SSH Config Snippet Generator

SSH Config Snippet

Host rows:

Enter one host per line. Optional ProxyJump values can reference another alias or an external jump host.

Quoted CSV cells are supported for paths or aliases that need literal commas.

Default user:

Keep the user explicit so copied aliases behave the same across workstations.

Default port:

Enter a TCP port from 1 to 65535.

Default identity file:

Leave blank to omit IdentityFile unless a host row supplies one.

Add IdentitiesOnly yes

Limits authentication to the configured identity files instead of trying every key from ssh-agent.

Include section comments

Adds short comments before generated host groups.

StrictHostKeyChecking:

Omit keeps the client default; accept-new is common for managed bootstrap snippets.

AddKeysToAgent:

Omit keeps the client default; ask or confirm are useful on shared workstations.

ForwardAgent:

Omit keeps the client default. Use yes only for trusted jump or admin hosts.

ServerAliveInterval:

Use 0 to omit. Values such as 30 or 60 help idle administrative sessions survive NAT timeouts.

sec

ServerAliveCountMax:

Written only when ServerAliveInterval is greater than zero.

ControlMaster:

Omit leaves multiplexing untouched; auto is a common per-host setting for repeat admin work.

ControlPersist:

Use OpenSSH time syntax, such as 5m, 30m, or yes.

ControlPath:

Default uses a per-user control socket path under ~/.ssh.

Fix required before using this snippet

{{ error }}

Review before pasting

{{ warning }}

{{ result.configText || '# Fix validation errors to generate SSH config.' }}

Host alias	HostName	User	Port	ProxyJump	IdentityFile	Copy
No valid hosts parsed yet.
{{ host.alias }}	{{ host.hostname }}	{{ host.user }}	{{ host.port }}	{{ host.proxyJump \|\| '-' }}	{{ host.identityFile \|\| '-' }}

Check	Status	Detail	Copy
{{ check.label }}	{{ check.status }}	{{ check.detail }}

{{ formattedJson }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

OpenSSH client configuration turns repeated connection details into named Host entries. Instead of typing a long command with a hostname, user, port, private key, and jump host every time, a short alias can hold those settings in one readable block.

These snippets are useful for administrators, developers, support engineers, and automation maintainers who connect to the same servers from more than one terminal session or workstation. A clear Host block prevents small mistakes such as using the wrong username, forgetting a bastion host, or letting an SSH agent try a long list of unrelated keys.

Diagram showing SSH host rows becoming OpenSSH Host blocks and stable ssh aliases.

An SSH config snippet is still configuration text, not a live connectivity test. It cannot prove that a host is reachable, that a private key exists on the workstation, that a bastion accepts the connection, or that a host key is trusted. Those checks happen when the OpenSSH client evaluates the finished config and attempts the connection.

The safest snippets are specific enough to be repeatable and small enough to review. Aliases, hostnames, identity files, jump paths, host-key behavior, keepalive settings, and connection sharing should all be intentional before the block is pasted into ~/.ssh/config or a managed configuration template.

Technical Details:

An OpenSSH client config file is a sequence of keyword and argument lines. Host starts a section that applies to one or more host patterns, while directives under that section set values such as HostName, User, Port, IdentityFile, and ProxyJump. OpenSSH reads command-line options first, then the user's config file, then the system config file, and generally uses the first value it obtains for a parameter.

A host alias is not necessarily the network name. The alias after Host is what the user types, such as ssh db-prod. HostName names the actual destination, User supplies the login name, and Port supplies the TCP port. Keeping those pieces separate makes config blocks easier to audit than one long command line.

ProxyJump changes the connection path. The OpenSSH client first connects to the jump host, then establishes forwarding to the final destination through that hop. Multiple jump hosts can be comma-separated, but destination-host settings do not automatically become jump-host settings, so jump hosts that need their own user, port, or key should have their own matching config entries.

