Per-host SSH identity configuration simplifies connecting to multiple remote systems that each require different keys. Instead of tracking which private key belongs to which server or repeatedly passing -i on the command line, identity files can be mapped directly to friendly host aliases for more predictable logins.

The OpenSSH client reads configuration from system-wide files such as /etc/ssh/ssh_config and a per-user file, combining matching Host blocks to determine connection parameters. Within these blocks, the IdentityFile directive selects which private key to offer during authentication, while related directives such as HostName and User define the remote endpoint and account.

Misconfigured host blocks or poorly protected key files can lead to failed logins or unintended key usage. On Linux, the per-user configuration typically resides at /home/<user>/.ssh/config, and both the directory and key files must have restrictive permissions to avoid rejection by ssh and to prevent other local users from reading sensitive material. Using separate, clearly named identity files per host reduces the chance of sending the wrong key to an untrusted server.

Steps to set per-host SSH identity files:

  1. Open a terminal for the account that will hold the SSH keys and per-user configuration file.
    $ whoami
    alice

    OpenSSH reads the per-user configuration from ~/.ssh/config in the current user's home directory after applying any system-wide defaults.

  2. Ensure the per-user SSH configuration directory exists.
    $ mkdir -p ~/.ssh
  3. Restrict permissions on the SSH configuration directory to owner-only access.
    $ chmod 700 ~/.ssh

    World-readable SSH directories and key material allow other local users to copy credentials and may cause ssh to refuse using those files.

  4. Open the SSH configuration file in a text editor.
    $ nano ~/.ssh/config

    The file may not exist yet or may be empty; OpenSSH treats an absent or empty ~/.ssh/config as containing no directives and falls back to its defaults.

  5. Add a host entry that uses a dedicated identity file for a specific server.
    Host app-server
      HostName app.example.com
      User deploy
      IdentityFile ~/.ssh/id_ed25519_app

    The Host value defines the alias used on the command line, while IdentityFile points at the private key file that should be offered to that server.

  6. Add additional host entries for other systems that require different keys.
    Host db-server
      HostName db.example.internal
      User dba
      IdentityFile ~/.ssh/id_ed25519_db

    Host github.com
      User git
      IdentityFile ~/.ssh/id_ed25519_github

    More specific Host patterns should appear earlier in the file because OpenSSH stops processing at the first matching block.

  7. Restrict permissions on the private key files referenced in the configuration.
    $ chmod 600 ~/.ssh/id_ed25519_app ~/.ssh/id_ed25519_db ~/.ssh/id_ed25519_github

    Loose permissions on private keys can cause ssh to reject them with a warning and also expose secrets to other local users.

  8. Optionally adjust the configuration path when using the built-in client on Windows 11.

    The per-user configuration for the bundled OpenSSH client on Windows 11 typically resides at /Users/<name>/.ssh/config.

  9. Generate the expanded configuration for a host to confirm that the intended identity file is selected.
    $ ssh -G app-server | grep -i identityfile
    identityfile ~/.ssh/id_ed25519_app
    ##### snipped #####

    The ssh -G output displays the final configuration after all matching Host blocks and defaults are applied.

  10. Connect to the configured host alias without specifying -i to test key selection.
    $ ssh app-server
    Welcome to Ubuntu 22.04.4 LTS
    Last login: Mon Jan 13 09:15:42 2025 from 203.0.113.10
    ##### snipped #####
  11. Verify that the expected shell prompt or application banner appears, confirming that authentication succeeded with the configured identity file.

    Per-host IdentityFile lines allow clean, memorable aliases such as ssh app-server while still keeping strict control over which private key is used for each connection.
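The overview above and steps 2 through 9 as one script, written as an added example for this article rather than code from the article or from the OpenSSH project. It assumes a POSIX shell with ls, grep, awk and mktemp, works in a throw-away directory created with mktemp instead of the real ~/.ssh, and reuses the article's sample aliases, hostnames and key file names. The IdentitiesOnly directive is an addition to the article's host blocks: it tells ssh to offer only the configured key for that alias rather than every key an agent holds, which is the usual way to keep a key from being shown to a server it was never meant for. The resolved_identity function asks ssh itself, via -G and -F, which key it would offer, so it is the authoritative check on a finished file regardless of how the blocks ended up ordered.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Builds a per-host SSH identity configuration in a directory passed as an
# argument, locks down permissions, and checks the result. The demo at the
# bottom runs in a throw-away mktemp directory, never the real ~/.ssh.
# Aliases, hostnames and key names are the article's sample values.
set -eu

# ensure_ssh_dir DIR: create the SSH directory with owner-only access (steps 2-3).
ensure_ssh_dir() {
    mkdir -p "$1"
    chmod 700 "$1"
}

# add_host_entry CONFIG ALIAS HOSTNAME USER KEYFILE (steps 5-6)
# Appends a Host block unless the alias is already present, so re-runs are
# harmless. HOSTNAME may be empty for aliases that are real hostnames, as with
# the github.com block. IdentitiesOnly (an addition to the article's blocks)
# makes ssh offer only the configured key, not every key the agent holds.
add_host_entry() {
    cfg=$1 name=$2 hostname=$3 user=$4 key=$5
    if [ -f "$cfg" ] && grep -qxF "Host $name" "$cfg"; then
        return 0
    fi
    {
        printf 'Host %s\n' "$name"
        if [ -n "$hostname" ]; then printf '  HostName %s\n' "$hostname"; fi
        printf '  User %s\n' "$user"
        printf '  IdentityFile %s\n' "$key"
        printf '  IdentitiesOnly yes\n\n'
    } >> "$cfg"
    chmod 600 "$cfg"
}

# lock_keys KEYFILE...: private keys must be readable by their owner only (step 7).
lock_keys() {
    for k in "$@"; do chmod 600 "$k"; done
}

# mode_of PATH: the permission string from ls, e.g. drwx------ (portable,
# unlike stat's flags, which differ between GNU and BSD).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_perms DIR: report every entry that is not owner-only. Returns 1 if
# anything is loose, which is what makes ssh refuse a key file.
check_perms() {
    dir=$1 bad=0
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "loose directory: $dir"; bad=1
    fi
    for f in "$dir"/config "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac    # public keys may stay readable
        if [ "$(mode_of "$f")" != "-rw-------" ]; then
            echo "loose file: $f"; bad=1
        fi
    done
    return "$bad"
}

# resolved_identity CONFIG ALIAS: ask ssh which key it would actually offer,
# the same check as step 9 but scoped to one config file with -F.
resolved_identity() {
    ssh -G -F "$1" "$2" | awk 'tolower($1) == "identityfile" { print $2; exit }'
}

# --- demonstration in a throw-away directory ---
demo=$(mktemp -d)
ensure_ssh_dir "$demo"
touch "$demo/id_ed25519_app" "$demo/id_ed25519_db" "$demo/id_ed25519_github"  # stand-ins for real keys
add_host_entry "$demo/config" app-server app.example.com deploy "$demo/id_ed25519_app"
add_host_entry "$demo/config" db-server db.example.internal dba "$demo/id_ed25519_db"
add_host_entry "$demo/config" github.com "" git "$demo/id_ed25519_github"
lock_keys "$demo"/id_ed25519_*
if check_perms "$demo"; then echo "permissions OK in $demo"; fi
if command -v ssh >/dev/null 2>&1; then
    echo "ssh would offer for app-server: $(resolved_identity "$demo/config" app-server)"
fi
rm -rf "$demo"
```

To apply this to a real account, call the functions with "$HOME/.ssh" instead of the demo directory and point each IdentityFile at the key that was actually generated for that server; check_perms then gives the same loose-permission report ssh would otherwise surface as a refusal at login time.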
