• Use SSH Config Aliases Instead of Long Commands

    Typing this every time gets old fast:

    ssh -p 2222 -i ~/.ssh/work_ed25519 deploy@app.example.com

    Put the connection details in ~/.ssh/config and give the host a short name:

    Host app-prod
      HostName app.example.com
      User deploy
      Port 2222
      IdentityFile ~/.ssh/work_ed25519
      IdentitiesOnly yes

    Now connect with:

    ssh app-prod

    File Permissions

    Create the config file if it does not exist:

    mkdir -p ~/.ssh
    touch ~/.ssh/config
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/config

    Private keys should also be readable only by you:

    chmod 600 ~/.ssh/work_ed25519

    Why IdentitiesOnly Helps

    IdentityFile tells SSH which key to use. If you also run an SSH agent with many loaded keys, the client may still offer agent keys. IdentitiesOnly yes tells SSH to use the configured identity files for this host instead of trying every key the agent knows about.

    This avoids two common annoyances:

    • the server rejects you after too many authentication attempts;
    • you accidentally authenticate with a different key than expected.

    Reuse Common Options

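    You can group defaults with patterns. Host patterns are matched against the name you type on the command line, not against the HostName value, so a pattern must cover the alias itself. For each option the first value found wins, so put specific hosts before general patterns:

    Host app-prod
      HostName app01.internal
      Port 2222

    Host app-* *.internal
      User deploy
      IdentityFile ~/.ssh/work_ed25519
      IdentitiesOnly yes

    app-prod takes the concrete hostname and port from its own block, then inherits the matching defaults from the pattern block.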

    Jump Hosts

    If the server is only reachable through a bastion host, use ProxyJump:

    Host bastion
      HostName bastion.example.com
      User admin
      IdentityFile ~/.ssh/bastion_ed25519
      IdentitiesOnly yes
    
    Host private-db
      HostName db01.internal
      User postgres
      ProxyJump bastion
      IdentityFile ~/.ssh/db_ed25519
      IdentitiesOnly yes

    Then:

    ssh private-db

    Avoid turning on ForwardAgent yes as a habit. Agent forwarding can be useful, but it exposes your local agent to the remote host. Prefer ProxyJump when you only need to pass through a bastion.

    Verify What SSH Will Use

    When the config becomes confusing, ask SSH to print the final evaluated settings:

    ssh -G app-prod | grep -E '^(hostname|user|port|identityfile|identitiesonly) '

    For connection debugging:

    ssh -v app-prod

    The -G option is great for checking config logic without connecting. The -v option is better when authentication or networking actually fails.
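
    Added example (not part of the original page): a small POSIX shell audit that runs ssh -G over every concrete alias in a config and flags hosts where IdentitiesOnly is not in effect or agent forwarding is enabled. The function names and message wording are made up for this example.

```shell
#!/bin/sh
# Added example: lint the *effective* settings of every concrete alias in an
# SSH client config. Function names here are hypothetical, not OpenSSH tools.

# Print concrete Host aliases from a config file, skipping wildcard (* ?)
# and negated (!) patterns. Keywords are case-insensitive in ssh_config.
list_aliases() {
  awk 'tolower($1) == "host" {
         for (i = 2; i <= NF; i++)
           if ($i !~ /[*?!]/) print $i
       }' "$1"
}

# Read `ssh -G`-style "key value" lines on stdin and print one finding per
# problem for the host named in $1. No output means nothing was flagged.
check_effective() {
  awk -v host="$1" '
    $1 == "identitiesonly" { only = $2 }
    $1 == "forwardagent"   { fwd = $2 }
    END {
      if (only != "yes")
        print host ": identitiesonly is not yes, agent keys may be offered"
      if (fwd != "" && fwd != "no")
        print host ": forwardagent is " fwd ", local agent exposed to remote host"
    }'
}

# Evaluate each alias with ssh -G (prints settings, opens no connection)
# and lint the result. Usage: audit_config [path-to-config]
audit_config() {
  cfg=${1:-$HOME/.ssh/config}
  for h in $(list_aliases "$cfg"); do
    ssh -G -F "$cfg" "$h" | check_effective "$h"
  done
}
```

    Because it checks the evaluated output instead of the raw file, an alias that inherits IdentitiesOnly yes from a pattern block is not flagged.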