Sunday, 11 September 2016

SSH config for users

Let me ask you a question: are you still typing ssh admin@host.com, or, more likely, setting up port forwarding by hand like this: ssh -L 5900:localhost:5900 admin@host.com?

If so, STOP right now, just stop. There is a much better way: it's called the ssh config file, and OpenSSH reads two of them:
user's configuration file (~/.ssh/config)
system-wide configuration file (/etc/ssh/ssh_config)

For the moment, since I'm not the sharing kind when it comes to connection details, we'll focus on the user configuration file stored in ~/.ssh/config. If you've never used it before the file doesn't exist yet, so you need to create it. You can do that with vi or nano, but we'll simply use touch ~/.ssh/config

Now you should have an empty file; let's look at some examples of what can go in it.

Host server1
     HostName server1.company.com
     User minecraft
     Port 4242
     IdentityFile ~/.ssh/server1.key


Host server2
     HostName 192.168.1.100
     User root
     IdentityFile ~/.ssh/server2.key

This lets you connect with just ssh server1 or ssh server2. Not only is that shorter and easier to remember, it also means you no longer need to remember switches like -p and -i. And there is no reason to stop there: more complex configurations can match whole domains and IP ranges.


Here is a larger example covering a few kinds of setups: non-default ports, port forwarding and keep-alive (timeout) settings.

## override as per host: ssh keeps the FIRST value it finds for each option, ##
## so the host-specific blocks go first and the catch-all "Host *" goes last ##
Host server1
     HostName server1.company.com
     User minecraft
     Port 4242
     IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

## Home nas server ##
Host nas
     HostName 192.168.1.100
     User root
     IdentityFile ~/.ssh/nas01.key

## Login AWS Cloud ##
Host aws.apache
     HostName 10.20.3.4
     User wwwdata
     IdentityFile ~/.ssh/aws.apache.key


## Forward all local port 3128 traffic to port 3128 on the remote vps1.company.com server ##
## $ ssh -f -N proxy ##
Host proxy
    HostName vps1.company.com
    User anonnymus
    IdentityFile ~/.ssh/vps1.key
    LocalForward 3128 127.0.0.1:3128

## default for all: kept last so it only fills in what the blocks above left unset ##
Host *
     ForwardAgent no
     ForwardX11 no
     ForwardX11Trusted yes
     User minecraft
     Port 22
     Protocol 2
     ServerAliveInterval 60
     ServerAliveCountMax 30

You can also use patterns in the Host line, so that anything matching the pattern picks up the block. * matches any string and ? matches a single character, for example:
Host *.company.com
Host 192.168.0.?
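To see why the order of the blocks matters, and how the domain and address-range patterns above match several names from one block, here is an added example that is not from the original post: a small POSIX sh emulation of how the ssh client resolves an option from its config. It walks the file top to bottom and keeps the first value found in a block whose Host pattern matches the name given on the command line, which is exactly why a catch-all Host * placed at the top silently overrides the per-host Port and User below it. The config text inside is constructed for the demo, and the resolver only understands * and ? in Host patterns (no ! negation, no Match blocks).

```shell
#!/bin/sh
# Added example, not part of the original post: a tiny emulation of how the
# ssh client picks option values from its config. ssh walks the file top to
# bottom and, for every option, keeps the FIRST value it finds in a block whose
# Host pattern matches the name given on the command line. That is why a
# catch-all "Host *" belongs at the END of the file: put first, its Port and
# User silently win over every per-host block below it.
# Assumptions: Host patterns use only '*' and '?' (no '!' negation, no Match
# blocks) and keywords are spelled exactly as queried.

# Constructed sample config, same shape as the post's larger example but with
# the defaults block placed last, as ssh_config(5) recommends.
GOOD_ORDER=$(cat <<'EOF'
## override as per host ##
Host server1
     HostName server1.company.com
     User minecraft
     Port 4242

## Home nas server ##
Host nas
     HostName 192.168.1.100
     User root

## one block for a whole domain and a small address range ##
Host *.company.com 192.168.0.?
     User admin
     Port 4444

## defaults for everything else: keep this last ##
Host *
     User minecraft
     Port 22
     ServerAliveInterval 60
EOF
)

# The same blocks with "Host *" moved to the top: the common mistake.
BAD_ORDER=$(printf '%s\n' "$GOOD_ORDER" | awk '
    /^Host \*$/ { dflt = 1 }
    dflt        { d = d $0 "\n"; next }
                { rest = rest $0 "\n" }
    END         { printf "%s\n%s", d, rest }')

# resolve ALIAS OPTION [CONFIG_TEXT]
# Prints the effective value of OPTION when running "ssh ALIAS"; exit status 1
# if no matching block sets it.
resolve() (
    set -f                         # keep '*' in patterns from globbing files
    alias_=$1; want=$2; cfg=${3:-$GOOD_ORDER}
    matched=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # drop leading blanks
        case $line in ''|'#'*) continue ;; esac    # blank or comment line
        key=${line%%[[:space:]]*}
        val=${line#"$key"}; val=${val#"${val%%[![:space:]]*}"}
        if [ "$key" = Host ]; then
            matched=0                              # a new block starts
            for pat in $val; do                    # several patterns allowed
                case $alias_ in $pat) matched=1 ;; esac
            done
        elif [ "$matched" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$val"                   # first obtained value wins
            exit 0
        fi
    done <<EOF
$cfg
EOF
    exit 1
)

echo "server1 port, defaults last:   $(resolve server1 Port)"              # 4242
echo "server1 port, defaults first:  $(resolve server1 Port "$BAD_ORDER")" # 22
echo "nas user, defaults first:      $(resolve nas User "$BAD_ORDER")"     # minecraft
echo "192.168.0.7 user, range block: $(resolve 192.168.0.7 User)"          # admin
```

The real client has the same check built in: ssh -G server1 (OpenSSH 6.8 and later) prints every option as ssh will actually use it after evaluating the Host blocks, which is the quickest way to confirm that a Port or IdentityFile override really took.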

You can also pre-configure connections that go through a server with access to the network, such as a proxy or gateway host.

## the gateway itself must be reached directly, otherwise the wildcard ##
## rule below would try to proxy the gateway through itself ##
Host accessable.company.com
  ProxyCommand none

Host *.company.com
  User admin
  Port 4444
  IdentityFile ~/.ssh/aws.apache.key
  ForwardAgent yes
  ProxyCommand ssh accessable.company.com nc %h %p

Now any server I ssh to whose name ends in company.com is reached by first connecting to the gateway (accessable.company.com) and then on to the target server, meaning you don't have to type very long ssh commands to reach a server.

Note that for the last example, forwarding has to be enabled on the gateway's SSH server, and nc must be installed there, since the ProxyCommand runs it on the gateway.
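As an added check that is not part of the original post, here is a POSIX sh lint pass over a client config covering the things that silently break or weaken a setup like the ones above: a config file or private key with permissions ssh rejects, and ForwardAgent yes under a wildcard Host block, which hands your agent to every host the pattern matches rather than just the gateway. The home directory, key files and config it lints are constructed in a temporary directory; the hostnames in that config come from the post's examples, and accessable.company.com is assumed to be the gateway.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint pass over a client ssh
# config for three things that bite ~/.ssh/config users:
#   1. the config file is group- or world-writable (ssh refuses such a file
#      with "Bad owner or permissions on ~/.ssh/config"),
#   2. an IdentityFile whose private key is group- or world-readable (ssh
#      skips the key with "Permissions ... are too open"),
#   3. "ForwardAgent yes" inside a wildcard Host block, which offers your
#      agent to every host the pattern matches, not only the gateway.
# Assumptions: plain "Host" blocks (no Match), key paths without spaces,
# "~/" means HOME_DIR, and a GNU or BSD stat for the numeric mode.

# file_mode PATH -> the last three octal digits of its mode, e.g. 600
file_mode() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# lint_ssh_config CONFIG [HOME_DIR]
# Prints one line per finding; the exit status is the number of findings.
lint_ssh_config() (
    set -f
    cfg=$1; home=${2:-$HOME}; n=0
    # 1. write bit set for group (2nd digit) or others (3rd digit)
    case $(file_mode "$cfg") in
        ?[2367]?|??[2367])
            echo "config $cfg is group/world writable; ssh will refuse it"
            n=$((n + 1)) ;;
    esac
    # 2. each IdentityFile must exist and be readable by the owner only
    for keyfile in $(awk 'tolower($1) == "identityfile" { print $2 }' "$cfg"); do
        case $keyfile in '~/'*) keyfile="$home/${keyfile#'~/'}" ;; esac
        if [ ! -f "$keyfile" ]; then
            echo "IdentityFile $keyfile does not exist"; n=$((n + 1))
        else
            case $(file_mode "$keyfile") in
                ?00) ;;
                *) echo "key $keyfile is readable by others; ssh will skip it"
                   n=$((n + 1)) ;;
            esac
        fi
    done
    # 3. ForwardAgent yes under a Host pattern containing * or ?
    blocks=$(awk 'tolower($1) == "host" { wild = ($0 ~ /[*?]/); pat = $0 }
                  tolower($1) == "forwardagent" && tolower($2) == "yes" && wild { print pat }' "$cfg")
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        echo "ForwardAgent yes under wildcard block \"$pat\"; scope it to the gateway host only"
        n=$((n + 1))
    done <<EOF
$blocks
EOF
    exit "$n"
)

# demo_lint bad|fixed -> prints the number of findings for a constructed home
# directory; the findings themselves go to stderr
demo_lint() {
    d=$(mktemp -d) && mkdir "$d/.ssh"
    printf 'constructed placeholder, not a real key\n' > "$d/.ssh/gw.key"
    cp "$d/.ssh/gw.key" "$d/.ssh/nas.key"
    cat > "$d/.ssh/config" <<'EOF'
Host nas
     HostName 192.168.1.100
     User root
     IdentityFile ~/.ssh/nas.key

## the gateway itself is reached directly ##
Host accessable.company.com
     ProxyCommand none

## everything else in the domain goes through the gateway ##
Host *.company.com
     User admin
     IdentityFile ~/.ssh/gw.key
     ForwardAgent yes
     ProxyCommand ssh -W %h:%p accessable.company.com
EOF
    if [ "$1" = fixed ]; then
        # ssh -W tunnels through the gateway without the agent being there
        grep -v ForwardAgent "$d/.ssh/config" > "$d/.ssh/config.new" &&
            mv "$d/.ssh/config.new" "$d/.ssh/config"
        chmod 600 "$d/.ssh/nas.key" "$d/.ssh/config"
    else
        chmod 644 "$d/.ssh/nas.key"; chmod 664 "$d/.ssh/config"
    fi
    chmod 600 "$d/.ssh/gw.key"
    lint_ssh_config "$d/.ssh/config" "$d" >&2 && n=0 || n=$?
    rm -rf "$d"
    echo "$n"
}

echo "findings before the fix: $(demo_lint bad)"   # 3
echo "findings after the fix:  $(demo_lint fixed)" # 0
```

The fixed variant also shows two changes worth making to the ProxyCommand example above: a Host accessable.company.com block with ProxyCommand none, so the wildcard rule does not try to proxy the gateway through itself, and ssh -W %h:%p in place of nc, which needs no nc binary on the gateway (it still needs TCP forwarding enabled there, as noted above). Neither form needs your agent on the gateway, so ForwardAgent yes can be dropped from the wildcard block.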
