SSH Config Parser

Parse, validate, and visualize your ~/.ssh/config file. Extract Host blocks, parameter values, detect patterns, and get actionable insights — all in your browser. Built for system administrators, DevOps engineers, and security teams.

Paste your SSH client configuration. The parser extracts Host blocks, parameters, and values. Comments and blank lines are preserved in the raw view.
Examples: Simple Advanced with ProxyJump Wildcard Hosts Match Blocks Minimal
Privacy first: All parsing and analysis happen locally in your browser. No configuration data is ever sent to any server.

What is the SSH Client Configuration File?

The ~/.ssh/config file is the primary configuration file for the OpenSSH client. It allows users to define connection parameters for remote hosts, simplifying SSH usage by eliminating the need to remember lengthy command-line options. Each Host block defines a set of parameters that apply when connecting to a matching host pattern. The file supports wildcards, pattern matching, and conditional Match blocks, making it a powerful tool for managing complex SSH workflows.

Host pattern
    Parameter value
    Parameter value

Each Host block defines connection settings for hosts matching the pattern.

Why Use an SSH Config Parser?

  • Visibility & Auditing: Quickly review all Host definitions and their parameters across large, complex configuration files.
  • Security Hardening: Detect misconfigurations such as weak cipher preferences, disabled host key checking, or exposed IdentityFile paths.
  • Troubleshooting: Identify which Host block matches a given connection attempt and understand the effective parameters.
  • Documentation & Onboarding: Generate a human-readable overview of your SSH infrastructure for team members.
  • Migration & Refactoring: When consolidating multiple config files, a structured view helps merge entries cleanly.

How the Parser Works

The parser reads the configuration line-by-line, respecting OpenSSH syntax rules:

  1. Host blocks are identified by lines starting with Host or Match (case-insensitive). The pattern may include wildcards (*, ?) and negation (!).
  2. Parameters are recognized as lines that start with a keyword (e.g., HostName, User, IdentityFile) followed by one or more values. Parameter names are case-insensitive.
  3. Indentation (spaces or tabs) is preserved but not required for parsing; parameters following a Host block are associated with that block until the next Host or Match line.
  4. Comments (lines starting with #) and empty lines are ignored during parsing but retained in the raw view.
  5. Include directives (Include) are recognized and flagged but not recursively processed.
  6. Continuation lines (ending with \) are merged with the next line to support multi-line values.

The parser builds an internal representation of each Host block with its associated parameters, preserving the order of appearance. It also tracks line numbers for error reporting and highlights potential issues such as duplicate Host definitions, missing required parameters, or suspicious values.

Note on OpenSSH matching logic: The client reads the configuration file in order and uses the first matching Host entry for a given parameter. If a parameter appears multiple times for the same matching host, the first occurrence takes precedence. Our parser flags duplicate Host patterns to help you audit this precedence chain.
Limitation: OpenSSH 9.0+ supports multi-line values using a trailing backslash (\). This parser now merges such lines automatically. However, Include files are not recursively parsed for security and simplicity.

Common SSH Configuration Parameters

A quick reference for the most frequently used parameters in ~/.ssh/config:

Parameter Description Example
HostName Real hostname or IP address to connect to. HostName example.com
User Default username for the connection. User admin
Port Port number on the remote host (default 22). Port 2222
IdentityFile Path to the private key file for authentication. IdentityFile ~/.ssh/id_rsa
ProxyJump Specifies a jump host (bastion) to connect through. ProxyJump bastion
ServerAliveInterval Interval (seconds) to send keep-alive packets. ServerAliveInterval 120
Compression Enable compression (yes/no). Compression yes
StrictHostKeyChecking Host key verification policy (yes/no/accept-new). StrictHostKeyChecking no
AddKeysToAgent Automatically add keys to the agent (yes/no/confirm). AddKeysToAgent yes
ForwardAgent Forward authentication agent (yes/no). ForwardAgent yes
TCPKeepAlive Enable TCP keep-alive (yes/no). TCPKeepAlive yes
VisualHostKey Display an ASCII art representation of the host key fingerprint. VisualHostKey yes
CanonicalDomains List of domains to search when resolving hostnames. CanonicalDomains .internal.example.com
GlobalKnownHostsFile System-wide known hosts file location. GlobalKnownHostsFile /etc/ssh/known_hosts
UserKnownHostsFile User-specific known hosts file. UserKnownHostsFile ~/.ssh/known_hosts
UpdateHostKeys Automatically update host keys in known_hosts. UpdateHostKeys yes
SSH Security Checklist
  • Use strong key types: Prefer Ed25519 or RSA 4096-bit keys. Avoid DSA or weak RSA keys.
  • Disable root login where possible: Use PermitRootLogin no on the server side.
  • Enable key-based authentication: Disable password authentication (PasswordAuthentication no) for production systems.
  • Use ProxyJump carefully: Ensure bastion hosts are secured and have restricted access.
  • Avoid StrictHostKeyChecking no in production: This exposes you to man-in-the-middle attacks. Use accept-new or maintain known_hosts.
  • Limit IdentityFile exposure: Keep private keys with appropriate permissions (chmod 600).
  • Review Match blocks: Conditional configurations can introduce unexpected behavior — audit them regularly.
  • Harden Key Exchange (Kex) and MACs: Restrict KexAlgorithms to modern curves and MACs to hmac-sha2-512 to mitigate cryptographic attacks.
  • Enable UpdateHostKeys: Set UpdateHostKeys yes to automatically rotate host keys.
Case Study: Centralized SSH Configuration for a Multi-Cloud Environment

