How to Disable SSH ControlMaster for Specific Hosts in OpenSSH Config


1 views

When working with OpenSSH's connection multiplexing feature, you might encounter situations where you need to disable ControlMaster for specific hosts despite having it enabled globally. The debug output clearly shows the persistent connection being created even when explicitly configured not to:

debug1: setting up multiplex master socket
debug1: channel 0: new [/ms/git@droolit.unfuddle.com:22]

OpenSSH processes configuration options in a specific order. The first matching Host section's options take precedence. In your case, both the wildcard (Host *) and specific (Host *.unfuddle.com) patterns match, but the ordering matters.

To properly disable ControlMaster for unfuddle.com hosts, you need to restructure your ~/.ssh/config file:

# Global defaults (applied last)
Host *
  ControlPath /ms/%r@%h:%p
  ControlMaster auto
  ControlPersist 4h

# Specific overrides (applied first)
Host *.unfuddle.com
  ControlMaster no
  ControlPath none

The key points in this configuration:

  • Specific host patterns are evaluated before wildcard patterns
  • Setting ControlPath none ensures no master socket is created
  • The configuration is processed top-down with more specific rules first

After making these changes, verify with the -v flag:

ssh -v git@droolit.unfuddle.com

You should not see these lines in the output:

debug1: setting up multiplex master socket
debug1: channel 0: new [/ms/git@droolit.unfuddle.com:22]

For more complex scenarios, you can use negative patterns:

Host !*.unfuddle.com *
  ControlMaster auto
  ControlPersist 4h
  ControlPath /ms/%r@%h:%p
  • Always test with -v flag to verify connection behavior
  • Clear existing master sockets if changes don't take effect immediately
  • Consider SSH version differences - some older versions may handle config precedence differently

For complete control over connection multiplexing, these configuration patterns give you the flexibility to enable persistent connections where beneficial while disabling them when necessary.

When working with OpenSSH's connection multiplexing feature, you might encounter situations where you need to disable ControlMaster for specific hosts while keeping it enabled globally. This becomes particularly important when dealing with Git repositories or services that don't play well with persistent connections.

OpenSSH's config file follows a specific pattern matching order where more specific host declarations override general ones. Your current configuration:

Host *
  ControlPath /ms/%r@%h:%p
  ControlMaster auto
  ControlPersist 4h

Host *.unfuddle.com
  ControlMaster no

This should theoretically work, but there appears to be a quirk in some OpenSSH versions where the ControlPath directive persists even when ControlMaster is disabled.

To ensure the ControlMaster feature is completely disabled for unfuddle.com hosts, try this more explicit configuration:

Host *
  ControlMaster auto
  ControlPath /ms/%r@%h:%p
  ControlPersist 4h

Host *.unfuddle.com
  ControlMaster no
  ControlPath none
  ControlPersist 0

After making these changes, verify the behavior with:

ssh -v git@your.unfuddle.host

Check that no control socket is created in your specified directory:

ls -la /ms/

If the above doesn't work, consider these alternatives:

# Option 1: Use Match directive
Match host *.unfuddle.com
  ControlMaster no
  ControlPath none

# Option 2: Explicitly disable all multiplexing
Host *.unfuddle.com
  ControlMaster no
  ControlPath none
  ForwardAgent no
  ForwardX11 no
  ForwardX11Trusted no

When troubleshooting SSH configuration issues:

  • Always use -v flag for verbose output
  • Clear existing control sockets (rm -f /ms/*)
  • Check for multiple config files that might override settings