SSH Config - My favourite config file

The SSH Config file is totally the most underrated config file on any Unix machine...

It's stored in ~/.ssh/config, alongside your keys and known_hosts file.

Take a look at a bit of my simple config:

Here, we're specifying a Host (name), a default User (optional), a Hostname (obvious), and a Port (optional, but I include it for consistency with my other hosts).

Once these are set up, one can SSH quite simply, without an IP etc., just our defined Host name:

You can see here that I'm using key-based authentication, because who in their right mind has SSH password authentication enabled on production servers?

If you have multiple SSH keys, you can specify which one using the "IdentityFile" option, or if you have a SOCKS proxy/SSH port forwarding setup, you can use "LocalForward".

There are a lot of options available; take a look at the documentation.

How to set up key-based SSH authentication

  1. Make a key
    This is super easy... Just run
    ssh-keygen -t rsa
    And it'll put everything where it needs to be. You probably want to set a password (ssh-keygen calls it a passphrase), or anyone who finds your laptop will have access to your servers etc.
  2. "Beam me up, Scotty"
    Time to send the key to the remote server... This is especially easy if you've already got SSH Config set up for your server...
    ssh-copy-id london # Or use an IP address, I don't care
    This will prompt for your password the first time.
  3. Bask in the glory of sensible authentication.
    Now you can SSH like normal, but without the faff of using different passwords.

For extra marks, I'd recommend you disable password authentication on your SSH server (SO) and change the default SSH port from 22, to something that'll take ages for the script-kiddies' toys to get to, like 999999... or maybe something else, I don't care.
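
One way to check the server-side changes suggested above, as an added example rather than anything from the original post: a shell function that reads a copy of sshd_config and reports whether password authentication is really off and whether every Port value is a usable TCP port (1-65535). The function names and the sample file are constructed for illustration; on a live host, `sshd -T` prints the effective configuration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the two
# server-side changes recommended above. Include files and Match blocks
# are not evaluated (assumption: the settings live in the main file).

# global_values FILE KEYWORD: print each value set for KEYWORD before the
# first Match block. Keywords are case-insensitive.
global_values() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }      # tolerate "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2 }
    ' "$1"
}

# audit_sshd_config FILE: print findings; return 0 if clean, 1 otherwise.
audit_sshd_config() {
    rc=0
    # For most keywords sshd keeps the first value it reads; unset = "yes".
    pw=$(global_values "$1" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is ${pw:-unset, default yes}"; rc=1
    fi
    # Port may appear several times; every one must be a valid TCP port.
    ports=$(global_values "$1" Port)
    for port in ${ports:-22}; do
        case $port in
            *[!0-9]*) echo "FAIL: Port '$port' is not a number"; rc=1 ;;
            *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                   echo "FAIL: Port $port is outside 1-65535"; rc=1
               elif [ "$port" -eq 22 ]; then
                   echo "NOTE: listening on the default port 22"
               fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample: password auth only disabled inside a Match block,
# and a port number that cannot exist.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 999999
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
```
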

Why?

Using config is the best way to make security easy. If you've got to faff about with long passwords every day, you'll get fed up and make shorter passwords (I would)... So if we instead use configuration to make the security seamless, we get the best of both worlds.