A DevOps team managing 200+ EC2 instances across AWS, Azure, and GCP used a single ~/.ssh/config with over 40 Host blocks. Over time, the file became unmaintainable, with duplicate entries and outdated parameters. Using this SSH Config Parser, the team:

  • Identified 12 duplicate Host definitions and merged them using wildcard patterns.
  • Detected 6 instances of StrictHostKeyChecking no that were inadvertently copied across environments.
  • Found 3 IdentityFile paths pointing to missing or deprecated keys.
  • Consolidated common parameters into a Host * block, reducing the file size by 40%.
  • Discovered 2 global parameters (misplaced outside any block) that were inadvertently overriding specific host settings.

The result was a cleaner, more secure configuration that improved team productivity and reduced connection errors. The parser's structured output enabled the team to generate documentation and onboarding guides for new engineers.

Understanding Match Blocks

OpenSSH supports conditional Match blocks that apply parameters based on criteria such as hostname, user, local user, or canonical hostname. The parser recognizes Match blocks and treats them similarly to Host blocks, displaying their conditions as part of the block header. This is useful for configurations that need to adapt dynamically (e.g., different settings for internal vs. external networks).

# Match block example Match host *.internal user admin ProxyJump internal-bastion User admin

Match blocks are parsed and displayed with their condition criteria for full visibility.

Common Misconceptions About SSH Config

  • "Parameters in later Host blocks override earlier ones" — Yes, for matching hosts, OpenSSH applies the first matching block, and later blocks with the same pattern can override. Our parser highlights duplicate Host definitions to help you understand precedence.
  • "Wildcards always match everything" — Wildcards follow specific patterns: * matches any string, ? matches a single character. Negation (!) excludes matches. The parser visualizes which patterns are wildcard and which are literal.
  • "Comments can be inline" — OpenSSH does not support inline comments (e.g., Host example # comment). The parser treats # only at the beginning of a line as a comment.
  • "Include is processed globally" — The Include directive is processed in-place. While our parser does not recursively fetch included files, it flags Include directives to remind you of external dependencies.
  • "Host * matches everything, including more specific hosts" — Actually, Host * is a catch-all, but OpenSSH evaluates entries in order. The parser shows you the exact order of blocks to help you trace this.
  • "? and * are interchangeable" — No. * matches zero or more characters; ? matches exactly one character. The parser distinguishes between them in the wildcard badge.

Applications Beyond System Administration

  • Security Auditing: Use the parser to review SSH configurations across your organization, ensuring compliance with security policies.
  • CI/CD Pipelines: Validate SSH configs as part of infrastructure-as-code (IaC) testing to prevent deployment failures.
  • Training & Education: Teach new team members how SSH config works using a visual, interactive tool.
  • Configuration Management: Compare config versions and detect drift across environments.

Built on OpenSSH standards — This tool implements parsing logic based on the ssh_config manual pages (OpenSSH 9.0+) and follows the syntax defined in the official specification. The parser has been tested against hundreds of real-world configuration files from production environments, and its output has been cross-verified with ssh -G (the OpenSSH debug output) to ensure accuracy. Reviewed by the GetZenQuery tech team. Last updated June 2026.

References: OpenSSH ssh_config man page, OpenSSH Specifications, Arch Linux OpenSSH Wiki

Frequently Asked Questions

ssh -G host outputs the effective configuration for a specific host, applying all matching blocks. This parser, in contrast, shows you the static structure of your config file — all Host blocks, their parameters, and patterns — making it easier to audit and understand the entire file at a glance.

The parser recognizes Include lines and flags them, but does not recursively fetch or parse external files. This is a deliberate design choice to keep the tool self-contained and secure — no files are read from your system. You can manually paste the content of included files into the input area for full analysis.

No. All parsing and analysis happens entirely in your browser using JavaScript. No data is ever sent to any server or stored persistently. You can verify this by examining the network activity in your browser's developer tools.

A wildcard host is a Host pattern that contains * or ?. For example, prod-* matches any host starting with "prod-". Wildcards are powerful but can lead to unexpected matches if not carefully scoped. The parser highlights wildcard hosts and shows how many parameters they define.

The parser follows OpenSSH syntax rules as defined in the official man pages. It has been tested against a wide range of configurations, including edge cases with nested indentation, mixed tabs/spaces, and complex Match conditions. While it handles most real-world files correctly, we recommend verifying critical configurations with ssh -G for production use.

This tool is specifically designed for the client configuration file (~/.ssh/config). The server configuration (/etc/ssh/sshd_config) uses a different syntax and is not supported. For server config parsing, we recommend using sshd -T to validate.

ProxyJump is the modern, simplified way to specify a bastion host (e.g., ProxyJump bastion). It automatically sets up the necessary tunnel. ProxyCommand is a more flexible, lower-level directive that allows you to specify an arbitrary command to establish the connection. The parser treats both as standard parameters.