=====================
OpenSSH Configuration
=====================

Client Configuration
====================

Configuration Locations
-----------------------

The OpenSSH client knows the following configuration locations:

* **System:** ``/etc/ssh/ssh_config``
* **Local:** ``~/.ssh/config``

System-wide Configuration
-------------------------

Use RSA for Host Keys only
~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa

Use DNS and SSHFP resource records for Host Key Verification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   VerifyHostKeyDNS ask

Local Configuration
-------------------

Use shared connections
~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   mkdir -p ~/.ssh/sockets

.. code-block:: bash

   Host *
       ControlMaster auto
       ControlPath ~/.ssh/sockets/%r@%h
       ControlPersist 30m

Fast reconnect on interrupted connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   Host *
       ServerAliveInterval 10
       ServerAliveCountMax 2

Use configured Identities only
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   Host *
       IdentitiesOnly yes

Use Host Keys without exception
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   Host *
       StrictHostKeyChecking yes

Use User Keys from subdirectory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   mkdir -p ~/.ssh/keys

.. code-block:: bash

   Host example.org
       Hostname example.org
       User john
       IdentityFile ~/.ssh/keys/john.doe@example.org

Use SSH Gateways
~~~~~~~~~~~~~~~~

.. code-block:: bash

   Host ssh-gateway.example.org
       Hostname ssh-gateway.example.org
       User john
       IdentityFile ~/.ssh/keys/john.doe@example.org

   Host intern.example.org
       Hostname intern.example.org
       User john
       ProxyJump ssh-gateway.example.org

Use Configuration File Includes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. note::

   This feature requires a patch that is included in Progress Linux but currently not in Debian.

.. code-block:: bash

   mkdir -p ~/.ssh/configs

.. code-block:: bash

   Include ~/.ssh/configs/example.org

OpenSSH Server
==============

Configuration Locations
-----------------------

The OpenSSH server knows the following configuration locations:

* **System:** ``/etc/ssh/sshd_config``

System-wide configuration
-------------------------

Use system-wide authorized_keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys

Use RSA for User Keys only
~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   PubkeyAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com,ssh-rsa

Do not use DSA and ECDSA Host Keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. note::

   openssh-server will recreate DSA, ECDSA, and ED25519 keys on upgrades on Debian systems (not on Progress Linux).

.. code-block:: bash

   sudo rm -f /etc/ssh/ssh_host_*dsa_key*
   sudo sed -i -e 's|^\(HostKey .*dsa_key$\)|#\1|' /etc/ssh/sshd_config

   sudo rm -f /etc/ssh/ssh_host_*ed25519_key*
   sudo sed -i -e 's|^\(HostKey .*ed25519_key$\)|#\1|' /etc/ssh/sshd_config

Disable Password Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   PasswordAuthentication no

Disable Root Login
~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   PermitRootLogin no

Disable Message of the Day
~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   PrintMotd no

Disable distribution-specified extra version suffix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   DebianBanner no

Reject user specified locales
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   AcceptEnv

Use Host Certificate
~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Use system-wide known_hosts
~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   cat > /etc/ssh/ssh_known_hosts << EOF
   @cert-authority *.example.org ssh-rsa [...]
   EOF

Log users with connecting fingerprint
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: bash

   LogLevel VERBOSE

.. code-block:: bash

   cat > /etc/rsyslog.d/openssh-server.conf << EOF
   :msg, regex, "Accepted publickey for .*" -/var/log/openssh-server.log
   :msg, regex, "Found matching .* key:" -/var/log/openssh-server.log
   EOF
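The server-side settings above can be checked mechanically. The following audit script is an added example, not part of the original guide or of OpenSSH itself; it reads an ``sshd_config`` the way sshd does (first value of a keyword wins, everything after the first ``Match`` is conditional) and reports deviations from the values recommended on this page. The sample configuration embedded in it is constructed for illustration.

```python
import re
# Values this guide recommends; an empty AcceptEnv value means "reject all".
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "printmotd": "no",
    "debianbanner": "no",
    "loglevel": "VERBOSE",
    "acceptenv": "",
    "pubkeyacceptedkeytypes": "ssh-rsa-cert-v01@openssh.com,ssh-rsa",
}
# Constructed sample input, not a real host's sshd_config.
SAMPLE_SSHD_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
AcceptEnv LANG LC_*
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Global section as {keyword: first value} plus HostKey list. sshd rules:
    case-insensitive keywords, first value wins, Match starts conditional part."""
    settings, hostkeys = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*[\s=]\s*", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        if key == "hostkey":
            hostkeys.append(value)
        else:
            settings.setdefault(key, value)  # first occurrence wins
    return {**settings, "hostkey": hostkeys}

def audit(text):
    """Return findings as strings; an empty list means the config complies."""
    cfg = parse_sshd_config(text)
    findings = [f"{k}: is {cfg.get(k)!r}, want {v!r}"
                for k, v in EXPECTED.items() if cfg.get(k) != v]
    for hk in cfg["hostkey"]:
        if re.search(r"(dsa|ed25519)_key$", hk):  # ecdsa, dsa and ed25519 files
            findings.append(f"hostkey: non-RSA host key still active: {hk}")
    return findings
```

Run it against ``/etc/ssh/sshd_config`` by passing the file contents to ``audit()``; a setting that is absent is reported as ``None`` because the compiled-in default then applies.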