Did you recently hear about the ssh config file for the first time? Are you now wondering whether there really is an ssh config file, or whether you misheard, because so far you only knew about sshd_config? Let me disappoint you: there is one more thing you have to learn about, because we really do have an ssh config file in Linux. So what is the ssh_config file? How do I use it?
In this tutorial I will give you a complete overview of its usage and different practical examples from a real production environment. I will try to go as basic as possible to also help absolute beginners understand the concept behind the usage of the ssh config file.
In Linux we have two different SSH configuration files:
- server side: sshd_config
- client side: ssh_config
Different Client SSH Config File Locations
First of all you should be familiar with the location of the ssh config file you choose for your environment. SSH gives preference in the following order:
- command-line options (ssh -o <arg=val>)
- user's configuration file (~/.ssh/config)
- system-wide configuration file (/etc/ssh/ssh_config)
For each parameter, the first obtained value will be used. So now you know you can use any of these methods or files to place your client configuration, but SSH will give precedence in the order above.
SSH with Command Line Options (ssh -o)
- All arguments provided on the command line with ssh -o are given the highest priority over all other available client SSH configuration files
- Check the man page of ssh_config to get the list of supported arguments to be used with ssh
The syntax to use command line arguments would be:
ssh [-o arg1] [-o arg2] [-o arg3] .. user@remote_server
The below image will help you understand the flow:
User specific SSH Config File (~/.ssh/config)
You can create a user specific ssh configuration file per user on your Linux server. By default such a client configuration file does not exist, so you will need to create one depending upon your requirement.
Create a .ssh directory under the user's home folder and assign 700 permission to this directory:
[deepak@rhel-8 ~]$ mkdir ~/.ssh
[deepak@rhel-8 ~]$ chmod 700 ~/.ssh/
[deepak@rhel-8 ~]$ ls -ld ~/.ssh/
drwx------ 2 deepak deepak 4096 May 29 20:16 /home/deepak/.ssh/
Next create a config file under this directory and assign 600 permission:
[deepak@rhel-8 ~]$ touch ~/.ssh/config
[deepak@rhel-8 ~]$ chmod 600 ~/.ssh/config
[deepak@rhel-8 ~]$ ls -l ~/.ssh/
total 0
-rw------- 1 deepak deepak 0 May 29 20:18 config
The content syntax for this config file would be:
Host <hostname>
ARG1=VALUE
ARG2=VALUE
ARG3=VALUE
..
Host <hostname>
ARG1=VALUE
ARG2=VALUE
..
Host *
ARG1=VALUE
ARG2=VALUE
..
Understanding the syntax
- There is no restriction to define exactly 3 hosts; I have just added three here for reference
- The file contains keyword-argument pairs, one per line
- Lines starting with '#' and empty lines are interpreted as comments
- Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces
- Configuration options may be separated by white space, or by optional white space and exactly one '='
- You can define any number of hosts by using Host sections
- It is recommended to indent the arguments with white space before you define them, for a cleaner view (not mandatory though)
- This file is divided into blocks, where each block is defined per Host value
- In the last section I have used a PATTERN to match the Host. Read more about PATTERNS in the next chapter:
PATTERNS
The following PATTERNS are supported:
* (wildcard that matches zero or more characters)
For example:
Host *.example.com
# Place config here
So this would match every host in the example.com domain.
? (wildcard that matches exactly one character)
For example:
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
# Place config here
! (Negated match)
If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match.
Negated matches are therefore useful to provide exceptions for wildcard matches.
For example, to allow a key to be used from all hosts except 192.168.0.100:
Host * !192.168.0.100
# Place config here
Sample SSH config file with multiple Host sections
Below is my sample ~/.ssh/config file for user
Now I can just SSH to one of these servers and the respective configuration options will be used for the connection (here I have not defined any server1 in /etc/hosts; this mapping works because of the SSH configuration file):
[deepak@client ~]$ ssh server1
root@192.168.43.154's password:
Welcome to server1
This file was created on 2020-02-01
Go away if you have no business being here
Contact admin@golinuxcloud.com if anything is wrong
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri May 29 20:27:59 2020 from 192.168.43.10
[root@server1 ~]#
System Wide SSH Config file (/etc/ssh/ssh_config)
- To define a system wide SSH configuration file use the /etc/ssh/ssh_config file
- This file will already be there with a default template, so you can add more Host entries or use the existing template
The location of the config file:
# ls -l /etc/ssh/ssh_config
-rw-r--r-- 1 root root 1766 May 29 21:40 /etc/ssh/ssh_config
The sections are commented out by default with a few example values:
# Host
#   ForwardAgent no
#   ForwardX11 no
#   PasswordAuthentication yes
#   HostbasedAuthentication yes
#   EnableSSHKeysign yes
{Output trimmed}
Some Examples
For example, we would like to define a few configuration parameters as common for all SSH connections from the client machine, so such arguments can be defined in the /etc/ssh/ssh_config file as below:
Host *
Port 2222
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
PasswordAuthentication yes
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
ConnectTimeout 20
In this example I have applied a system wide SSH configuration to use Port 2222 for all SSH communication from the client to any node. Now I have not defined any Port in my user specific configuration file for server1 for user deepak:
[deepak@client ~]$ cat .ssh/config
Host server1
HostName=192.168.43.154
StrictHostKeyChecking=no
User=root
PasswordAuthentication=yes
GSSAPIAuthentication=no
ConnectTimeout=10
So when we SSH from the client to server1 (I will enable verbose mode):
[deepak@client ~]$ ssh -v server1
debug1: Reading configuration data /home/deepak/.ssh/config
debug1: /home/deepak/.ssh/config line 14: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.43.154 [192.168.43.154] port 2222.
debug1: Connection established.
So SSH by default is using Port 2222. What if I define a different port number in ~/.ssh/config?
[deepak@client ~]$ ssh -v server1
debug1: Reading configuration data /home/deepak/.ssh/config
debug1: /home/deepak/.ssh/config line 15: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 192.168.43.154 [192.168.43.154] port 22.
Now the user specific configuration file is given precedence over the system wide config file.
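As an added illustration (not part of the original tutorial, and not OpenSSH's own code), the following Python model implements the two rules this page relies on: the Host PATTERNS from the earlier chapter (the * and ? wildcards, and the ! negation that vetoes a whole block) and the first-obtained-value-wins precedence across -o options, ~/.ssh/config and /etc/ssh/ssh_config. The config strings are constructed samples modelled on the tutorial's server1 entry, and the function names are my own.

```python
import re
import shlex

def host_matches(patterns, host):
    """'*' = any run of chars, '?' = one char; a matching '!' entry vetoes the whole block."""
    matched = False
    for pat in patterns.replace(",", " ").split():
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host):
            if pat.startswith("!"):
                return False          # negated match: ignore this Host entry entirely
            matched = True
    return matched

def parse_config(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order.
    Keys are lowercased; 'key value' and 'key=value' are both accepted."""
    blocks = [("*", [])]              # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, value = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        value = " ".join(shlex.split(value))  # strip optional double quotes
        if key.lower() == "host":
            blocks.append((value, []))
        else:
            blocks[-1][1].append((key.lower(), value))
    return blocks

def resolve(host, cmdline, user_cfg, system_cfg):
    """-o pairs first, then ~/.ssh/config, then /etc/ssh/ssh_config; first value wins."""
    effective = {k.lower(): v for k, v in cmdline}
    for text in (user_cfg, system_cfg):
        for patterns, options in parse_config(text):
            if host_matches(patterns, host):
                for key, value in options:
                    effective.setdefault(key, value)   # an earlier value is never overridden
    return effective

# Constructed sample files modelled on the tutorial's configs (hypothetical values).
USER_CFG = """Host server1
    HostName=192.168.43.154
    User=root
    ConnectTimeout=10
Host * !server1
    StrictHostKeyChecking no
"""
SYSTEM_CFG = "Host *\n    Port 2222\n    ConnectTimeout 20\n"
```

The real client answers the same question with ssh -G server1, which prints the effective options for a host without opening a connection.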
I would also recommend reading about the different authentication methods available with sshd_config.
Conclusion
In this tutorial we learned about the different SSH client configuration options and files. This file is very helpful in real production environments, where we would otherwise have to pass multiple SSH arguments every time we run ssh: for example, when using public key authentication we disable StrictHostKeyChecking to avoid any prompt, provide the private key file with IdentityFile to perform password-less authentication, and set BatchMode to yes.
So there are many similar values which we use with SSH to avoid any user prompt and fully automate the communication while keeping it secure. You must be familiar with the different files you can use and the order in which SSH reads them; the verbose output from the SSH client will give more details about this sequence.
Lastly, I hope this tutorial on the SSH config file and its usage on Linux was helpful. So, let me know your suggestions and feedback using the comment section.
References
I have used the below external references for this tutorial guide:
man page of SSH