Tag Archives: ssh

Uses for ~/.ssh/config

For system and network administrators or other users who frequently deal with sessions on multiple machines, SSH ends up being one of the most oft-used Unix tools. SSH usually works so well that until you use it for something slightly more complex than starting a terminal session on a remote machine, you tend to use it fairly automatically. However, the ~/.ssh/config file bears mentioning for a few ways it can make using the ssh client a little easier.

Abbreviating hostnames

If you often have to SSH into a machine with a long host and/or network name,
it can get irritating to type it every time. For example, consider the
following command:

$ ssh h1.iallex.com

If you interact with the iallex machine a lot, you could include a stanza
like this in your ~/.ssh/config:

Host iallex
    HostName h1.iallex.com

This would allow you to just type ssh iallex for the same result. Of course, if you have root access on the system, you could also do this by adding the hostname to your /etc/hosts file, or by adding the domain to the search list in /etc/resolv.conf, but I prefer the above solution as it’s cleaner and doesn’t apply system-wide.

Fixing alternative ports

If any of the hosts with which you interact have SSH processes listening on alternative ports, it can be a pain both to remember the port number and to type it in every time:

$ ssh iallex.com -p 5331

You can fix this port permanently in your .ssh/config file instead:

Host iallex.com
    Port 5331

This will allow you to leave out the port definition when you call ssh on that host: ssh iallex.com

Custom identity files

If you have a private/public key setup working between your client machine and the server, but for whatever reason you need to use a different key from your normal one, you’ll be using the -i flag to specify the key pair that should be used for the connection:

$ ssh -i ~/.ssh/id_dsa.stage srv1.stage

You can specify a fixed identity file in .ssh/config just for these hosts instead, using an asterisk to match everything in that domain:

Host *.stage
    IdentityFile ~/.ssh/id_dsa.stage

I need to do this for Mikrotik’s RouterOS connections, as my own private key structure is 2048-bit RSA, which RouterOS doesn’t support, so I keep a DSA key as well just for that purpose.

Force SSH client to use password authentication instead of public key

ssh -o PubkeyAuthentication=no apps@fe-dev-142

Also a shortcut for this purpose:
ssh user:@fe-dev-142

Note the colon (:) and the empty password after it.

Logging in as a different user

By default, if you omit a username, SSH assumes the username on the remote machine is the same as the local one, so for servers on which I’m called tom, I can just type:

ssh iallex.com # => ssh tom@iallex.com

However, on some machines I might be known as a different username, and hence need to remember to connect with one of the following:

ssh -l jack iallex.com
# or
ssh jack@iallex.com

If I always connect as the same user, it makes sense to put that into my .ssh/config instead, so I can leave it out of the command entirely:

Host iallex.com
    User jack

SSH proxies

If you have an SSH server that’s only accessible to you via an SSH session on an intermediate machine, which is a very common situation when dealing with remote networks using private RFC1918 addresses behind network address translation, you can automate that in .ssh/config too. Say you can’t reach the host nathost directly, but you can reach another SSH server on the same private subnet that is publicly accessible, public.example.com:

Host nathost
    ProxyCommand ssh -q -W %h:%p public.example.com

This will allow you to just type: ssh nathost
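To see how the stanzas above combine, here is an added example script (not code from the original post) that resolves the value OpenSSH would use for a given keyword and host from a ~/.ssh/config-style file. It mirrors the ssh_config(5) rules that the first obtained value wins and that Host patterns accept * and ? wildcards with a leading ! for negation; the sample config it writes is constructed for the demo, and the ssh_config_resolve and write_sample_config names are this example's own. On a real system, ssh -G hostname prints the same effective configuration from your actual files.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve the value OpenSSH
# would use for one keyword, for one host, from a ~/.ssh/config-style file.
# Rules mirrored from ssh_config(5): the first value obtained for a keyword
# wins; a "Host" line opens a stanza that applies when the host name matches
# one of its patterns (* and ? wildcards, a leading ! negates). Simplifying
# assumptions: only the "Keyword value" form is parsed (not Keyword=value),
# and Match blocks are not handled.
#
# Usage: ssh_config_resolve CONFIG_FILE HOST KEYWORD   (prints the value)
ssh_config_resolve() (
    set -f                                  # keep * in patterns from matching files
    cfg=$1 host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    active=1                                # lines before any Host stanza are global
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop trailing comments
        set -- $line                        # $1 = keyword, $2.. = value words
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$key" = host ]; then
            active=0
            for pat in "$@"; do
                case $pat in
                    !*) case $host in ${pat#!}) active=0; break ;; esac ;;
                    *)  case $host in $pat) active=1 ;; esac ;;
                esac
            done
            continue
        fi
        if [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"              # first match wins, as in ssh(1)
            return 0
        fi
    done < "$cfg"
    return 1                                # keyword never set for this host
)

# Constructed sample ~/.ssh/config for the demo, written to a temp file.
write_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Host iallex
    HostName h1.iallex.com
Host iallex.com
    Port 5331
    User jack
Host *.stage !db.stage
    IdentityFile ~/.ssh/id_dsa.stage
Host nathost
    ProxyCommand ssh -q -W %h:%p public.example.com
Host *
    User tom
EOF
    printf '%s\n' "$f"
}

# Demo: show what each host would get, then clean up.
sample=$(write_sample_config)
for h in iallex iallex.com web.stage db.stage nathost; do
    printf '%-12s HostName=%s Port=%s User=%s IdentityFile=%s\n' "$h" \
        "$(ssh_config_resolve "$sample" "$h" HostName || echo "$h")" \
        "$(ssh_config_resolve "$sample" "$h" Port || echo 22)" \
        "$(ssh_config_resolve "$sample" "$h" User || echo '(local user)')" \
        "$(ssh_config_resolve "$sample" "$h" IdentityFile || echo '(default)')"
done
rm -f "$sample"
```

The trailing Host * stanza shows why order matters: because the first value wins, a catch-all default must come last, and a negated pattern such as !db.stage excludes a host from a stanza even when a wildcard in the same line matches it.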

More information

The above are the .ssh/config settings most useful to me, but there are plenty more available; check man ssh_config for a complete list.

Create a socket proxy by ssh port forwarding

Enable TCP forwarding on the sshd server

cat /etc/ssh/sshd_config

Here are some examples. First, let’s restrict the users who are allowed to forward TCP sessions:

# SSH1, SSH2, OpenSSH
AllowTcpForwarding no

and then at the end of the file put

Match User allex,john,andy
    AllowTcpForwarding yes

Or, better, allow specific destinations per group and per user. Each Match block extends to the next Match line or the end of the file, so the global AllowTcpForwarding no must come before them:

AllowTcpForwarding no
Match Group admins
    AllowTcpForwarding yes
Match User john,andy,ted
    AllowTcpForwarding yes
    PermitOpen 192.168.0.1:443

Finally, restart the OpenSSH server:

/etc/init.d/sshd restart

Use ssh -D port forwarding to create a local SOCKS proxy server

# Create socket proxy channel
ssh -CfNg -D 127.0.0.1:7070 user@host &>/dev/null &

See man ssh for more details:

  • -C Requests compression of all data.
  • -f Requests ssh to go to the background just before command execution.
  • -N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
  • -g Allows remote hosts to connect to local forwarded ports (leave it out if only local programs need the proxy).
  • -D Specifies a local “dynamic” application-level port forwarding.
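The -g caveat above is worth checking rather than assuming: a dynamic forward started with -g, or without an explicit 127.0.0.1 bind address while GatewayPorts is enabled, listens on every interface and turns the proxy into something other hosts on the network can use. The following added example (not code from the original post) reads ss -ltnp output and prints each ssh client listener that is bound to a non-loopback address. The function name exposed_ssh_listeners and the sample_ss_output helper are this example's own, and the sample ss output is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: flag ssh client listeners
# (local or dynamic forwards) bound to something other than loopback, which
# is what -g, or a forward without an explicit 127.0.0.1 bind address, can
# produce. Input is the output of `ss -ltnp`; the sample below is constructed.
# Prints "LOCAL_ADDRESS:PORT PID" for each exposed ssh listener.
exposed_ssh_listeners() {
    awk '$1 == "LISTEN" && $6 ~ /\("ssh",/ {      # ssh client only, not sshd
        addr = $4
        sub(/:[^:]*$/, "", addr)                   # strip the trailing :port
        if (addr != "127.0.0.1" && addr !~ /^127\./ && addr != "[::1]") {
            pid = $6
            sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            print $4, pid
        }
    }'
}

# Constructed sample of `ss -ltnp` output: one dynamic forward on loopback
# (fine), one on 0.0.0.0 and one on * (exposed), and sshd itself (ignored).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:7070       0.0.0.0:*          users:(("ssh",pid=4242,fd=5))
LISTEN  0       128     0.0.0.0:7071         0.0.0.0:*          users:(("ssh",pid=4243,fd=5))
LISTEN  0       128     [::1]:7072           [::]:*             users:(("ssh",pid=4244,fd=6))
LISTEN  0       128     *:7073               *:*                users:(("ssh",pid=4245,fd=6))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
EOF
}

# Demo: on a real host, replace sample_ss_output with:  ss -ltnp | exposed_ssh_listeners
sample_ss_output | exposed_ssh_listeners
```

Anything this prints after you start the -D command is reachable from beyond the local machine; for a proxy only your own browser and shell use, drop -g and keep the explicit 127.0.0.1 bind address, as in the command above.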

Set up the SOCKS proxy in the browser

There are many browser extensions for managing proxies (for example SwitchySharp for Chrome).

Use the SOCKS proxy for commands in the terminal

export http_proxy=socks5://127.0.0.1:7070 https_proxy=socks5://127.0.0.1:7070
