Parse, validate, and visualize your ~/.ssh/config file. Extract Host blocks, parameter values, detect patterns, and get actionable insights — all in your browser. Built for system administrators, DevOps engineers, and security teams.
The ~/.ssh/config file is the primary configuration file for the OpenSSH client. It allows users to define connection parameters for remote hosts, simplifying SSH usage by eliminating the need to remember lengthy command-line options. Each Host block defines a set of parameters that apply when connecting to a matching host pattern. The file supports wildcards, pattern matching, and conditional Match blocks, making it a powerful tool for managing complex SSH workflows.
Host pattern
Parameter value
Parameter value
Each Host block defines connection settings for hosts matching the pattern.
The parser reads the configuration line-by-line, respecting OpenSSH syntax rules:
Host or Match (case-insensitive). The pattern may include wildcards (*, ?) and negation (!).
HostName, User, IdentityFile) followed by one or more values. Parameter names are case-insensitive.
#) and empty lines are ignored during parsing but retained in the raw view.
Include) are recognized and flagged but not recursively processed.
\) are merged with the next line to support multi-line values.
The parser builds an internal representation of each Host block with its associated parameters, preserving the order of appearance. It also tracks line numbers for error reporting and highlights potential issues such as duplicate Host definitions, missing required parameters, or suspicious values.
Host entry for a given parameter. If a parameter appears multiple times for the same matching host, the first occurrence takes precedence. Our parser flags duplicate Host patterns to help you audit this precedence chain.
\). This parser now merges such lines automatically. However, Include files are not recursively parsed for security and simplicity.
A quick reference for the most frequently used parameters in ~/.ssh/config:
| Parameter | Description | Example |
|---|---|---|
| HostName | Real hostname or IP address to connect to. |
HostName example.com
|
| User | Default username for the connection. |
User admin
|
| Port | Port number on the remote host (default 22). |
Port 2222
|
| IdentityFile | Path to the private key file for authentication. |
IdentityFile ~/.ssh/id_rsa
|
| ProxyJump | Specifies a jump host (bastion) to connect through. |
ProxyJump bastion
|
| ServerAliveInterval | Interval (seconds) to send keep-alive packets. |
ServerAliveInterval 120
|
| Compression | Enable compression (yes/no). |
Compression yes
|
| StrictHostKeyChecking | Host key verification policy (yes/no/accept-new). |
StrictHostKeyChecking no
|
| AddKeysToAgent | Automatically add keys to the agent (yes/no/confirm). |
AddKeysToAgent yes
|
| ForwardAgent | Forward authentication agent (yes/no). |
ForwardAgent yes
|
| TCPKeepAlive | Enable TCP keep-alive (yes/no). |
TCPKeepAlive yes
|
| VisualHostKey | Display an ASCII art representation of the host key fingerprint. |
VisualHostKey yes
|
| CanonicalDomains | List of domains to search when resolving hostnames. |
CanonicalDomains .internal.example.com
|
| GlobalKnownHostsFile | System-wide known hosts file location. |
GlobalKnownHostsFile /etc/ssh/known_hosts
|
| UserKnownHostsFile | User-specific known hosts file. |
UserKnownHostsFile ~/.ssh/known_hosts
|
| UpdateHostKeys | Automatically update host keys in known_hosts. |
UpdateHostKeys yes
|
PermitRootLogin no on the server side.
PasswordAuthentication no) for production systems.
StrictHostKeyChecking no in production: This exposes you to man-in-the-middle attacks. Use accept-new or maintain known_hosts.
chmod 600).
KexAlgorithms to modern curves and MACs to hmac-sha2-512 to mitigate cryptographic attacks.
UpdateHostKeys: Set UpdateHostKeys yes to automatically rotate host keys.
A DevOps team managing 200+ EC2 instances across AWS, Azure, and GCP used a single ~/.ssh/config with over 40 Host blocks. Over time, the file became unmaintainable, with duplicate entries and outdated parameters. Using this SSH Config Parser, the team:
StrictHostKeyChecking no that were inadvertently copied across environments.
Host * block, reducing the file size by 40%.
The result was a cleaner, more secure configuration that improved team productivity and reduced connection errors. The parser's structured output enabled the team to generate documentation and onboarding guides for new engineers.
OpenSSH supports conditional Match blocks that apply parameters based on criteria such as hostname, user, local user, or canonical hostname. The parser recognizes Match blocks and treats them similarly to Host blocks, displaying their conditions as part of the block header. This is useful for configurations that need to adapt dynamically (e.g., different settings for internal vs. external networks).
Match blocks are parsed and displayed with their condition criteria for full visibility.
* matches any string, ? matches a single character. Negation (!) excludes matches. The parser visualizes which patterns are wildcard and which are literal.
Host example # comment). The parser treats # only at the beginning of a line as a comment.
Include directive is processed in-place. While our parser does not recursively fetch included files, it flags Include directives to remind you of external dependencies.
Host * matches everything, including more specific hosts" — Actually, Host * is a catch-all, but OpenSSH evaluates entries in order. The parser shows you the exact order of blocks to help you trace this.
? and * are interchangeable" — No. * matches zero or more characters; ? matches exactly one character. The parser distinguishes between them in the wildcard badge.
ssh -G host outputs the effective configuration for a specific host, applying all matching blocks. This parser, in contrast, shows you the static structure of your config file — all Host blocks, their parameters, and patterns — making it easier to audit and understand the entire file at a glance.
Include lines and flags them, but does not recursively fetch or parse external files. This is a deliberate design choice to keep the tool self-contained and secure — no files are read from your system. You can manually paste the content of included files into the input area for full analysis.
* or ?. For example, prod-* matches any host starting with "prod-". Wildcards are powerful but can lead to unexpected matches if not carefully scoped. The parser highlights wildcard hosts and shows how many parameters they define.
ssh -G for production use.
~/.ssh/config). The server configuration (/etc/ssh/sshd_config) uses a different syntax and is not supported. For server config parsing, we recommend using sshd -T to validate.
ProxyJump is the modern, simplified way to specify a bastion host (e.g., ProxyJump bastion). It automatically sets up the necessary tunnel. ProxyCommand is a more flexible, lower-level directive that allows you to specify an arbitrary command to establish the connection. The parser treats both as standard parameters.