Make life easy with ssh_config

Victoria D. Doty

This blog site submit addresses how to configure the habits of an SSH client making use of the ssh_config file. We will take a glimpse at the use of wildcards and how they can be employed to radically simplify your everyday living with no bloating your client.

No matter if you are hunting to include some supplemental stability constraints, limit failures, or protect against carpal tunnel, ssh_config is an typically underutilized, nonetheless impressive resource. Our intention is to make everyday living easier to manage a fleet of servers and customers. We’ll do that below by developing a adaptable configuration file for our SSH client.

You should be aware, this submit is not about server-facet configuration by means of sshd_config.

What is ssh_config?

You might be surprised by how significantly of SSH client habits can be configurable. With no a config file, specifying command line arguments to SSH results in being cumbersome promptly:

ssh -i /customers/virag/keys/us-west/ed25519 -p 1024 -l virag  myserver.aws-west.case in point.com

Which is as well long to sort after, permit by itself many times a working day. If you’re running many servers and VMs, developing a tailored ~/.ssh/ssh_config is a excellent way to prune usually employed ssh commands. (Read through much more: “Comparing SSH Keys.”)

For case in point, we can shorten the above to ssh myserver by enhancing the ssh_config to browse:

Host myserver
      Hostname myserver.aws-west.case in point.com
      Consumer virag
      Port 1024
      IdentityFile /customers/virag/keys/us-west/ed25519

How does ssh_config get the job done?

The SSH client reads configuration information and facts from three sites in the subsequent buy:

  1. Method extensive in /and so forth/ssh/ssh_config
  2. Consumer-specific in ~/.ssh/ssh_config
  3. Command line flags equipped to SSH directly

This indicates that command line flags (#three) can override person-specific config (#2), which can override global config (#1).

Going back again to the case in point above, you might discover that ssh_config is organized into stanzas starting off with a host header:

Host [alias]
      Option1 [Worth]
      Option2 [Worth]
      Option3 [Worth]

Whilst not technically required, this format is legible by individuals. The SSH client, nevertheless, does not care about this formatting. Alternatively, it will take configuration parameters by matching the SSH argument entered in the command line with any and all host headers. Wildcards can be employed as aspect of the host header as nicely. Look at:

Host myserver2
      Hostname myserver2.aws-west.case in point.com
Host myserver*
      Hostname myserver1.aws-west.case in point.com
      Consumer virag
      Port 1024

Working with the myserver1 alias, we get what we count on from the 2nd stanza.

      Hostname myserver1.aws-west.case in point.com
Consumer virag
Port 1024

But myserver2 also has a related list of choices.

      Hostname myserver2.aws-west.case in point.com
      Consumer virag
      Port 1024

The SSH client obtains this information and facts by pattern matching and locking in values as it reads sequentially down the file. Mainly because myserver2 matches both equally myserver2 and myserver*, it will to start with take the Hostname worth from myserver2. Then, as it comes to the 2nd pattern match, the Consumer and Port values are employed, but the Hostname field is previously crammed. Permit me repeat this: SSH accepts the to start with worth for every single possibility.

ssh_config case in point

Expanding on what we have realized, let us see how we can organize ssh_config when we have a modest fleet. Acquire the subsequent scenario:

  • Virag functions with 6 environments: Dev, Test, and Prod on both equally east and west coastline AWS locations.
  • Virag has frequent person accessibility to both equally Dev and Prod environments, but is root on Test.
  • Prod environments have stricter stability controls.

Alternatively of remembering many SSH command combinations, I’ve edited my nearby config file.

Host east-prod
      HostName east-prod.prod.case in point.com
Host *-prod
      HostName west-prod.prod.case in point.com
      Consumer virag
      PasswordAuthentication no
      PubKeyAuthentication indeed
      IdentityFile /customers/virag/keys/production/ed25519
Host east-test
      HostName east-test.test.case in point.com
Host *-test
      HostName west-test.test.case in point.com
      Consumer root
Host east-dev
      HostName east-dev.east.case in point.com
Host *-dev
      HostName west-dev.west.case in point.com
      Consumer virag
Host * !prod
      PreferredAuthentications publickey
Host *
      HostName bastion.case in point.com
      Consumer Default
      ServerAliveInternal one hundred twenty
      ServerAliveCountMax 5

If we have been to run ssh east-test, our comprehensive list of choices would browse:

HostName east-test.test.case in point.com
Consumer root
PreferredAuthentications publickey
ServerAliveInternal 30
ServerAliveCountMax 5

The SSH client picked up the supposed possibility values by matching with east-test, *-test, * !prod, and *. You might discover the Host * stanza will implement to any SSH argument. In other terms, Host * defines the global environment for all customers. This is particularly practical for applying stability controls offered to the client. Over, we employed just two, but there are many keywords and phrases that will tighten up stability, this kind of as CheckHostIP, HashKnownHosts, StrictHostKeyChecking, and many much more concealed gems. (Read through much more: “How to SSH Appropriately.”)

A term of warning: Mainly because the SSH client interprets choices sequentially, generic configurations should be positioned towards the bottom of the file. If positioned at the top, possibility values will be fixed before the client can browse host-specific choices additional beneath. In the scenario above, placing Host * at the beginning of the file would result in the person remaining Default.

If a person-off circumstances occur, always bear in mind that choices entered into the command line will override individuals in ssh_config:

ssh -o "Consumer=root" dev

SSH simplicity

The broader takeaway from this write-up is to make everyday living very simple. This can be achieved with even the most basic of configuration choices employed in clever strategies (or making use of Teleport). These allow us to continue to be dedicated to powerful stability and limit human mistake. (Read through much more: “Developer Helpful Infrastructure Safety.”)

Virag Mody joined Teleport in January of 2020, immediately after co-founding a computer software code auditing corporation for Ethereum apps. He continues to find out about trending technologies and creates superior top quality penned and movie information. In his no cost time, Virag enjoys rock climbing, movie video games, and strolling his pet dog.

New Tech Forum presents a location to check out and focus on rising enterprise technology in unparalleled depth and breadth. The collection is subjective, primarily based on our decide of the technologies we believe to be important and of biggest curiosity to InfoWorld readers. InfoWorld does not settle for marketing and advertising collateral for publication and reserves the proper to edit all contributed information. Deliver all inquiries to [email protected]

Copyright © 2021 IDG Communications, Inc.

Next Post

Red Hat Enterprise Linux takes aim at edge computing

With Purple Hat Business Linux eight.four, Purple Hat is emphasizing edge computing deployments, with the addition of container deployment and administration capabilities geared to edge usage. RHEL eight.four will come to be commonly obtainable in the coming months. Declared April 27, RHEL eight.four assists sustain standardization and management throughout Linux […]

Subscribe US Now