Using the SSH Config File to Simplify SSH Access

Using SSH keys for host access

Using SSH private/public key pairs is one of the better ways to limit and secure access to your hosts: you configure a set of known public keys on each host so that authentication happens through keys instead of the less secure password-based method.

In addition, and this is the case for our setup at Pivot Freight, you can further protect your private hosts by disabling public network access and only allowing SSH traffic through a publicly reachable, hardened host known as a bastion or jump host. The downside is that accessing those hosts from your local machine can become tedious and repetitive.

But thankfully there is a better way: the SSH config file.

Access without the SSH config file

Without an SSH config file, this is how you would access the jump host from your command line (all examples are for OS X):

ssh -p 1234 username@104.11.22.33

Here 104.11.22.33 is the jump host's public IP address and 1234 is the port your SSH daemon has been configured to listen on, if not the default of 22.

Now that's not too bad, but it gets repetitive. Assume you also need to access a host that is only reachable through the jump host; you would then do:

ssh -o 'ProxyCommand ssh -p 1234 username@104.11.22.33 nc %h %p' -p 1234 username@10.11.22.33

Here 10.11.22.33 is the target host's private IP address, 1234 is again the port your SSH daemon has been configured to listen on (on both the jump host and the target host; ssh replaces %h and %p with the target host and port before running the proxy command), and the same username's public key is deployed on the target host as well.

This gets very repetitive very quickly, especially as the number of hosts increases, even if you maintained a script for each target host. But thankfully there is a better way: the SSH config file.

Using the SSH config file to simplify access

You can use the SSH config file to store host-specific SSH configuration properties, including ports and jump hosts.

Assuming you want to configure access for the example hosts above, you would create a ~/.ssh/config file with the following content:

# Bastion: the only host reachable from the public network
Host jump-host
    HostName 104.11.22.33
    Port 1234
    User username
# Private host, reached by tunnelling through the bastion
Host target-host
    HostName 10.11.22.33
    Port 1234
    User username
    # %h and %p expand to the HostName and Port above; the inner ssh reuses the jump-host entry.
    # On OpenSSH 7.3 and later, "ProxyJump jump-host" replaces this line and needs no nc on the bastion.
    ProxyCommand ssh jump-host nc %h %p

Now you can do the following to SSH into the jump host:

ssh jump-host

But even better, if you want to SSH into the target host you now simply need to type:

ssh target-host

What's also pretty neat about this approach is that it works with SCP as well, so if you wanted to copy a file from the target host to your local machine you would only need to type:

scp target-host:/home/username/readme.txt .

And it will simply work, with no need to remember to use -P instead of -p with SCP :).
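One thing worth understanding before a config file grows beyond two hosts is how ssh picks values: it keeps the first value it obtains for each option, so a wildcard block placed above a specific one silently wins. The following is an added example (my own code, not from this post or from OpenSSH) that parses a config in that manner and resolves the effective options for an alias; it assumes a constructed sample made of the target-host block plus a trailing Host * block, and expands only the %h and %p tokens.

```python
import fnmatch

# Constructed sample: the target-host block from the post plus a trailing wildcard block.
SAMPLE_CONFIG = """Host target-host
    HostName 10.11.22.33
    Port 1234
    User username
    ProxyCommand ssh -p 1234 username@104.11.22.33 nc %h %p
Host *
    Port 22
    User admin
"""

def parse_blocks(text):
    """Split an ssh_config into (host patterns, {option: value}) in file order.
    Handles 'Key value' lines and # comments, not the Key=value or quoted forms."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1) + ["", ""]  # [key, value, ...]
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key:
            blocks[-1][1].setdefault(key, value)  # first value within a block wins
    return blocks

def host_matches(alias, patterns):
    """ssh glob matching: some positive pattern must match and no '!' pattern may."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            matched = True
    return matched

def resolve(text, alias):
    """ssh keeps the FIRST value obtained per option, so an earlier matching block wins."""
    result = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(alias, patterns):
            for key, value in opts.items():
                result.setdefault(key, value)
    result.setdefault("hostname", alias)
    result.setdefault("port", "22")
    if "proxycommand" in result:  # expand the %h/%p tokens as ssh does before running it
        result["proxycommand"] = (result["proxycommand"].replace("%h", result["hostname"])
                                  .replace("%p", result["port"]))
    return result
```

To see the first-match rule bite, move the Host * block to the top of SAMPLE_CONFIG: target-host then resolves to port 22 instead of 1234. The equivalent check against your real file is `ssh -G target-host`, which prints the effective options without connecting.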

Cheers,
Olivier.