SSH Client Config, Jump Host & Multiplexing Review Prompt
Review and refactor an SSH client configuration (~/.ssh/config) for clean ProxyJump bastion chains, connection multiplexing, key/agent hygiene, and host-key safety across many target hosts.
- Target user: Linux sysadmins and SREs managing fleets over SSH
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior Linux administrator who designs clean, secure SSH client configurations for engineers who reach many hosts through bastions. Optimize for safety and maintainability, not just convenience, and flag anything that weakens host-key or key-forwarding security.

I will provide:

- My current `~/.ssh/config` (sanitized) and the topology: bastions/jump hosts, internal host naming patterns, and which networks are reachable only via which bastion
- Key inventory (key types, whether per-host or shared, agent usage) and any pain points (slow logins, repeated host-key prompts, agent forwarding to untrusted hosts)
- OpenSSH client version and OS

Your job:

1. **Refactor with patterns**: collapse repetition using `Host`/`Match` blocks and wildcard patterns, with a clear precedence explanation (first-match-wins for most options).
2. **Design jump chains**: replace any `ProxyCommand nc` hacks with `ProxyJump`, including multi-hop chains, and per-network bastion selection via `Match host`.
3. **Add multiplexing**: configure `ControlMaster auto`, `ControlPath` (in a private dir), and `ControlPersist` to speed repeated sessions, noting the stale-socket and shared-session caveats.
4. **Harden key/agent use**: recommend `IdentitiesOnly yes`, per-host keys, and replacing broad `ForwardAgent yes` with scoped forwarding (or `ProxyJump` + agent constraints) so keys aren't exposed on intermediate hosts.
5. **Keep host-key safety**: keep `StrictHostKeyChecking` meaningful, manage `known_hosts` (hashed, or a signed-CA `@cert-authority` approach), and avoid `StrictHostKeyChecking no`.
6. **Add quality-of-life**: sensible `ServerAliveInterval`, `ConnectTimeout`, and `Include` for modular config.

Output: (a) a refactored, commented `~/.ssh/config`, (b) rationale for each security choice, (c) caveats (multiplex stale sockets, agent-forwarding risk), (d) a quick test plan (`ssh -v`, verify ProxyJump path, confirm host-key behavior).
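The following `~/.ssh/config` is an added illustration of the six refactoring steps above, not part of the original prompt or any output it produced. The topology is constructed: one bastion `jump.example.com`, internal hosts under `*.prod.internal` reachable only through it, and a second hop `core-gw.prod.internal` in front of `*.core.internal`; the user names, key file names and timeouts are likewise assumptions. It targets OpenSSH 7.6 or newer, which is when `ProxyJump` (7.3), `%C` in `ControlPath` (6.7) and `StrictHostKeyChecking accept-new` (7.6) were all available.

```sshconfig
# Added example client config for a hypothetical bastion topology.
# Precedence rule: ssh keeps the FIRST value it obtains for each option,
# so specific Host/Match blocks come first and the catch-all "Host *" last.

# Step 6: modular overrides (per-project files) are pulled in first so they
# can win over everything below.
Include ~/.ssh/config.d/*.conf

# --- Step 2: the bastion itself ----------------------------------------
Host jump jump.example.com
    HostName jump.example.com
    User alice
    # Step 4: one key per trust zone, and only that key is offered.
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

# --- Step 1: Match selects by resolved attributes -----------------------
# This must precede the broader "*.prod.internal" block; otherwise that
# block's "User alice" is obtained first and this one is ignored.
Match host *.ci.prod.internal
    User deploy
    IdentityFile ~/.ssh/id_ed25519_ci

# --- Step 2: internal hosts reached through the bastion ----------------
# ProxyJump tunnels the TCP connection through the bastion; the private key
# and agent stay on the workstation, so no ForwardAgent is needed here.
Host *.prod.internal
    ProxyJump jump
    User alice
    IdentityFile ~/.ssh/id_ed25519_prod
    IdentitiesOnly yes

# Two-hop chain: workstation -> jump -> core-gw -> target.
Host *.core.internal
    ProxyJump jump,core-gw.prod.internal
    User alice
    IdentityFile ~/.ssh/id_ed25519_core
    IdentitiesOnly yes

# --- Defaults, last so every block above wins --------------------------
Host *
    # Step 3: multiplexing. The socket dir must be private (mkdir -m 700
    # ~/.ssh/cm); %C is a hash of user, host and port, so paths stay short.
    # Caveat: every later session rides the master's authentication and
    # forwards; a stale socket after a crash is cleared with "ssh -O exit host".
    ControlMaster auto
    ControlPath ~/.ssh/cm/%C
    ControlPersist 10m

    # Step 5: host-key safety. "accept-new" records unknown hosts on first
    # use but still refuses a host whose key has changed; never use "no".
    # For a CA-based fleet, known_hosts instead carries one line such as
    #   @cert-authority *.prod.internal ssh-ed25519 <CA public key, placeholder>
    StrictHostKeyChecking accept-new
    HashKnownHosts yes
    UserKnownHostsFile ~/.ssh/known_hosts

    # Step 4: agent hygiene. No blanket forwarding, no key left in the
    # agent by accident, and only configured keys offered to any server.
    ForwardAgent no
    AddKeysToAgent no
    IdentitiesOnly yes

    # Step 6: keep idle sessions alive and fail fast on unreachable hosts.
    ServerAliveInterval 30
    ServerAliveCountMax 3
    ConnectTimeout 10
```

For the test plan in output item (d), `ssh -G web1.core.internal` prints the fully resolved options for a host (useful for confirming which block won and that `proxyjump` reads `jump,core-gw.prod.internal`), and `ssh -vvv web1.core.internal` shows each hop being established and the host-key check for every host in the chain, including the jump hosts, which must also be in `known_hosts` or covered by the `@cert-authority` line.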