thurstylark
/
tlwiki-wikijs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: update dotfiles/ssh

This commit is contained in:
David Thurstenson 2024-03-08 01:57:21 +00:00 committed by David Thurstenson
parent e2efea48a1
commit d459b5fded
1 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
dotfiles/ssh.md
View File

@ -1,45 +1,45 @@
---
title: "OpenSSH"
description: "Creature comfort configs for SSH"
author: "Thurstylark"
date: 2021-9-25
draft: false
title: OpenSSH
description: Creature comfort configs for SSH
published: true
date: 2024-03-08T01:57:19.739Z
tags:
editor: markdown
dateCreated: 2024-03-07T23:21:49.285Z
---
## User-Specific Client Config
Most directives that can be set in the system-wide client configuration can be set by each user in `~/.ssh/config`. This snippit contains a collection of my most used options:
```
SendEnv LC_* # Send all LC env vars to the host
SendEnv LC_* # Send all LC env vars to the host
AddKeysToAgent yes # If asked to unlock a password-protected private
# key, automatically add that key to the ssh-agent
# so you no longer need to reenter the password
# again this session
# key, automatically add that key to the ssh-agent
# so you no longer need to reenter the password
# again this session
# Example Host Definition
Host foo # Arbitrary String. Use this definition by running `ssh foo`
HostName foo.bar.com # Actual DNS Hostname or IP address of the server
Port 12345 # Port number to connect to
User thurstylark # Username on the server to connect as
IdentityFile ~/.ssh/id_rsa # Private key to use for authentication
ServerAliveInterval 300 # Interval in seconds before a keepalive packet is sent to the server
ServerAliveCountMax 3 # Declare the connection dead after no response to this many keepalive packets
HostKeyAlgorithms ssh-dss # Use ssh-dss for host-key algorithm checking (ssh-dss is insecure. Use something else)
KexAlgorithms +kex # Add 'kex' to the list of Key Exchange Algorithms available for use.
StrictHostKeyChecking no # Turn off Strict Host Key Checking for only this host (insecure)
UserKnownHostsFile /dev/null # Discard this hosts host key instead of storing in ~/.ssh/known_hosts (not recommended)
VisualHostKey yes # Always use randomart in place of host key sums
Host foo # Arbitrary String. Use this definition by running `ssh foo`
HostName foo.bar.com # Actual DNS Hostname or IP address of the server
Port 12345 # Port number to connect to
User thurstylark # Username on the server to connect as
IdentityFile ~/.ssh/id_rsa # Private key to use for authentication
ServerAliveInterval 300 # Interval in seconds before a keepalive packet is sent to the server
ServerAliveCountMax 3 # Declare the connection dead after no response to this many keepalive packets
HostKeyAlgorithms ssh-dss # Use ssh-dss for host-key algorithm checking (ssh-dss is insecure. Use something else)
KexAlgorithms +kex # Add 'kex' to the list of Key Exchange Algorithms available for use.
StrictHostKeyChecking no # Turn off Strict Host Key Checking for only this host (insecure)
UserKnownHostsFile /dev/null # Discard this hosts host key instead of storing in ~/.ssh/known_hosts (not recommended)
VisualHostKey yes # Always use randomart in place of host key sums
```
### Directive Notes
- `Host`
- Can also refer to an actual hostname. See "Host-Specific Keys" below.
- Can also refer to an actual hostname. See [Host-Specific Keys](#host-specific-keys) below.
- `ServerAliveInterval` and `ServerAliveCountMax`
- It's common for a firewall to cause problems keeping connections open, so tweaking these settings can help. See "Broken Pipe Remedy" below.
- It's common for a firewall to cause problems keeping connections open, so tweaking these settings can help. See [Broken Pipe Remedy](#broken-pipe-remedy) below.
- `HostKeyAlgorithms`
- ssh-dss is less secure than the alternatives/defaults. Only use this if necessary.
- `KexAlgorithms`
@ -69,4 +69,4 @@ The `ServerAliveInterval` option sends a keepalive packet if no data has been re
Additionally, the `ServerAliveCountMax` option specifies the number of keepalive packets that may be sent without a response before ssh terminates the connection. By default this is set to `3`, but if your connection is unreliable, you can set this higher to give your server a better chance at responding the next time a keepalive packet is sent.
It is important to note that messages sent by the `TTYKeepAlive` option are not sent through the encrypted channel and can be spoofed, but the "server alive" messages are sent through the encrypted channel and cannot be spoofed. Do not use `TTYKeepAlive` messages for determining the quality or security of a connection! See `ssh-config(5)` for more info.
It is important to note that messages sent by the `TTYKeepAlive` option are not sent through the encrypted channel and can be spoofed, but the "server alive" messages are sent through the encrypted channel and cannot be spoofed. Do not use `TTYKeepAlive` messages for determining the quality or security of a connection! See `ssh-config(5)` for more info.