Host Block Field Map:

OpenSSH Host block field map
Directive	What it affects	Review cue
`Host`	Sets the alias or pattern matched by the SSH command.	Use short aliases without whitespace, such as `bastion` or `db-prod`.
`HostName`	Sets the actual hostname or address to connect to.	Keep it distinct from the alias when the alias is only a shortcut.
`User`	Sets the remote login name.	Make service, admin, and personal users explicit to avoid workstation defaults.
`Port`	Sets the remote TCP port.	Use a whole number from `1` to `65535`.
`IdentityFile`	Points to the private key used for public-key authentication.	Tilde paths and OpenSSH tokens are allowed, but the file must exist on the client.
`IdentitiesOnly yes`	Limits authentication to configured identity files.	Use it when ssh-agent offers too many keys or when a host must use one known key.
`HostKeyAlias`	Changes the name used for host-key lookup.	Use it deliberately for hosts reached through aliases, rebuilds, or shared addresses.
`ProxyJump`	Routes the connection through one or more jump hosts.	Confirm each jump alias resolves in the same config context.

Generated Row Translation:

The input row model is comma-separated. A header row with alias,hostname is ignored, blank lines and comment lines are ignored, and quoted CSV cells are supported for values that need literal commas. The expected column order is fixed.

CSV row translation for SSH config snippet generation
Column position	Meaning	Fallback or boundary
`alias`	Becomes the `Host` value.	Required, must not contain whitespace, and repeated aliases are flagged for review.
`hostname`	Becomes `HostName`.	Required and must not contain whitespace.
`user`	Becomes `User`.	Blank values use the default user when one is supplied.
`port`	Becomes `Port`.	Blank values use the default port; invalid values are blocked.
`proxyjump`	Becomes `ProxyJump`.	Blank, `-`, and `none` omit it.
`identityfile`	Becomes `IdentityFile`.	Blank values use the default identity file; `-` omits it for that row.
`hostkeyalias`	Becomes `HostKeyAlias`.	Optional and must not contain whitespace.

Option Behavior:

Advanced SSH config option behavior
Option	Generated behavior	Important boundary
`StrictHostKeyChecking`	Can be omitted or written as `accept-new`, `yes`, `no`, or `ask`.	`no` weakens host-key protection and should be used only when the rollout policy accepts that risk.
`AddKeysToAgent`	Can be omitted or written as `no`, `yes`, `ask`, or `confirm`.	`ask` and `confirm` are useful when key use should remain visible to the user.
`ForwardAgent`	Can be omitted or written as `no` or `yes`.	Agent forwarding lets the remote side request signatures from the local agent, so enable it only for trusted hosts.
`ServerAliveInterval` and `ServerAliveCountMax`	Written only when the interval is greater than zero.	The interval is clamped from `0` to `3600` seconds and the count from `1` to `20`.
`ControlMaster`, `ControlPersist`, and `ControlPath`	Connection sharing directives are written only when `ControlMaster` is selected.	A control path should uniquely include user, host, and port tokens and live in a directory other users cannot write to.

Everyday Use & Decision Guide:

Start with one reliable row for each server: alias, hostname, user, port, jump host, and key. Use the Bastion sample when the final hosts sit behind a jump server, or the Git sample when the main concern is binding one alias to one SSH key.

Keep the default user, default port, and default identity file conservative. A blank row value inherits those defaults, so one broad default can silently affect every generated block. If one host needs no identity file, put - in that row's identity cell instead of clearing the global default for every host.

Use IdentitiesOnly yes when the key listed in the snippet should be the key SSH tries.
Leave StrictHostKeyChecking omitted unless the deployment policy requires an explicit value.
Use accept-new for managed first-contact workflows only after host-key risk has been considered.
Set ForwardAgent yes only for hosts you trust with access to your agent during the session.
Use keepalive values such as 30 or 60 seconds when idle admin sessions are dropped by NAT or middleboxes.
Turn on ControlMaster auto only when repeated sessions to the same host should reuse a master connection.

If the summary says Check input, fix the error banner before copying the config. Blocking errors include blank aliases, blank hostnames, whitespace inside aliases or hostnames, unclosed quoted CSV cells, and ports outside 1 to 65535.

Warnings deserve a slower review even when the config text is generated. Duplicate aliases can cause the wrong block to match first, extra CSV cells may mean a pasted row shifted columns, and external ProxyJump values should be checked against the user's existing SSH config.

Step-by-Step Guide:

Build the rows first, then review the generated text, host ledger, and validation checklist before pasting anything into an SSH config file.

