- How to Use Tags in the SSH Config File
- How to use Tags on the Command Line
OpenSSH is one of my favorite pieces of software. I try to keep up with the new features and changes and noticed something interesting in the OpenSSH release notes for version 9.4 about config tags.
* ssh: add support for configuration tags to ssh.
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf keywords of the same
How to Use Tags in the SSH Config File
This means that you can define config directives in your ~/.ssh/config file and associate them with a tag. You can then refer to that tag to bring along those config directives.
This is particularly nice if you have a lot of config entries with the same set of directives.
I use it to avoid having to write out my key paths when using the IdentityFile directive. My config looks like this:
# default options for all hosts
# For data center hosts
Match tagged ed_key
# For AWS hosts
Match tagged aws_key
# force IPv4
Match tagged ip4
# Disable strict host key checking
Match tagged pwn_me
Let’s break this down a bit just to be sure.
Define the Tag with “Match tagged”
This is where tags are defined and configuration is associated with them. You can see we created 4 tags: ed_key, aws_key, ip4, and pwn_me. Each has a few directives under it that we want to reuse.
The basic pattern looks like this:
Match tagged <tag_name>
Tagging with “Tag”
This is how we tie the configuration from the Match tagged predicates to hosts specified by one or more Host predicates. For example, in our config above, we've added the Tag aws_key line to the Host ec2 entry.
The pattern looks like this:
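Both patterns together, as an added example that is not the author's config: the host names, user, key paths and the directives under each tag are assumptions chosen to match the comments above. The Host blocks come first because Match tagged only matches a tag set by a prior Tag directive or by ssh -P.

```sshconfig
# Added example. Host names, user and key paths are placeholders.

# Hosts pick up a tag with "Tag". These blocks sit above the
# "Match tagged" blocks so the tag is already set when they are read.
Host ec2
    # placeholder address and user
    HostName ec2.example.com
    User ec2-user
    Tag aws_key

Host dc-*
    Tag ed_key

# For data center hosts
Match tagged ed_key
    # placeholder key path
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# For AWS hosts
Match tagged aws_key
    # placeholder key path
    IdentityFile ~/.ssh/aws.pem
    IdentitiesOnly yes

# force IPv4
Match tagged ip4
    AddressFamily inet

# Disable strict host key checking
# With this setting new host keys are accepted without confirmation,
# so the tag is applied per connection (ssh -P) and not to any Host block.
Match tagged pwn_me
    StrictHostKeyChecking no
```

Running ssh -G ec2 prints the options ssh resolves for that host, which shows whether the tagged block was applied.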
How to use Tags on the Command Line
Before you go, you should learn this one other cool thing about tags. They can be called from the command line with the -P flag. This means that we can reuse these sets of config directives on-the-fly when connecting to hosts that don't have an entry in the config:
ssh -P pwn_me jane@ephemeral_host.net
You can of course use built-in flags and/or the -o option for any directives without flags, but -P is a lot quicker if you have common config options you use frequently on random hosts.
Anyways, consider checking out your ~/.ssh/config file and see if you can't make your life a bit easier.