For system and network administrators or other users who frequently deal with sessions on multiple machines, SSH ends up being one of the most oft-used Unix tools. SSH usually works so well that until you use it for something slightly more complex than starting a terminal session on a remote machine, you tend to use it fairly automatically. However, the ~/.ssh/config file bears mentioning for a few ways it can make using the ssh client a little easier.

Abbreviating hostnames
If you often have to SSH into a machine with a long host and/or network name, it can get irritating to type it every time. For example, consider the following command:

$ ssh web0911.colo.sta.solutionnetworkgroup.com
If you interact with the web0911 machine a lot, you could include a stanza like this in your ~/.ssh/config:

Host web0911
    HostName web0911.colo.sta.solutionnetworkgroup.com
This would allow you to just type the following for the same result:
$ ssh web0911
Of course, if you have root access on the system, you could also do this by adding the hostname to your /etc/hosts file, or by adding the domain to your /etc/resolv.conf to search it, but I prefer the above solution as it's cleaner and doesn't apply system-wide.

Fixing alternative ports
If any of the hosts with which you interact have SSH processes listening on alternative ports, it can be a pain to both remember the port number and to type it in every time:

$ ssh webserver.example.com -p 5331
You can affix this port permanently into your .ssh/config file instead:

Host webserver.example.com
    Port 5331
This will allow you to leave out the port definition when you call ssh on that host:

$ ssh webserver.example.com
Custom identity files
If you have a private/public key setup working between your client machine and the server, but for whatever reason you need to use a different key from your normal one, you'll be using the -i flag to specify the key pair that should be used for the connection:

$ ssh -i ~/.ssh/id_dsa.mail srv1.mail.example.com
$ ssh -i ~/.ssh/id_dsa.mail srv2.mail.example.com
You can specify a fixed identity file in .ssh/config just for these hosts instead, using an asterisk to match everything in that domain:

Host *.mail.example.com
    IdentityFile ~/.ssh/id_dsa.mail
I need to do this for Mikrotik’s RouterOS connections, as my own private key structure is 2048-bit RSA which RouterOS doesn’t support, so I keep a DSA key as well just for that purpose.
Logging in as a different user
By default, if you omit a username, SSH assumes the username on the remote machine is the same as the local one, so for servers on which I'm called tom, I can just type:

tom@conan:$ ssh server.network
However, on some machines I might be known as a different username, and hence need to remember to connect with one of the following:
tom@conan:$ ssh -l tomryder server.anothernetwork
tom@conan:$ ssh tomryder@server.anothernetwork
If I always connect as the same user, it makes sense to put that into my .ssh/config instead, so I can leave it out of the command entirely:

Host server.anothernetwork
    User tomryder
SSH proxies
If you have an SSH server that's only accessible to you via an SSH session on an intermediate machine, which is a very common situation when dealing with remote networks using private RFC1918 addresses through network address translation, you can automate that in .ssh/config too. Say you can't reach the host nathost directly, but you can reach some other SSH server on the same private subnet that is publicly accessible, publichost.example.com:

Host nathost
    ProxyCommand ssh -q -W %h:%p publichost.example.com
This will allow you to just type:
$ ssh nathost
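One detail that catches people out with every stanza above is that ssh keeps the first value it finds for each keyword as it reads the file top to bottom, so a catch-all "Host *" block with a Port or User in it must come after the host-specific blocks, or it silently overrides them. The authoritative way to see what the client will actually use is ssh -G followed by the alias (for example ssh -G nathost), which prints the effective settings without connecting. The small resolver below is an added example, not part of the original post or of OpenSSH: it mimics that first-value-wins rule over a constructed config built from the stanzas discussed here (the "Host *" defaults block, the keyword lowercasing and the %h/%p/%r expansion are assumptions I've made to keep it self-contained), and shows the effect of putting the defaults block in the wrong place.

```python
import fnmatch

# Constructed sample config, assembled from the stanzas in the post plus a
# trailing "Host *" block holding the defaults.
SAMPLE_CONFIG = """
Host web0911
    HostName web0911.colo.sta.solutionnetworkgroup.com

Host webserver.example.com
    Port 5331

Host *.mail.example.com
    IdentityFile ~/.ssh/id_dsa.mail

Host server.anothernetwork
    User tomryder

Host nathost
    ProxyCommand ssh -q -W %h:%p publichost.example.com

# Defaults go last: ssh keeps the FIRST value it sees for each keyword.
Host *
    Port 22
    User tom
"""

# The pitfall: the same defaults block placed before a specific stanza.
DEFAULTS_FIRST_CONFIG = """
Host *
    Port 22
    User tom

Host webserver.example.com
    Port 5331
"""


def parse_blocks(text):
    """Split config text into (patterns, options) blocks in file order.

    Options before the first Host line apply everywhere, so they sit under an
    implicit "*" block.  Assumes keyword and value are whitespace-separated
    (the "Key=value" spelling accepted by ssh is not handled here).
    """
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []   # Host may list several patterns
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(host, patterns):
    """Match the command-line host against a Host pattern list.

    ssh supports "*" and "?" wildcards and a leading "!" for negation; a
    matching negated pattern excludes the block even if another pattern hit.
    fnmatchcase is close enough for the patterns used in the post.
    """
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(config_text, host, local_user="tom"):
    """Return the effective settings for `host`, keyed by lowercase keyword.

    Walks the blocks in order and keeps the first value for each keyword, as
    ssh_config(5) documents.  Fills in the defaults ssh itself would use
    (HostName = host, Port 22, User = local user) and expands the %h/%p/%r
    tokens the post's ProxyCommand relies on.
    """
    settings = {}
    for patterns, options in parse_blocks(config_text):
        if host_matches(host, patterns):
            for key, value in options:
                settings.setdefault(key, value)   # first value wins
    settings.setdefault("hostname", host)
    settings.setdefault("port", "22")
    settings.setdefault("user", local_user)
    if "proxycommand" in settings:
        settings["proxycommand"] = (settings["proxycommand"]
                                    .replace("%h", settings["hostname"])
                                    .replace("%p", settings["port"])
                                    .replace("%r", settings["user"]))
    return settings


if __name__ == "__main__":
    for alias in ("web0911", "webserver.example.com", "srv1.mail.example.com",
                  "server.anothernetwork", "nathost"):
        print(alias, "->", resolve(SAMPLE_CONFIG, alias))
    # With the defaults first, Port 5331 never takes effect.
    print("defaults-first port:",
          resolve(DEFAULTS_FIRST_CONFIG, "webserver.example.com")["port"])
```

Two things worth knowing when you adapt the proxy stanza: the -W form of ProxyCommand needs OpenSSH 5.4 or later on the client, and OpenSSH 7.3 and later offer the simpler ProxyJump keyword (ProxyJump publichost.example.com) for the same job. Whichever you use, ssh -G on the alias is the quick way to confirm that the HostName, Port, User and proxy you expect are the ones the client has actually settled on.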
More information
The above are the .ssh/config settings most useful to me, but there are plenty more available; check man ssh_config for a complete list.