SSH ControlMaster lets you reuse an existing SSH connection for multiple new sessions, drastically cutting down on authentication and connection setup time.

Let’s see it in action. Imagine you have a server prod-web-01.example.com and you’re frequently SSHing into it.

First, we need to enable ControlMaster in your SSH client configuration (~/.ssh/config).

Host prod-web-01.example.com
  ControlMaster auto
  ControlPath ~/.ssh/control/%r@%h:%p
  ControlPersist 600

Here’s what these lines do:

  • ControlMaster auto: This is the core of it. If an active control connection exists for this host, auto tells SSH to use it. If not, it will create a new one.
  • ControlPath ~/.ssh/control/%r@%h:%p: This specifies where the control socket file will be created.
    • %r: The remote username.
    • %h: The hostname.
    • %p: The port.
    • ~/.ssh/control/: We’re creating a dedicated directory for these sockets. Make sure this directory exists (mkdir -p ~/.ssh/control).
  • ControlPersist 600: This tells SSH to keep the control connection open for 600 seconds (10 minutes) after the last client disconnects. This is crucial for achieving the speedup. If you want it to stay open indefinitely until you explicitly kill it, use ControlPersist yes.

Now, let’s set up a scenario.

First SSH connection:

ssh user@prod-web-01.example.com

This will prompt for your password or use your SSH key. Once you’re in, don’t close this terminal. This is your "master" connection.

Now, open a new terminal window and connect again:

ssh user@prod-web-01.example.com

Observe the difference. If ControlMaster is working, you’ll be logged in instantly, without any password prompt or key negotiation. This is because SSH detected the existing control socket (~/.ssh/control/user@prod-web-01.example.com:22 in this case) and reused the established underlying connection.

You can verify the control socket exists:

ls -l ~/.ssh/control/

You’ll see a file with a name matching your ControlPath pattern.
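As an added example (not part of the original article), the shell functions below create the socket directory and check that it is private to your user, following the ssh_config(5) recommendation that ControlPath be placed in a directory other users cannot write to. The function names are illustrative; the directory is the ~/.ssh/control path used above.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.
# ssh_config(5) recommends placing ControlPath in a directory that other
# users cannot write to; these helpers create and verify such a directory.

# Print the ls-style mode string for a path, e.g. "drwx------".
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Create the socket directory if needed and restrict it to the owner.
harden_control_dir() {
    mkdir -p -- "$1" && chmod 700 -- "$1"
}

# Return 0 if the directory is a real directory, owned by the current user,
# with no group/other permission bits; print the reason and return 1 if not.
audit_control_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, not a directory, or a symlink"
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "FAIL: $dir is not owned by the current user"
        return 1
    fi
    mode=$(mode_of "$dir")
    case $mode in
        d???------) echo "OK: $dir ($mode)"; return 0 ;;
        *) echo "FAIL: $dir is $mode (group/other access)"; return 1 ;;
    esac
}

# Print every entry in the directory that is not a socket (stray files that
# do not belong next to control sockets). Prints nothing when it is clean.
list_non_sockets() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ -S "$entry" ] || echo "$entry"
    done
}
```

Run harden_control_dir ~/.ssh/control once before the first connection, then audit_control_dir ~/.ssh/control whenever the configuration or the directory changes.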

The magic happens because SSH creates a local Unix domain socket. When you initiate a new ssh command to the same host with ControlMaster enabled, it checks for this socket. If found and the master connection is still alive (or ControlPersist keeps it alive), it bypasses the entire handshake process (key exchange, authentication) and directly tunnels the new session over the existing, already authenticated, connection.

Think of it like having a direct phone line already open. Instead of redialing and going through the automated menu every time, you just speak your request. The ControlPersist value is like setting your phone to not hang up for a few minutes after the last call.

The ControlPath is particularly useful for managing multiple connections to different hosts or users. If you connect to prod-web-01 as user1 and then prod-web-02 as user2, the %r@%h:%p pattern ensures distinct control sockets are created for each, preventing conflicts.

The real benefit shines when you’re running many commands, like in scripts or automated tasks, or when you’re toggling between interactive sessions. The time saved on authentication alone can be significant, especially over high-latency networks.

You can also explicitly manage these control connections. To check whether a master connection is active for this host:

ssh -O check user@prod-web-01.example.com

This will output Control socket "/home/user/.ssh/control/user@prod-web-01.example.com:22" already exists.

To explicitly close a master connection (which will also terminate any multiplexed sessions on it):

ssh -O exit user@prod-web-01.example.com

This command sends an EXIT request to the master process via the control socket.

If you ever find yourself SSHing into a server and then immediately needing to run scp or rsync to the same server, or even opening another ssh session for a different command, the performance gain is substantial.

One less obvious benefit is that you can use ProxyCommand with ControlMaster. This allows you to multiplex connections even when you’re not directly connecting to the final destination, but rather to a bastion host. The control master connection is established to the bastion, and then all subsequent SSH tunnels go through that single authenticated connection to the bastion.

The next hurdle you’ll face is understanding how to manage ControlMaster effectively in complex environments with many jump hosts or when dealing with ephemeral server instances.
