Chapter 3

The ~/.ssh/config File

Host aliases, IdentityFile, ProxyJump preview.

Learning objectives

  • Organize multiple hosts in ~/.ssh/config
  • Set defaults: user, identity file, jump host, and keepalive
  • Simplify Workshop Co. admin to short aliases like ssh workshop-web

The config file

Instead of long commands, Marcus maintains ~/.ssh/config on his laptop:

# ~/.ssh/config — Workshop Co. infrastructure

Host bastion workshop-bastion
    HostName bastion.workshopco.ca
    User marcus
    IdentityFile ~/.ssh/workshopco_ed25519
    IdentitiesOnly yes

Host workshop-web
    HostName 10.20.0.10
    User deploy
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion
    ServerAliveInterval 60

Host workshop-db
    HostName 10.20.0.5
    User deploy
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion

Host workshop-files
    HostName 10.20.0.15
    User deploy
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion

Host workshop-proxmox
    HostName 192.168.10.2
    # SSH logs in as the Linux account root; root@pam is the Proxmox web UI login name
    User root
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion
    LocalForward 8006 127.0.0.1:8006

Now Marcus types ssh workshop-web — SSH connects to bastion first, then forwards to the private web VM IP.

IdentitiesOnly yes

Makes SSH offer only the key named in IdentityFile instead of every key in your agent, which avoids "too many authentication failures" when a server allows only three attempts.

Common directives explained

Directive            Purpose
HostName             Real DNS or IP
User                 Default login name
IdentityFile         Which private key to use
ProxyJump            Bastion host for indirect access
LocalForward         Tunnel local port to remote service
ServerAliveInterval  Keeps NAT firewalls from dropping idle sessions
Port                 Non-default SSH port if used

Worked example — Proxmox UI through tunnel

With the config above, Marcus runs:

ssh workshop-proxmox

While connected, his laptop's https://127.0.0.1:8006 reaches the Proxmox web UI through the encrypted tunnel — without exposing port 8006 to the public internet.

Match patterns and wildcards

Host workshop-*
    User deploy
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion

Applies defaults to all hosts whose alias starts with workshop-. Specific stanzas below override wildcards.
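
ssh reads the file top to bottom and keeps the first value it obtains for each option, so where a wildcard block sits relative to a specific stanza decides which value wins. The resolver below is an added example, not part of the original chapter: a simplified model of that rule (Host blocks only, one value per option) run over constructed configs that reuse the chapter's aliases, including the workshop-bastion alias, which also matches workshop-* and picks up its ProxyJump unless the pattern excludes it.

```python
import fnmatch

def resolve(config_text, alias):
    """Resolve options for `alias` as ssh_config(5) describes: stanzas are read
    top to bottom and the first value obtained for each option wins.
    Simplified model: Host blocks only, one value per option, no Match/Include."""
    resolved, applies = {}, True  # options before the first Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(alias, p) for p in pats if p[0] != "!")
            veto = any(fnmatch.fnmatchcase(alias, p[1:]) for p in pats if p[0] == "!")
            applies = hit and not veto  # a matching "!pattern" disables the stanza
        elif applies:
            resolved.setdefault(key, value)  # later values never replace earlier ones
    return resolved

# Constructed configs reusing the chapter's aliases.
BASTION = """Host bastion workshop-bastion
    HostName bastion.workshopco.ca
    User marcus
"""
WILDCARD = """Host workshop-*
    User deploy
    ProxyJump bastion
"""
WILDCARD_EXCLUDING_BASTION = WILDCARD.replace("workshop-*", "workshop-* !workshop-bastion")

def demo():
    return {
        # Wildcard block first: its User and ProxyJump win for workshop-bastion.
        "wildcard_first": resolve(WILDCARD + BASTION, "workshop-bastion"),
        # Specific stanza first: User is right, ProxyJump is still inherited.
        "specific_first": resolve(BASTION + WILDCARD, "workshop-bastion"),
        # Negated pattern keeps the wildcard away from the bastion alias.
        "negated": resolve(BASTION + WILDCARD_EXCLUDING_BASTION, "workshop-bastion"),
        "web": resolve(BASTION + WILDCARD_EXCLUDING_BASTION, "workshop-web"),
    }

if __name__ == "__main__":
    for name, opts in demo().items():
        print(name, opts)
```

On a real machine, `ssh -G workshop-bastion` prints the values OpenSSH itself resolves for an alias without connecting.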

Try it yourself

Add a Host workshop-staging entry for VM 111 at 10.20.0.11 using the same jump host pattern.

Sample stanza

Host workshop-staging
    HostName 10.20.0.11
    User deploy
    IdentityFile ~/.ssh/workshopco_ed25519
    ProxyJump bastion
    ServerAliveInterval 60

Check your understanding

  1. What is the difference between ProxyJump and typing two ssh commands manually?
  2. Why forward Proxmox 8006 to localhost instead of opening it on the router?

Answers

  1. ProxyJump automates the bastion hop with one command, proper agent forwarding options, and cleaner config.
  2. Reduces attack surface — admin UI only reachable through authenticated SSH tunnel.