Using the SSH Client Config File ~/.ssh/config.

Imagine you have to regularly connect to +15 remote systems over SSH. That means to remember all of the remote IP addresses, different usernames, non-standard ports, what authentication keys to use, and various command-line. Quite a big waste of time. Fortunately, SSH allows you to generate a config file that contains all of that information.

So, instead of typing, ssh -p 54673 -i ~/.ssh/west-coast/keys/server#1/id_rsa rabbit@192.168.1.111 you could simply type: ssh rabbit

SSH Client Config Files


Below are the locations of the ssh client configuration files:

  1. /etc/ssh/ssh_config – this is the default, system-wide configuration file. It contains settings that apply to all users of the ssh client machine.
  2. ~/.ssh/config or $HOME/.ssh/config – is the user-specific/custom configuration file. It has configurations that apply to a specific user. It, therefore, overrides default settings in the system-wide config file. This is the file we will create and use.

By default, the SSH configuration file may not exist, so we need to create it with the read/write permissions for the user only.

$ touch ~/.ssh/config

$ chmod 0600 ~/.ssh/config


SSH Config File Structure & Patterns


The contents of the SSH client configuration file are divided into sections. Each section begins with the Host directive and provides unique SSH parameters for connecting to the remote SSH server. Indentation is optional but preferred since it makes the file simpler to read.

Let’s look at the following examples:

$ nano ~/.ssh/config

Host rabbit
    HostName 192.168.1.111
    user rabbit
    Port 54673
    IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
    LogLevel INFO

Host : This can be anything, it’s the short name.
HostName: IP or hostname.
User: User on the server, this is needed if your user on the server is different than on the local machine.
Port: Open port in the server if different from default 22.
IdentityFile: Where the key file is.

Now, logging in is as easy as typing:

$ ssh rabbit


Patterns

A pattern for Host directive is nothing but an IP address, DNS hostname, or a combination of special wildcard characters. It can include a single pattern or a list of patterns separated by whitespace. Each pattern can have zero or more non-whitespace characters or one of the pattern specifiers listed below:

  • * - Matches zero or more characters. For example, Host * matches all hosts, while 192.168.0.* matches hosts in the 192.168.0.0/24 subnet.
  • ? - Matches exactly one character. The pattern, Host 10.10.0.? matches all hosts in 10.10.0.[0-9] range.
  • ! - When used at the start of a pattern, it negates the match. For example, Host 10.10.0.* !10.10.0.5 matches any host in the 10.10.0.0/24 subnet except 10.10.0.5.


Add more Servers using Patterns


Let's go ahead and configure more entries:
The ssh client will use the options specified in the Host *west
host * !vivaldi-west and Host * sections.

$ nano ~/.ssh/config

Host rabbit
    HostName 192.168.1.111
    user rabbit
    Port 54673
    IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
    
    
Host sheep-west
    HostName 192.168.1.10
    User sheep
    Port 23561
    
Host vivaldi-west
    HostName 192.168.1.20
    PubkeyAuthentication no


Host *west
    user admin
    IdentityFile ~/.ssh/linux-west.key
    Port 4555
    
Host * !vivaldi-west
    LogLevel INFO
    ServerAliveInterval 60
    ServerAliveCountMax 20

Host *
    User root
    Compression yes
    IdentityFile ~/.ssh/top/key/id_rsa
    ServerAliveInterval 60
    ServerAliveCountMax 20


Compression : It’s used to set compression during the remote connection with the "yes" value. The default is "no".
ServerAliveInterval : Sets a timeout interval in seconds after which if no response (or data) has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default value is 0, meaning no messages will be sent to the server, or 300 if the BatchMode option has been defined.
ServerAliveCountMax: Sets the number of server alive messages which may be sent without ssh receiving any response from the server.
LogLevel: Defines the verbosity level that is used when logging messages from ssh. The allowed values include: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. And the default is INFO. Ie. the INFO parameter specifies that login and logout activity will be logged.
PubkeyAuthentication: Specifies whether public key authentication is allowed. The default is yes.

Let's explain what each section does:

ssh rabbit:
The ssh client reads the file and applies the options from the first match, which is Host rabbit. Then it checks the next section one by one for a matching pattern. The next matching one is Host * !vivaldi-west (meaning all hosts except !vivaldi-west), and it will apply the connection option from this section. The last definition Host * also matches, but the ssh client will take only the Compression option since the User option is already defined in the Host rabbit section.

The options used in this case are:

HostName 192.168.1.111
user rabbit
Port 54673
IdentityFile ~/.ssh/west-coast/keys/server#1/id_rsa
LogLevel INFO
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 20


When running ssh sheep-west the matching host patterns are:
Host sheep-west, Host *west, Host * !vivaldi-west and Host *.

The options used in this case are:

HostName 192.168.1.10
user sheep
Port 23561
IdentityFile ~/.ssh/top/key/id_rsa
LogLevel INFO
Compression yes
ServerAliveInterval 60
ServerAliveCountMax 20


If you run ssh vivaldi-west, the matching host patterns are:
Host vivaldi-west, Host *west and Host *.

The options used in this case are:

HostName 192.168.1.20
user admin
Port 4555
Compression yes
PubkeyAuthentication no
IdentityFile ~/.ssh/top/key/id_rsa


but will not perform ServerAliveInterval 60 and ServerAliveCountMax 20 since Host * !vivaldi-west (meaning all hosts except vivaldi-west). Password auth. will be used because public key authentication has been disabled.



Note that, the SSH config file is also read by other programs such as scp , sftp , and rsync. You may also want to set up an SSH key-based authentication (yes, we have a tutorial on that) and connect to your Linux servers without entering a password.
We hope this was helpful.