OpenSSH is one of my favorite pieces of software. I try to keep up with the new features and changes and noticed something interesting in the OpenSSH release notes for version 9.4 about config tags.

 * ssh: add support for configuration tags to ssh.
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf keywords of the same

How to Use Tags in the SSH Config File

This means that you can define config directives in your ~/.ssh/config file and associate them with a tag. You can then refer to that tag to bring along those config directives.

This is particularly nice if you have a lot of config entries with the same set of directives.

I use it to avoid having to write out my key paths when using the IdentityFile directive. My config looks like this:

# default options for all hosts
Host *
        ControlPersist 5s
        VisualHostKey yes

#  For data center hosts
Match tagged ed_key
        Identityfile ~/.ssh/id_ed25519
	PreferredAuthentications publickey

# For AWS hosts
Match tagged aws_key
	IdentityFile ~/.ssh/aws_key
	PreferredAuthentications publickey

# force IPv4
Match tagged ip4
	AddressFamily inet

# Disable strict host key checking
Match tagged pwn_me
	StrictHostKeyChecking no

Host webserver
        Hostname web1.lan
        User jimmy
	Tag ed_key
	Tag ip4

Host loadbalancer
        Hostname lb1.lan
        User jimmy
	Tag ed_key

Host ec2
	Tag aws_key

Host unsafe
	Hostname oldschool.lan
	Tag pwn_me
	PreferredAuthentication keyboard-interactive,password

Let’s break this down a bit just to be sure.

Define the Tag with “Match tagged”

This is where tags are defined and configuration is associated with them. You can see we created 4 tags, ed_key, aws_key, ip4, and pwn_me. Each has a few directives under it that we want to reuse.

The basic pattern looks like this:

Match tagged <tag_name>
	<Directive 1>
	<Directive ...>

Tagging with “Tag”

This is how we tie the configuration from the Match tagged predicates, to hosts specified by one or most Host predicates. For example, in our config above, we’ve added the Tag aws_key line to the Host ec2 entry.

The pattern looks like this:

Host host
	Tag <tag_name>

How to use Tags on the Command Line

Before you go, you should learn this one other cool thing about tags. They can be called from the commandline with -P flag. This means that we can reuse these sets of config directives on-the-fly when connecting to hosts that don’t have an entry in the config:

ssh -P pwn_me

You can of course use built-in flags and/or the -o option for any directives without flags, but -P is a lot quicker if you have common config options you use frequently on random hosts.

Anyways, consider checking out your ~/.ssh/config file and see if you can’t make your life a bit easier.