I received a lot of feedback regarding the last article on SSH. I'd like to thank those users who sent URLs for configuring SSH and their favorite SSH utilities. There is definitely a plethora of information regarding SSH, and I can only barely scratch its surface in the space of two articles. Accordingly, I'll be including pointers to additional reading and utilities to try yourself.
In this week's article, I want to spend a bit of time in the SSH configuration files, then mention briefly other utilities that allow the integration of SSH between your FreeBSD system and other operating systems.
We saw in the last article that it is possible both to make and accept SSH
connections using the default FreeBSD configurations. We also saw that we could
increase authentication security by generating a user key pair and copying over
the public key to the SSH server. OpenSSH includes a utility known as
ssh-agent, or the SSH authentication agent. IBM DeveloperWorks has
an excellent article series which explains how to use
ssh-agent. The author also goes into greater detail about how
the public and private keys work and gives many useful links to other
Also in FreeBSD Basics:
Since SSH is composed of a client and a server, there are two configuration
files. Not surprisingly, one is called
ssh_config and the other
sshd_config. That extra "
d", for daemon, or the SSH server, is
significant. The very first time I changed an SSH configuration file, I
mistakenly added a server line to the client configuration file and scratched
my head in puzzlement when it had no effect on my system. Remember to keep in
mind that the SSH client is where you are sitting, and the SSH server is the
machine you want to access remotely.
Both of these files have manpages which explain all of the possible configuration options. Both are well worth a read as you might possibly be intrigued by an option that I didn't cover here. Let's start by taking a look at the default SSH client configuration file. Some lines have been broken to fit on the page:
$ cat /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $ # $FreeBSD: src/crypto/openssh/ssh_config,v 22.214.171.124 2002/07/25 16:03:44 \ fanf Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsAuthentication no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # BatchMode no # CheckHostIP no # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, \ aes192-cbc,aes256-cbc # EscapeChar ~ # VersionAddendum FreeBSD-20020629
You probably noticed that every line in this file starts with a
# character (or is a remark). This doesn't mean that the SSH
client has no configurations. Instead, the defaults are listed here as a
reference. If you want to change a default, you first remove the
# on the appropriate line, then insert the new value. All of the
possible values are listed in the
As you go through the manpage, you'll notice that some configuration options only apply to certain versions. Whenever possible, you should use SSH version 2. If you always use a FreeBSD client to connect to a FreeBSD server, the default configurations on both the client and the server will ensure you always use version 2. However, if you are using your FreeBSD system to access a non-FreeBSD system, you may be forced to use version 1 as that is all many systems support.
What are the differences between versions 1 and 2? If you do a search on the Internet, the most common answer you'll receive is that version 2 is a complete re-write that addressed many of the security issues that appeared in version 1. The two versions also differ in the algorithms that they support which I've summarized here:
|version 1||DES, 3DES, blowfish|
|version 2||AES-128, AES-192, AES-256, blowfish, CAST-128, ArcFour|
|version 2||HMAC-MD5, HMAC-SHA-1, HMAC-RIPEMD|
You'll note that version 2 has support for stronger algorithms, and it provides protection against tampering. Remember, HMAC is a good acronym to find in a cryptosystem.
Note this line in the client configuration file:
# Protocol 2,1
This means that the client will try to use version 2; if the server only supports version 1, the client will use that instead. If you change the line to:
the client will fail to connect to any servers that only support version 1.
Remember that if you do make any changes, remove the
# or your
change will be ignored as it will still be commented.
Two lines deal with ciphers or encryption algorithms:
# Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, \ aes192-cbc,aes256-cbc
The first line is used during a version 1 session. The manpage indicates that you should not use DES unless you absolutely have to. Note that the default is 3DES instead of the stronger, more efficient blowfish. This is because many non-FreeBSD systems don't support blowfish. Unfortunately, there are systems who only support version 1 and also only support DES. If this is the case, the default client configuration will fail, meaning you will have to change the line to:
Avoid this if possible. While this is still much, much better than using telnet to connect to the system and sending everything in clear text, it decreases the security provided by SSH.
The second line that deals with ciphers is used during a version 2 session. If you're curious about what the cbc indicates, this definition may or may not clear it up for you. This line gives an ordered list of encryption algorithms. The first algorithm that matches the server will be used to encrypt the data.
/etc/ssh/ssh_config is the global client
configuration file. This means that the values in this file can be overridden
by using switches when you use the
ssh command. Also, if you are a lazy typist
and always end up using the same switches, you can create a customized
configuration file in your home directory. For example, instead of using the
l switch in order to login as the user
biko, I could create a file
~/.ssh/config and place this line in it:
HostName 10.0.0.1 User biko
All SSH parameters are case sensitive, so make sure to capitalize the
Now whenever I
ssh to 10.0.0.1, I don't have to remember to include the
l switch. I'll still be prompted for
Pages: 1, 2