH will try all available keys by default. IdentitiesOnly yes forces SSH to ONLY use the specified IdentityFile(s), ignoring ssh-agent and default keys. Use IdentitiesOnly when managing multiple keys for different services to prevent "too many authentication failures" errors from trying wrong keys first.

How do I debug SSH connection issues?

Use verbose mode to see detailed connection logs: ssh -v hostname (basic), ssh -vv (more detail), ssh -vvv (maximum debug output). Check which config file is being used, which keys are tried, and where failures occur. Verify config syntax with ssh -G hostname to print computed configuration without connecting.

How do wildcard host patterns work in SSH config?

Use Host *.example.com to match all subdomains, or Host prod-* to match all hosts starting with "prod-". The * wildcard matches any characters. Use ? for single character matches. Combine patterns: Host web* db* matches both web and db prefixes. Remember: SSH uses the FIRST matching block, so place specific hosts before wildcards.
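
An added sketch, not the generator's code, of the ordering rule from mistake 6 and the answer above: OpenSSH keeps the first value it obtains for each option, so a wildcard block placed first wins for every option it sets. The resolve_ssh_option function and both sample configs are constructed for illustration, and only Host lines with * and ? patterns are handled (no Match, Include or negated patterns).

```shell
# resolve_ssh_option <config-file> <host> <option>
# Walk the file top to bottom and print the first value that a matching
# Host block gives for <option>. Returns 1 if no matching block sets it.
resolve_ssh_option() {
  want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  active=1                                # lines before any Host apply to all hosts
  while read -r key rest; do
    case $key in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    if [ "$key" = host ]; then
      active=0
      set -f                              # keep * and ? from expanding to filenames
      for pat in $rest; do
        case $2 in $pat) active=1 ;; esac # case globbing handles * and ? patterns
      done
      set +f
    elif [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
      printf '%s\n' "$rest"
      return 0
    fi
  done < "$1"
  return 1
}

cfg_dir=$(mktemp -d)
trap 'rm -rf "$cfg_dir"' EXIT

# Constructed sample: the wildcard block comes first and sets User.
cat > "$cfg_dir/wildcard_first" <<'EOF'
Host *
  User deploy
  ServerAliveInterval 60

Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519
EOF

# Same blocks with the specific host first.
cat > "$cfg_dir/specific_first" <<'EOF'
Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519

Host *
  User deploy
  ServerAliveInterval 60
EOF

for f in wildcard_first specific_first; do
  echo "$f: User=$(resolve_ssh_option "$cfg_dir/$f" github.com User)"
done
```

On a real machine, ssh -G hostname prints the resolved values for the full config, including Match and Include handling that this sketch leaves out.
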

What is the best ServerAliveInterval setting?

Recommended: ServerAliveInterval 60 (send keep-alive every 60 seconds) with ServerAliveCountMax 3 (disconnect after 3 failed keep-alives = 180s total timeout). This prevents firewall/NAT timeouts for idle sessions while not overwhelming the network. Use 30 seconds for very restrictive firewalls, 120 seconds for stable connections. Disable with ServerAliveInterval 0 for local networks.

Is it safe to disable StrictHostKeyChecking?

Never disable in production (StrictHostKeyChecking no). This bypasses man-in-the-middle attack protection and accepts any host key. Only use in isolated development/testing environments where security isn't critical. Safer alternative: use StrictHostKeyChecking accept-new to automatically accept new hosts but reject changed keys. For automation, pre-populate known_hosts file instead of disabling checks per OpenSSH security best practices.
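
To catch the settings this answer and the ForwardAgent entry warn about before a shared config is merged, a small lint is enough. This is an added example, not the generator's validation: lint_ssh_config, the host names and both sample configs are constructed, and the check covers only StrictHostKeyChecking no/off and ForwardAgent yes under a wildcard Host.

```shell
# lint_ssh_config <config-file>: print risky settings, return 1 if any are found.
lint_ssh_config() {
  awk '
    BEGIN { hosts = "*" }                 # options before the first Host apply to all
    { opt = tolower($1); val = tolower($2) }
    opt == "host" {
      hosts = $2
      for (i = 3; i <= NF; i++) hosts = hosts " " $i
      next
    }
    opt == "stricthostkeychecking" && (val == "no" || val == "off") {
      printf "line %d [Host %s]: StrictHostKeyChecking %s accepts any host key; use yes or accept-new\n", NR, hosts, $2
      bad = 1
    }
    opt == "forwardagent" && val == "yes" && hosts ~ /[*?]/ {
      printf "line %d [Host %s]: ForwardAgent yes on a wildcard exposes the agent to every matching host\n", NR, hosts
      bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

lint_dir=$(mktemp -d)
trap 'rm -rf "$lint_dir"' EXIT

# Constructed weak config: agent forwarding and no host key checks for every host.
cat > "$lint_dir/weak" <<'EOF'
Host *
  ForwardAgent yes
  StrictHostKeyChecking no

Host internal-db
  HostName 10.0.1.20
EOF

# Constructed corrected config: ProxyJump replaces the forwarded agent, and only
# new (never changed) host keys are accepted automatically.
cat > "$lint_dir/fixed" <<'EOF'
Host bastion
  HostName bastion.example.com

Host internal-db
  HostName 10.0.1.20
  ProxyJump bastion

Host *
  ForwardAgent no
  StrictHostKeyChecking accept-new
EOF

for f in weak fixed; do
  echo "== $f"
  if lint_ssh_config "$lint_dir/$f"; then echo "no findings"; fi
done
```
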

Advanced SSH Config Techniques

Conditional Configuration with Match

Use Match directives to apply settings conditionally based on hostname, user, or local/remote addresses. Example: apply different keys for internal vs external networks. Advanced feature for complex enterprise environments with varying security policies across network zones.

Include External Config Files

Organize configs using Include ~/.ssh/config.d/* to load separate files per project or client. Maintain modular configs for work, personal, client A, client B. Simplifies management when handling 50+ server definitions across multiple environments.

ControlMaster for Connection Sharing

Enable connection multiplexing with ControlMaster to reuse existing SSH connections for new sessions. Dramatically speeds up repeated connections (Git push/pull, scp transfers). Set ControlPath for socket location and ControlPersist for background connection timeout. Reduces connection time from 2-3s to 0.1s.

Dynamic Port Forwarding (SOCKS Proxy)

Configure DynamicForward to create a SOCKS5 proxy through SSH. Route browser traffic or application connections through the SSH tunnel for secure browsing on untrusted networks. Essential for accessing geo-restricted services or securing connections on public WiFi. Combine with FoxyProxy for browser automation.

Automated Deployment Pipeline Integration

Use SSH configs in CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) for consistent deployment targets. Store configs in version control (without private keys) and inject keys from secrets. Standardizes deployment across team members and automated systems. Reference with ssh deploy-prod in scripts.

Certificate-Based Authentication

Configure SSH certificate authentication for enterprise environments using CertificateFile instead of IdentityFile. Supports key rotation, expiration, and centralized access control through SSH CA. More scalable than managing individual authorized_keys files across 100+ servers. Recommended for large infrastructure deployments.

Ready to Simplify Your SSH Workflow?

Generate production-ready SSH configuration entries in seconds. Save hours of manual formatting, eliminate connection errors, and standardize server access across your entire team. 100% free, no signup required, works offline after first load.

OpenSSH Compatible
Auto-Validated Syntax
Quick Presets Included
Copy & Download

Trusted by 25,000+ developers and DevOps engineers for SSH configuration management