Improve your SSH experience: use an ssh config file


Posted by Diego Assencio on 2013.11.27 under Linux (SSH)

Connecting via SSH can become quite annoying if you do it often by typing commands such as:

ssh myusername@mydomain.com

It is even more annoying if your server does not listen for incoming SSH connections on the standard port (22) and you must specify the port every time you connect:

ssh myusername@mydomain.com -p <port-number>

While you could in principle create a shell alias for connecting to each server, there is a much more elegant solution to this problem: the ssh configuration file is there to save us all from millions of unnecessary keystrokes. To be more precise, you can create a config file in the ~/.ssh directory and put all parameters necessary to connect to a server into that file under a name of your choice. To get that done, open the ~/.ssh/config file (if you do not have a ~/.ssh directory, create it first):

nano ~/.ssh/config

and create the configuration for each server you often connect to as in the example below:

Host myserver
	Hostname mydomain.com
	User myusername
	Port 9999

where I assumed 'myserver' listens for incoming SSH connections on port 9999. If a server listens on the default SSH port (22), you can omit the "Port" line from its set of parameters (or write "Port 22" if you wish; it won't hurt). Now you can connect to 'myserver' with the following command:

ssh myserver

Much better than writing the long ssh command from above, right? Also, the server name should be automatically completed if you type part of it and press the "Tab" key (this works on Ubuntu).

Bonus: security options

You can do many other things with the config file. For instance, you can select a private key which you would like to use with a given server. You can even force the usage of a specific set of MACs, key exchange algorithms, ciphers and authentication algorithms when connecting to a given server. For instance, here goes an example:

Host myserver
	Hostname mydomain.com
	User myusername
	Port 10022
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr,aes256-cbc
	MACs hmac-sha2-512,hmac-sha2-256
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

When you connect to 'myserver', the connection will only be established if the server supports the chosen:

SSH protocol version: 2 (always use this one; version 1 is vulnerable)
authentication algorithm: RSA
cipher: AES with counter or cipher-block chaining as the mode of operation and 256 bit long keys
MAC: HMAC using SHA-2 as the hash function with 512 or 256 bit long digests
key exchange algorithm: Diffie-Hellman (group exchange with SHA-256)

Also, the file ~/.ssh/id_rsa will be used as the private RSA key.

Readers familiar with cryptography will realize this gives the user a lot of control over the security of his/her connections. To get a complete list of supported ciphers, MACs, key exchange algorithms and authentication algorithms, see the manual for ssh_config:

man ssh_config

NOTE: you can assign a given configuration to many hosts at a time with the * symbol as shown below:

Host *
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr,aes256-cbc
	MACs hmac-sha2-512,hmac-sha2-256
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

This will cause all your SSH connections to any server to use those parameters unless they have already been specified for that server. To make this clear: when the config file is read, only the first definition of a given parameter for a given server will be used. So in the example below:

Host myserver
	Hostname mydomain.com
	User myusername
	Port 10022
	Ciphers aes128-cbc
	MACs hmac-sha1
	KexAlgorithms diffie-hellman-group1-sha1

Host *
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr
	MACs hmac-sha2-512
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

if you connect to 'myserver' using 'ssh myserver', the parameters set under 'myserver' will take precedence as they are defined earlier in the config file. In other words, the MAC used for connecting to 'myserver' will be hmac-sha1 (HMAC with SHA-1 as the hash function) instead of hmac-sha2-512. Similarly, the block cipher used will be aes128-cbc (AES with CBC as the mode of operation and 128 bit long keys) instead of aes256-ctr, and so on.
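The "first definition wins" rule is the part of ssh_config that people most often get wrong, and it also decides whether the algorithm restrictions from the "Bonus" section actually apply to a given host. The script below is an added example, not part of this post: it parses a constructed config file in the same format as the examples above, resolves the effective options for a host name the way ssh does (walk the Host blocks in file order, keep the first value seen for each option), reports which Host block supplied each value, and flags algorithm lists written with spaces after the commas, which ssh does not accept. The config text, the function names and the host names are all made up for the example.

```python
import fnmatch
import re

# Constructed sample config reproducing the precedence example from the post.
SAMPLE_CONFIG = """\
Host myserver
\tHostname mydomain.com
\tUser myusername
\tPort 10022
\tCiphers aes128-cbc
\tMACs hmac-sha1
\tKexAlgorithms diffie-hellman-group1-sha1

Host *
\tProtocol 2
\tHostKeyAlgorithms ssh-rsa
\tCiphers aes256-ctr
\tMACs hmac-sha2-512
\tKexAlgorithms diffie-hellman-group-exchange-sha256
\tIdentityFile ~/.ssh/id_rsa
"""

# Options whose value is a comma-separated algorithm list; ssh rejects spaces in them.
LIST_OPTIONS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms"}


def parse_config(text):
    """Return a list of (host_patterns, options) blocks in file order.

    Option names are lowercased because ssh_config keywords are case-insensitive.
    Within one block only the first occurrence of an option is kept, as ssh does.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Key value" and "Key=value" forms.
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.lower().split(), {})
            blocks.append(current)
            continue
        if current is None:
            # Options before the first Host line apply to every host.
            current = (["*"], {})
            blocks.append(current)
        current[1].setdefault(key, value)
    return blocks


def lint_lists(blocks):
    """Return (patterns, key, value) for list options containing whitespace."""
    return [(patterns, key, value)
            for patterns, options in blocks
            for key, value in options.items()
            if key in LIST_OPTIONS and re.search(r"\s", value)]


def host_matches(patterns, host):
    """Match like ssh: '*' and '?' wildcards, a leading '!' negates, any match wins."""
    host = host.lower()
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_options(text, host):
    """Map option -> (value, patterns of the block that supplied it), first wins."""
    result = {}
    for patterns, options in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, value in options.items():
            result.setdefault(key, (value, patterns))
    return result


if __name__ == "__main__":
    for key, (value, patterns) in sorted(effective_options(SAMPLE_CONFIG, "myserver").items()):
        print("%-18s %-45s from Host %s" % (key, value, " ".join(patterns)))
    for patterns, key, value in lint_lists(parse_config(SAMPLE_CONFIG)):
        print("WARNING: Host %s: %s has spaces in its list: %r" % (" ".join(patterns), key, value))
```

Running it shows that 'myserver' ends up with hmac-sha1, aes128-cbc and diffie-hellman-group1-sha1 from its own block while Protocol, HostKeyAlgorithms and IdentityFile fall through to the Host * block; if you swap the two blocks, the Host * values win for every option they define. On OpenSSH 6.8 or later, `ssh -G myserver` prints the values ssh itself would use, which is the authoritative check for your real ~/.ssh/config.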

Comments

IIm Tryin to lay you down easaay on Mar 22, 2017:
THANKS! This saved my sorry a$!
