OpenSSH: Configurations Based On Hosts, Etc.

nabbisen profile image Heddi Nabbisen ・3 min read


OpenSSH provides the way to define configurations based on hosts, etc. with the keywords, Host and Match.


  • SSH client: OpenSSH 7.9
✿ ✿ ✿


Open the ssh_config file.

$ nvim ~/.ssh/config

Then write definitions.


Here is an example of multiple conditions.
The definition of each condition is valid up to the next Host or Match keyword.

# [~/.ssh/config]

Host %host-name%
    %Parameter-Name%    %parameter-value%

Host %multiple-hosts-name-1% %multiple-hosts-name-2%
    %Parameter-Name%    %parameter-value%

Match {host,originalhost,user,localuser,exec,canonical,final} "%criteria%"
    %Parameter-Name%    %parameter-value%


Here is an example of multiple parameters in a single host.
Of course, it's all right to define more or less parameters in any hosts than others. (Be careful of the default values.)

# [~/.ssh/config]

Host %nickname%
    Hostname     %real-hostname%
    Port         %specified-port%
    User         %specified-user%
    IdentityFile ~/.ssh/specified-user_id_rsa
    ServerAliveInterval 60

* Note: Indentation is just for ease of viewing, which isn't actually necessary.

✿ ✿ ✿

Flexible Definitions

#1: Patterns

Pattern Symbol Usage
* Matches zero or more characters.
? Matches exactly one character.
! Negates targets.
# [ `*` keyword ]
# any hosts
Host *
# any .com domains
Host *.com

# [ `?` keyword ]
# 192.168.0.[0-9]
Host 192.168.0.?

# [ `!` keyword ]
# any except specified domain
Host * !cool-website.com
# any except specified domain and subdomains
Host * !cool-website.com !*.cool-website.com
# any 192.168.* except 192.168.0.*
Host 192.168.* !192.168.0.*

* Caution: ! keyword requires matched targets as well as negated ones:

  • NG: Host !some.domain.com
  • OK: Host * !some.domain.com

#2: Match Instead Of Host

Keyword Usage
host The real host name to log into.
originalhost The hostname as it is specified on the command-line.
user The target username on the remote host.
localuser The name of the local user running ssh.
# a single condition with a single option
Match host "some-domain.com"
# which equals to:
# Host some-domain.com
    IdentityFile ~/.ssh/default_id_rsa

# a single condition with multiple options
Match host "specified-domain.com,some.specified-domain.com"
# which equals to:
# Host specified-domain.com some.specified-domain.com
    IdentityFile ~/.ssh/specified-domain_id_rsa

# multiple conditions
Match host "specified-domain.com" user "specified-user"
    IdentityFile ~/.ssh/specified-user_id_rsa

* Caution: Don't put space between multiple options:

  • NG: Match host "specified-domain.com, some.specified-domain.com"
  • OK: Match host "specified-domain.com,some.specified-domain.com"
(Optional) More Controls With Match
Keyword Usage
exec Executes the specified command under the user's shell. If the command returns a zero exit status then the condition is considered true. Arguments can be defined as Tokens.
canonical Matches only when the configuration file is being re-parsed after hostname canonicalization.
final Requests that the configuration be re-parsed (regardless of whether CanonicalizeHostname is enabled), and matches only during this final pass. If CanonicalizeHostname is enabled, then canonical and final match during the same pass.
✿ ✿ ✿


#1: Configuration For Specified Hostname

Host some.cool-website.com
    User     %user-specified%

Host *
    User     %user-default%

#2: Configurations By Subdomains

# specified domain
Host cool-website.com
    # write configuration...

# specified subdomain
Host www.cool-website.com
    # write configuration...

# all subdomains
Host *.cool-website.com
    # write configuration...

# specified domain and subdomains
Host cool-website.com *.cool-website.com
# or:
# Match host "cool-website.com,*.cool-website.com"
    # write configuration...

#3: Hostname Alias

Host %nickname%
    HostName    real.very-long-hostname.com

#4: Port Switching

Host %host-with-unique-port%
    Port    %real-port%

#5: Using An Identity File

Host www.cool-website.com
    IdentityFile    ~/.ssh/specified_id_rsa
✿ ✿ ✿

Happy serving 🕊

Posted on by:

nabbisen profile

Heddi Nabbisen


An ICT designer/developer and a security monk. "With a cool brain and a warm heart", I am challenging unsolved problems in our society. I use OpenBSD/Rust/etc.


Editor guide