
OpenSSH: Configurations Based On Hosts, Etc.

Heddi Nabbisen ・ 3 min read

Summary

OpenSSH lets you define client configurations per host (and by other criteria) with the keywords Host and Match.

Environment

  • SSH client: OpenSSH 7.9
✿ ✿ ✿

Basis

Open your per-user ssh_config file, ~/.ssh/config.

$ nvim ~/.ssh/config

Then write definitions.

Examples

Here is an example of multiple conditions.
Each block stays in effect until the next Host or Match keyword.

# [~/.ssh/config]

Host %host-name%
    %Parameter-Name%    %parameter-value%

Host %multiple-hosts-name-1% %multiple-hosts-name-2%
    %Parameter-Name%    %parameter-value%

Match {host,originalhost,user,localuser,exec,canonical,final} "%criteria%"
    %Parameter-Name%    %parameter-value%

...

Here is an example of multiple parameters for a single host.
Of course, any host may define more or fewer parameters than the others; just be careful about the default values that apply to anything you leave unset.

# [~/.ssh/config]

Host %nickname%
    Hostname     %real-hostname%
    Port         %specified-port%
    User         %specified-user%
    IdentityFile ~/.ssh/specified-user_id_rsa
    ServerAliveInterval 60

* Note: Indentation is only for readability; it is not required.

✿ ✿ ✿

Flexible Definitions

#1: Patterns

Pattern symbol   Usage
*                Matches zero or more characters.
?                Matches exactly one character.
!                Negates the pattern that follows it.

Examples

# [ `*` keyword ]
# any hosts
Host *
# any .com domains
Host *.com

# [ `?` keyword ]
# 192.168.0.[0-9]
Host 192.168.0.?

# [ `!` keyword ]
# any except specified domain
Host * !cool-website.com
# any except specified domain and subdomains
Host * !cool-website.com !*.cool-website.com
# any 192.168.* except 192.168.0.*
Host 192.168.* !192.168.0.*

* Caution: A negated pattern only excludes; on its own it never matches anything, so it must be combined with a positive pattern:

  • NG: Host !some.domain.com
  • OK: Host * !some.domain.com

#2: Match Instead Of Host

Keyword        Usage
host           The real host name to log into.
originalhost   The hostname as it is specified on the command line.
user           The target username on the remote host.
localuser      The name of the local user running ssh.

Examples

# a single condition with a single option
Match host "some-domain.com"
# which equals to:
# Host some-domain.com
    IdentityFile ~/.ssh/default_id_rsa

# a single condition with multiple options
Match host "specified-domain.com,some.specified-domain.com"
# which equals to:
# Host specified-domain.com some.specified-domain.com
    IdentityFile ~/.ssh/specified-domain_id_rsa

# multiple conditions
Match host "specified-domain.com" user "specified-user"
    IdentityFile ~/.ssh/specified-user_id_rsa

* Caution: Don't put spaces after the commas in a Match list. The value is split on commas only, so " some.specified-domain.com" (with its leading space) would never match:

  • NG: Match host "specified-domain.com, some.specified-domain.com"
  • OK: Match host "specified-domain.com,some.specified-domain.com"

(Optional) More Controls With Match

Keyword     Usage
exec        Executes the specified command under the user's shell. If the command returns a zero exit status, the condition is considered true. Arguments can be defined as Tokens.
canonical   Matches only when the configuration file is being re-parsed after hostname canonicalization.
final       Requests that the configuration be re-parsed (regardless of whether CanonicalizeHostname is enabled), and matches only during this final pass. If CanonicalizeHostname is enabled, then canonical and final match during the same pass.
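As an added example (not from this post and not OpenSSH's own code), here is a small Python model of the rules described in the Patterns and Match sections above: a Host or Match block stays in effect until the next keyword, Host patterns use *, ? and !, a negation alone never matches, Match lists are split on commas only, and for each option the first value obtained wins. It models only the host, originalhost, user and localuser criteria; exec, canonical, final and hostname canonicalization are deliberately left out. The sample configs are constructed for the example and mirror the snippets in this post.

```python
"""Teaching model of ssh_config(5) block matching, written for this post.
Not OpenSSH code. Models Host/Match blocks, * ? ! patterns, comma-separated
Match lists and first-value-wins resolution; exec/canonical/final and
hostname canonicalization are not modelled."""
import re
import shlex


def pattern_matches(name, pattern):
    """One ssh_config pattern: '*' is zero or more chars, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def pattern_list_matches(name, patterns):
    """A matching '!' pattern rejects outright, and negations alone never
    produce a match: 'Host !x' applies to nothing, 'Host * !x' is needed."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(name, pat[1:]):
                return False
        elif pattern_matches(name, pat):
            matched = True
    return matched


def parse_blocks(text):
    """Split a config into (kind, criteria, [(option, value), ...]) blocks.
    Options before the first Host/Match are global (implicit 'Host *');
    each block stays in effect until the next Host or Match keyword."""
    blocks = [("host", ["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)   # 'Key value' or 'Key=value'
        if not line or line.startswith("#") or not m:
            continue
        key, rest = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append(("host", rest.split(), []))
        elif key == "match":
            toks = shlex.split(rest)                # honours the quotes on Match lines
            if toks and toks[0].lower() == "all":
                crit = {}
            else:                                   # keyword/value pairs, values split on ','
                crit = {k.lower(): v.split(",") for k, v in zip(toks[::2], toks[1::2])}
            blocks.append(("match", crit, []))
        else:
            blocks[-1][2].append((key, rest))
    return blocks


def resolve(text, originalhost, localuser):
    """Options one ssh invocation would obtain: the first value obtained
    wins for every option, except IdentityFile, which accumulates."""
    opts, identities = {}, []
    for kind, crit, options in parse_blocks(text):
        if kind == "host":
            if not pattern_list_matches(originalhost, crit):
                continue
        else:
            subject = {                             # what each Match keyword compares against
                "host": opts.get("hostname", originalhost),   # after HostName substitution
                "originalhost": originalhost,
                "user": opts.get("user", localuser),          # User if set so far, else local user
                "localuser": localuser,
            }
            unknown = set(crit) - set(subject)
            if unknown:
                raise ValueError(f"Match criteria not modelled here: {sorted(unknown)}")
            if not all(pattern_list_matches(subject[k], v) for k, v in crit.items()):
                continue
        for key, value in options:
            if key == "identityfile":
                identities.append(value)
            else:
                opts.setdefault(key, value)         # first obtained value wins
    if identities:
        opts["identityfile"] = identities
    return opts


def lint_config(text):
    """Flag the two mistakes the post warns about."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"host\s", line, re.I) and all(p.startswith("!") for p in line.split()[1:]):
            problems.append(f"line {n}: Host with only negated patterns never matches; add a positive pattern such as *")
        elif re.match(r"match\s", line, re.I) and re.search(r",\s", line):
            problems.append(f"line {n}: space after a comma in a Match list becomes part of the next value")
    return problems


SAMPLE_CONFIG = """\
# constructed sample, modelled on the snippets in the post
Host some.cool-website.com
    User admin-specified
Host cool-website.com *.cool-website.com
    IdentityFile ~/.ssh/cool_id_rsa
Match host "specified-domain.com,some.specified-domain.com" user "deploy"
    IdentityFile ~/.ssh/deploy_id_rsa
Host 192.168.* !192.168.0.*
    Port 2222
Host *
    User default-user
    Port 22
"""

BAD_CONFIG = """\
Host !some.domain.com
    Port 22
Match host "specified-domain.com, some.specified-domain.com"
    Port 22
"""

if __name__ == "__main__":
    for host, user in [("some.cool-website.com", "alice"), ("some.specified-domain.com", "deploy"), ("192.168.0.5", "alice")]:
        print(host, user, resolve(SAMPLE_CONFIG, host, user))
    for problem in lint_config(BAD_CONFIG):
        print("warning:", problem)
```

The model is for understanding the rules; the real check on a live system is `ssh -G -F ~/.ssh/config some-host`, which makes ssh print the options it would actually use for that host after evaluating every Host and Match block (including the exec, canonical and final criteria this model skips) without opening a connection. Note in the second sample run how Match user is compared against the local user because no User option had been obtained yet when the Match line was evaluated, and how Host * then supplies the User afterwards.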
✿ ✿ ✿

Usages

#1: Configuration For Specified Hostname

Host some.cool-website.com
    User     %user-specified%

Host *
    User     %user-default%

#2: Configurations By Subdomains

# specified domain
Host cool-website.com
    # write configuration...

# specified subdomain
Host www.cool-website.com
    # write configuration...

# all subdomains
Host *.cool-website.com
    # write configuration...

# specified domain and subdomains
Host cool-website.com *.cool-website.com
# or:
# Match host "cool-website.com,*.cool-website.com"
    # write configuration...

#3: Hostname Alias

Host %nickname%
    HostName    real.very-long-hostname.com

#4: Port Switching

Host %host-with-unique-port%
    Port    %real-port%

#5: Using An Identity File

Host www.cool-website.com
    IdentityFile    ~/.ssh/specified_id_rsa
✿ ✿ ✿

Happy serving 🕊
