diff --git a/dotfiles/ssh.md b/dotfiles/ssh.md index 96684ee..2a66a5c 100644 --- a/dotfiles/ssh.md +++ b/dotfiles/ssh.md 
@@ -1,45 +1,45 @@ --- -title: "OpenSSH" -description: "Creature comfort configs for SSH" -author: "Thurstylark" -date: 2021-9-25 -draft: false +title: OpenSSH +description: Creature comfort configs for SSH +published: true +date: 2024-03-08T01:57:19.739Z +tags: +editor: markdown +dateCreated: 2024-03-07T23:21:49.285Z --- - - ## User-Specific Client Config Most directives that can be set in the system-wide client configuration can be set by each user in `~/.ssh/config`. This snippit contains a collection of my most used options: ``` -SendEnv LC_* # Send all LC env vars to the host +SendEnv LC_* # Send all LC env vars to the host AddKeysToAgent yes # If asked to unlock a password-protected private - # key, automatically add that key to the ssh-agent - # so you no longer need to reenter the password - # again this session + # key, automatically add that key to the ssh-agent + # so you no longer need to reenter the password + # again this session # Example Host Definition -Host foo # Arbitrary String. Use this definition by running `ssh foo` - HostName foo.bar.com # Actual DNS Hostname or IP address of the server - Port 12345 # Port number to connect to - User thurstylark # Username on the server to connect as - IdentityFile ~/.ssh/id_rsa # Private key to use for authentication - ServerAliveInterval 300 # Interval in seconds before a keepalive packet is sent to the server - ServerAliveCountMax 3 # Declare the connection dead after no response to this many keepalive packets - HostKeyAlgorithms ssh-dss # Use ssh-dss for host-key algorithm checking (ssh-dss is insecure. Use something else) - KexAlgorithms +kex # Add 'kex' to the list of Key Exchange Algorithms available for use. 
- StrictHostKeyChecking no # Turn off Strict Host Key Checking for only this host (insecure) - UserKnownHostsFile /dev/null # Discard this hosts host key instead of storing in ~/.ssh/known_hosts (not recommended) - VisualHostKey yes # Always use randomart in place of host key sums +Host foo # Arbitrary String. Use this definition by running `ssh foo` + HostName foo.bar.com # Actual DNS Hostname or IP address of the server + Port 12345 # Port number to connect to + User thurstylark # Username on the server to connect as + IdentityFile ~/.ssh/id_rsa # Private key to use for authentication + ServerAliveInterval 300 # Interval in seconds before a keepalive packet is sent to the server + ServerAliveCountMax 3 # Declare the connection dead after no response to this many keepalive packets + HostKeyAlgorithms ssh-dss # Use ssh-dss for host-key algorithm checking (ssh-dss is insecure. Use something else) + KexAlgorithms +kex # Add 'kex' to the list of Key Exchange Algorithms available for use. + StrictHostKeyChecking no # Turn off Strict Host Key Checking for only this host (insecure) + UserKnownHostsFile /dev/null # Discard this hosts host key instead of storing in ~/.ssh/known_hosts (not recommended) + VisualHostKey yes # Always use randomart in place of host key sums ``` ### Directive Notes - `Host` - - Can also refer to an actual hostname. See "Host-Specific Keys" below. + - Can also refer to an actual hostname. See [Host-Specific Keys](#host-specific-keys) below. - `ServerAliveInterval` and `ServerAliveCountMax` - - It's common for a firewall to cause problems keeping connections open, so tweaking these settings can help. See "Broken Pipe Remedy" below. + - It's common for a firewall to cause problems keeping connections open, so tweaking these settings can help. See [Broken Pipe Remedy](#broken-pipe-remedy) below. - `HostKeyAlgorithms` - ssh-dss is less secure than the alternatives/defaults. Only use this if necessary. - `KexAlgorithms` 
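Review bot: the re-aligned `Host foo` example still bundles `HostKeyAlgorithms ssh-dss`, `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` into the same block as the everyday options, even though the comments on those very lines call them insecure and not recommended; the last two together mean a host key for that host is never pinned or checked, so anyone who can intercept the connection can impersonate the server, and a reader copying the "most used options" block wholesale inherits that. Since this hunk only moves whitespace, take the opportunity to split those three into a separate, clearly labelled block (for example `Host legacy-foo`) or drop them from the example and keep them in the Directive Notes only. Two smaller points in the same block: `KexAlgorithms +kex` uses the placeholder `kex`, which is not an algorithm name and will not parse as one, so either spell out a real name (the client lists valid ones with `ssh -Q kex`) or mark it visibly as a placeholder; and `HostKeyAlgorithms ssh-dss` should carry a note that DSA host keys are disabled by default in current OpenSSH releases, so the line is likely to fail outright rather than just be weak.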
@@ -69,4 +69,4 @@ The `ServerAliveInterval` option sends a keepalive packet if no data has been re Additionally, the `ServerAliveCountMax` option specifies the number of keepalive packets that may be sent without a response before ssh terminates the connection. By default this is set to `3`, but if your connection is unreliable, you can set this higher to give your server a better chance at responding the next time a keepalive packet is sent. - It is important to note that messages sent by the `TTYKeepAlive` option are not sent through the encrypted channel and can be spoofed, but the "server alive" messages are sent through the encrypted channel and cannot be spoofed. Do not use `TTYKeepAlive` messages for determining the quality or security of a connection! See `ssh-config(5)` for more info. +It is important to note that messages sent by the `TTYKeepAlive` option are not sent through the encrypted channel and can be spoofed, but the "server alive" messages are sent through the encrypted channel and cannot be spoofed. Do not use `TTYKeepAlive` messages for determining the quality or security of a connection! See `ssh-config(5)` for more info.
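Review bot: the paragraph this hunk un-indents names a `TTYKeepAlive` option and refers to `ssh-config(5)`; the client directive is `TCPKeepAlive` (the unencrypted, spoofable TCP-level keepalive the paragraph contrasts with `ServerAliveInterval`) and the manual page is `ssh_config(5)`. Both names appear in the `+` line, so fix them in the same change rather than carrying the typos forward, e.g. "messages sent by the `TCPKeepAlive` option are not sent through the encrypted channel" and "See `ssh_config(5)` for more info."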