OpenSSH Config Tags How To
OpenSSH is one of my favorite pieces of software. I try to keep up with the new features and changes and noticed something interesting in the OpenSSH release notes for version 9.4 about config tags.
* ssh: add support for configuration tags to ssh. This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf keywords of the same name.
How to Use Tags in the SSH Config File
This means that you can define config directives in your ~/.ssh/config file and associate them with a tag. You can then refer to that tag to bring along those config directives.
This is particularly nice if you have a lot of config entries with the same set of directives.
I use it to avoid having to write out my key paths when using the IdentityFile directive. My config looks like this:
# default options for all hosts
Host *
    ControlPersist 5s
    VisualHostKey yes

# Host entries come first. ssh reads this file once, top to bottom, and a
# "Match tagged" block only sees a tag that was set earlier in the file
# (or on the command line with -P), so the Tag lines must precede the
# Match blocks that refer to them. A host carries a single tag: the first
# Tag line wins and any later one for the same host is ignored.
Host webserver
    Hostname web1.lan
    User jimmy
    Tag ed_key
    # a second "Tag ip4" line would be ignored, so set this one directly
    AddressFamily inet

Host loadbalancer
    Hostname lb1.lan
    User jimmy
    Tag ed_key

Host ec2
    Hostname myec2.example.com
    Tag aws_key

Host unsafe
    Hostname oldschool.lan
    Tag pwn_me
    PreferredAuthentications keyboard-interactive,password

# For data center hosts
Match tagged ed_key
    IdentityFile ~/.ssh/id_ed25519
    PreferredAuthentications publickey

# For AWS hosts
Match tagged aws_key
    IdentityFile ~/.ssh/aws_key
    PreferredAuthentications publickey

# force IPv4 (selectable on the command line with -P ip4)
Match tagged ip4
    AddressFamily inet

# Disable strict host key checking
Match tagged pwn_me
    StrictHostKeyChecking no
Let’s break this down a bit just to be sure.
Define the Tag with “Match tagged”
This is where the configuration for each tag is defined. You can see we created 4 tags: ed_key, aws_key, ip4, and pwn_me. Each has a few directives under it that we want to reuse.
The basic pattern looks like this:
Match tagged <tag_name>
    <Directive 1>
    <Directive ...>
Tagging with “Tag”
This is how we tie the configuration from the Match tagged blocks to the hosts specified by one or more Host blocks. For example, in our config above, we've added the Tag aws_key line to the Host ec2 entry.
The pattern looks like this:
Host <host_alias>
    Tag <tag_name>
How to use Tags on the Command Line
Before you go, you should learn one other cool thing about tags. They can be selected from the command line with the -P flag. This means that we can reuse these sets of config directives on the fly when connecting to hosts that don't have an entry in the config:
ssh -P pwn_me jane@ephemeral_host.net
You can of course use built-in flags and/or the -o option for any directives without flags, but -P is a lot quicker if you have common config options you use frequently on random hosts.
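As an added illustration of the Match tagged, Tag and -P behaviour described in the three sections above (this is not OpenSSH's code and is not from the original post), the following Python script models the parsing rules that matter for tags: ssh reads the file once from top to bottom, the first value given for a keyword wins, and Match tagged compares its pattern list against whatever tag has been set so far, either by an earlier Tag line or by -P. The config text is a constructed copy of the blocks discussed above; the resolve function and the dict it returns are this example's own, not an OpenSSH API.

```python
"""Model of how ssh(1) resolves Host / Tag / Match tagged in ssh_config.

Added illustration, not OpenSSH code: it reproduces only the rules that
matter for tags (single pass, first value wins, Match tagged sees a tag
set earlier in the file or by -P) and ignores every other Match predicate.
"""
import fnmatch

# Constructed config with the same hosts and tags as the one discussed above.
SAMPLE_CONFIG = """
# default options for all hosts
Host *
    ControlPersist 5s
    VisualHostKey yes

Host webserver
    Hostname web1.lan
    User jimmy
    Tag ed_key

Host ec2
    Hostname myec2.example.com
    Tag aws_key

Host unsafe
    Hostname oldschool.lan
    Tag pwn_me
    PreferredAuthentications keyboard-interactive,password

Match tagged ed_key
    IdentityFile ~/.ssh/id_ed25519
    PreferredAuthentications publickey

Match tagged aws_key
    IdentityFile ~/.ssh/aws_key
    PreferredAuthentications publickey

Match tagged pwn_me
    StrictHostKeyChecking no
"""

# Same idea, but with the Match tagged block placed before the Tag line.
MISORDERED_CONFIG = """
Match tagged ed_key
    IdentityFile ~/.ssh/id_ed25519

Host webserver
    Tag ed_key
"""


def pattern_list_matches(patterns, value):
    """ssh-style pattern list: comma-separated globs, '!' negates a pattern."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        glob = pat[1:] if negate else pat
        if fnmatch.fnmatchcase(value, glob):
            if negate:
                return False
            matched = True
    return matched


def resolve(config_text, host, tag=None):
    """Return the effective options for `host` as {lowercase keyword: value}.

    `tag` models `ssh -P <tag>`: it is set before the file is read, so a
    Host block's own Tag line cannot override it (first value wins).
    """
    opts = {}
    if tag is not None:
        opts["tag"] = tag
    active = True  # directives before the first Host/Match line apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = pattern_list_matches(arg, host)
        elif keyword == "match":
            kind, _, pats = arg.partition(" ")
            if kind.lower() != "tagged":
                raise ValueError("only 'Match tagged' is modelled here")
            # Compared against the tag set so far; nothing set yet -> "".
            active = pattern_list_matches(pats.strip(), opts.get("tag", ""))
        elif active:
            opts.setdefault(keyword, arg)  # first value wins, as in ssh(1)
    return opts


if __name__ == "__main__":
    for host, tag in [("webserver", None), ("unsafe", None), ("ephemeral_host.net", "pwn_me")]:
        print(host, tag, resolve(SAMPLE_CONFIG, host, tag))
    print("misordered:", resolve(MISORDERED_CONFIG, "webserver"))
```

Running it shows webserver picking up the ed25519 key, unsafe getting StrictHostKeyChecking no, and -P pwn_me applying to a host with no entry at all, while the misordered config leaves webserver without an IdentityFile because the Match tagged block was evaluated before the Tag line was reached. Against a real installation (OpenSSH 9.4 or later), `ssh -G webserver` prints the effective configuration computed from your actual ~/.ssh/config, which is the quickest way to confirm that a tag really applied.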
Anyway, consider checking out your ~/.ssh/config file and see if you can't make your life a bit easier.