Every time you SSH, OpenSSH negotiates a connection, authenticates, and sets up encryption. On a slow link, that’s 2-3 seconds gone.
Do it 50 times a day? You’ve wasted 100 seconds before lunch.
SSH multiplexing reuses connections. First connection is normal. Every other one piggybacks on that socket. Result: instant SSH.
How It Works
SSH creates a control socket. Subsequent connections to the same host use that socket instead of creating a new one.
# First connection: slow (normal negotiation)$ time ssh prod ls /real 0m2.134s
# Second connection: fast (reuses socket)$ time ssh prod ls /real 0m0.042s100x faster. No password, no auth delay. Just traffic through the existing socket.
Setup: Three Lines
Add to your ~/.ssh/config:
Host * ControlMaster auto ControlPath ~/.ssh/sockets/%h-%p-%r ControlPersist 600That’s it:
- ControlMaster auto: Create a control socket on first connection, reuse on subsequent ones.
- ControlPath: Where the socket file lives.
%h=hostname,%p=port,%r=remote user. - ControlPersist 600: Keep the socket alive for 600 seconds after the last connection closes.
Create the socket directory:
mkdir -p ~/.ssh/socketschmod 700 ~/.ssh/socketsDone. Test it:
$ ssh prod 'echo first'first$ ssh prod 'echo second'secondThe second one should be instant.
Verify It’s Working
Check for socket files:
$ ls -la ~/.ssh/sockets/total 0srwx------ 1 user user 0 Apr 2 10:00 prod.example.com-22-admin ↑ that's the socket (s = socket)The s in -rw- means socket. Only the owner can access it (for security).
Or ask SSH directly:
$ ssh -O check prodMaster running (pid=12345)
$ ssh -O check nonexistentNo ControlPath specified, cannot check control master statusControl It Manually
While a socket exists, you can:
# Stop multiplexing for this host$ ssh -O exit prod
# Close all multiplexed connections$ ssh -O exit -S ~/.ssh/sockets/\*Or kill the socket:
rm ~/.ssh/sockets/prod.example.com-22-adminReal-World Example: Rapid SCP
Copying multiple files without multiplexing:
$ time for f in file{1..10}; do scp prod:~/data/$f .; donereal 0m25.000s# 2.5 seconds per SCP (connection overhead)With multiplexing:
# First connection establishes socket$ ssh prod ls / > /dev/null
# Now SCPs reuse it$ time for f in file{1..10}; do scp prod:~/data/$f .; donereal 0m2.500s# 0.25 seconds per SCP (mostly just transfer)10x faster.
Rsync Without Pain
Rsync is SSH-heavy (lots of small operations):
# Without multiplexing: crawls$ rsync -av prod:~/source/ ./dest/# Each file operation = new SSH connection
# With multiplexing: zip$ ssh prod ls / > /dev/null # Prime the socket$ rsync -av prod:~/source/ ./dest/# Reuses socket for all operationsControlPersist Explained
ControlPersist 600 means:
“Keep the socket open for 600 seconds after the last connection exits.”
So:
$ ssh prod cmd1# Connection exits, but socket stays open for 10 min
$ sleep 30; ssh prod cmd2# cmd2 reuses the existing socket (still fresh)
$ sleep 800; ssh prod cmd3# Socket is dead, so this creates a new oneFor always-on sessions, use:
Host prod ControlMaster auto ControlPath ~/.ssh/sockets/%h-%p-%r ControlPersist yesSocket persists until you manually close it.
Combining With Config
Put it in your Host blocks for maximum control:
# Multiplexing for everythingHost * ControlMaster auto ControlPath ~/.ssh/sockets/%h-%p-%r ControlPersist 600
# Except this one (security-sensitive)Host secure-server ControlMaster noSecurity Considerations
Socket lives in your home directory. If your home is NFS-mounted or accessible to others, someone could hijack the socket.
Fix it:
chmod 700 ~/.ssh/sockets# Only you can access the directorySSH checks socket ownership anyway (won’t use it if group/others can write).
For sensitive hosts, disable multiplexing:
Host secure-prod ControlMaster noPerformance: Numbers
Baseline (no multiplexing):
$ for i in {1..10}; do time ssh prod 'echo x'; done# Average: ~2 seconds per connectionWith multiplexing:
$ ssh prod 'echo x' # Establish socket (2 sec)$ for i in {1..10}; do time ssh prod 'echo x'; done# Average: ~0.05 seconds per connection40x speedup after priming.
Over slow links (high latency):
- No multiplexing: +500ms per connection
- Multiplexing: +10ms per connection
Bandwidth unchanged. Latency is the win.
Gotchas
ControlPath too long: Linux has a max socket path length (~108 chars). If your hostname is long, the path might exceed it.
# Check your limitpython3 -c "import socket; print(socket.AF_UNIX)" # Usually 108
# If using long hostnames, shorten the pathControlPath ~/.ssh/m/%h-%pStale sockets: If SSH crashes, the socket lingers. You may get weird errors. Just delete it:
rm ~/.ssh/sockets/*Different users, same host: Use %r (remote user) in ControlPath so each user gets their own socket:
ControlPath ~/.ssh/sockets/%h-%p-%rTL;DR
Three lines. Instant SSH. Worth it.
Host * ControlMaster auto ControlPath ~/.ssh/sockets/%h-%p-%r ControlPersist 600Your fingers—and your patience—will thank you.
