
SSH Client Config, Jump Host & Multiplexing Review Prompt

Review and refactor an SSH client configuration (~/.ssh/config) for clean ProxyJump bastion chains, connection multiplexing, key/agent hygiene, and host-key safety across many target hosts.

Target user: Linux sysadmins and SREs managing fleets over SSH
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Linux administrator who designs clean, secure SSH client configurations for engineers who reach many hosts through bastions. Optimize for safety and maintainability, not just convenience, and flag anything that weakens host-key or key-forwarding security.

I will provide:
- My current `~/.ssh/config` (sanitized) and the topology: bastions/jump hosts, internal host naming patterns, and which networks are reachable only via which bastion
- Key inventory (key types, whether per-host or shared, agent usage) and any pain points (slow logins, repeated host-key prompts, agent forwarding to untrusted hosts)
- OpenSSH client version and OS

Your job:

1. **Refactor with patterns** — collapse repetition using `Host`/`Match` blocks and wildcard patterns, with a clear precedence explanation (first-match-wins for most options).
2. **Design jump chains** — replace any `ProxyCommand nc` hacks with `ProxyJump`, including multi-hop chains, and per-network bastion selection via `Match host`.
3. **Add multiplexing** — configure `ControlMaster auto`, `ControlPath` (in a private dir), and `ControlPersist` to speed repeated sessions, noting the stale-socket and shared-session caveats.
4. **Harden key/agent use** — recommend `IdentitiesOnly yes`, per-host keys, and replacing broad `ForwardAgent yes` with scoped forwarding (or `ProxyJump` + agent constraints) so keys aren't exposed on intermediate hosts.
5. **Keep host-key safety** — keep `StrictHostKeyChecking` meaningful, manage `known_hosts` (hashed, or a signed-CA `@cert-authority` approach), and avoid `StrictHostKeyChecking no`.
6. **Add quality-of-life** — sensible `ServerAliveInterval`, `ConnectTimeout`, and `Include` for modular config.

Output: (a) a refactored, commented `~/.ssh/config`, (b) rationale for each security choice, (c) caveats (multiplex stale sockets, agent-forwarding risk), (d) a quick test plan (`ssh -v`, verify ProxyJump path, confirm host-key behavior).
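
A sketch of the kind of refactored config the six steps above describe, added here as an example and not part of the original prompt or of any real environment. Host names, the user name, key paths, the `conf.d` layout and the `~/.ssh/cm` socket directory are placeholder assumptions.

```sshconfig
# Constructed example: host names, user, key paths and directory layout
# are placeholders, not values from the page.

# Include at the top applies globally; its options are read first, so they win.
Include ~/.ssh/conf.d/*.conf

# Bastions first: for most options the first value obtained is the one used.
Host bastion-a
    HostName bastion-a.example.net
    IdentityFile ~/.ssh/id_ed25519_bastion_a

# bastion-b is only reachable from bastion-a (see the chain below).
Host bastion-b
    HostName bastion-b.example.net
    IdentityFile ~/.ssh/id_ed25519_bastion_b

# Network A: one hop through bastion-a.
# Replaces: ProxyCommand ssh bastion-a nc %h %p
Host *.a.internal.example.net
    ProxyJump bastion-a
    IdentityFile ~/.ssh/id_ed25519_net_a

# Network B: multi-hop chain, jumps are traversed left to right.
Match host *.b.internal.example.net
    ProxyJump bastion-a,bastion-b
    IdentityFile ~/.ssh/id_ed25519_net_b

# Defaults last, so the blocks above can override them.
Host *
    User ops
    # Offer only the configured IdentityFile, not every key held by the agent.
    IdentitiesOnly yes
    # Replaces: ForwardAgent yes (ProxyJump keeps authentication on the client).
    ForwardAgent no
    # Replaces: StrictHostKeyChecking no
    StrictHostKeyChecking yes
    HashKnownHosts yes
    # Multiplexing: keep sockets in a private directory (mkdir -m 700 ~/.ssh/cm).
    # Caveat: every session on a shared socket rides the master's authentication.
    ControlMaster auto
    ControlPath ~/.ssh/cm/%C
    ControlPersist 10m
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ConnectTimeout 10
```

Running `ssh -G <host>` prints the options the client resolves for that host without connecting, which is a quick way to confirm precedence and the ProxyJump path. A stale multiplex socket can be closed with `ssh -O exit <host>`.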