Love the extra security of your SSH’s Multifactor Authentication, but hate it when you have to enter that login dozens of times a day?
Enter SSH’s ControlPath, a simple option that’s built into SSH for reusing an existing connection to your server.
And best of all, it has a side effect of consolidating those half dozen SSH connections down to just one.
Tip
This only reuses SSH connections to hosts you are logged into or recently were (within the ControlPersist timeout shown below). If you log into a new host or the timeout lapses, it will prompt for the MFA code.
Warning
If someone gains access to your computer, they will have the same access to the open SSH connections as you do.
How it works
The first time you log in to your server, you’ll need to enter a verification code from your phone’s app. That login also starts a single background SSH connection.
Any subsequent ssh logins or connections then reuse this connection, all without any code, because they are just sending data over the previously created connection.
How to set it up
The setup is easy. It’s controlled by three options:
- ControlMaster: Enables the sharing of multiple sessions over a single network connection. auto will simply make the connection if it doesn’t already exist.
- ControlPath: Where to create the file to manage the shared connections. Some put this in ~/.ssh/ but as I like to keep things clean, I like to put it in the ~/.ssh/.control folder, which will have to be created.
- ControlPersist: How long to keep the background connection open when not being used. Options are:
  - Set a number, which will be how many seconds to keep it idle in the background with no active SSH sessions. In the example below, we’ll set it to 9600, which is 3 hours.
  - Setting it to yes will disable any timeout.
  - If set to no, the SSH connection won’t be put into the background, and will close as soon as all of your SSH connections are closed.
First decide where you want your control files to be. If you use what I have above and in the below examples, then create the directory:
mkdir ~/.ssh/.control
Here is an example of how to set it up with just one host, using ExampleHost as the hostname.
Add/edit your ~/.ssh/config to have the following entry.
Host ExampleHost
    Hostname example.com
    ControlMaster auto
    ControlPath ~/.ssh/.control/host:%h:%p:%r
    ControlPersist 9600
Or if you want to use this for all your hosts, add this to the bottom of the file.
# No Hostname line here: under "Host *" it would point every host at example.com.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/.control/host:%h:%p:%r
    ControlPersist 9600
Using it
Now that you’ve added it, it’s time to put it into action.
ssh ExampleHost
You will be asked for your verification code. Enter it.
Then in a new terminal, log in again.
ssh ExampleHost
You should not be asked for any verification code.
Now for the real test. Log out of both of the above so you aren’t logged into any shell, then try it again. You should not be prompted for the verification code.
Opening a new connection
If you need to open a new connection that doesn’t share the same SSH login, then run this:
ssh -o ControlMaster=no -o ControlPath=/dev/null ExampleHost
This will create a new ssh connection, without using ControlMaster.
Security
Now, as this keeps us logged in, if anyone gains access to your computer they can simply log in.
So you’ll need to secure your computer, which you should already be doing.
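One way to act on this, as an added example that is not part of the original post: a script that closes the background master connections (for instance when you lock your screen or step away) and warns if the control directory is accessible to other users. It assumes the ControlPath layout used above; the script name close-masters.sh and the CONTROL_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the ControlPath used
# above: ~/.ssh/.control/host:%h:%p:%r
CONTROL_DIR="${CONTROL_DIR:-$HOME/.ssh/.control}"

# True only if the directory grants nothing to group/other (drwx------).
control_dir_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Split "host:%h:%p:%r" into "host port user". Splitting from the right
# keeps an IPv6 literal in %h intact even though it contains colons.
parse_socket_name() {
    name=${1##*/}
    case "$name" in host:*:*:*) ;; *) return 1 ;; esac
    rest=${name#host:}
    user=${rest##*:}; rest=${rest%:*}
    port=${rest##*:}; host=${rest%:*}
    printf '%s %s %s\n' "$host" "$port" "$user"
}

# Ask each live master to exit (ssh -O exit); prints how many were closed.
# Entries that are not sockets are skipped.
close_masters() {
    dir=$1; closed=0
    for sock in "$dir"/host:*; do
        [ -S "$sock" ] || continue
        target=$(parse_socket_name "$sock") || continue
        host=${target%% *}
        if ssh -S "$sock" -O check "$host" >/dev/null 2>&1; then
            ssh -S "$sock" -O exit "$host" >/dev/null 2>&1 && closed=$((closed + 1))
        fi
    done
    echo "$closed"
}

# Hypothetical usage: sh close-masters.sh close  (e.g. from a screen-lock hook)
if [ "${1:-}" = "close" ]; then
    control_dir_is_private "$CONTROL_DIR" ||
        echo "warning: $CONTROL_DIR is accessible to other users" >&2
    echo "closed $(close_masters "$CONTROL_DIR") master connection(s)"
fi
```

To check a single host by hand, ssh -O check ExampleHost reports whether a master is running and ssh -O exit ExampleHost closes it.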
Conclusion
It’s that simple.