## Improve your SSH experience: use an ssh config file

Posted by Diego Assencio on 2013.11.27 under Linux (SSH)

Connecting via SSH can become quite annoying if you do it often by typing commands such as:

ssh myusername@mydomain.com


It is even more annoying if your server does not listen for incoming SSH connections on the standard port (22) and you must specify the port every time you connect:

ssh myusername@mydomain.com -p <port-number>


While you could in principle create a shell alias for connecting to each server, there is a much more elegant solution to this problem: the ssh configuration file is there to save us all from millions of unnecessary key strokes. To be more precise, you can create a config file in the ~/.ssh directory and put all parameters necessary to connect to a server into that file under a name of your choice. To get that done, open the ~/.ssh/config file (if you do not have a ~/.ssh directory, create it first with "mkdir -m 700 ~/.ssh"; keep the config file itself at mode 600, since ssh refuses with "Bad owner or permissions" to read a config file that other users could write to):

nano ~/.ssh/config


and create the configuration for each server you often connect to as in the example below:

Host myserver
Hostname mydomain.com
User myusername
Port 9999


where I assumed 'myserver' listens for incoming SSH connections on port 9999. Add a User line ("User myusername") if your login name on the server differs from your local one; without it ssh uses your local username. If a server listens on the default SSH port (22), you can omit the "Port" line from its block (or write "Port 22" if you wish; it won't hurt). Now you can connect to 'myserver' with the following command:

ssh myserver


Much better than writing the long ssh command from above, right? Also, the server name should be tab-completed if you type part of it and press the "Tab" key (the bash-completion package on Ubuntu reads the Host entries from ~/.ssh/config).

### Bonus: security options

You can do many other things with the config file. For instance, you can select the private key you would like to use with a given server. You can even force a specific set of MACs, key exchange algorithms, ciphers and host key algorithms when connecting to a given server. Here is an example (note that the lists are comma-separated without spaces: ssh treats whitespace as the end of the value and rejects the line if anything follows it):

Host myserver
Hostname mydomain.com
Port 10022
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


When you connect to 'myserver', the connection will only be established if the server supports the chosen:

- SSH protocol version: 2 (version 1 is broken and should never be used; recent OpenSSH releases dropped protocol 1 entirely, so on them the Protocol line is harmless but no longer does anything)
- host key algorithm: ssh-rsa, i.e. the server must authenticate itself with an RSA host key and sign with SHA-1. OpenSSH 8.8 and later disable ssh-rsa by default because of SHA-1's weakness; on such clients use rsa-sha2-512 or rsa-sha2-256 (same RSA keys, SHA-2 signatures) or ssh-ed25519 instead
- cipher: AES with 256 bit keys in counter (CTR) or cipher-block chaining (CBC) mode. CBC mode was dropped from the OpenSSH defaults in 6.7 because of plaintext-recovery attacks against it, so prefer aes256-ctr or an AEAD such as aes256-gcm@openssh.com or chacha20-poly1305@openssh.com
- MAC: HMAC with SHA-2 as the hash function and 512 or 256 bit digests (the encrypt-then-MAC variants hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com are preferable where the server supports them)
- key exchange algorithm: Diffie-Hellman group exchange with SHA-256

Also, the file ~/.ssh/id_rsa will be used as the private key.

Readers familiar with cryptography will realize this gives the user a lot of control over the security of his/her connections. To get a complete list of supported ciphers, MACs, key exchange algorithms and host key algorithms, see the manual for ssh_config; to see what your own client actually supports, run "ssh -Q cipher", "ssh -Q mac", "ssh -Q kex" and "ssh -Q key" (the names in the config must come from those lists, or ssh will refuse to start), and to see which values ssh resolved for a host after reading the config, run "ssh -G myserver":

man ssh_config


NOTE: you can assign a given configuration to many hosts at once with the * wildcard as shown below (Host patterns also accept ?, several patterns separated by spaces, and a leading ! to exclude a host):

Host *
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


This will cause all your SSH connections to any server to use those parameters, unless a parameter was already set for that server in an earlier block. To make this clear: when the config file is read, blocks are scanned top to bottom and only the first definition of a given parameter for a given server is used, so host-specific blocks belong near the top of the file and the 'Host *' defaults at the end. In the example below:

Host myserver
Hostname mydomain.com
Port 10022
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group1-sha1

Host *
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr
MACs hmac-sha2-512
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


if you connect to 'myserver' using 'ssh myserver', the parameters set under 'myserver' take precedence because they are defined earlier in the config file. In other words, the MAC used for connecting to 'myserver' will be hmac-sha1 (HMAC with SHA-1 as the hash function) instead of hmac-sha2-512. Similarly, the block cipher used will be aes128-cbc (AES in CBC mode with 128 bit keys) instead of aes256-ctr, and the key exchange will be diffie-hellman-group1-sha1 instead of the group exchange. Note that each of those per-host values is weaker than the 'Host *' default it overrides (diffie-hellman-group1-sha1 in particular uses a fixed 1024 bit group and was removed from the OpenSSH defaults in 7.0): the example only illustrates precedence. In practice the 'Host *' block should carry the strong defaults, and per-host blocks should relax them only for servers that cannot do better.
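To make the first-definition-wins rule concrete, here is an added example (my code, not part of the original post) that parses ssh_config-style text, resolves the effective options for a host the way ssh does, and then audits the result for algorithms OpenSSH has since dropped from its defaults and for comma lists written with spaces. It handles Host patterns with *, ? and ! but, by assumption, not Match or Include; the config text is the two-block example above, embedded as a constructed sample.

```python
"""Resolve ssh_config options for a host with ssh's first-value-wins rule.

Added example, not code from the original post. Host patterns with *, ?
and a leading ! are supported; Match, Include and other directives are
not (an assumption of this example, not a limitation of ssh).
"""
import fnmatch

# Constructed sample: the two-block precedence example from the post.
SAMPLE_CONFIG = """\
Host myserver
    Hostname mydomain.com
    Port 10022
    Ciphers aes128-cbc
    MACs hmac-sha1
    KexAlgorithms diffie-hellman-group1-sha1

Host *
    Protocol 2
    HostKeyAlgorithms ssh-rsa
    Ciphers aes256-ctr
    MACs hmac-sha2-512
    KexAlgorithms diffie-hellman-group-exchange-sha256
    IdentityFile ~/.ssh/id_rsa
"""


def parse_config(text):
    """Split config text into (host_patterns, [(option, value), ...]) blocks.

    Options before the first Host line apply everywhere, so they land in an
    implicit "Host *" block at the start. Keys are lower-cased because
    ssh_config keywords are case-insensitive.
    """
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """A Host line matches when some positive pattern matches the host and
    no '!'-negated pattern does. Wildcards are * and ?, as in ssh_config."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def resolve(text, host):
    """Effective {option: value} for host: blocks are scanned top to bottom
    and the first value seen for each option wins, the rule ssh applies."""
    effective = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, host):
            for key, value in options:
                effective.setdefault(key, value)  # keep the earlier definition
    return effective


# Algorithms OpenSSH has dropped from its defaults: CBC ciphers (6.7),
# diffie-hellman-group1-sha1 (7.0), ssh-rsa SHA-1 signatures (8.8).
WEAK = {
    "ciphers": lambda alg: alg.endswith("-cbc"),
    "kexalgorithms": lambda alg: alg == "diffie-hellman-group1-sha1",
    "hostkeyalgorithms": lambda alg: alg == "ssh-rsa",
}

LIST_OPTIONS = ("ciphers", "macs", "kexalgorithms", "hostkeyalgorithms")


def audit(effective):
    """Problems in a resolved config: weak algorithms, and comma lists that
    contain spaces (the real ssh rejects such a line as garbage)."""
    problems = []
    for option in LIST_OPTIONS:
        value = effective.get(option, "")
        if " " in value:
            problems.append((option, "whitespace in comma-separated list"))
        for alg in value.replace(" ", "").split(","):
            if alg and option in WEAK and WEAK[option](alg):
                problems.append((option, alg))
    return problems


if __name__ == "__main__":
    for host in ("myserver", "otherhost"):
        eff = resolve(SAMPLE_CONFIG, host)
        print(host, eff)
        print("  problems:", audit(eff))
```

Run it and compare its output with "ssh -G myserver", which prints the values the real client resolved from your actual config. The WEAK table is deliberately small and reflects only the OpenSSH default changes named in the comments; extend it to your own policy.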