Enter one host per line in Host rows using the order alias,hostname,user,port,proxyjump,identityfile,hostkeyalias.
Set Default user, Default port, and Default identity file for values that should apply when a row leaves those cells blank.
Keep Add IdentitiesOnly yes enabled when each generated host should use the configured key list rather than every key offered by ssh-agent.
Open Advanced only for policy settings such as host-key checking, agent behavior, forwarding, keepalives, or connection sharing.
Review any error or warning banner. Do not copy a snippet while the error banner is present.
Check Host Ledger to confirm each alias, hostname, user, port, jump host, and identity file landed in the expected column.
Check Validation Checklist for duplicate aliases, jump-host references, identity handling, host-key policy, keepalives, and multiplexing.
Use SSH Config for the final text and JSON only when a handoff record or downstream review needs structured data.

Interpreting Results:

SSH Config is the text to paste into a client config file or configuration-management template. Each valid host row becomes one block. When comments are enabled, a short comment line appears before each block showing the alias and destination hostname.

Host Ledger is the fastest way to catch column mistakes. If ProxyJump appears where IdentityFile was expected, or if the user column is blank when it should be explicit, fix the row before using the generated block.

How to interpret SSH config generator result cues
Result cue	Meaning	Useful follow-up
`Host blocks`	The parsed row count produced usable config blocks.	Compare the count with the number of intended hosts.
`via jump`	At least one host uses `ProxyJump`.	Confirm the jump host alias or external host is reachable from the client.
`agent fallback`	`IdentitiesOnly yes` is omitted.	Expect ssh-agent to offer additional keys unless other config prevents it.
`Host key policy`	Shows whether `StrictHostKeyChecking` is omitted or explicit.	Treat `no` as a policy exception, not a convenience default.
`Connection multiplexing`	Reports whether `ControlMaster` directives will be written.	Check `ControlPath` length and uniqueness before rollout.

A clean checklist means the entered text passed the generator's format rules. It does not mean the destination server accepts the key, that the target's host key is already trusted, that DNS resolves, or that the final config file order will match the intended host block.

Worked Examples:

Bastion Path:

A row such as db-prod,db01.internal.example.com,dba,22,bastion,~/.ssh/id_prod_ed25519,db-prod-via-bastion creates a block for ssh db-prod. The alias is db-prod, the network destination is db01.internal.example.com, the login user is dba, and the connection routes through bastion.

Host db-prod
  HostName db01.internal.example.com
  User dba
  Port 22
  IdentityFile ~/.ssh/id_prod_ed25519
  IdentitiesOnly yes
  ProxyJump bastion
  HostKeyAlias db-prod-via-bastion

Git Alias:

A row such as github-work,github.com,git,22,,~/.ssh/id_work_ed25519, binds a memorable alias to the git user and one key. That keeps personal and work keys from being mixed when tools invoke ssh github-work or a Git remote uses the alias as its host.

FAQ:

Does the snippet test SSH connectivity?

No. The result is configuration text. Use the OpenSSH client to test the final alias, and use ssh -G alias when you want to inspect the evaluated client configuration before opening a session.

Where should the generated block be placed?

Most personal client entries belong in ~/.ssh/config. More specific Host entries should appear before broader wildcard defaults because OpenSSH generally uses the first value it obtains for each parameter.

Can jump hosts use their own keys and users?

Yes, but those settings normally need their own matching host entries. A destination block that uses ProxyJump bastion does not automatically define the login user, key, or port for bastion.

Does the tool upload host rows or keys?

No server-side SSH lookup is performed. The page parses the text you enter, produces local output, and does not read private key files from your machine. Avoid placing real secrets in shared URLs, tickets, or exported records.

Glossary:

Host: The alias or pattern a user types after ssh.
HostName: The actual hostname or IP address OpenSSH connects to after a host block matches.
ProxyJump: A jump-host directive that routes the connection through one or more intermediate SSH hosts.
IdentityFile: A path to a private key used for public-key authentication.
ControlMaster: An OpenSSH feature that can share multiple sessions over one master connection.
HostKeyAlias: A name used for host-key lookup when the config should separate trust records from the visible host alias or address.