SSH configuration file (~/.ssh/config) is an important tool for managing SSH connections, which can simplify connection commands, improve work efficiency, and enhance security. Proper configuration can significantly improve the convenience of server management.
Configuration File Locations
- User-level configuration:
~/.ssh/config - System-level configuration:
/etc/ssh/ssh_config - Server configuration:
/etc/ssh/sshd_config
Common Configuration Options
Basic Connection Configuration
bash# ~/.ssh/config Host production HostName prod.example.com User deploy Port 2222 IdentityFile ~/.ssh/id_rsa_prod Host staging HostName staging.example.com User deploy IdentityFile ~/.ssh/id_rsa_staging # Use wildcards to configure multiple servers Host *.internal User admin IdentityFile ~/.ssh/id_rsa_internal StrictHostKeyChecking no
Advanced Connection Options
bashHost jump-server HostName jump.example.com User jumpuser # Connection timeout settings ConnectTimeout 10 # Keep connection alive ServerAliveInterval 60 ServerAliveCountMax 3 # Compress transmission Compression yes # Use specific key IdentityFile ~/.ssh/id_rsa_jump
Proxy Jump Configuration
bash# Connect to internal servers through jump server Host internal-db HostName db.internal User dbuser ProxyJump jump-server Host internal-app HostName app.internal User appuser ProxyJump jump-server
Server Security Configuration (sshd_config)
Basic Security Settings
bash# /etc/ssh/sshd_config # Disable root login PermitRootLogin no # Disable password authentication PasswordAuthentication no # Only allow specific users AllowUsers user1 user2 # Disable empty passwords PermitEmptyPasswords no # Limit maximum authentication attempts MaxAuthTries 3 # Login timeout LoginGraceTime 60
Network Security Settings
bash# Change default port Port 2222 # Only listen on specific address ListenAddress 192.168.1.100 # Disable port forwarding AllowTcpForwarding no GatewayPorts no # Disable X11 forwarding X11Forwarding no
Performance Optimization Settings
bash# Use faster encryption algorithms Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com # Use faster key exchange algorithms KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 # Use faster MAC algorithms MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com # Enable compression Compression yes
Logging and Auditing
bash# Verbose logging LogLevel VERBOSE # Log login information SyslogFacility AUTHPRIV # Enable PAM UsePAM yes
Configuration File Best Practices
1. File Permission Management
bash# Set correct file permissions chmod 700 ~/.ssh chmod 600 ~/.ssh/config chmod 600 ~/.ssh/id_rsa chmod 644 ~/.ssh/id_rsa.pub
2. Use Host Aliases
bash# Simplify connection commands Host prod HostName production-server.example.com User deploy IdentityFile ~/.ssh/production_key # Use: ssh prod instead of: ssh deploy@production-server.example.com -i ~/.ssh/production_key
3. Environment-Specific Configuration
bash# Development environment Host dev-* User developer ForwardAgent yes # Production environment Host prod-* User deploy ForwardAgent no StrictHostKeyChecking yes
4. Multi-Factor Authentication
bashHost critical-server HostName critical.example.com User admin # Use multiple authentication methods AuthenticationMethods publickey,keyboard-interactive
Configuration Verification and Testing
Test Configuration Syntax
bash# Test user configuration ssh -F ~/.ssh/config -T hostname # Test server configuration sudo sshd -t
Debug Connection Issues
bash# Verbose debug information ssh -vvv user@hostname # Use specific configuration file ssh -F /path/to/config user@hostname
Security Hardening Recommendations
- Regular Updates: Keep SSH software up to date
- Key Management: Regularly rotate SSH keys
- Access Control: Use firewalls to restrict SSH access
- Monitor Logs: Regularly review SSH login logs
- Disable Insecure Features: Turn off unnecessary SSH features
Proper SSH configuration can significantly improve server management efficiency and security, making it an essential skill for every system administrator.