Beginners guide to use ssh config file with examples

Did you recently heard for ssh config file for the first time? Now wondering is there really is a ssh config file or I heard it by mistake? As you only knew about sshd_config? Let me disappoint you, there is one more thing now which you have to learn about because we really do have ssh config file in Linux. So what is ssh_config file? How do I use it?

In this tutorial I will give you a complete overview on it's usage and different practical examples from real time production environment. I will try to go as basic as possible to also help absolute beginners understand the concept behind the usage of ssh config file.

In Linux we have two different SSH configuration files

  1. server side - sshd_config
  2. client side - ssh_config

 

Different Client SSH Config File Location

First of all you should be familiar with the location of ssh config file which you choose for your environment. SSH will give preference in the below sequential order

  1. command-line options (ssh -o <arg=val>)
  2. user's configuration file (~/.ssh/config)
  3. system-wide configuration file (/etc/ssh/ssh_config)

For each parameter, the first obtained value will be used. So now you know you can use either of these methods or files to place your client configuration but SSH will give precedent in the provided order.

 

SSH with Command Line Options (ssh -o)

  • All the arguments provided with command line arguments using SSH will be given the highest priority over all other available client SSH configuration files
  • You can check man page of ssh_config to get the list of supported arguments to be used with ssh

The syntax to use command line arguments would be:

ssh [-o arg1] [-o arg2] [-o arg3] .. user@remote_server

The below image will help you understand the flow:

Beginners guide to use ssh config file with examples
SSH command line option

 

User specific SSH Config File (~/.ssh/config)

You can create a user specific ssh configuration file per user on your Linux server. By default such client configuration file does not exist so you will need to create one depending upon your requirement

Create .ssh directory under user's home folder and assign 700 permission to this directory

[deepak@rhel-8 ~]$ mkdir ~/.ssh

[deepak@rhel-8 ~]$ chmod 700 ~/.ssh/

[deepak@rhel-8 ~]$ ls -ld ~/.ssh/
drwx------ 2 deepak deepak 4096 May 29 20:16 /home/deepak/.ssh/

Next create a config file under this directory and assign 600 permission

[deepak@rhel-8 ~]$ touch ~/.ssh/config

[deepak@rhel-8 ~]$ chmod 600 ~/.ssh/config

[deepak@rhel-8 ~]$ ls -l ~/.ssh/
total 0
-rw------- 1 deepak deepak 0 May 29 20:18 config

The content syntax for this config file would be:

Host <hostname>
   ARG1=VALUE
   ARG2=VALUE
   ARG3=VALUE
   ..
   
Host <hostname>
   ARG1=VALUE
   ARG2=VALUE
   ..

Host *   
   ARG1=VALUE
   ARG2=VALUE
   ..

 

Understanding the syntax

  • There is no such restriction to define 3 hosts, I have just added them here for reference
  • The file contains keyword-argument pairs, one per line
  • Lines starting with '#' and empty lines are interpreted as comments.
  • Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces.
  • Configuration options may be separated by white space or optional white space and exactly one ‘=
  • You can define n number of hosts by using Host section
  • It is recommended to give some indentation with white space character before you define the arguments for cleaner view (not mandatory though)
  • This file is divided into blocks where each block is defined per Host value
  • In the last section I have used a regex PATTERN to match the Host. Read more about PATTERNS in the next chapter:

 

PATTERNS

Below list of regex PATTERNS are supported:

* (wildcard that matches zero or more characters)

For example:

Host *.example.com
   # Place config here

So this would match everything with example.com domain

? (wildcard that matches exactly one character)

For example:
The following pattern would match any host in the 192.168.0.[0-9] network range:

Host 192.168.0.?
  # Place config here

! (Negated match)

If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match.
Negated matches are therefore useful to provide exceptions for wildcard matches.

For example, to allow a key to be used from all hosts except from 192.168.0.100

Host * !192.168.0.100 
   # Place config here

 

Sample SSH config file with multiple Host section

Below is my sample ~/.ssh/config file for  user

Beginners guide to use ssh config file with examples
Sample SSH Config File Example

 

Now I can just do SSH for one of these servers and the respective configuration option will be used for the connection (Here I have not defined any server1 in /etc/hosts and this mapping is working due to the SSH configuration file)

[deepak@client ~]$ ssh server1
root@192.168.43.154's password:
Welcome to server1

This file was created on 2020-02-01
Go away if you have no business being here

Contact admin@golinuxcloud.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri May 29 20:27:59 2020 from 192.168.43.10
[root@server1 ~]#

 

System Wide SSH Config file (/etc/ssh/ssh_config)

  • To define a system wide SSH configuration file use /etc/ssh/ssh_config file
  • This file will already be there with default template so you can add more Host entries or use the existing template

The location of the config file

# ls -l /etc/ssh/ssh_config
-rw-r--r-- 1 root root 1766 May 29 21:40 /etc/ssh/ssh_config

The sections would be commented by default with few example values:

# Host
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication yes
#   EnableSSHKeysign yes
{Output trimmed}

 

Some Examples

For example we would like to define few configuration parameters as common for all SSH connections from client machine so such arguments can be defined in /etc/ssh/ssh_config file as below:

Host *
   Port 2222
   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
   PasswordAuthentication yes
   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
   ConnectTimeout 20

In this example I have applied a system wide SSH configuration to use Port 2222 for all SSH communication from client to any node. Now I have not defined any Port in my user specific configuration file for server1 for user deepak

[deepak@client ~]$ cat .ssh/config
Host server1
   HostName=192.168.43.154
   StrictHostKeyChecking=no
   User=root
   PasswordAuthentication=yes
   GSSAPIAuthentication=no
   ConnectTimeout=10

So when we do SSH from client to server1 (I will enable verbose mode)

[deepak@client ~]$ ssh -v server1

debug1: Reading configuration data /home/deepak/.ssh/config
debug1: /home/deepak/.ssh/config line 14: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.43.154 [192.168.43.154] port 2222.
debug1: Connection established.

So SSH by default is using Port 2222, what if I define a different port number in ~/.ssh/config ?

[deepak@client ~]$ ssh -v server1

debug1: Reading configuration data /home/deepak/.ssh/config
debug1: /home/deepak/.ssh/config line 15: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.43.154 [192.168.43.154] port 22.

Now the user specific configuration file is given precedent over system wide config file.

I would recommend also read about different authentication methods available with sshd_config

 

Conclusion

In this tutorial we learned about different SSH Client configuration options and files. This file is very helpful in real time production environments as we have to define multiple SSH arguments every time we do SSH such as when using Public Key Authentication we disable StrictHostKeyChecking to avoid any prompt, provide the private key file with IdentityFile to perform password less authentication, batchMode would be yes.

So there are many similar values which we use with SSH to avoid any user prompt and completely automate the communication with complete security. You must be familiar with the different file which you can use and the order in which SSH reads these files, the verbose output from SSH client will give more details about this sequence.

Lastly I hope this tutorial to understand SSH config file and it's usage on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

References

I have used below external references for this tutorial guide
man page of SSH

Leave a Comment

Please use shortcodes <pre class=comments>your code</pre> for syntax highlighting when adding code.