## Improve your SSH experience: use an ssh config file

Posted by Diego Assencio on 2013.11.27 under Linux (Security)

Connecting via SSH can become quite annoying if you do it often by typing commands such as:

ssh myusername@mydomain.com


It is even more annoying if your server does not listen for incoming SSH connections on the default port (22) and you must specify the port number every time you connect to it. For a server listening on port 10022, your command may look like this:

ssh myusername@mydomain.com -p 10022


While you could in principle create a shell alias containing the long ssh command for a server you usually connect to, there is a much more elegant solution to this problem: the ssh client configuration file (documented in ssh_config(5)) is there to save us all from millions of unnecessary keystrokes. To be precise, you can create a file called config in the ~/.ssh directory and put all parameters necessary to connect to a server into that file under a name of your choice. To get that done, open the ~/.ssh/config file (if you do not have a ~/.ssh directory, create it first):

nano ~/.ssh/config


and set the connection parameters for each server you often connect to using the example below. Keep the file writable only by you (chmod 600 ~/.ssh/config): ssh refuses to read a user config file that is writable by the group or by others and aborts with "Bad owner or permissions" instead.

Host myserver
Hostname mydomain.com
Port 10022
User myusername


Above, I assumed "mydomain.com" points to an SSH server accepting connections on port 10022, and that the username associated with the server account is "myusername". The User line is what supplies that name; without it, ssh logs in with your local username, exactly as "ssh mydomain.com" would. If a server listens on the default SSH port, you can omit the Port line (or replace "10022" with "22" if you really wish to specify it). Now we can connect to this server with a much shorter command:

ssh myserver


Much better than writing the long ssh command above, right? Also, if your shell's completion package is installed (bash-completion, or zsh's built-in completion), it reads the Host names from ~/.ssh/config, so "myserver" will be completed if you type part of it and press the Tab key. This is a feature of the shell, not of ssh itself.

### Bonus: security options

You can do many other things with the config file. For instance, you can select the private key you would like to use with a certain server. You can even force ssh to use a specific set of ciphers, MACs, key exchange algorithms and host key algorithms (the key types you are willing to accept from the server) for each server. Lists are comma-separated with no spaces after the commas; a space makes ssh treat the rest of the line as garbage and reject the file. Here is an example:

Host myserver
Hostname mydomain.com
Port 10022
User myusername
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


When you connect to "myserver", the connection will only be established if the server supports the chosen:

- SSH protocol version: 2 (always use this one; version 1 is vulnerable, and current OpenSSH releases no longer implement it at all, so there the Protocol line is accepted but ignored)
- host key algorithm: ssh-rsa, i.e. the server must prove its identity with an RSA host key (this option restricts how the server authenticates to you, not how you log in)
- cipher: AES with 256-bit keys, in either counter (CTR) or cipher-block chaining (CBC) mode
- MAC: HMAC built on a SHA-2 hash function producing 512- or 256-bit digests
- key exchange algorithm: Diffie-Hellman with a negotiated (flexible) group size and SHA-256

Also, the file ~/.ssh/id_rsa will be used as the private RSA key. Whenever multiple choices are specified for a certain parameter (e.g. Ciphers is set to a list containing both aes256-ctr and aes256-cbc), ssh will use the first one in your list which is supported by the server; the order is your preference order, and the server's own ordering does not matter. Two caveats for readers running a current OpenSSH: CBC ciphers such as aes256-cbc are disabled by default in the client since OpenSSH 6.7, and the ssh-rsa host key algorithm (RSA with SHA-1 signatures) is disabled by default since OpenSSH 8.8. The same RSA keys keep working with rsa-sha2-512 and rsa-sha2-256, and ssh-ed25519 is the usual modern choice.

Readers familiar with cryptography will realize this gives the user a lot of control over the security of their connections. To get a complete list of supported ciphers, MACs, key exchange algorithms and host key algorithms, together with the default preference order, see the manual for ssh_config. To see exactly what your own ssh binary supports, ask it directly with ssh -Q cipher, ssh -Q mac, ssh -Q kex and ssh -Q key (OpenSSH 6.3 and later).

man ssh_config


In order to simplify the config file, you can assign a given configuration to many hosts at a time with a pattern: * matches any sequence of characters, ? a single character, and a leading ! negates a pattern (e.g. "Host *.example.com !build.example.com"). Host * therefore matches every connection, as shown below:

Host *
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


This will cause all your SSH connections to any server to use those parameters unless an earlier section already set them. To make this clear: when the config file is read, only the first value found for a given parameter is used for that connection, so host-specific sections must come before the catch-all Host * section, not after it. (The main exception is IdentityFile: multiple IdentityFile lines add to the list of keys tried rather than overriding each other.) So in the example below:

Host myserver
Hostname mydomain.com
Port 10022
User myusername
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group1-sha1

Host *
Protocol 2
HostKeyAlgorithms ssh-rsa
Ciphers aes256-ctr
MACs hmac-sha2-512
KexAlgorithms diffie-hellman-group-exchange-sha256
IdentityFile ~/.ssh/id_rsa


if you connect to "myserver", the parameters set under the myserver section take precedence because they appear earlier in the file. In other words, the MAC used will be hmac-sha1 (HMAC with SHA-1 as hash function) instead of hmac-sha2-512; similarly, the cipher will be aes128-cbc (AES in CBC mode with 128-bit keys) instead of aes256-ctr, and so on. Note that matching is done against the name you type on the command line, not against the Hostname value, so "ssh mydomain.com" would skip the myserver section and get the Host * values instead. The values in the myserver section were chosen only to make the override visible: hmac-sha1, aes128-cbc and diffie-hellman-group1-sha1 are the weakest of the choices shown, and current OpenSSH clients no longer enable aes128-cbc or diffie-hellman-group1-sha1 by default, so such an override would fail to connect there. To verify what ssh will actually use for a host, run "ssh -G myserver" (OpenSSH 6.8 and later), which prints the fully resolved configuration without connecting.
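To make the two rules above concrete, here is an added example in Python (my own illustration, not code from the original post or from OpenSSH): a small resolver that implements Host pattern matching and the first-value-wins rule over a constructed config mirroring the one above, plus the RFC 4253 negotiation rule by which the first algorithm in the client's list that the server also offers is chosen. It models only the Host keyword and plain "Keyword value" lines; Match and Include, and the accumulating behaviour of IdentityFile, are deliberately left out, and the config text and host names (including the hypothetical *.internal.example hosts) are constructed for the demonstration.

```python
"""Resolve an ssh_config the way ssh(1) does and pick the negotiated algorithm.

Added example, not code from the original post: the config text below is
constructed for illustration and mirrors the post's last example.
"""
import fnmatch

# Constructed sample config. Lists are comma-separated with NO spaces,
# which is the form ssh_config(5) expects.
SAMPLE_CONFIG = """\
# Host-specific sections come first; "Host *" catches everything else.
Host myserver
    Hostname mydomain.com
    Port 10022
    User myusername
    Ciphers aes128-cbc
    MACs hmac-sha1
    KexAlgorithms diffie-hellman-group1-sha1

Host *.internal.example !build.internal.example
    User admin

Host *
    Protocol 2
    HostKeyAlgorithms ssh-rsa
    Ciphers aes256-ctr,aes256-cbc
    MACs hmac-sha2-512,hmac-sha2-256
    KexAlgorithms diffie-hellman-group-exchange-sha256
    IdentityFile ~/.ssh/id_rsa
"""

# Options whose value is a comma-separated algorithm list.
LIST_OPTIONS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms"}


def parse_config(text):
    """Return a list of (host_patterns, [(keyword, value), ...]) blocks.
    Keywords are case-insensitive; blank and '#' lines are skipped. Options
    before the first Host line form an implicit catch-all block. Only the
    "Keyword value" form is handled, not "Keyword=value"."""
    blocks, patterns, options = [], ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Host keyword semantics: `host` is the name typed on the command line
    (not the Hostname value); '*' and '?' are wildcards and a leading '!'
    negates. A negated pattern that matches vetoes the whole block."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(blocks, host):
    """Effective options for `host`: the first value found wins, so earlier
    blocks override later ones. (IdentityFile, which accumulates in real
    ssh, is treated as an ordinary first-wins option here.)"""
    effective = {}
    for patterns, options in blocks:
        if not host_matches(patterns, host):
            continue
        for keyword, value in options:
            if keyword in effective:
                continue  # set by an earlier block: this value is ignored
            if keyword in LIST_OPTIONS:
                if " " in value:  # ssh rejects "a, b" as garbage at end of line
                    raise ValueError(f"{keyword}: no spaces allowed in list {value!r}")
                effective[keyword] = value.split(",")
            else:
                effective[keyword] = value
    return effective


def negotiate(client_prefs, server_supported):
    """Algorithm negotiation (RFC 4253 section 7.1): the first entry of the
    client's list that the server also offers is chosen; the server's own
    order is irrelevant. None means no overlap, i.e. ssh would abort."""
    offered = set(server_supported)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None


if __name__ == "__main__":
    blocks = parse_config(SAMPLE_CONFIG)
    for name in ("myserver", "mydomain.com", "db.internal.example"):
        print(name, resolve(blocks, name))
    # A server that lists CBC first still ends up with the client's first choice.
    print(negotiate(["aes256-ctr", "aes256-cbc"], ["aes256-cbc", "aes256-ctr"]))
```

Running it shows that "mydomain.com" does not hit the myserver section (it gets the Host * ciphers), that "db.internal.example" picks up User admin while the negated "build.internal.example" does not, and that a list written with a space after the comma is rejected rather than silently truncated. For your real config, ssh -G gives the same resolved view straight from the ssh binary.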