Thursday, September 25, 2008

OpenSSH: Basic Configuration

prerequisite concepts: prelude

If you're not already using a config file (~/.ssh/config) you should peruse the documentation to see what it offers; an ongoing benefit I enjoy is that it allows me to accomplish more while typing less. Suppose, for example, you need to access two mail servers which are both behind a firewall and sharing a single public IP address. One server uses NAT (port forwarding) to provide user access via IMAP-SSL, POP3-SSL, and perhaps even webmail, all on default ports; similarly SSH can be accessed on port 22. The other server happens to be a mail relay, which handles all of the spam and virus scanning for inbound and outbound mail; while the SMTP, SMTPS, and submission services all enjoy a NAT configuration using default ports, SSH access is on port 23 because port 22 already forwards to the IMAP server and the sysadmin hasn't read this series of articles.

As an added bonus, your accounts have usernames which differ from each other (let's use "fred" and "barney") as well as from your workstation. To log in to these machines using the command line, you would type:

ssh fred@example.com
ssh -p 23 barney@example.com


This isn't a great deal of typing but already one can see that differentiating more complex connections may be confusing when distinguished only by the port used. We can clarify things a bit with a config file like this:

Host imap
HostName example.com
User fred
Host smtp
HostName example.com
Port 23
User barney


Now our SSH commands look nicer:

ssh imap
ssh smtp


The config file can always be overridden with command line options, so ssh admin@smtp will log in as admin rather than barney, but will still use port 23 and any other options set in ~/.ssh/config. Once you start using LocalForward and ProxyCommand command line options quickly become tedious and unwieldy, even if you can remember all options for every host you attend.

One final note, in addition to acting as a convenient alias, the host keywords may also be used to make declarations for groups of servers, or all servers, by using wildcards and pattern-lists. The ssh_config man page (or your preferred documentation) has a detailed PATTERNS section, but a below is a brief example to whet your appetite:
# global declarations
  Host *
  ForwardAgent yes
  ForwardX11 yes

# just for example.com servers
  Host *.example.com
  ServerAliveInterval 60
  StrictHostKeyChecking no