Revision / Modified: Sep. 27, 2001 / July 14, 2000
Author: Tom Berger Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.
SSH III - Configuration
Summary:
- Configuring The Client
- Configuring The Server
Configuring The Client
OpenSSH knows three configuration levels: command line options, the user configuration file, and the system-wide configuration file ('/etc/ssh/ssh_config'). Options given on the command line prevail over configuration file options, and options given in the user's configuration file prevail over those in the system-wide configuration file. All command line options are available as configuration file options.
Since there is no user configuration file installed by default, copy and rename '/etc/ssh/ssh_config' to '~/.ssh/config' (or edit '/etc/ssh/ssh_config' in place as 'root'). The standard configuration file looks like this:

    {lots of explanations and possible options listed}
    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no

{Available options are explained in 'man ssh', chapter CONFIGURATION FILES}
The configuration file is read sequentially and, for each option, the first setting found in a block whose pattern matches 'wins'. That is why host-specific blocks go before the catch-all 'Host *' block.
Let's say you have an account at www.foobar.com and your account name is 'bilbo'. Furthermore you want to use the 'ssh-agent' - 'ssh-add' combo (discussed on the previous page) as well as data compression to speed up transfers. And since you are too lazy to type the full hostname every time, you want to use 'fbc' as an abbreviation for 'www.foobar.com'.
Your configuration file should then look like this:

    Host *fbc
        HostName www.foobar.com
        User bilbo
        ForwardAgent yes
        Compression yes

    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no

Next time you enter 'ssh fbc', SSH will look up the full hostname, use your user name to log in and authenticate using the key managed by the 'ssh-agent'. It can't get much easier than that, can it? ;)
SSH connections to all other hosts will still use the 'paranoid' default settings. The hosts you have configured explicitly also keep every paranoid setting that hasn't been turned off in their own configuration or on the command line.
In the example above, an SSH connection to www.foobar.com will have these options set to 'yes': 'ForwardAgent' and 'Compression'. These options, however, will still be set to 'no' unless overridden by command line arguments: 'ForwardX11' and 'FallBackToRsh'. Further options you might want to have a look at include:
CheckHostIP yes
This option performs an additional IP address check on the remote host to prevent DNS spoofing.
CompressionLevel
The compression level ranges from '1' (fast) to '9' (best). Default is '6'.
ForwardX11 yes
You will need this option to run remote X applications locally.
LogLevel DEBUG
This option comes in handy when you've got trouble with your SSH connection. The default setting is INFO.
Note that OpenSSH does not have different configuration files for SSH 1.x and 2.x.
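The lookup order described in this section can be checked with a small resolver. This is an added example, not part of the original page or of OpenSSH: `parse_blocks`, `effective` and `REORDERED` are hypothetical names, and the sketch assumes only 'Host' blocks with '*' and '?' patterns (no Match, Include, negated patterns or 'keyword=value' syntax). Patterns are matched against the name typed on the command line, so 'www.foobar.com' typed in full does not match 'Host *fbc'.

```python
import fnmatch

# Constructed sample: the example configuration from the text above.
CONFIG = """\
Host *fbc
    HostName www.foobar.com
    User bilbo
    ForwardAgent yes
    Compression yes

# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
"""
# Same two blocks with 'Host *' moved to the top, to show why order matters.
_specific, _defaults = CONFIG.split("\n\n")
REORDERED = _defaults + _specific + "\n"

def parse_blocks(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order."""
    blocks = [(["*"], [])]          # options before any Host line apply to all
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks

def effective(text, host, cli=None):
    """Options ssh would use for `host` as typed; `cli` models -o overrides."""
    result = {k.lower(): v for k, v in (cli or {}).items()}
    for patterns, options in parse_blocks(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for keyword, value in options:
                result.setdefault(keyword, value)   # first value obtained wins
    return result

if __name__ == "__main__":
    for name in ("fbc", "www.foobar.com", "example.org"):
        print(name, effective(CONFIG, name))
    print("reordered fbc:", effective(REORDERED, "fbc"))
    print("fbc with -o ForwardX11=yes:", effective(CONFIG, "fbc", {"ForwardX11": "yes"}))
```

With 'Host *' placed first, 'ssh fbc' still picks up the user name and host name but agent forwarding stays off, because 'ForwardAgent no' is read before the host-specific 'yes'.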
Configuring The Server
SSH server configuration is done via the file '/etc/ssh/sshd_config'. The options are explained in the file itself and in 'man sshd'. Among the default options you might want to have a look at are:
PermitRootLogin yes
A preferable option might be 'PermitRootLogin without-password', which disables 'root' logins from machines without a matching key pair. Setting this option to 'no' disables 'root' logins completely and you have to use 'su' from a user account.
X11Forwarding no
Change this option to 'yes' to allow your users to run X apps on your machine. Furthermore, disabling this option doesn't improve your server's security since "users can always install their own forwarders" ('man sshd').
PasswordAuthentication yes
Setting this option to 'no' will only allow SSH logins using the key mechanism. This might annoy users who are logging in from different machines frequently but is a boost to server security (password-based authentication schemes are weak).
# Subsystem /usr/local/sbin/sftpd
Removing the leading hash (#) and changing the path to '/usr/bin/sftpserv' will allow your users to use 'sftp', an SSH tunneled version of FTP ('sftpserv' is part of the sftp package). Given the familiarity of many users with FTP and the somewhat cumbersome handling of 'scp', this might be a worthwhile thing to provide. Moreover, the popular graphical 'gftp' program supports transfers via 'sftp' since version 2.0.7 (which makes up for the missing features in pure 'sftp').
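A check for the server options discussed above, as an added example that is not part of the original page: `read_settings`, `audit` and the sample files are hypothetical and constructed here. sshd, like the client, uses the first value it obtains for a keyword, so the audit also reports a hardening line appended below an earlier, weaker one; 'Match' blocks are out of scope.

```python
# Values this page treats as weak, with the alternative it suggests.
WEAK_VALUES = {
    ("permitrootlogin", "yes"): "use 'without-password' or 'no'",
    ("passwordauthentication", "yes"): "use 'no' to allow key-based logins only",
}
# Defaults as shown on this page; other sshd versions may ship different ones.
PAGE_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
                 "x11forwarding": "no"}

# Constructed sample: hardening appended at the end of an untouched file.
APPENDED_FIX = """\
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# appended later, but the lines above are read first
PasswordAuthentication no
"""
# Constructed sample: the weak lines themselves were edited.
HARDENED = """\
PermitRootLogin without-password
PasswordAuthentication no
"""

def read_settings(text):
    """Return (effective, shadowed) for the keywords in PAGE_DEFAULTS."""
    effective, shadowed = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break                       # conditional blocks are out of scope
        if keyword not in PAGE_DEFAULTS:
            continue                    # e.g. Port or HostKey may repeat
        if keyword in effective:
            shadowed.append((number, keyword, value))   # later line is ignored
        else:
            effective[keyword] = value
    return effective, shadowed

def audit(text):
    """List weak effective values and lines that never take effect."""
    effective, shadowed = read_settings(text)
    settings = {**PAGE_DEFAULTS, **effective}
    findings = [f"{k} {v}: {hint}" for (k, v), hint in WEAK_VALUES.items()
                if settings[k] == v]
    findings += [f"line {n}: '{k} {v}' has no effect, an earlier {k} line wins"
                 for n, k, v in shadowed]
    return findings
```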
Related Resources:
- Ssh FAQ
- Getting started with SSH
- man ssh
- man sshd
Version 1.4 last modified by esfa on 30/06/2004 at 09:51