HPR ep0386 :: SSH config file

This episode spawned from some feedback I sent to klatuu from The Bad Apples podcast. I’ve been using my .ssh/config to simplify long or commonly used ssh commands.

Say you want to login to your home machine (mymachine.dynamicdns.org) as user homeuser that’s listening on a non standard port of 1234.

ssh -p 1234 homeuser@mymachine.dynamicdns.org

You can shorten this to

ssh home

by adding the following to your .ssh/config file

Host home
	User homeuser
	Hostname mymachine.dynamicdns.org
        Port 1234

Probably not worth setting up if you’re not going to be using it often but if you start doing a lot of port forwarding then your command line can quickly get unwieldy.

ssh -p 1234 -L 8080:localhost:80 \
homeuser@mymachine.dynamicdns.org

Just add the line below to the section to achieve the same result.

	LocalForward 8080 192.168.1.100:80

The nice thing is that you can add lots of LocalForward lines for a particular host. Another trick I use is to have different public/private key files for each group of server that I use. Normally you would use the -i switch

ssh -i ~/.ssh/work_id_dsa.pub homeuser@mymachine.dynamicdns.org

Just add the line below to the section to achieve the same result.

        IdentityFile ~/.ssh/work_id_dsa.pub

You can commands per host by placing them in the Host section or for all the hosts by placing them at the top of the file. Some common ones that I use are

  • ForwardX11 yes Use instead of using the -X switch to allow forwarding of X applications to run on your local X server.
  • ForwardAgent yes Use instead of using the -A switch to allow forwarding of the ssh-agent/ssh-add
  • Protocol 2 Use instead of -2 to ensure that only protocal 2 is used.
  • GSSAPIAuthentication no Use instead of -o GSSAPIAuthentication=no. This switch is used to provide Kerberos 5 authentication to ssh. Although the man pages say that GSSAPIAuthentication is off continue reading to see if the distro maintainers note that it is turned on. This is the case with Debian and Fedora based distros.

I started using this switch when I noticed that ssh connections were taking a long time to setup and I discovered that it was due to:
The default Fedora ssh_config file comes with GSSAPIAuthentication set to “yes”. This causes a DNS query in an attempt to resolve _kerberos. whenever ssh is invoked. During periods when connectivity to the outside world is interrupted for whatever reason, the ssh session won’t proceed until the DNS query times out. Not really a problem, just more of an annoyance when trying to ssh to another machine on the LAN.

So putting it all together a sample ~/.ssh/config file might look like this:

GSSAPIAuthentication no
ForwardAgent yes
EscapeChar none
ForwardX11 yes
Protocol 2

Host hometunnel
    User homeuser
    Hostname mymachine.dynamicdns.org
    LocalForward 8080 192.168.1.100:80
    Port 1234

Host home
    User homeuser
    Hostname mymachine.dynamicdns.org
    Port 1234

Host work
    User workuser
    Hostname mywork.mycompany.com
    IdentityFile ~/.ssh/work_id_dsa.pub

Host isp
    User ispuser
    Hostname isp.example.com
    IdentityFile ~/.ssh/isp_id_dsa.pub
This entry was posted in Podcasts and tagged , , , . Bookmark the permalink.

2 Responses to HPR ep0386 :: SSH config file

  1. Ken, thanks for posting this link into #oggcastplanet. I looked here because I have had trouble getting authentication keys working so I can auto-mount remote volumes in fstab with sshfs. While you don’t address that directly, I still found a wealth of info.

  2. After creating a new ~/.ssh/config, you may get
    “Bad owner or permissions on /home//.ssh/config”
    when executing the ssh command. If so, try
    chmod 0600 ~/.ssh/config
    Didn’t take time to find out why it works, but it solved it for me.

    Also, my seat of the pants impression is that the reduction in the time spent waiting for the password prompt after setting “GSSAPIAuthentication no” are only realized if you set up host aliases as Ken has above and reference the alias in your ssh command.

Leave a Reply

Your email address will not be published.