Currently I have the following ssh config file:
```
Host 172.30.*
  ControlMaster auto
  ControlPath ~/.ssh/cm_socket/%r@%h:%p
  ServerAliveInterval 60
  TCPKeepAlive yes
  ProxyCommand ssh -i /home/ehud/.ssh/my-secret1.pem -q -A nc %h %p
  ControlMaster auto
  ControlPath ~/.ssh/mux-%r@%h:%p
  ControlPersist 8h
  User ubuntu
  IdentityFile /home/ehud/.ssh/my-secret1.pem
```

Now I have other machines in the same subnet (172.30.*) but they have a different secret pem file. I would like to add the same configuration with a different secret pem file and call ssh with some flag that will redirect me to the right secret file.
Is it possible??
Thanks
```
ssh -i '/home/ehud/.ssh/my-secret2.pem' …
ssh -o 'IdentityFile=/home/ehud/.ssh/my-secret2.pem' …
```

Either of the above commands will load the my-secret2.pem file first, but since you can specify multiple identity files (see man 1 ssh, -i option), the file my-secret1.pem given in your ssh_config will possibly also be tried. You may or may not want this.
If you're OK with this then you can specify my-secret2.pem via ssh_config by adding the following snippet before the Host 172.30.* block you already have:
```
# Special hosts, new identity file.
Host 172.30.10.*
  IdentityFile /home/ehud/.ssh/my-secret2.pem
```

man 5 ssh_config says:
> For each parameter, the first obtained value will be used. The configuration files contain sections separated by Host specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.
>
> Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
For any parameter that can be specified only once, it would be enough to match special hosts first and the whole 172.30.* range later. It's not obvious, but "the first obtained value will be used" doesn't really apply to IdentityFile because you can specify multiple files. To make your special hosts not use the my-secret1.pem file, you need additional knowledge of exclamation mark (!) usage.
Example snippet of ssh_config:

```
# Special hosts, new identity file.
Host 172.30.10.*
  IdentityFile /home/ehud/.ssh/my-secret2.pem

# Non-special hosts, old identity file.
Host 172.30.* !172.30.10.*
  IdentityFile /home/ehud/.ssh/my-secret1.pem

# Special and non-special hosts, like in your old config.
# Note there is no IdentityFile line here anymore.
# If there was, it would apply to special and non-special
# hosts, despite some previous IdentityFile line already loaded.
Host 172.30.*
  ControlMaster auto
  ControlPath ~/.ssh/cm_socket/%r@%h:%p
  ServerAliveInterval 60
  TCPKeepAlive yes
  ProxyCommand ssh -i /home/ehud/.ssh/my-secret1.pem -q -A nc %h %p
  ControlMaster auto
  ControlPath ~/.ssh/mux-%r@%h:%p
  ControlPersist 8h
  User ubuntu
```

Now if you e.g. ssh -v 172.30.10.22 (special host), you will see something like:
```
debug1: /etc/ssh/ssh_config line X: Applying options for 172.30.10.*
debug1: /etc/ssh/ssh_config line Y: Skipping Host block because of negated match for 172.30.10.*
debug1: /etc/ssh/ssh_config line Z: Applying options for 172.30.*
```

and ssh -v 172.30.99.33 (non-special host) will print:
```
debug1: /etc/ssh/ssh_config line Y: Applying options for 172.30.*
debug1: /etc/ssh/ssh_config line Z: Applying options for 172.30.*
```

So either way only one .pem file will be used.
There is also the -F option for ssh. From man 1 ssh:

> -F configfile
>
> Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored. The default for the per-user configuration file is ~/.ssh/config.
This way you can load a completely different config by hand.
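As an added illustration (not part of the answer above, and not OpenSSH's own code): a small Python model of the matching rules the answer relies on, with `!` negation, first-value-wins for ordinary keywords and accumulation for IdentityFile, run over a constructed config in the answer's layout (`GOOD`) and one with IdentityFile left in the generic block as in the asker's config (`BAD`). The config text, the `MULTI` set and the function names are assumptions made for this example.

```python
import fnmatch

# Constructed config mirroring the answer's snippet (mux and proxy options left out).
GOOD = """
Host 172.30.10.*
  IdentityFile /home/ehud/.ssh/my-secret2.pem
Host 172.30.* !172.30.10.*
  IdentityFile /home/ehud/.ssh/my-secret1.pem
Host 172.30.*
  User ubuntu
"""
BAD = GOOD + "  IdentityFile /home/ehud/.ssh/my-secret1.pem\n"  # IdentityFile also in the generic block
MULTI = {"identityfile"}  # keywords that accumulate instead of taking the first value (assumption)

def parse(text):
    """Return a list of (patterns, [(key, value), ...]), one per Host block."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def host_matches(patterns, host):
    """A matching negated pattern disqualifies the block, whatever else on the line matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve(text, host):
    """First obtained value wins, except multi-valued keys, which collect every matching value."""
    opts = {}
    for patterns, entries in parse(text):
        if host_matches(patterns, host):
            for key, value in entries:
                if key in MULTI:
                    opts.setdefault(key, []).append(value)
                else:
                    opts.setdefault(key, value)
    return opts
```

`resolve(GOOD, "172.30.10.22")` yields only my-secret2.pem while `resolve(BAD, "172.30.10.22")` yields both files, which is the difference the comments in the snippet describe; on a real system `ssh -G 172.30.10.22` prints the options OpenSSH itself resolved.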