
SSH III - Configuration

Summary:

  • Configuring The Client
  • Configuring The Server

Configuring The Client

OpenSSH knows three configuration levels: command line options, the user configuration file ('~/.ssh/config'), and the system-wide configuration file ('/etc/ssh/ssh_config'). Options given on the command line prevail over configuration file options, and options in the user's configuration file prevail over those in the system-wide file. All command line options are also available as configuration file options.
Since no user configuration file is installed by default, copy '/etc/ssh/ssh_config' to '~/.ssh/config' (or edit '/etc/ssh/ssh_config' in place as 'root').

The standard configuration file looks like this:

    {lots of explanations and possible options listed}
    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no

{Available options are explained in 'man ssh', chapter CONFIGURATION FILES}

The configuration file is read sequentially: for each option, the first value found in a section whose 'Host' pattern matches 'wins', and later values are ignored.
Let's say you have an account at www.foobar.com and your account name is 'bilbo'. Furthermore you want to use the 'ssh-agent' - 'ssh-add' combo (discussed on the previous page) as well as data compression to speed up transfers. And since you are too lazy to type the full hostname every time, you want to use 'fbc' as an abbreviation for 'www.foobar.com'.
Your configuration file should then look like this:

    Host *fbc
        HostName www.foobar.com
        User bilbo
        ForwardAgent yes
        Compression yes
    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no

Next time you enter 'ssh fbc', SSH will look up the full hostname, log in with your user name, and authenticate using the key managed by the 'ssh-agent'. It can't get much easier than that, can it? ;)

SSH connections to all other hosts will still use the 'paranoid' default settings; the configured accounts get only those paranoid settings which haven't been explicitly turned off in their own section or on the command line.
In the example above, an SSH connection to www.foobar.com will have 'ForwardAgent' and 'Compression' set to 'yes', while 'ForwardX11' and 'FallBackToRsh' remain 'no' unless overridden by command line arguments.
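To see the first-match rule in action, here is a small resolver (an added example, not code from the original page or from OpenSSH) that applies a constructed client configuration the way 'ssh' does, and also shows what goes wrong when the 'Host *' defaults are placed before the host-specific section:

```python
import fnmatch

# Constructed client configuration modelled on the example above:
# a host-specific section first, the paranoid defaults last.
CLIENT_CONFIG = """\
Host fbc
    HostName www.foobar.com
    User bilbo
    ForwardAgent yes
    Compression yes
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
"""

# Same sections in the wrong order: the defaults now shadow the fbc settings.
WRONG_ORDER = """\
Host *
    ForwardAgent no
    ForwardX11 no
Host fbc
    HostName www.foobar.com
    ForwardAgent yes
"""

def resolve(config_text, host):
    """Return the options ssh would apply when invoked as 'ssh <host>'.

    Mirrors OpenSSH's rule: the file is read top to bottom, and for each
    keyword the first value found in a section whose Host pattern matches
    is kept; later values for that keyword are ignored.  (Simplified: the
    'Key=Value' spelling, negated patterns and Match blocks are not handled.)
    """
    options = {}
    active = True  # lines before the first Host keyword apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            # A Host line may list several patterns; any match activates it.
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            options.setdefault(key, value)  # first value wins
    return options
```

With WRONG_ORDER, 'ssh fbc' still gets the HostName but ForwardAgent stays 'no', because the 'Host *' section already supplied a value for it.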

Further options you might want to have a look at include:

  • CheckHostIP yes

    This option additionally checks the remote host's IP address to help detect DNS spoofing.
  • CompressionLevel

    The compression level ranges from '1' (fast) to '9' (best). Default is '6'.
  • ForwardX11 yes

    You will need this option to run remote X applications locally.
  • LogLevel DEBUG

    This option comes in handy when you've got trouble with your SSH connection. The default setting is INFO.

Configuring The Server

SSH server configuration is done via the file '/etc/ssh/sshd_config'; options are explained in the file itself and in 'man sshd'. Note that OpenSSH does not have separate configuration files for SSH 1.x and 2.x.

Among the default options you might want to have a look at are:

  • PermitRootLogin yes

    A preferable setting is 'PermitRootLogin without-password', which disables 'root' logins from machines without a matching key pair. Setting this option to 'no' disables 'root' logins completely; you then have to use 'su' from a user account.
  • X11Forwarding no

    Change this option to 'yes' to allow your users to run X apps on your machine. Furthermore, disabling this option doesn't improve your server's security since "users can always install their own forwarders" ('man sshd').
  • PasswordAuthentication yes

    Setting this option to 'no' only allows SSH logins using the key mechanism. This might annoy users who frequently log in from different machines, but it is a boost to server security (password-based authentication schemes are weak).
  • # Subsystem /usr/local/sbin/sftpd

    Removing the leading hash (#) and changing the path to '/usr/bin/sftpserv' allows your users to use 'sftp', an SSH-tunneled version of FTP ('sftpserv' is part of the sftp package). Given the familiarity of many users with FTP and the somewhat cumbersome handling of 'scp', this might be a worthwhile thing to provide. Moreover, the popular graphical 'gftp' program supports transfers via 'sftp' since version 2.0.7 (which makes up for the missing features in pure 'sftp').
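As an added example (not from the original page or from OpenSSH), a small audit script that reads a constructed 'sshd_config', reports the weak settings discussed above, and flags repeated directives: 'sshd', like 'ssh', keeps the first value it reads for a keyword and silently ignores later ones, so a hardening line appended at the end of the file may never take effect.

```python
# Constructed sshd_config excerpt: the defaults discussed above, plus a
# hardening line appended at the end of the file by a well-meaning admin.
SERVER_CONFIG = """\
PermitRootLogin yes
X11Forwarding no
PasswordAuthentication yes
#Subsystem /usr/local/sbin/sftpd
PasswordAuthentication no
"""

# Recommended values from the list above; any other value is flagged.
WANTED = {
    "permitrootlogin": ("without-password", "no"),
    "passwordauthentication": ("no",),
}

def parse_sshd_config(config_text):
    """Return (effective, ignored): sshd keeps the first value per keyword,
    so `effective` maps keyword -> first value and `ignored` lists later
    repeats as (line number, keyword, value) that never take effect."""
    effective, ignored = {}, []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directive
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in effective:
            ignored.append((lineno, key, value))
        else:
            effective[key] = value
    return effective, ignored

def audit(config_text):
    """List weak values for the keywords in WANTED plus ignored repeats."""
    effective, ignored = parse_sshd_config(config_text)
    findings = []
    for key, good in WANTED.items():
        value = effective.get(key, "yes")  # both keywords default to yes
        if value not in good:
            findings.append(f"{key} is '{value}', want one of {good}")
    for lineno, key, value in ignored:
        findings.append(f"line {lineno}: {key} {value} ignored, "
                        f"first value '{effective[key]}' wins")
    return findings
```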

Now that you've got it working right, check out the next item: how to copy files using SSH.


Related Resources:

Ssh FAQ
Getting started with SSH

'man ssh', 'man sshd'

Revision / Modified: Sep. 27, 2001 / July 14, 2000
Author: Tom Berger

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.

Version 1.4 last modified by esfa on 30/06/2004 at 09:51


Creator: AdminWiki on 2004/03/22 09:45
(c) Mandriva 2007