OpenSSH is one of my favorite pieces of software. I try to keep up with the new features and changes and noticed something interesting in the OpenSSH release notes for version 9.4 about config tags.
* ssh: add support for configuration tags to ssh. This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf keywords of the same name.
How to Use Tags in the SSH Config File
This means that you can define config directives in your `~/.ssh/config` file and associate them with a tag. You can then refer to that tag to bring along those config directives.
This is particularly nice if you have a lot of config entries with the same set of directives.
I use it to avoid having to write out my key paths when using the `IdentityFile` directive. My config looks like this:
```
# default options for all hosts
Host *
    ControlPersist 5s
    VisualHostKey yes

Host webserver
    Hostname web1.lan
    User jimmy
    Tag ed_key
    # only the first Tag obtained for a host is used, so IPv4 is forced
    # directly here instead of with a second "Tag ip4"
    AddressFamily inet

Host loadbalancer
    Hostname lb1.lan
    User jimmy
    Tag ed_key

Host ec2
    Hostname myec2.example.com
    Tag aws_key

Host unsafe
    Hostname oldschool.lan
    Tag pwn_me
    PreferredAuthentications keyboard-interactive,password

# "Match tagged" tests the tag set by a prior Tag directive (or by -P on the
# command line), so these blocks come after the Host entries that set the tags.

# For data center hosts
Match tagged ed_key
    IdentityFile ~/.ssh/id_ed25519
    PreferredAuthentications publickey

# For AWS hosts
Match tagged aws_key
    IdentityFile ~/.ssh/aws_key
    PreferredAuthentications publickey

# force IPv4
Match tagged ip4
    AddressFamily inet

# Disable strict host key checking
Match tagged pwn_me
    StrictHostKeyChecking no
```
Let’s break this down a bit just to be sure.
Define the Tag with “Match tagged”
This is where tags are defined and configuration is associated with them. You can see we created 4 tags: `ed_key`, `aws_key`, `ip4` and `pwn_me`. Each has a few directives under it that we want to reuse.
The basic pattern looks like this:
```
Match tagged <tag_name>
    <Directive 1>
    <Directive ...>
```
Tagging with “Tag”
This is how we tie the configuration from the `Match tagged` predicates to hosts specified by one or more `Host` predicates. For example, in our config above, we’ve added the `Tag aws_key` line to the `Host ec2` entry.
The pattern looks like this:
```
Host host
    Tag <tag_name>
```
How to use Tags on the Command Line
Before you go, you should learn this one other cool thing about tags. They can be called from the command line with the `-P` flag. This means that we can reuse these sets of config directives on-the-fly when connecting to hosts that don’t have an entry in the config:
```
ssh -P pwn_me jane@ephemeral_host.net
```
You can of course use built-in flags and/or the `-o` option for any directives without flags, but `-P` is a lot quicker if you have common config options you use frequently on random hosts.
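As an added example (not part of the original post), here is a small Python model of how ssh walks a config top to bottom, used to audit which hosts end up with `StrictHostKeyChecking` disabled through a tag such as `pwn_me`. It is a simplified model that only handles `Host` and `Match tagged` with single patterns; the sample config and the helper names `resolve` and `weak_hostkey_hosts` are assumptions, and `ssh -G <host>` prints the real effective configuration.

```python
import fnmatch

# Constructed sample (not the page's file). Host entries set a Tag first;
# the Match tagged blocks that consume it come later in the file.
SAMPLE = """\
Host web
    Hostname web1.lan
    Tag ed_key
Host legacy
    Hostname oldschool.lan
    Tag pwn_me
Match tagged ed_key
    IdentityFile ~/.ssh/id_ed25519
Match tagged pwn_me
    StrictHostKeyChecking no
"""

def resolve(config, host, cli_tag=None):
    """Effective options for `host` (hypothetical helper); cli_tag models `ssh -P`."""
    opts = {"tag": cli_tag} if cli_tag else {}
    active = True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0] if rest else "")
        args = value.split()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in args)
        elif key == "match":
            # Only "Match tagged <pattern>" is modelled; it tests the tag set so far.
            active = (len(args) == 2 and args[0].lower() == "tagged"
                      and fnmatch.fnmatchcase(opts.get("tag", ""), args[1]))
        elif active:
            opts.setdefault(key, value)  # the first obtained value wins
    return opts

def weak_hostkey_hosts(config, hosts):
    """Hosts whose effective StrictHostKeyChecking is disabled."""
    return [h for h in hosts
            if resolve(config, h).get("stricthostkeychecking", "ask").lower() in ("no", "off")]

if __name__ == "__main__":
    print(weak_hostkey_hosts(SAMPLE, ["web", "legacy"]))
    print(resolve(SAMPLE, "adhoc.example", cli_tag="pwn_me"))
```

The same model shows why ordering matters: a `Match tagged` block placed before the `Host` entry that sets its tag never matches for that host.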
Anyways, consider checking out your `~/.ssh/config` file and see if you can’t make your life a bit easier.