diego.assencio.com

Improve your SSH experience: use an ssh config file

Posted by Diego Assencio on 2013.11.27 under Linux (Security)

Connecting via SSH can become quite annoying if you do it often by typing commands such as: 

ssh myusername@mydomain.com

It is even more annoying if your server does not listen for incoming SSH connections on the default port (22) and you must specify the port number every time you connect to it. For a server listening on port 10022, your command may look like this: 

ssh myusername@mydomain.com -p 10022

While you could in principle create a shell alias containing the long ssh command for a server you usually connect to, there is a much more elegant solution to this problem: the ssh configuration file is there to save us all from millions of unnecessary keystrokes. To be precise, you can create a file called config in the ~/.ssh directory and put all parameters necessary to connect to a server into that file under a given name of your choice. To get that done, open the ~/.ssh/config file (if you do not have a ~/.ssh directory, create it first): 

nano ~/.ssh/config

and set the connection parameters for each server you often connect to using the example below: 

Host myserver
	Hostname mydomain.com
	User myusername
	Port 10022

Above, I assumed "mydomain.com" points to an SSH server accepting connections on port 10022, and that the username associated with the server account is "myusername". If a server listens on the default SSH port, you can omit the "Port" line on its configuration (or replace "10022" with "22" if you really wish to specify it). Now we can connect to this server with a much shorter command: 

ssh myserver

Much better than writing the long ssh command above, right? Also, the server name ("myserver" in our case) will be automatically completed if you type part of it and press the "Tab" key.

Bonus: security options

You can do many other things with the config file. For instance, you can select a private key which you would like to use with a certain server. You can even force ssh to use a specific set of MACs, key exchange algorithms, ciphers and authentication algorithms for each server. Here is an example: 

Host myserver
	Hostname mydomain.com
	User myusername
	Port 10022
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr, aes256-cbc
	MACs hmac-sha2-512, hmac-sha2-256
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

When you connect to "myserver", the connection will only be established if the server supports the chosen:

SSH protocol version:2 (always use this one; version 1 is vulnerable)
authentication algorithm: RSA
cipher: AES with either counter or cipher-block chaining as mode of operation and 256-bit long keys
MAC: HMAC based on a SHA-2 hash function producing either 512- or 256-bit long digests
key exchange algorithm: Diffie-Hellman with flexible group size using SHA-2 with 256-bit long digests

Also, the file ~/.ssh/id_rsa will be used as the private RSA key. Whenever multiple choices are specified for a certain parameter (e.g. Ciphers is set to a list containing both aes256-ctr and aes256-cbc), ssh will always use the first one in the list which is supported by the server.

Readers familiar with cryptography will realize this gives the user a lot of control over the security of their connections. To get a complete list of supported ciphers, MACs, key exchange algorithms and authentication algorithms, see the manual for ssh_config: 

man ssh_config

In order to simplify the config file, you can assign a given configuration to many hosts at a time with the * symbol as shown below: 

Host *
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr, aes256-cbc
	MACs hmac-sha2-512, hmac-sha2-256
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

This will cause all your SSH connections to any server to use those parameters unless they have already been specified. To make this clear: when the config file is read, only the first definition of a parameter for a certain server will be used. So in the example below: 

Host myserver
	Hostname mydomain.com
	User myusername
	Port 10022
        Ciphers aes128-cbc
        MACs hmac-sha1
        KexAlgorithms diffie-hellman-group1-sha1

Host *
	Protocol 2
	HostKeyAlgorithms ssh-rsa
	Ciphers aes256-ctr
	MACs hmac-sha2-512
	KexAlgorithms diffie-hellman-group-exchange-sha256
	IdentityFile ~/.ssh/id_rsa

if you connect to "myserver", the parameters set under the myserver section will take precedence as they are defined earlier in the config file. In other words, the MAC used will be hmac-sha1 (HMAC with SHA-1 as hash function) instead of hmac-sha2-512. Similarly, the block cipher used will be aes128-cbc (AES with CBC as mode of operation and 128-bit long keys) instead of aes256-ctr, and so on.

Comments

IIm Tryin to lay you down easaay on Mar 22, 2017:
THANKS! This saved my sorry a$!
Ezeelogin on May 28, 2022:
Very helpful tutorial for ssh configuration
Dr. Strangelove on May 31, 2022:
Thanks for the tip. This worked great.

At work, we have a different username for our service provider environments. So I was able to create a config file that specified the user and cipher preference. Even better, I used the HOST command to specify the IP address space using that account:

host 192.168.*.*

User user1
Ciphers aes256-cbc


Worked like a charm!