Ssh Client

The ProxyJump defines a bastion host (jump host, jump server, jump box) to use. Values Value Meaning none Disable ProxyJump functionality HOST Define the hostname of the bastion host [USER]HOST[:PORT] Define one or more parameters of the bastion host URI Define parameters in URI format Hostname Format: hostname User Format: user@hostname Port Format: hostname:port Command-line usage ssh -J bastion destinationsystem These parameters can also be specified in the format as a URI .

The ForwardAgent option specifies if SSH agent forwarding is allowed or not. ForwardAgent values Value Meaning Yes Agent forwarding is allowed No (default) Agent forwarding is not allowed PATH Path to the agent socket $VARIABLE Environment variable that stores the path Security caution Agent forwarding should not be used if not strictly needed. Any user that can access the agent’s socket stored in SSH_AUTH_SOCK may have access through the forwarded connection.

The IdentityAgent option specifies what UNIX-domain socket to use to communicate with the authentication agent. When configured, it overrides the environment variable SSH_AUTH_SOCK and provides the option to select a specific agent. Besides the option to define a socket, the location of the socket can also be provided by the SSH_AUTH_SOCK environment variable. In that case the value should defined as “SSH_AUTH_SOCK” (without quotes). If the value starts with a ‘$’, it indicates that another enviroment variable is to be used.

The file /etc/ssh/ssh_config is the main configuration file of the OpenSSH server daemon (sshd). Purpose It defines the system-wide settings for the SSH client. It can be overriden by storing settings in ~/.ssh/config that takes precedence. Configuration To learn more about the available configuration settings, have a look at the section OpenSSH client configuration.

Configuration files /etc/ssh/ssh_config ~/.ssh/config Configuration settings The client knows a lot of individual settings that may be configured in a configuration file or via the command-line. IdentityAgent Configure the socket to use for the SSH agent. See IdentityAgent Port Defines the port to be used. By default, the SSH server is configured with port 22 (TCP). ProxyJump Defines a bastion host (jump host, jump server, jump box) to connect to the destination system.

For the SSH client there are typically two places where configuration files are stored: in the home directory of the user and a global configuration file. User configuration Location: ~/.ssh/config This file is stored in the home directory of an user. It is optional and by default no file is available. System-wide configuration Location: /etc/ssh/ssh_config Overrides via: /etc/ssh/ssh_config.d/*.conf The default settings are in the ssh_config file. The system administrator may add customizations to this file, but typically it is advised to override settings using a separate configuration file.

The SSH client won’t connect to a system when it sees that host key changed since the initial connection it made. This helps against MitM attacks. The client knows when the host key is different by comparing it with the related values in the ~/.ssh/known_hosts file. Values Value Automatically save new host keys Action if host key changed yes No Refuse ask No, ask Refuse accept-new Yes Refuse no | off Yes Connect When connecting to many different systems, the accept-new value can help reducing the manual step to accept keys.

One of the common methods to authenticate with a SSH server is using the combination of a username and password. With the option PasswordAuthentication we can define if we want to use this type of authentication. While yes is the default, it might be useful to disable it for hosts that require public key authentication. This way we instruct the client to only try that.