Love the extra security of your SSH’s Multifactor Authentication, but hate it when you have to enter that login dozens of times a day?

Enter SSH’s ControlPath, a simple option that’s built into SSH for reusing an existing connection to your server.

And best of all, it has a side effect of consolidating those half dozen SSH connections down to just one.


This only reuses SSH connections to hosts you are logged into or recently were (within the ControlPersist timeout show below). If you log into a new host or the timeout lapses, it will prompt for the MFA code.


If someone gains access to your computer, they will have the same access to the open SSH connections as you do.

How it works

When you login to your server, a single background connection will be started. On the first time, you’ll need to enter a verification code from your phone’s app. However, it will start a background SSH connection.

This connection will then be used by any subsequent ssh login/connections, all without any code. Because it’s just sending data on the previously created connection.

How to set it up

The setup is easy. It’s controlled by three options:

  • ControlMaster: Enables the sharing of multiple sessions over a single network connection. auto will simply make the connection if it doesn’t already exist.
  • ControlPath: Where to create the file to manage the shared connections. Some put this to ~/.ssh/ but as I like to keep things clean, I like to put it in the ~/.ssh/.control folder, which will have to be created.
  • ControlPersist: How long to keep the background connection open when not being used. Options are:
    • Set a number, which will be how many seconds to keep it idle in the background with no active SSH sessions. In the example below, we’ll set it to 9600, which is 3 hours.
    • Setting it to yes will disable any timeout.
    • If set to no the SSH connection won’t be put into the background, and will close as soon as all of your SSH connections are closed.

First decide where you want your control files to be. If you use what I have above and in the below examples, then create the directory:

mkdir ~/.ssh/.control

Here is an example of how to set it up with just one host, using ExampleHost as the hostname.

Add/edit your ~/.ssh/config to have the following entry.

Host ExampleHost
  ControlMaster auto
  ControlPath ~/.ssh/.control/host:%h:%p:%r
  ControlPersist 9600

Or if you want to use this for all your hosts, add this to the bottom of the file.

Host *
  ControlMaster auto
  ControlPath ~/.ssh/.control/host:%h:%p:%r
  ControlPersist 9600

Using it

Now that you’ve added it, it’s time to put it into action.

ssh ExampleHost

You will be asked for your verification code. Enter it.

Then in a new terminal, log in again.

ssh ExampleHost

You should not be asked for any verification code.

Now for the real test. Log out of both of the above, so you aren’t logged into any shell. And try it again. You should not be prompted for the verification code.

Opening a new connection

If you need to open a new connection, that doesn’t share the same SSH login, then run this:

ssh -o ControlMaster=no -o ControlPath=/dev/null ExampleHost

This will create a new ssh connection, without using ControlMaster.


Now, as this keeps us logged in, if anyone gains access to your computer they can simply log in.

So you’ll need to secure your computer, which you should already be doing.


It’s that simple.