SSH Config Snippet Generator
Generate OpenSSH Host blocks from CSV host rows, with defaults, ProxyJump routes, identity-file choices, and review warnings before paste.
Introduction:
SSH client config files are small text files, but they often carry the details that make administrative access dependable. A server connection may depend on a login name, a nonstandard port, a private key, a bastion host, a host-key rule, and a short alias that people remember. Putting those choices in a reviewed Host block reduces the chance that a pasted command reaches the wrong machine or skips a required route.
OpenSSH reads client settings from command-line options, the user's config file, and the system config. Inside those files, Host sections match the name typed after ssh. The alias and the destination do not have to be the same: Host db-prod can point to HostName db01.internal.example.com, use a specific user, and travel through a jump host before the final connection is attempted.
- Aliases should be short, unique, and recognizable in shell history, runbooks, and automation notes.
- Destinations should be explicit enough to separate a friendly name from a DNS name or address.
- Jump hosts, identity files, and host-key choices should reflect policy, not last-minute command-line habits.
- Connection sharing and keepalives can help repeated admin work, but they also need review because they change client behavior beyond the target host.
A generated SSH config block is not a reachability check. It cannot prove that DNS resolves, that the private key exists on the client, that the bastion permits the connection, or that the destination host key is already trusted. Those facts are settled when the OpenSSH client evaluates the config and attempts a connection.
The safest snippets are boring to read: one alias per intent, one real destination per alias, explicit ports and users, and reviewable choices for keys and host-key handling. When a config will be copied into ~/.ssh/config, a configuration-management template, or shared team notes, the text should be clear enough for another operator to spot a wrong route before anyone runs ssh.
How to Use This Tool:
Enter host rows, set the defaults that should fill blank cells, then review the generated snippet and checklist before copying anything into an SSH config file.
- Fill Host rows as CSV in the order `alias,hostname,user,port,proxyjump,identityfile,hostkeyalias`. Blank lines and comment lines are ignored, and a header beginning with `alias,hostname` is skipped.
- Use Bastion sample when a final host must travel through a jump host, or Git sample when aliases should bind Git hosts to specific keys. Replace every sample hostname and alias before using the output.
- Set Default user, Default port, and Default identity file for blank cells. A dash in the identity cell omits `IdentityFile` for that row instead of inheriting the default.
- Leave Add IdentitiesOnly yes enabled when the configured key should be the key offered for each host. Turn it off only when ssh-agent fallback is intentional and the checklist warning is acceptable.
- Open Advanced for rollout policy choices such as StrictHostKeyChecking, AddKeysToAgent, ForwardAgent, keepalives, and ControlMaster. Use explicit values only when they match the environment you are preparing.
- Resolve any red error message before copying. Invalid rows include missing aliases, unclosed quoted CSV cells, whitespace in compact fields, and ports outside `1` through `65535`.
- Read Host Ledger to catch shifted cells, alias-to-hostname mistakes, missing users, wrong ports, jump values, and inherited identity files. Pay special attention to one-cell rows, because they can turn the same text into both the alias and the destination.
- Use Validation Checklist for duplicate aliases, outside jump references, identity coverage, host-key policy, keepalives, and connection sharing. Copy from SSH Config only after the checklist reflects the intended policy.
Interpreting Results:
The config text is ready to copy only when the summary shows host blocks and no blocking errors remain. Warnings are not syntax failures, but they flag choices that can create surprises later, such as duplicate aliases, jump hosts defined somewhere else, omitted identity files, or ssh-agent fallback.
Host Ledger is the best place to catch CSV mistakes because every parsed host is flattened into columns. If a jump value appears under IdentityFile, or if HostName repeats the alias when you expected a real DNS name, fix the row before trusting the generated block.
| Result area | What to trust | What to verify next |
|---|---|---|
| SSH Config | The generated Host blocks and directives. | Run `ssh -G alias` or a controlled test before sharing the snippet. |
| Host Ledger | The parsed alias, destination, user, port, jump, and key values. | Compare each row against the source inventory or runbook. |
| Validation Checklist | Review flags for duplicates, jump references, identities, host-key policy, keepalives, and multiplexing. | Decide whether each warning is intentional before pasting. |
| JSON | A structured snapshot of the generated hosts, checks, warnings, errors, and config text. | Use it for review notes or handoff records, not as proof that the hosts are reachable. |
A clean-looking snippet can still be wrong if an alias points at a stale hostname or a jump host means something different on another workstation. Treat the generated text as a draft until OpenSSH resolves the final effective config and a real connection test confirms the path.
Technical Details:
OpenSSH client configuration is made from keyword and argument lines. A Host line starts a section that applies to matching names, and the directives underneath it supply values such as HostName, User, Port, IdentityFile, and ProxyJump. Because the first obtained value for a parameter is normally used, more specific host declarations usually belong before broad defaults.
The generator builds plain OpenSSH client config text in the browser. It does not query DNS, open a socket, inspect local key files, or check server host keys. Its job is transformation and review: host rows become config blocks, selected policy options become directives, and questionable combinations become errors or warnings.
Transformation Core:
| Row field | Generated directive | Rule or limit |
|---|---|---|
| `alias` | `Host` | Required, cannot contain whitespace, and duplicate aliases are warning-level review items. |
| `hostname` | `HostName` | Required in normal CSV use and cannot contain whitespace; a single first cell can make alias and destination match, so review the ledger. |
| `user` | `User` | Blank cells inherit Default user; whitespace is blocked. |
| `port` | `Port` | Blank cells inherit Default port; valid values are whole numbers from 1 through 65535. |
| `proxyjump` | `ProxyJump` | Blank, `-`, and `none` omit the directive; compact values with whitespace are blocked. |
| `identityfile` | `IdentityFile` | Blank cells inherit the default identity path; `-` omits the directive for that host. |
| `hostkeyalias` | `HostKeyAlias` | Optional, cannot contain whitespace, and should be used deliberately for aliases, rebuilds, tunnels, or shared addresses. |
ProxyJump changes the path to the target by asking the client to connect through one or more jump hosts. A jump value can reference another alias from the same snippet, a wider config entry, or a full host expression. The final host's User, Port, and IdentityFile do not automatically define the jump host, so a bastion that needs special settings should have its own matching Host entry.
Identity handling is easy to misread because an SSH agent may offer keys beyond the one listed in the config. IdentityFile names a key source, while IdentitiesOnly yes tells the client to use configured identities instead of trying every identity the agent or security-key provider offers. That distinction matters when a server limits authentication attempts or when personal and work keys live in the same agent.
| Option | Allowed output | Review boundary |
|---|---|---|
| `StrictHostKeyChecking` | Omitted, `accept-new`, `yes`, `no`, or `ask`. | `no` weakens host-key checking and should be a deliberate exception. |
| `AddKeysToAgent` | Omitted, `no`, `yes`, `ask`, or `confirm`. | `ask` and `confirm` keep key addition or use visible on shared workstations. |
| `ForwardAgent` | Omitted, `no`, or `yes`. | Forward only to trusted hosts that need agent access, because remote sessions can request signatures from the local agent. |
| `ServerAliveInterval` and `ServerAliveCountMax` | Written only when the interval is greater than zero. | Interval is clamped from 0 to 3600 seconds; count is clamped from 1 to 20. |
| `ControlMaster`, `ControlPersist`, and `ControlPath` | Connection-sharing lines are written only when ControlMaster is selected. | The control socket path should include user, host, and port tokens or a hash and live in a directory other users cannot write to. |
Values that may naturally contain spaces, such as some paths, are quoted when needed. Compact tokens that OpenSSH expects as single words, including aliases, hostnames, users, jump values, and host-key aliases, are blocked when they contain whitespace. That split keeps path handling flexible while preventing a host row from turning into ambiguous config lines.
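The field rules in the Transformation Core table and the quoting split described above, written out as an added Python example (it is not the generator's own code, which runs in the browser). The function name, its parameters, the message wording, and the sample rows are assumptions made for this example.

```python
import csv

FIELDS = ("alias", "hostname", "user", "port", "proxyjump", "identityfile", "hostkeyalias")
DIRECTIVES = ("HostName", "User", "Port", "ProxyJump", "IdentityFile", "HostKeyAlias")
COMPACT = ("alias", "hostname", "user", "proxyjump", "hostkeyalias")  # single-word tokens
# Constructed sample rows: header, a bastion, a routed host, and a row with a bad port.
SAMPLE = """alias,hostname,user,port,proxyjump,identityfile,hostkeyalias
bastion,bastion.example.com,,2222,,-
db-prod,db01.internal.example.com,,,bastion,"~/keys/db prod"
db-bad,db02.internal.example.com,,70000,bastion
"""

def generate(csv_text, user="", port="22", identity="", identities_only=True):
    """Return (config_text, errors, warnings) using the field rules from the table above."""
    rows = [r for r in csv_text.splitlines() if r.strip() and not r.lstrip().startswith("#")]
    if rows and rows[0].replace(" ", "").lower().startswith("alias,hostname"):
        rows = rows[1:]  # a leading header row is skipped
    hosts, errors = [], []
    for n, line in enumerate(rows, 1):
        try:
            cells = [c.strip() for c in next(csv.reader([line], strict=True))]
        except csv.Error:
            errors.append(f"row {n}: malformed or unclosed quoted cell")
            continue
        h = dict(zip(FIELDS, cells + [""] * len(FIELDS)))
        h["hostname"] = h["hostname"] or h["alias"]  # one-cell row: alias is also the destination
        h["user"], h["port"] = h["user"] or user, h["port"] or port
        h["proxyjump"] = "" if h["proxyjump"].lower() in ("-", "none") else h["proxyjump"]
        h["identityfile"] = "" if h["identityfile"] == "-" else h["identityfile"] or identity
        spaced = [f for f in COMPACT if any(ch.isspace() for ch in h[f])]
        if not h["alias"]:
            errors.append(f"row {n}: missing alias")
        elif spaced:
            errors.append(f"row {n}: whitespace in {', '.join(spaced)}")
        elif not (h["port"].isascii() and h["port"].isdigit() and 1 <= int(h["port"]) <= 65535):
            errors.append(f"row {n}: port {h['port']} is outside 1 through 65535")
        else:
            hosts.append(h)
    aliases = [h["alias"] for h in hosts]
    warnings = [f"duplicate alias {a}" for a in sorted(set(aliases)) if aliases.count(a) > 1]
    warnings += [f"{h['alias']}: ProxyJump {j} is not an alias in these rows"
                 for h in hosts for j in h["proxyjump"].split(",") if j and j not in aliases]
    out = []
    for h in hosts if not errors else []:  # any blocking error leaves the config text empty
        pairs = list(zip(DIRECTIVES, (h[f] for f in FIELDS[1:])))
        pairs.append(("IdentitiesOnly", "yes" if identities_only and h["identityfile"] else ""))
        out.append(f"Host {h['alias']}")
        out += [f'    {k} "{v}"' if " " in v else f"    {k} {v}" for k, v in pairs if v]
    return "\n".join(out), errors, warnings
```

Calling `generate(SAMPLE, user="admin")` returns empty config text and one blocking error for the port-70000 row; correcting that cell yields three Host blocks.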
No formula is involved because this is a deterministic text-generation task, not a numeric calculation. The important audit trail is the mapping from each CSV field to its generated directive, plus the warnings that identify decisions a human operator should approve before the snippet becomes part of a real SSH client config.
Worked Examples:
Prepare a bastion route for database hosts
A team enters rows for bastion, db-prod, and db-report. The database rows use bastion in the proxyjump cell, the default user is admin, and Add IdentitiesOnly yes is enabled. The generated text contains separate host blocks, and Validation Checklist shows the jump references as covered because the bastion alias is part of the same host set.
Bind a Git alias to a work key
A developer enters github-work,github.com,git,22,,~/.ssh/id_ed25519_work,github-work. The snippet lets ssh github-work reach github.com as git while using the work identity file. With IdentitiesOnly yes, the client is less likely to offer unrelated personal keys from ssh-agent.
Catch a duplicate production alias
Two rows both use prod for different hostnames. The config can still be generated, but the checklist flags the repeated alias for review. Renaming the entries to prod-db and prod-web makes the intent visible and avoids relying on OpenSSH match order by accident.
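What relying on match order looks like for the duplicate prod alias, as an added Python example that is not part of the generator: a simplified resolver for the first-obtained-value rule from Technical Details. It handles only Host lines with `*`, `?`, and `!` patterns and space-separated keywords (no Match, Include, quoting, or accumulating options such as IdentityFile), and the config text is constructed for illustration.

```python
import re

# Constructed config: two blocks reuse the alias "prod", followed by broad defaults.
SAMPLE = """\
Host prod
    HostName db01.internal.example.com
    User dbadmin
Host prod
    HostName web01.internal.example.com
    Port 2222
Host *
    User admin
    Port 22
    IdentitiesOnly yes
"""


def pattern_matches(pattern, name):
    """Match one Host pattern; only the '*' and '?' wildcards are special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def host_line_matches(patterns, name):
    """A Host line matches if a positive pattern matches and no '!' pattern does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(pattern_matches(p, name) for p in negated):
        return False
    return any(pattern_matches(p, name) for p in positive)


def effective(config_text, name):
    """Return {keyword: (value, line_no)} keeping the first value obtained per keyword."""
    result, active = {}, True  # lines before the first Host apply to every name
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        key = keyword.lower()  # keywords are case-insensitive
        if key == "host":
            active = host_line_matches(value.split(), name)
        elif active and key not in result:
            result[key] = (value.strip(), line_no)
    return result
```

For `prod`, the result mixes the first block's HostName and User with the second block's Port, a merged target neither row intended. `ssh -G prod` reports the authoritative values on a real client.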
Reject a bad port before paste
A row with port 70000 produces a blocking error because valid TCP ports are 1 through 65535. The summary stays in a fix-required state and the config output remains unusable until the row is corrected.
Advanced Tips:
- Use a header row only as a reminder of the CSV order. The parser skips a leading `alias,hostname` row, but every following row still needs values in the expected positions.
- Put a dash in the per-row `identityfile` cell when a host must omit `IdentityFile`. Leave the cell blank only when the row should inherit Default identity file.
- Keep Add IdentitiesOnly yes enabled for hosts with explicit keys unless ssh-agent fallback is intentional. The checklist will mark fallback as a review item.
- Select StrictHostKeyChecking deliberately. `accept-new` can fit managed bootstrap work, while `no` should be treated as an exception that weakens host-key protection.
- Set ServerAliveInterval only when idle sessions need client keepalives. The generated snippet writes `ServerAliveCountMax` only when the interval is greater than zero.
- Use ControlMaster, ControlPersist, and ControlPath for repeated administrative connections only after choosing a private control-socket path that will exist on the client.
FAQ:
Why does the snippet write Port 22?
Blank row ports inherit Default port, which starts at 22. The snippet writes the port explicitly so the host block remains clear even on systems where client defaults or shared config files differ.
Can ProxyJump point to an alias outside these rows?
Yes. The checklist marks that case for review because the alias must exist in the user's broader SSH config or be a full jump-host expression that OpenSSH can resolve.
What if a row has only one host value?
A one-cell row can become both the alias and the destination. That may be acceptable for a simple hostname, but it is usually better to enter both alias and hostname so the ledger is easy to audit.
What does a dash in the identity file cell mean?
A dash omits IdentityFile for that row. Leaving the cell blank is different because blank cells inherit Default identity file when one is set.
Does this test the SSH connection?
No. It produces config text and review notes. Use ssh -G alias to inspect the effective client config, then test the connection in a controlled way before distributing the snippet.
Should ForwardAgent be enabled?
Enable ForwardAgent yes only for trusted hosts that need it. Agent forwarding lets the remote session ask the local agent for signatures, so it should not be a casual default.
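The review boundaries this page gives for StrictHostKeyChecking, ForwardAgent, and ControlPath, turned into checks over an existing snippet. This is an added Python example, not the tool's checklist code; the function names, finding text, and sample snippet are assumptions, and a ControlPath whose directory part itself contains % tokens is reported as missing because the tokens are not expanded.

```python
import os
import stat

# Constructed snippet with three choices the review table asks an operator to approve.
SAMPLE = """\
Host *
    ForwardAgent yes
    StrictHostKeyChecking no
    ControlMaster auto
    ControlPath /tmp/ssh-%r.sock
"""


def control_path_issues(template):
    """Check a ControlPath template for unique tokens and a private parent directory."""
    issues = []
    if "%C" not in template and not all(t in template for t in ("%h", "%p", "%r")):
        issues.append("ControlPath lacks %h, %p and %r (or %C), so sockets can collide")
    parent = os.path.dirname(os.path.expanduser(template)) or "."
    if not os.path.isdir(parent):
        issues.append(f"ControlPath directory {parent} does not exist on this client")
    elif os.stat(parent).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"ControlPath directory {parent} is writable by other users")
    return issues


def review(config_text):
    """Return review findings for the policy directives in a config snippet."""
    findings, patterns = [], ["(before first Host)"]
    for raw in config_text.splitlines():
        keyword, _, value = raw.strip().partition(" ")
        key, value = keyword.lower(), value.strip()
        where = "Host " + " ".join(patterns)
        if key == "host":
            patterns = value.split()
        elif key == "stricthostkeychecking" and value.lower() == "no":
            findings.append(f"{where}: StrictHostKeyChecking no weakens host-key checking")
        elif key == "forwardagent" and value.lower() == "yes":
            wide = any("*" in p or "?" in p for p in patterns)
            scope = "a wildcard pattern" if wide else "this host"
            findings.append(f"{where}: ForwardAgent yes exposes the local agent to {scope}")
        elif key == "controlpath":
            findings += [f"{where}: {issue}" for issue in control_path_issues(value)]
    return findings
```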
Glossary:
- Host alias: The name typed after `ssh`, such as `db-prod`, that selects a matching `Host` section.
- HostName: The real destination hostname or address used after the alias matches.
- ProxyJump: An OpenSSH option that reaches the final host through one or more jump hosts.
- IdentityFile: The private key path or public key reference used for public-key authentication.
- IdentitiesOnly: An option that limits authentication attempts to configured identity files instead of every identity offered by ssh-agent or a security-key provider.
- StrictHostKeyChecking: The client policy for accepting or rejecting host keys when a host is new or has changed.
- ControlMaster: An option for sharing later SSH sessions over a master connection through a control socket.