You or your users have a collection of different keys for authenticating on different servers and accounts, and different ssh command options for each one. Typing all those long command strings is a bit tedious and error-prone. How do you make it easier and better?
Put individual configuration files for each server in ~/.ssh/, and select the one you want with the -F flag. This example uses the configuration file mailserver to set the connection options for the server jarlsberg.
[carla@windbag:~/.ssh]$ ssh -F mailserver jarlsberg
If you are logging in over the Internet, you'll need the fully qualified domain name of the server:
[carla@windbag:~/.ssh]$ ssh -F mailserver jarlsberg.carla.net
IP addresses work, too.
Using custom configuration files lets you manage a lot of different logins sanely. For example, ~/.ssh/mailserver contains these options:
IdentityFile ~/.ssh/id_mailserver
Port 2222
User mail_admin
It's easier and less error-prone to type ssh -F mailserver jarlsberg than ssh -i id_mailserver -p 2222 -l mail_admin jarlsberg.
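A check you could run over a per-server file like this one, as an added example that is not from the original text: it reports the User and Port the file sets and flags a config file that is writable by group or other, or an IdentityFile that is missing or accessible by anyone but its owner. The function names, the optional second argument (a stand-in home directory) and the throwaway demo directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a per-server ssh client config file (the kind selected with -F).
# Handles the "Keyword value" form used on this page; keywords are case-insensitive.
conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Permission string of $1, e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_ssh_conf FILE [HOME]: print findings, return 1 if there are any.
audit_ssh_conf() {
    conf=$1 home=${2:-$HOME} bad=0
    case "$(mode_of "$conf")" in
        ?????w????|????????w?)
            echo "$conf: config file is writable by group or other"; bad=1 ;;
    esac
    key=$(conf_get "$conf" IdentityFile)
    case "$key" in "~/"*) key=$home/${key#??} ;; esac   # expand a leading ~/
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "$conf: IdentityFile $key does not exist"; bad=1
    elif [ -n "$key" ]; then
        case "$(mode_of "$key")" in
            ????------) ;;   # owner-only access
            *) echo "$conf: private key $key is accessible by group or other"; bad=1 ;;
        esac
    fi
    echo "$conf: User=$(conf_get "$conf" User) Port=$(conf_get "$conf" Port)"
    return "$bad"
}

# Constructed demo: a throwaway home holding the mailserver file from the text.
# $1 = mode for the stand-in key file, $2 = mode for the config file.
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/.ssh"
    printf 'IdentityFile ~/.ssh/id_mailserver\nPort 2222\nUser mail_admin\n' > "$d/.ssh/mailserver"
    : > "$d/.ssh/id_mailserver"        # empty stand-in, not a real key
    chmod "$1" "$d/.ssh/id_mailserver"; chmod "$2" "$d/.ssh/mailserver"
    rc=0; audit_ssh_conf "$d/.ssh/mailserver" "$d" || rc=$?
    rm -rf "$d"; return "$rc"
}

demo_audit 644 600 || echo "findings reported above"
```

Against real files, call audit_ssh_conf ~/.ssh/mailserver once per configuration file.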
Don't forget to configure your firewall for your alternate SSH ports, and check /etc/services to find unused ports.
You may open up as many alternate ports as you want on a single OpenSSH server. Use netstat to keep an eye on activities:
# netstat -a --tcp -p | grep ssh
tcp6  0  0  *:2222  *:*  LISTEN  7329/sshd
tcp6  0  0  *:ssh   *:*  LISTEN  7329/sshd
tcp6  0  0  ::ffff:192.168.1.1:2222  windbag.localdoma:35474  ESTABLISHED  7334/sshd: carla
tcp6  0  0  ::ffff:192.168.1.11:ssh  windbag.localdoma:56374  ESTABLISHED  7352/sshd: carla
Remember, /etc/sshd_config controls the SSH daemon. /etc/ssh_config contains the global SSH client settings.
You may have any number of different SSH client configuration files in your ~/.ssh/ directory.
The SSH daemon follows this precedence:
Command-line options
User's configuration file ($HOME/.ssh/config)
System-wide configuration file (/etc/ssh/ssh_config)
User's configuration files will not override global security settings, which is fortunate for your sanity and your security policies.