Connecting via SSH can become quite annoying if you do it often by typing commands such as:
It is even more annoying if your server does not listen for incoming SSH connections on the default port (22) and you must specify the port number every time you connect to it. For a server listening on port 10022, your command may look like this:
ssh firstname.lastname@example.org -p 10022
While you could in principle create a shell alias containing the long ssh command for a server you usually connect to, there is a much more elegant solution to this problem: the ssh configuration file is there to save us all from millions of unnecessary keystrokes. To be precise, you can create a file called config in the ~/.ssh directory and put all parameters necessary to connect to a server into that file under a given name of your choice. To get that done, open the ~/.ssh/config file (if you do not have a ~/.ssh directory, create it first):
and set the connection parameters for each server you often connect to using the example below:
Host myserver Hostname mydomain.com User myusername Port 10022
Above, I assumed "mydomain.com" points to an SSH server accepting connections on port 10022, and that the username associated with the server account is "myusername". If a server listens on the default SSH port, you can omit the "Port" line on its configuration (or replace "10022" with "22" if you really wish to specify it). Now we can connect to this server with a much shorter command:
Much better than writing the long ssh command above, right? Also, the server name ("myserver" in our case) will be automatically completed if you type part of it and press the "Tab" key.
Bonus: security options
You can do many other things with the config file. For instance, you can select a private key which you would like to use with a certain server. You can even force ssh to use a specific set of MACs, key exchange algorithms, ciphers and authentication algorithms for each server. Here is an example:
Host myserver Hostname mydomain.com User myusername Port 10022 Protocol 2 HostKeyAlgorithms ssh-rsa Ciphers aes256-ctr, aes256-cbc MACs hmac-sha2-512, hmac-sha2-256 KexAlgorithms diffie-hellman-group-exchange-sha256 IdentityFile ~/.ssh/id_rsa
When you connect to "myserver", the connection will only be established if the server supports the chosen:
|SSH protocol version:||2 (always use this one; version 1 is vulnerable)|
|cipher:||AES with either counter or cipher-block chaining as mode of operation and 256-bit long keys|
|MAC:||HMAC based on a SHA-2 hash function producing either 512- or 256-bit long digests|
|key exchange algorithm:||Diffie-Hellman with flexible group size using SHA-2 with 256-bit long digests|
Also, the file ~/.ssh/id_rsa will be used as the private RSA key. Whenever multiple choices are specified for a certain parameter (e.g. Ciphers is set to a list containing both aes256-ctr and aes256-cbc), ssh will always use the first one in the list which is supported by the server.
Readers familiar with cryptography will realize this gives the user a lot of control over the security of their connections. To get a complete list of supported ciphers, MACs, key exchange algorithms and authentication algorithms, see the manual for ssh_config:
In order to simplify the config file, you can assign a given configuration to many hosts at a time with the * symbol as shown below:
Host * Protocol 2 HostKeyAlgorithms ssh-rsa Ciphers aes256-ctr, aes256-cbc MACs hmac-sha2-512, hmac-sha2-256 KexAlgorithms diffie-hellman-group-exchange-sha256 IdentityFile ~/.ssh/id_rsa
This will cause all your SSH connections to any server to use those parameters unless they have already been specified. To make this clear: when the config file is read, only the first definition of a parameter for a certain server will be used. So in the example below:
Host myserver Hostname mydomain.com User myusername Port 10022 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group1-sha1 Host * Protocol 2 HostKeyAlgorithms ssh-rsa Ciphers aes256-ctr MACs hmac-sha2-512 KexAlgorithms diffie-hellman-group-exchange-sha256 IdentityFile ~/.ssh/id_rsa
if you connect to "myserver", the parameters set under the myserver section will take precedence as they are defined earlier in the config file. In other words, the MAC used will be hmac-sha1 (HMAC with SHA-1 as hash function) instead of hmac-sha2-512. Similarly, the block cipher used will be aes128-cbc (AES with CBC as mode of operation and 128-bit long keys) instead of aes256-ctr, and so on.