Here is a set of SSH client configurations I usually use and find useful.

The SSH client configuration is stored in

~/.ssh/config

When a NAT router sits between the client and the server, it drops idle TCP connections after a long period of inactivity (about 10 minutes for my router). To prevent the router from closing the connection, I keep it alive with these options in the config file (the client sends a probe through the encrypted channel every 290 seconds, well under the router's timeout, and disconnects after 2 unanswered probes):

Host *
    ServerAliveInterval 290
    ServerAliveCountMax 2

I generate my identity keys like this:

ssh-keygen -t rsa -b 4096
# or
ssh-keygen -t ed25519
# write the key pair to a chosen file name instead of the default ~/.ssh/id_ed25519
ssh-keygen -t ed25519 -f filename

A passphrase (password) can be set on the key to protect it. The passphrase is asked for at each new connection unless the key is loaded into ssh-agent (more about ssh-agent below). The public key has to be appended to ~/.ssh/authorized_keys on the server, and the client then uses the private key to authenticate instead of a password:

ssh -i ~/.ssh/id_rsa myuser@example.com

It is possible to replace this command line with something shorter:

ssh server

In order to do that, add a configuration in ~/.ssh/config:

host server
        HostName example.com
        IdentityFile ~/.ssh/id_rsa
        Port 22
        User myuser

With SSH, one can hop through a server to reach a machine that is not reachable from the public internet.

Client -> host1 Server on Internet -> host2 Server in LAN

Without any configuration, it is done like this:

ssh -J myuser@server auser@host2

It is configured like this in ~/.ssh/config:

host insideServer
        Hostname host2
        User auser
        IdentityFile ~/.ssh/id_rsa_InsideServer
        ProxyCommand ssh server -W %h:%p

Multiple jump hosts can be chained to reach a destination. All the identity files (the private keys) have to be on the client machine: the jump host only forwards the TCP connection, so the keys never leave the client.

Sometimes I want to connect to a host that is not reachable from the public internet and there is no jump host; then I use a reverse tunnel like this:

# On the machine that is not reachable from the internet: connect out to example.com and
# ask it to listen on port 19999 and forward that port back to this machine's sshd on port 22
# (-C compresses the traffic)
ssh -i ~/.ssh/id_rsa -R 19999:localhost:22 -C user@example.com
# By default the forwarded port binds to the loopback interface of example.com only,
# so it can only be reached from a shell on example.com itself.
# On example.com, connect to port 19999:
ssh userOnServer@localhost -p 19999

I use ssh-agent to load passphrase-protected keys; the passphrase is asked for only once, when the key is loaded:

eval $(ssh-agent)
# add a key (the passphrase is prompted once here)
ssh-add ~/.ssh/id_rsa

The ssh-rsa signature algorithm (RSA signatures using SHA-1) has been disabled by default since OpenSSH 8.8 (2021-09-26), so old ssh clients that only offer ssh-rsa can't connect to newer ssh servers, and newer clients can't connect to older servers that only offer it. One solution is to upgrade the old client or server to a newer version; another is to accept the legacy ssh-rsa algorithm, for the host key and for public key authentication, only for the machine with the old ssh server, so that the weaker algorithm stays disabled for every other host.

Set the configuration for the old server in ~/.ssh/config like this:

host oldserver
        HostName example.com
        IdentityFile ~/.ssh/id_rsa
        Port 22
        User myuser
        PubkeyAcceptedAlgorithms +ssh-rsa
        HostkeyAlgorithms +ssh-rsa
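To see how ssh combines the blocks above (the `Host *` defaults, `server`, `insideServer` and `oldserver`) into the settings used for one connection, here is a small resolver written for this page; it is an added example, not code from the original post or from OpenSSH. It reproduces the ssh_config rules that matter here: Host patterns accept `*`, `?` and a leading `!` for negation and are matched case-insensitively, the first value obtained for an option wins, and IdentityFile entries accumulate instead of replacing each other. The SAMPLE_CONFIG is a constructed copy of the blocks in this post; Match blocks and the other multi-valued keywords are deliberately not modelled.

```python
"""Resolve the effective ~/.ssh/config options for a host the way ssh does.

Added example (not from the original post). Models: case-insensitive Host
patterns with * ? and !negation, first-obtained-value-wins, accumulating
IdentityFile, and %h/%p/%r token expansion in ProxyCommand. Match blocks
and other multi-valued keywords are not modelled (assumption/simplification).
"""
import fnmatch
import re

# Constructed sample: the config blocks from this post, merged into one file.
SAMPLE_CONFIG = """\
Host *
    ServerAliveInterval 290
    ServerAliveCountMax 2

host server
    HostName example.com
    IdentityFile ~/.ssh/id_rsa
    Port 22
    User myuser

host insideServer
    Hostname host2
    User auser
    IdentityFile ~/.ssh/id_rsa_InsideServer
    ProxyCommand ssh server -W %h:%p

host oldserver
    HostName example.com
    IdentityFile ~/.ssh/id_rsa
    Port 22
    User myuser
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
"""

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by ssh.
LINE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")
MULTI_VALUED = {"identityfile"}  # values accumulate instead of first-wins


def parse_config(text):
    """Split the file into (host_patterns, [(keyword, value), ...]) blocks.
    Options before the first Host line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()  # keywords are case-insensitive
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns, host):
    """A host matches a block if some pattern matches and no negated pattern does.
    fnmatch gives us the * and ? wildcards ssh supports (it also accepts [..] classes,
    which ssh does not; harmless for config files written by hand)."""
    host = host.lower()
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(host, pat.lstrip("!").lower()):
            if negate:
                return False
            matched = True
    return matched


def expand_tokens(value, opts):
    """Expand the %h, %p, %r and %% tokens ssh substitutes in ProxyCommand."""
    tokens = {"%h": opts["hostname"], "%p": opts["port"],
              "%r": opts.get("user", ""), "%%": "%"}
    return re.sub(r"%[hpr%]", lambda m: tokens[m.group(0)], value)


def resolve(text, host):
    """Return the effective options for `host` as a dict keyed by lowercase keyword."""
    opts = {}
    for patterns, entries in parse_config(text):
        if not host_matches(patterns, host):
            continue
        for key, value in entries:
            if key in MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            elif key not in opts:  # first obtained value wins; later blocks cannot override
                opts[key] = value
    opts.setdefault("hostname", host)  # no HostName: connect to the name given
    opts.setdefault("port", "22")
    if "proxycommand" in opts:
        opts["proxycommand"] = expand_tokens(opts["proxycommand"], opts)
    return opts


if __name__ == "__main__":
    for name in ("server", "insideServer", "oldserver", "unknown.example.org"):
        print(f"ssh {name} ->")
        for key, value in sorted(resolve(SAMPLE_CONFIG, name).items()):
            print(f"  {key} {value}")
```

Running it prints the settings each alias ends up with; on a real system the authoritative check is `ssh -G insideServer`, which prints the configuration ssh will actually use after evaluating its Host and Match blocks. Two things the model makes visible: the `+ssh-rsa` lines only reach the connection to `oldserver`, every other host keeps the default algorithm lists; and because the first value obtained wins, a `Host *` block placed at the top must only contain options you want to apply everywhere, since a later, more specific block cannot override them.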

When I can't upgrade or change the configuration, I set up an FTP server, see: How to transfer files between devices

or I use a third machine:

  • Machine A has an old SSH server
  • Machine B has Debian Bullseye, which can connect both to the old machine A and to the new machine C with Debian Bookworm
  • Machine C has Debian Bookworm; machine C cannot connect to machine A. The error is: "Unable to negotiate with 192.168.1.2 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss"

I copy the files from A to C through B with pipes and tar (or cat for a single file):

# Run from C
# Copy a single file from A to C:
ssh B 'ssh A "cat file"' > file
# Copy multiple files from A to C; the data is compressed with bzip2 while it crosses the network:
ssh B 'ssh A "/bin/tar cj file1 dir2 file3"' | tar xj

It is possible to store SSH keys in a TPM 2.0; I haven't tried it yet:
=> https://jade.fyi/blog/tpm-ssh/
=> https://blog.ledger.com/ssh-with-tpm/

Related articles:
  • How to tunnel firefox through ssh
  • Zfs commands
  • SSH clients in ios
  • How to transfer files between devices
  • Using tor

Tag: #ssh