Most directives that can be set in the system-wide client configuration can be set by each user in
~/.ssh/config. This snippit contains a collection of my most used options:
SendEnv LC_* # Send all LC env vars to the host AddKeysToAgent yes # If asked to unlock a password-protected private # key, automatically add that key to the ssh-agent # so you no longer need to reenter the password # again this session # Example Host Definition Host foo # Arbitrary String. Use this definition by running `ssh foo` HostName foo.bar.com # Actual DNS Hostname or IP address of the server Port 12345 # Port number to connect to User thurstylark # Username on the server to connect as IdentityFile ~/.ssh/id_rsa # Private key to use for authentication ServerAliveInterval 300 # Interval in seconds before a keepalive packet is sent to the server ServerAliveCountMax 3 # Declare the connection dead after no response to this many keepalive packets HostKeyAlgorithms ssh-dss # Use ssh-dss for host-key algorithm checking (ssh-dss is insecure. Use something else) KexAlgorithms +kex # Add 'kex' to the list of Key Exchange Algorithms available for use. StrictHostKeyChecking no # Turn off Strict Host Key Checking for only this host (insecure) UserKnownHostsFile /dev/null # Discard this hosts host key instead of storing in ~/.ssh/known_hosts (not recommended) VisualHostKey yes # Always use randomart in place of host key sums
diffie-hellman-group1-sha1to the available Key Exchange Algorithms for connecting to older hardware that doesn't accept any currently allowed kex algorithms. Diffie Hellman is quite insecure, so please use caution.
User-specific ssh configs make it stupid easy to create several keys for several different uses. For instance, this allows you to have a separate key for each service that you use, and allows you less headache should one key be compromised.
For example: Github allows you to push to your remote repositories over ssh by adding a public key to your account. Ideally, you should create a keypair for this specific purpose, and name it something like 'github'. Then you can add something like this to your
host github.com IdentityFile ~/.ssh/github
Now, when your repo's origin url is set to something like
email@example.com:username/reponame.git, ssh will automatically use your github key instead of needing to specify it in the command, or using your username and password with HTTPS every time.
Often times a firewall or inconsistent connection can cause an ssh connection to be closed prematurely and give a "Write Failed: broken pipe" error message. Some firewalls are configured to close connections that have sent no data after a certain interval, thus causing a broken pipe error when the connection was otherwise healthy. This can usually be solved by sending data through the connection before that interval is up, thus resetting the firewall's timer.
ServerAliveInterval option sends a keepalive packet if no data has been received within the interval specified. All the keepalive packet does is request a response from the server to verify the connection is still good. By default, this option is disabled.
ServerAliveCountMax option specifies the number of keepalive packets that may be sent without a response before ssh terminates the connection. By default this is set to
3, but if your connection is unreliable, you can set this higher to give your server a better chance at responding the next time a keepalive packet is sent.
It is important to note that messages sent by the
TTYKeepAliveoption are not sent through the encrypted channel and can be spoofed, but the "server alive" messages are sent through the encrypted channel and cannot be spoofed. Do not use
TTYKeepAlivemessages for determining the quality or security of a connection! See
ssh-config(5)for more info.