SSH Client Configurations
This post covers some, though not all, of the advanced and reusable SSH client configurations I use during my day-to-day administrating of various servers.
Review of the manual page for ssh_config is recommended, though it is possible to skip to, or search for, specific topics via the following examples;
man -P 'less -ip "^patterns"' ssh_config
man -P 'less -ip "^tokens"' ssh_config
man -P 'less -ip "<TOPIC>"' ssh_config
- Defaults for all connections
- Prefix configuration with trailing glob
- Suffix configuration with leading glob
- Specificity chaining with globs
- Example usage
Defaults for all connections
Host *
    IdentitiesOnly yes
    StrictHostKeyChecking accept-new
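Note, any of the above may be selectively overridden on a per-host basis within the following configuration blocks, provided the Host * block sits after them in the configuration file, because ssh uses the first value it obtains for each option.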
Prefix configuration with trailing glob
## Matches aliases that begin with `tor.`, such as `tor.rpi.pi`
Host tor.*
    ProxyCommand socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050
    AddressFamily inet
    Compression yes
Note, the above requires that the client has socat and tor installed, and that the server has tor and sshd configured correctly.
Tip, review the Tor Project Onion Service Setup guide for details on how to configure the remote server. Hint, 9050 should match the SOCKSPort defined within /etc/tor/torrc, the client configuration file. The default is 9050 for many Linux-based devices.
The %h and %p format strings will automatically be replaced with the HostName and Port for a given Host configuration block. Review the man -P 'less -ip "^tokens"' ssh_config manual section for more details on what other format strings are available to the ProxyCommand value.
Suffix configuration with leading glob
Host *-screen
    RemoteCommand screen -RD ssh
    RequestTTY yes
Host *-tmux
    RemoteCommand tmux attach-session -t ssh || tmux new -s ssh
    RequestTTY yes
Note, these may be appended to any Host that has a trailing glob; check the Example usage section of this document for details on how the above may be utilized.
Specificity chaining with globs
## Extend `tor*` configurations previously defined
## Listed before `*rpi*` because ssh keeps the first HostName it obtains
Host tor.rpi*
    HostName AnOnionDomainHere.onion
## Shared for all that connect to `rpi`
Host *rpi*
    HostName 10.0.0.42
    Port 2222
## Administrator account for `rpi` server
Host *rpi.root*
    User root
    IdentityFile ~/.ssh/rpi-root
## First normal user for `rpi` server
Host *rpi.pi*
    User pi
    IdentityFile ~/.ssh/rpi-pi
Example usage
Log in to the Raspberry Pi as pi, over Tor, and immediately start a screen session
ssh tor.rpi.pi-screen
The above functions not only because of globbing, but also because of the order of Host definitions and overrides. Expanded out, the above command may be treated as though the following configurations are explicitly defined;
Host tor.rpi.pi-screen
    # Host *
    IdentitiesOnly yes
    # Host tor.*
    ProxyCommand socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050
    # Host *rpi*
    # HostName 10.0.0.42
    Port 2222
    # Host tor.rpi*
    HostName AnOnionDomainHere.onion
    # Host *rpi.pi*
    User pi
    # Host *-screen
    RemoteCommand screen -RD ssh
    RequestTTY yes
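How ssh arrives at an expansion like the one above, as an added example that is not part of the original post: a small Python model of ssh_config resolution, where every Host block whose pattern matches the alias contributes and the first value obtained for each option is kept. The function names and the two sample configurations are constructed for illustration from the blocks on this page; the model covers `*`, `?` and negated (`!`) patterns only, and treats every option as single-valued.

```python
import fnmatch

def parse(text):
    """Split ssh_config text into [(host_patterns, [(option, value), ...])]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:  # options before the first Host line are not modelled
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def host_matches(patterns, alias):
    """True if a pattern matches the alias and no negated (!) pattern does."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            hit = True
    return hit

def resolve(text, alias):
    """Walk blocks top to bottom; the first value seen for an option is kept."""
    effective = {}
    for patterns, options in parse(text):
        if host_matches(patterns, alias):
            for key, value in options:
                effective.setdefault(key, value)
    return effective

# Constructed samples: the same two blocks from this page in both file orders.
RPI = "Host *rpi*\n  HostName 10.0.0.42\n  Port 2222\n"
TOR_RPI = "Host tor.rpi*\n  HostName AnOnionDomainHere.onion\n"
GENERAL_FIRST = RPI + TOR_RPI
SPECIFIC_FIRST = TOR_RPI + RPI

if __name__ == "__main__":
    for name, cfg in (("general first", GENERAL_FIRST),
                      ("specific first", SPECIFIC_FIRST)):
        print(name, resolve(cfg, "tor.rpi.pi-screen"))
```

On a real client, `ssh -G tor.rpi.pi-screen` prints the options OpenSSH itself resolves for that alias, which is the quickest way to confirm a connection goes through the intended proxy and host.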