There are several configuration files used by HP-SSH. Some are used by the daemon and others by the client. A couple of weeks ago we looked at the host-based configuration file; this week we will look at the client configuration file.
The ssh_config File
/etc/opt/ssh (or /opt/ssh/etc):
-r--r--r--   1 bin      bin         1659 Sep  9 20:32 ssh_config
The ssh_config file is the system-wide default configuration file for the SSH client. The entries in this file are only used if the same keyword is not specified in either the user's own configuration file ($HOME/.ssh/config) or at the command line. A line beginning with "#" is a comment. The following are the default values provided with HP-SSH:
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
The format of this file is the same as that of the sshd_config file. Every line in the listing above is a comment; the lines simply document the default values, which were compiled into the program. To change a default, the line is uncommented and given the new value. For example, to enable batch mode, the "# BatchMode no" line would be changed to read "BatchMode yes".
The very first line of the file reads "# Host *" and is flush with the left margin. The Host keyword is used to create separate sections for different hosts: each section runs from one Host line up to the next. In this example, all clients connecting to all (*) hosts will use the configuration options that follow. If this was changed to "Host *.cerius.com", all the following options would apply only to clients connecting to a host that fell within that domain. Multiple sections can be created. What if a host the client was connecting to fell into two sections? Both sections would be read, but for any keyword that appears in both, only the first occurrence in the file would be used. For example:
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
Host *.cerius.com
    RhostsAuthentication no
would allow a client connecting to ctg700.cerius.com to use RhostsAuthentication, because the "Host *" section is read first and its value of "yes" is the one obtained. Alternatively:
Host *.cerius.com
    RhostsAuthentication no
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
would prevent a client connecting to ctg700.cerius.com from using RhostsAuthentication, since the "Host *.cerius.com" section now comes first. The more specific sections therefore belong at the top of the file and the catch-all "Host *" section at the bottom.
The following command pulls the entries of the keyword table out of the HP SSH client source and so lists every keyword the client understands:
    grep '", o' /opt/ssh/src/ssh/readconf.c | cut -f2 -d, | cut -f2 -d" " | sort
Those underlined are not found in the default ssh_config file:
Let's try using the LogLevel keyword to change the amount of information displayed to the user:
On the client host the /etc/opt/ssh/ssh_config file is changed to include:
When the user initiates the SSH session, they are greeted by screens and screens of debugging information (debug levels 1, 2, and 3):
$ ssh ctg701
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
<rest removed>
All users will receive this, since the setting is in the system default file (ssh_config). But what if a user creates an entry in their own configuration file for the same keyword with a different value? The user vking adds the following to their $HOME/.ssh/config file:
Now when this user initiates the SSH session, only the regular feedback is displayed. If a different user, jrice, were to initiate a session, they would still receive the full debugging information unless they had their own setting in their own configuration file. Entries in the user's configuration file take precedence over entries in the system-wide ssh_config file.
What happens if at the command line the user enters a different value for the keyword?
$ ssh -o "LogLevel=debug1" ctg701
debug1: Reading configuration data /home/vking/.ssh/config
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
In this example, the user will only see debug information for level 1 (not 2 and 3): the command-line value wins over both configuration files.
In summary, the SSH client consults the following sources, in this order, to determine the value of a keyword. The first value obtained is used:
1. Command-line options (for example, -o "LogLevel=debug1")
2. The user's configuration file ($HOME/.ssh/config)
3. The system-wide client configuration file (/etc/opt/ssh/ssh_config)
Within each file, the Host sections are read top to bottom and, again, the first matching section that sets the keyword supplies its value. One consequence worth remembering is that the system-wide file provides defaults, not enforced policy: anything placed there can be overridden by every user in their own file or on the command line.
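The following is an added example, not HP-SSH or OpenSSH code, that models the two precedence rules described above: the ordering of Host sections within a file (the ctg700.cerius.com listings earlier) and the ordering of the three sources (command line, then $HOME/.ssh/config, then ssh_config) used in the LogLevel walk-through. The two sample configuration texts reproduce the article's listings; the LogLevel values (DEBUG3 in the system file, INFO in vking's own file), the source labels and the function names are assumptions made for the example, since the article abbreviates those listings. Host patterns are shell-style wildcards matched against the host name exactly as typed on the command line, so "ctg701" does not match "*.cerius.com" even if it resolves inside that domain.

```python
"""Resolve SSH client keywords the way ssh does: the first value obtained wins.

Added example, not HP-SSH or OpenSSH code.  Sources are consulted in order
(command-line -o options, then $HOME/.ssh/config, then the system
ssh_config); each file is divided into Host sections whose patterns are
shell-style wildcards (* and ?) matched case-insensitively against the host
name given on the command line; the first matching section that sets a
keyword supplies its value.
"""
import fnmatch
import re

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, [(keyword, value), ...]), ...].

    Options that appear before any Host line belong to an implicit "Host *"
    section.  Only lines whose first non-blank character is "#" are comments.
    """
    sections = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        key, value = (match.group(1), match.group(2).strip()) if match else (line, "")
        key = key.lower()
        if key == "host":
            sections.append((patterns, options))
            patterns, options = value.replace(",", " ").split(), []
        else:
            options.append((key, value))
    sections.append((patterns, options))
    return sections


def host_matches(hostname, patterns):
    """True if the command-line host name matches any pattern of a Host line."""
    host = hostname.lower()
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def resolve(hostname, keyword, sources):
    """Return (value, source_label) for keyword, or (None, None) if nowhere set.

    sources is an ordered list of (label, config_text), highest priority first.
    """
    key = keyword.lower()
    for label, text in sources:
        for patterns, options in parse_ssh_config(text):
            if not host_matches(hostname, patterns):
                continue
            for k, v in options:
                if k == key:
                    return v, label
    return None, None


# Constructed sample inputs: the article's two orderings of the Host sections.
HOST_STAR_FIRST = """\
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
Host *.cerius.com
    RhostsAuthentication no
"""
CERIUS_FIRST = """\
Host *.cerius.com
    RhostsAuthentication no
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
"""
# Assumed values for the LogLevel walk-through (the article abbreviates these
# listings): the system file turns on full debugging, vking turns it back down.
SYSTEM_SSH_CONFIG = "Host *\n    LogLevel DEBUG3\n"
VKING_USER_CONFIG = "LogLevel INFO\n"


def loglevel_for(hostname, command_line_options, user_config=VKING_USER_CONFIG):
    """Effective LogLevel given a list of -o arguments such as ['LogLevel=debug1']."""
    sources = [
        ("command line", "\n".join(command_line_options)),
        ("$HOME/.ssh/config", user_config),
        ("/etc/opt/ssh/ssh_config", SYSTEM_SSH_CONFIG),
    ]
    return resolve(hostname, "LogLevel", sources)


if __name__ == "__main__":
    for name, cfg in (("Host * first", HOST_STAR_FIRST), ("Host *.cerius.com first", CERIUS_FIRST)):
        value, _ = resolve("ctg700.cerius.com", "RhostsAuthentication", [("ssh_config", cfg)])
        print(f"{name}: RhostsAuthentication {value} for ctg700.cerius.com")
    print("vking, no -o option:", loglevel_for("ctg701", []))
    print("vking, -o LogLevel=debug1:", loglevel_for("ctg701", ["LogLevel=debug1"]))
    print("jrice, empty user config:", loglevel_for("ctg701", [], user_config=""))
```

Running the script prints "yes" for the first ordering and "no" for the second, INFO for vking, debug1 when the -o option is given, and DEBUG3 for a user with no setting of their own. The model deliberately never lets a later section or a lower-priority file change a value already obtained, which is exactly why a catch-all "Host *" block must come last and why the system-wide file cannot lock a setting against the user.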
The next article will look at using an SSH-enabled terminal emulator from the client PC in an HP-UX environment.
Chris Wong is a technical consultant and trainer for Cerius Technology Group, Inc. in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security. http://newfdawg.com