This episode spawned from some feedback I sent to klatuu from The Bad Apples podcast. I’ve been using my .ssh/config to simplify long or commonly used ssh commands.
Say you want to log in to your home machine (mymachine.dynamicdns.org) as user homeuser, and its ssh server is listening on the non-standard port 1234.
ssh -p 1234 homeuser@mymachine.dynamicdns.org
You can shorten this to
ssh home
by adding the following to your .ssh/config file
Host home
    User homeuser
    Hostname mymachine.dynamicdns.org
    Port 1234
It's probably not worth setting up if you're not going to be using it often, but if you start doing a lot of port forwarding then your command line can quickly get unwieldy.
ssh -p 1234 -L 8080:192.168.1.100:80 \
    homeuser@mymachine.dynamicdns.org
Just add the line below to the Host section to achieve the same result.
LocalForward 8080 192.168.1.100:80
The nice thing is that you can add lots of LocalForward lines for a particular host. Another trick I use is to have different public/private key files for each group of servers that I use. Normally you would use the -i switch, which takes the private key file
ssh -i ~/.ssh/work_id_dsa homeuser@mymachine.dynamicdns.org
Just add the line below to the Host section to achieve the same result.
IdentityFile ~/.ssh/work_id_dsa
You can set options per host by placing them in the Host section, or for all the hosts by placing them at the top of the file. Some common ones that I use are
- ForwardX11 yes: Use instead of the -X switch to allow forwarding of X applications to run on your local X server.
- ForwardAgent yes: Use instead of the -A switch to allow forwarding of the ssh-agent/ssh-add connection.
- Protocol 2: Use instead of -2 to ensure that only protocol 2 is used.
- GSSAPIAuthentication no: Use instead of -o GSSAPIAuthentication=no. This switch is used to provide Kerberos 5 authentication to ssh. Although the man pages say that GSSAPIAuthentication is off by default, continue reading to see if the distro maintainers note that it is turned on. This is the case with Debian and Fedora based distros.
I started using this switch when I noticed that ssh connections were taking a long time to set up, and I discovered that it was due to:
The default Fedora ssh_config file comes with GSSAPIAuthentication set to “yes”. This causes a DNS query in an attempt to resolve _kerberos. whenever ssh is invoked. During periods when connectivity to the outside world is interrupted for whatever reason, the ssh session won’t proceed until the DNS query times out. Not really a problem, just more of an annoyance when trying to ssh to another machine on the LAN.
So putting it all together a sample ~/.ssh/config file might look like this:
GSSAPIAuthentication no
ForwardAgent yes
EscapeChar none
ForwardX11 yes
Protocol 2

Host hometunnel
    User homeuser
    Hostname mymachine.dynamicdns.org
    LocalForward 8080 192.168.1.100:80
    Port 1234

Host home
    User homeuser
    Hostname mymachine.dynamicdns.org
    Port 1234

Host work
    User workuser
    Hostname mywork.mycompany.com
    IdentityFile ~/.ssh/work_id_dsa

Host isp
    User ispuser
    Hostname isp.example.com
    IdentityFile ~/.ssh/isp_id_dsa
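How ssh chooses a value when an option is set both at the top of the file and in a Host section, as an added example that is not part of the original post: ssh uses the first value it obtains for each option, so a top-of-file ForwardAgent yes cannot be switched off for one host further down, while the same defaults in a final Host * block can. The resolver is a simplified sketch (no Match, Include, quoting or Key=Value; glob matching approximated with fnmatch), and the ForwardAgent no line under work is an assumption added for the demonstration.

```python
import fnmatch

# Constructed sample based on the article's file; the per-host
# "ForwardAgent no" under "work" is an assumption added for the demo.
DEFAULTS = "ForwardAgent yes\nGSSAPIAuthentication no\n"
HOSTS = """\
Host hometunnel
  User homeuser
  Hostname mymachine.dynamicdns.org
  Port 1234
  LocalForward 8080 192.168.1.100:80
Host work
  User workuser
  Hostname mywork.mycompany.com
  ForwardAgent no
"""
GLOBAL_FIRST = DEFAULTS + HOSTS                # layout used in the article
DEFAULTS_LAST = HOSTS + "Host *\n" + DEFAULTS  # defaults in a final Host * block

REPEATABLE = {"localforward", "identityfile"}  # every occurrence is kept

def host_matches(patterns, alias):
    """A Host line matches if a pattern matches and no '!' pattern does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)

def resolve(config_text, alias):
    """Options ssh would use for `alias`: the first value obtained wins."""
    active, options = True, {}  # lines before any Host apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip()
        if key == "host":
            active = host_matches(value.split(), alias)
        elif active and key in REPEATABLE:
            options.setdefault(key, []).append(value)
        elif active:
            options.setdefault(key, value)  # later values are ignored
    return options

if __name__ == "__main__":
    for name, text in (("global first", GLOBAL_FIRST), ("defaults last", DEFAULTS_LAST)):
        print(name, "-> work ForwardAgent =", resolve(text, "work")["forwardagent"])
```

On a machine with OpenSSH installed, ssh -G followed by the alias prints the options ssh itself resolves for that host without connecting.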
Ken, thanks for posting this link into #oggcastplanet. I looked here because I have had trouble getting authentication keys working so I can auto-mount remote volumes in fstab with sshfs. While you don’t address that directly, I still found a wealth of info.
After creating a new ~/.ssh/config, you may get
“Bad owner or permissions on /home//.ssh/config”
when executing the ssh command. If so, try
chmod 0600 ~/.ssh/config
Didn’t take time to find out why it works, but it solved it for me.
Also, my seat-of-the-pants impression is that the reduction in the time spent waiting for the password prompt after setting “GSSAPIAuthentication no” is only realized if you set up host aliases as Ken has above and reference the alias in your ssh command.