106 lines
3.5 KiB
Markdown
106 lines
3.5 KiB
Markdown
# SSH Client Configuration
|
|
|
|
Here you find suggestions and best practices for a SSH client configuration file `~/.ssh/config`.
|
|
The assumption is that you are working at the PSI campus or are connected over VPN using `AnyConnect` or `openconnect`.
|
|
|
|
A good SSH config is a rather personal thing. First there are useful defaults, then starting points for common use cases.
|
|
The last chapter contains the details and explanations useful for a even more streamlined configuration.
|
|
|
|
## TLDR; common defaults
|
|
```
|
|
# useful defaults
|
|
ControlPersist 3h
|
|
ControlPath ~/.ssh/controlmasters/%r@%h:%p
|
|
HashKnownHosts no
|
|
AddKeysToAgent yes
|
|
ServerAliveInterval 300
|
|
ServerAliveCountMax 2
|
|
```
|
|
These are suitable everywhere.
|
|
|
|
## TLDR; I work on a beamline
|
|
```
|
|
# beamline x09lb
|
|
Host x09lb-* !x09lb-gw*
|
|
ProxyJump x09lb-gw.psi.ch
|
|
GSSAPIDelegateCredentials yes
|
|
ForwardAgent yes
|
|
ForwardX11Trusted yes
|
|
ControlMaster auto
|
|
```
|
|
Add all the machines of your beamline (`*` and `?` wildcards allowed) at the host selection line and exclude the gateway at the end. Then update at "ProxyJump" the gateway accordingly.
|
|
|
|
## TLDR; I run a few servers
|
|
|
|
```
|
|
Host wmgt0*
|
|
ControlMaster auto
|
|
|
|
# my trusted machines I usually connect as root
|
|
Host lx-*
|
|
User root
|
|
ProxyJump wmgt02.psi.ch
|
|
GSSAPIDelegateCredentials yes
|
|
ForwardAgent yes
|
|
ControlMaster auto
|
|
```
|
|
|
|
## TLDR; I connect to all over the PSI
|
|
```
|
|
Host wmgt0*
|
|
ControlMaster auto
|
|
GSSAPIDelegateCredentials no
|
|
ForwardAgent no
|
|
|
|
# gateways
|
|
Host *-gw* cptgate* ucsgw*
|
|
ProxyJump wmgt02.psi.ch
|
|
|
|
# beamlines
|
|
Host x09lb-* !x09lb-gw*
|
|
ProxyJump x09lb-gw
|
|
|
|
# more of them...
|
|
|
|
# default fallback Jumphost
|
|
Host pc* mpc* vpc* vmpc*
|
|
ProxyJump wmgt02.psi.ch
|
|
|
|
# do trusted connecion by using FQDN (needed for AFS access, etc.)
|
|
Host *.psi.ch
|
|
GSSAPIDelegateCredentials yes
|
|
ForwardAgent yes
|
|
|
|
```
|
|
|
|
Here we by default do not trust the machines we connect to, e.g. we do not delegate the Kerberos TGT, do not forward the SSH agent and do not do X forwarding, stuff which could be abused when the destination machine is compromised or run by an hostile admin.
|
|
Features requiring trust are selected on a case by case basis when needed (e.g. for AFS) by using their FQDN instead of just the short name.
|
|
|
|
Alternatively you might use
|
|
- `ssh -K` for `GSSAPIDelegateCredentials yes` (Kerberos TGT delegation)
|
|
- `ssh -A` for `ForwardAgent yes`
|
|
- `ssh -X` for `ForwardX11 yes`
|
|
- `ssh -Y` for `ForwardX11Trusted yes`
|
|
|
|
But note that for tools like scp or rsync these options are difficult to pass in.
|
|
|
|
If you have trusted servers and/or beamlines, just include for them the according parts of the previous chapters.
|
|
|
|
## Glory Details
|
|
|
|
The full feature set you get at [`ssh_config(5)`](https://man.openbsd.org/ssh_config).
|
|
|
|
|
|
### Multiplexing Master Connection
|
|
|
|
The master connection (`ControlMaster auto`) multiplexes several connections over the first connection. This means that the connection setup and authentication step is only done once and so you get a single-signon behaviour (especially useful for `wmgt01` and `wmgt02`) and a faster connection setup for subsequent connections. The `ControlPersist` setting defines for how long the master connection will stay after the last user connection has been closed.
|
|
|
|
|
|
### Stale Connection Detection
|
|
A stale connection will be closed after 10 minutes with the suggested default settings:
|
|
```
|
|
ServerAliveInterval 300
|
|
ServerAliveCountMax 2
|
|
```
|
|
When there is no traffic it will send an alive message every 5 minutes and when two of them did not get a response it closes the connection.
|