Using the SSH Client Config File ~/.ssh/config.

Imagine you have to regularly connect to 15+ remote systems over SSH. That means remembering all of the remote IP addresses, the different usernames, non-standard ports, which authentication key to use for each, and various command-line options. Quite a big waste of time. Fortunately, SSH lets you keep all of that information in a client config file.

So, instead of typing ssh -p 54673 -i ~/.ssh/west-coast/keys/server#1/id_rsa rabbit@192.168.1.111, you could simply type: ssh rabbit

SSH Client Config Files


Below are the locations of the ssh client configuration files:

  1. /etc/ssh/ssh_config – the default, system-wide configuration file. It contains settings that apply to all users of the ssh client machine.
  2. ~/.ssh/config or $HOME/.ssh/config – the user-specific configuration file. It holds settings that apply to a single user and is read before the system-wide file, so its values take precedence over the defaults there. This is the file we will create and use.

By default, the user configuration file does not exist, so we need to create it with read/write permissions for the user only. This is not just tidiness: the ssh client refuses to use a config file that is writable by other users (it aborts with "Bad owner or permissions"), because anyone who can edit it can redirect your connections or change which key you present.

$ touch ~/.ssh/config

$ chmod 0600 ~/.ssh/config


SSH Config File Structure & Patterns


The contents of the SSH client configuration file are divided into sections. Each section begins with the Host directive and provides unique SSH parameters for connecting to the remote SSH server. Indentation is optional but preferred since it makes the file simpler to read.

Let’s look at the following examples:

$ nano ~/.ssh/config

Host rabbit
    HostName 192.168.1.111
    User rabbit
    Port 54673
    IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
    LogLevel INFO

Host: the short name (alias) you will type on the command line; it can be anything.
HostName: the real IP address or DNS hostname to connect to.
User: the username on the server; needed if it differs from your username on the local machine.
Port: the port the SSH server listens on, if different from the default 22.
IdentityFile: the path to the private key file to authenticate with.

Now, logging in is as easy as typing:

$ ssh rabbit


Patterns

The argument of the Host directive is a pattern: an IP address, a DNS hostname, or a combination with the wildcard characters below. It is matched against the name you give on the ssh command line (the alias), not against the resolved HostName. A Host line can carry a single pattern or a list of patterns separated by whitespace. Each pattern consists of zero or more non-whitespace characters and may use the pattern specifiers listed below:

  • * - Matches zero or more characters. For example, Host * matches all hosts, while 192.168.0.* matches hosts in the 192.168.0.0/24 subnet.
  • ? - Matches exactly one character. For example, Host 10.10.0.? matches the hosts 10.10.0.0 through 10.10.0.9.
  • ! - When used at the start of a pattern, it negates the match. For example, Host 10.10.0.* !10.10.0.5 matches any host in the 10.10.0.0/24 subnet except 10.10.0.5.


Add more Servers using Patterns


Let's go ahead and configure more entries. Besides the per-host sections, the ssh client will also use the options specified in the Host *west, Host * !vivaldi-west and Host * sections:

$ nano ~/.ssh/config

Host rabbit
    HostName 192.168.1.111
    User rabbit
    Port 54673
    IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa

Host sheep-west
    HostName 192.168.1.10
    User sheep
    Port 23561

Host vivaldi-west
    HostName 192.168.1.20
    PubkeyAuthentication no

Host *west
    User admin
    IdentityFile ~/.ssh/linux-west.key
    Port 4555

Host * !vivaldi-west
    LogLevel INFO
    ServerAliveInterval 60
    ServerAliveCountMax 20

Host *
    User root
    Compression yes
    IdentityFile ~/.ssh/top/key/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 20


Compression: enables compression of the connection when set to "yes". The default is "no".
ServerAliveInterval: sets a timeout interval in seconds after which, if no response (or data) has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default value is 0, meaning no messages will be sent to the server, or 300 if the BatchMode option has been defined.
ServerAliveCountMax: sets the number of server alive messages which may be sent without ssh receiving any response from the server before the connection is dropped.
LogLevel: defines the verbosity level that is used when logging messages from ssh. The allowed values are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3; the default is INFO, i.e. the INFO level logs login and logout activity.
PubkeyAuthentication: specifies whether public key authentication is allowed. The default is yes.

Let's explain what each section does:

ssh rabbit:
The ssh client reads the file top to bottom and applies the options from the first match, which is Host rabbit. It then checks the following sections one by one for a matching pattern. The next match is Host * !vivaldi-west (meaning all hosts except vivaldi-west), and the connection options from that section are applied. The last section, Host *, also matches, but the ssh client takes only the Compression option from it, since User has already been defined in the Host rabbit section and an option keeps the first value obtained.

The options used in this case are:

HostName 192.168.1.111
User rabbit
Port 54673
IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
LogLevel INFO
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 20


When running ssh sheep-west the matching host patterns are:
Host sheep-west, Host *west, Host * !vivaldi-west and Host *.

The options used in this case are:

HostName 192.168.1.10
User sheep
Port 23561
IdentityFile ~/.ssh/top/key/id_rsa
LogLevel INFO
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 20


If you run ssh vivaldi-west, the matching host patterns are:
Host vivaldi-west, Host *west and Host *.

The options used in this case are:

HostName 192.168.1.20
User admin
Port 4555
Compression yes
PubkeyAuthentication no
IdentityFile ~/.ssh/top/key/id_rsa


but it does not pick up ServerAliveInterval 60 and ServerAliveCountMax 20 from the Host * !vivaldi-west section, since that pattern excludes vivaldi-west. Password authentication will be used because public key authentication has been disabled for this host.
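To make the resolution rules from the Patterns section and the three walk-throughs above concrete, here is an added example (not OpenSSH's own code, and not part of the original tutorial) that models how the client evaluates a config file: sections are scanned top to bottom, a Host line matches when any positive pattern matches and no negated pattern does, and each option keeps the first value obtained. It embeds a constructed copy of the tutorial's config file and resolves the same three aliases. One detail it adds beyond the text, taken from ssh_config(5): IdentityFile is an accumulating option, so every matching value is offered in order rather than only the first. The function and variable names (pattern_match, host_matches, parse_config, resolve, equivalent_command, PAGE_CONFIG) are this example's own.

```python
import re

# Added example: a model of how the OpenSSH client resolves ~/.ssh/config
# (rules from ssh_config(5)); not OpenSSH's own code. Sections are scanned
# top to bottom; the first value obtained for an option wins, except for
# accumulating options such as IdentityFile, where every value is kept.
ACCUMULATING = {"identityfile"}

# Constructed copy of the config file from the tutorial above.
PAGE_CONFIG = """
Host rabbit
    HostName 192.168.1.111
    User rabbit
    Port 54673
    IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
Host sheep-west
    HostName 192.168.1.10
    User sheep
    Port 23561
Host vivaldi-west
    HostName 192.168.1.20
    PubkeyAuthentication no
Host *west
    User admin
    IdentityFile ~/.ssh/linux-west.key
    Port 4555
Host * !vivaldi-west
    LogLevel INFO
    ServerAliveInterval 60
    ServerAliveCountMax 20
Host *
    User root
    Compression yes
    IdentityFile ~/.ssh/top/key/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 20
"""


def pattern_match(pattern, name):
    """One ssh_config pattern: '*' matches any run of characters, '?' exactly
    one. Host names are compared case-insensitively, as ssh does."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, name.lower()) is not None


def host_matches(patterns, host):
    """A Host line matches if some positive pattern matches and no negated
    (!) pattern matches; a negated hit vetoes the whole line."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_match(pat[1:], host):
                return False
        elif pattern_match(pat, host):
            matched = True
    return matched


def parse_config(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.
    Keywords are case-insensitive in ssh_config, so they are lowercased."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), [])         # whitespace-separated patterns
            sections.append(current)
            continue
        if current is None:                       # options before any Host line
            current = (["*"], [])                 # apply to every host
            sections.append(current)
        current[1].append((key, value))
    return sections


def resolve(sections, host):
    """Effective options for `ssh host`: walk the matching sections in order;
    the first value wins, IdentityFile values accumulate."""
    opts = {}
    for patterns, options in sections:
        if not host_matches(patterns, host):
            continue
        for key, value in options:
            if key in ACCUMULATING:
                opts.setdefault(key, []).append(value)
            elif key not in opts:
                opts[key] = value
    opts.setdefault("hostname", host)   # HostName defaults to the name given
    return opts


def equivalent_command(opts):
    """The long command line that the config section saves you from typing."""
    parts = ["ssh"]
    if "port" in opts:
        parts += ["-p", opts["port"]]
    for ident in opts.get("identityfile", []):
        parts += ["-i", ident]
    target = opts["hostname"]
    if "user" in opts:
        target = opts["user"] + "@" + target
    parts.append(target)
    return " ".join(parts)


if __name__ == "__main__":
    sections = parse_config(PAGE_CONFIG)
    for alias in ("rabbit", "sheep-west", "vivaldi-west"):
        opts = resolve(sections, alias)
        print(alias, "->", equivalent_command(opts))
        for key in sorted(opts):
            print("   ", key, opts[key])
```

Running it prints the effective options for each alias. Two things worth noticing in the output: for sheep-west the first IdentityFile offered is ~/.ssh/linux-west.key from Host *west, because that section comes before Host *, and for vivaldi-west the ServerAliveInterval and ServerAliveCountMax values are still present, because the Host * section at the bottom repeats them; only LogLevel is lost by the exclusion. The real client exposes the same resolved view with ssh -G alias, which is the quickest way to check a config file before relying on it.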

Note that the SSH config file is also read by other programs such as scp, sftp, and rsync. You may also want to set up SSH key-based authentication (yes, we have a tutorial on that) and connect to your Linux servers without entering a password.
We hope this was helpful.