OpenSSH Configuration¶

Client Configuration¶

Configuration Locations¶

OpenSSH Client knows the following configurations locations:

System: /etc/ssh/ssh_config
Local: ~/.ssh/config

System-wide Configuration¶

Use RSA for Host Keys only¶

HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa

Use DNS and SSHFP ressource records for Host Key Verification¶

VerifyHostKeyDNS ask

Local Configuration¶

Use shared connections¶

mkdir -p ~/.ssh/sockets

Host *
     ControlMaster auto
     ControlPath ~/.ssh/sockets/%r@%h
     ControlPersist 30m

Fast reconnect on interrupted connections¶

Host *
     ServerAliveInterval 10
     ServerAliveCountMax 2

Use configured Identities only¶

Host *
     IdentitiesOnly yes

Use Host Keys without exception¶

Host *
     StrictHostKeyChecking yes

Use User Keys from subdirectory¶

mkdir -p ~/.ssh/keys

Host example.org
     Hostname example.org
     User john
     IdentityFile ~/.ssh/keys/john.doe@example.org

Use SSH Gateways¶

Host ssh-gateway.example.org
     Hostname ssh-gateway.example.org
     User john
     IdentityFile ~/.ssh/keys/john.doe@example.org

Host intern.example.org
     Hostname intern.example.org
     User john
     ProxyJump ssh-gateway.example.org

Use Configuration File Includes¶

Note

This feature requires a patch included in Progress Linux but currently not included in Debian.

mkdir -p ~/.ssh/configs

Include ~/.ssh/configs/example.org

OpenSSH Server¶

Configuration Locations¶

OpenSSH Server knows the following configurations locations:

System: /etc/ssh/sshd_config

System-wide configuration¶

Use system-wide authorized_keys¶

AuthorizedKeysFile /etc/ssh/authorized_keys/%u %h/.ssh/authorized_keys

Use RSA for User Keys only¶

PubkeyAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com,ssh-rsa

Do not use DSA and ECDSA Host Keys¶

Note

openssh-server will recreate DSA, ECDSA, and ED25519 keys on upgrades on Debian systems (not on Progress Linux).

sudo rm -f /etc/ssh/ssh_host_*dsa_key*
sudo sed -i -e 's|^\(HostKey .*dsa_key$\)|#\1|' /etc/ssh/sshd_config

sudo rm -f /etc/ssh/ssh_host_*ed25519_key*
sudo sed -i -e 's|^\(HostKey .*ed25519_key$\)|#\1|' /etc/ssh/sshd_config

Disable Password Authentication¶

PasswordAuthentication no

Disable Message of the Day¶

PrintMotd no

Disable distribution-specified extra version suffix¶

DebianBanner no

Reject user specified locales¶

AcceptEnv

Use Host Certificate¶

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

Use system-wide known_hosts¶

cat > /etc/ssh/ssh_known_hosts << EOF
@cert-authority *.example.org ssh-rsa [...]
EOF

Log users with connecting fingerprint¶

LogLevel VERBOSE

cat > /etc/rsyslog.d/openssh-server.conf << EOF
:msg, regex, "Accepted publickey for .*" -/var/log/openssh-server.log
:msg, regex, "Found matching .* key:" -/var/log/openssh-server.log
EOF

OpenSSH Configuration¶

Client Configuration¶

Configuration Locations¶

System-wide Configuration¶

Use RSA for Host Keys only¶

Use DNS and SSHFP ressource records for Host Key Verification¶

Local Configuration¶

Use shared connections¶

Fast reconnect on interrupted connections¶

Use configured Identities only¶

Use Host Keys without exception¶

Use User Keys from subdirectory¶

Use SSH Gateways¶

Use Configuration File Includes¶

OpenSSH Server¶

Configuration Locations¶

System-wide configuration¶

Use system-wide authorized_keys¶

Use RSA for User Keys only¶

Do not use DSA and ECDSA Host Keys¶

Disable Password Authentication¶

Disable Root Login¶

Disable Message of the Day¶

Disable distribution-specified extra version suffix¶

Reject user specified locales¶

Use Host Certificate¶

Use system-wide known_hosts¶

Log users with connecting fingerprint¶