For the SSH client config, at ~/.ssh/config (per user) or /etc/ssh/ssh_config (system-wide), other files can be pulled in with:
Include /path/to/other/config/file
A relative path is looked up in ~/.ssh (user config) or /etc/ssh (system config), and an Include placed before the first Host line applies to every host.
Host * <-------------------------------------- Every single host you attempt to SSH to.
Host *.rlskeels.com <-------------------------- Every host ending with ".rlskeels.com". Ex: www.rlskeels.com (but not the bare rlskeels.com)
Host server1.rlskeels.com 172.17.5.10 <------- Only server1.rlskeels.com and 172.17.5.10, as typed on the command line (separate patterns with a single space)
Host *.rlskeels.com !switch1.rlskeels.com <--- Every host ending with ".rlskeels.com" except switch1.rlskeels.com (a negated pattern wins wherever it sits on the line)
Note that ssh keeps the first value it finds for each option, so put specific Host blocks before any wildcard block that also matches them.
To keep my configuration files, their contents, and my SSH keys organized: inside .ssh/ is the config file, but I normally don't put any host config in config itself. I create a separate config file for each site/entity that I deal with (e.g. Home, Client1, Client2) and pull them in with Include. My config file looks like this:
Include ~/.ssh/home-ssh-config
Include ~/.ssh/client1-ssh-config
Include ~/.ssh/client2-ssh-config
I like to organize by device type. Because ssh keeps the first value it finds for each option, anything set in the wildcard block below cannot be overridden by the more specific Host blocks that follow it, so keep only settings that every *.rlskeels.com host should share there (or move the block to the end of the file). The pattern is *.rlskeels.com, not *rlskeels.com, which would also match names like evilrlskeels.com.
##### Wildcard #####
Host *.rlskeels.com
****
****
****
##### Routers #####
###################
Host router-1.rlskeels.com
****
****
****
Host router-2.rlskeels.com
****
****
****
#####################
##### Switches ######
#####################
Host switch-1.rlskeels.com
****
****
****
###################
##### Servers #####
###################
Host dns-server-*.rlskeels.com
****
****
****
Host web-server-*.rlskeels.com
****
****
****
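As an added example (not part of these notes and not OpenSSH's own code), the following Python script models how ssh resolves Host lines and Include files, using in-memory sample files that mirror the layout above: specific blocks first, the wildcard block last with a negated exception. All file names, hosts, users and key paths in it are made up for the demo.

```python
"""Resolve which ssh_config options apply to a host, OpenSSH-style.

Added example, not code from the original notes. It models three
ssh_config(5) rules:
  * Host patterns use '*' and '?' wildcards; a pattern prefixed with '!'
    negates, and a negated match wins over any positive match on the line;
  * for each option the FIRST obtained value wins, so host-specific Host
    blocks must come before any wildcard block that also matches them;
  * Include pulls in another file at that point (here the "files" are an
    in-memory dict instead of ~/.ssh, and Includes are assumed to sit at
    the top of the file, before any Host line, as in the notes).
All file names, hosts, users and key paths are constructed for the demo.
"""

FILES = {
    "config": "Include home-ssh-config\nInclude client1-ssh-config\n",
    "home-ssh-config": """
###################
##### Routers #####
###################
Host router-1.rlskeels.com
    User netadmin
    IdentityFile ~/.ssh/keys/home-seismic-ssh

##### Wildcard (last, so it only fills in what is still unset) #####
Host *.rlskeels.com !switch-1.rlskeels.com
    User ross
    IdentityFile ~/.ssh/keys/home-seismic-ssh
    ForwardAgent no
""",
    "client1-ssh-config": """
Host *.client1.example
    User consultant
    IdentityFile ~/.ssh/keys/client1-seismic-ssh
""",
}


def match_pattern(s, pat):
    """OpenSSH-style wildcard match: '*' matches any run, '?' one character.
    No [...] character classes, unlike fnmatch."""
    if not pat:
        return s == ""
    if pat[0] == "*":
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    return s != "" and pat[0] in ("?", s[0]) and match_pattern(s[1:], pat[1:])


def host_block_matches(host, patterns):
    """A Host line applies if some pattern matches and no '!' pattern does,
    whatever the order of the patterns on the line."""
    positive = negated = False
    for pat in patterns:
        if pat.startswith("!"):
            negated = negated or match_pattern(host, pat[1:])
        else:
            positive = positive or match_pattern(host, pat)
    return positive and not negated


def resolve(host, name="config", files=FILES, opts=None):
    """Collect the effective options for host, following Include lines.
    Simplification: every option is first-wins here, although the real ssh
    lets IdentityFile accumulate across blocks."""
    if opts is None:
        opts = {}
    host = host.lower()           # ssh lower-cases the target host name
    active = True                 # lines before the first Host apply everywhere
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # "Key value" form only, no "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            if active:
                resolve(host, value, files, opts)
        elif key == "host":
            active = host_block_matches(host, value.split())
        elif active:
            opts.setdefault(key, value)       # first obtained value wins
    return opts


if __name__ == "__main__":
    for h in ("router-1.rlskeels.com", "switch-1.rlskeels.com",
              "www.client1.example", "evilrlskeels.com"):
        print(h, resolve(h))
```

Run it and switch-1.rlskeels.com comes back with no options at all, because the negated pattern removes it from the wildcard block no matter where the `!` sits on the line; swap the Routers and Wildcard sections in home-ssh-config and router-1's User becomes ross, which is exactly the silent override the ordering rule guards against. To see what the real client decides for a host without connecting, run ssh -G hostname.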
My naming convention for keys looks like this:
[site/network/entity]-[hostname-of-local-machine]-ssh
Example for the key I use with my home servers/machines from my computer with hostname seismic:
home-seismic-ssh
Each Host block then points at its own key:
IdentityFile /path/to/private/key
IdentitiesOnly yes
UseKeychain yes
IdentitiesOnly yes makes ssh offer only the key named for that host instead of every key loaded in the agent, which would reveal which keys you hold and can burn through the server's MaxAuthTries before the right one is tried. UseKeychain is specific to Apple's ssh on macOS; on any other system it is an unknown option and the config is rejected unless you add IgnoreUnknown UseKeychain above it.
To forward your local machine's port 8080 to port 80 on the remote machine itself (localhost as seen from the server):
ssh user@server -L 8080:localhost:80
Or, use your remote machine as a relay into its network. This forwards your local machine's port 1443 to 172.16.0.3's port 443 via your remote ssh machine; the destination is resolved and connected from the server side:
ssh user@server -L 1443:172.16.0.3:443
Add -N if you only want the tunnel and no remote shell. To hop through the remote machine into a full SSH session on another host, use it as a real jump host instead: ssh -J user@server user@172.16.0.3 (ProxyJump in the config).
This is to generate an SSH public/private key pair.
ssh-keygen -t rsa -b 8192 -f key1
Unless something on the other end only speaks RSA, prefer an Ed25519 key: it is smaller, faster and has no key-size knob to get wrong (ssh-keygen -t ed25519 -a 100 -f key1, where -a sets the KDF rounds protecting the passphrase). If you must use RSA, 3072 or 4096 bits is plenty; 8192 mainly makes every connection slower.
You will be prompted to set a passphrase on the keys. DO IT. Protect the hell out of your keys!
This will create two files - key1 (private key) and key1.pub (public key).
To further secure your server, disable Password Authentication and only allow Public Key Authentication.
1. Copy your public key to your server.
Your public key needs to be copied to your server before disabling password auth, for obvious reasons.
From your local machine:
ssh-copy-id -i [file/path/to/your/public/key] [server-username]@[ip/hostname-of-server]
Example:
ssh-copy-id -i .ssh/keys/key1.pub ross@192.168.1.50
Confirm the key actually works (ssh -i .ssh/keys/key1 ross@192.168.1.50) before going further.
2. Login to your server like normal. Open the sshd config file for editing.
vim /etc/ssh/sshd_config
3. Uncomment the following config parameters and set their states accordingly.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
A line that is merely commented out does not turn a feature off; it falls back to the compiled-in default, which for PasswordAuthentication is yes, so the line must be present and set to no. On OpenSSH 8.7 and later the keyboard-interactive option is called KbdInteractiveAuthentication and ChallengeResponseAuthentication is kept only as a deprecated alias; set the name your version documents. UsePAM no switches PAM off entirely; Debian, Ubuntu and Red Hat ship UsePAM yes and rely on it for session setup and account checks, so on those systems keep UsePAM yes and let PasswordAuthentication no plus KbdInteractiveAuthentication no do the work.
4. Check the file and reload sshd, keeping your current session open until a fresh login from a second terminal succeeds:
sshd -t && systemctl reload sshd
(The service is named ssh on Debian/Ubuntu.) If the new login fails, the old session is still there to undo the change.
# sshd listens on both ports: 22 for internal use, 2222 for external
Port 22
Port 2222
AddressFamily inet
ListenAddress x.x.x.x
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
# These are the defaults for every user. The Match blocks below relax
# them for specific users; each Match block runs until the next Match line.
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTTY no
Banner /etc/ssh/banner.txt
Match User bob
    # bob is an admin
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts yes
    X11Forwarding yes
    PermitTTY yes
Match User john
    # john is only allowed to forward
    AllowTcpForwarding yes
Keep comments on their own lines: older OpenSSH releases reject a trailing comment as "garbage at end of line", and a line-start # works everywhere. PermitTTY no denies john an interactive shell but not a non-interactive command (ssh server ls); to make him truly forward-only, add ForceCommand /bin/false to his Match block and have him connect with ssh -N -L ... so no command is ever requested. GatewayPorts yes for bob means his remote forwards (-R) bind on all of the server's interfaces rather than just localhost, which exposes whatever he tunnels to the whole network.
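As an added example (not part of these notes and not OpenSSH's own code), this Python script works out what a config like the one above means for a given user and flags weak effective settings; it covers the step 3 settings as well as the Match blocks. Only Match User criteria are modelled, and the sample configs, user names and the small table of compiled-in defaults are written for the demo.

```python
"""Effective sshd_config options per user, plus a small weak-setting audit.

Added example, not the notes' own code. It models these sshd_config(5)
rules, with only 'Match User' criteria supported:
  * a keyword that is missing or commented out takes sshd's compiled-in
    default, so commenting a line out does not switch a feature off;
  * in the global section the FIRST obtained value for a keyword wins;
  * a Match block runs to the next Match line (or end of file) and
    overrides the global section for connections it matches; among
    several matching Match blocks the first value obtained wins.
Both sample configs are constructed for the demo.
"""

# Upstream OpenSSH compiled-in defaults for the keywords used here
# (distribution packages may ship a different sshd_config on top).
DEFAULTS = {
    "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes",
    "passwordauthentication": "yes", "permitemptypasswords": "no",
    "allowagentforwarding": "yes", "allowtcpforwarding": "yes",
    "gatewayports": "no", "x11forwarding": "no", "permittty": "yes",
}
MULTI = {"port", "listenaddress", "hostkey"}   # may repeat; values accumulate
WEAK = {                                        # effective values to flag
    "passwordauthentication": "yes", "permitrootlogin": "yes",
    "permitemptypasswords": "yes", "pubkeyauthentication": "no",
}

SSHD_CONFIG = """
Port 22
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Defaults for everyone; the Match blocks below relax them per user
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTTY no
Match User bob
    # bob is an admin
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts yes
    X11Forwarding yes
    PermitTTY yes
Match User john
    # john is only allowed to forward
    AllowTcpForwarding yes
"""

# Two classic mistakes: a commented-out hardening line, and a keyword
# repeated with the insecure value first (the later, safe value is ignored).
WEAK_CONFIG = """
#PasswordAuthentication no
PermitRootLogin yes
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (global_opts, [(criteria_words, opts), ...]); keys lower-cased."""
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value.split(), current))
        elif key in MULTI:
            current.setdefault(key, []).append(value)
        else:
            current.setdefault(key, value)      # first obtained value wins
    return global_opts, matches


def match_applies(criteria, user):
    """'Match all' or 'Match User a,b'; every criterion on the line must hold.
    Other criteria (Address, Group, ...) are not modelled and never match."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    pairs = list(zip(criteria[0::2], criteria[1::2]))
    return bool(pairs) and all(
        crit.lower() == "user" and user in arg.split(",") for crit, arg in pairs)


def effective_options(text, user):
    """Options sshd would apply to a connection authenticating as user."""
    global_opts, matches = parse_sshd_config(text)
    overrides = {}
    for criteria, opts in matches:
        if match_applies(criteria, user):
            for key, value in opts.items():
                overrides.setdefault(key, value)   # first matching block wins
    return {**DEFAULTS, **global_opts, **overrides}


def audit(text, user):
    """List the WEAK settings that are in effect for user."""
    eff = effective_options(text, user)
    return [f"{key} {eff[key]}" for key in WEAK if eff.get(key) == WEAK[key]]


if __name__ == "__main__":
    for u in ("bob", "john", "alice"):
        eff = effective_options(SSHD_CONFIG, u)
        print(u, {k: eff[k] for k in ("permittty", "allowtcpforwarding")})
    print("weak config findings:", audit(WEAK_CONFIG, "alice"))
```

The WEAK_CONFIG case is the one worth internalising: the commented-out PasswordAuthentication line leaves password logins enabled through the default, and the second PermitRootLogin line is ignored because the first value wins. The real server answers the same question with sshd -T -C user=john (add addr= and host= to exercise other Match criteria), which is the check to run after every edit.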