
HP-UX Secure Shell: Part 6 - The client configuration files

There are several configuration files used by HP-SSH. Some are used by the daemon and others by the client. A couple weeks ago we looked at the host based configuration file, this week we will look at the client configuration file.

The ssh_config File

/etc/opt/ssh: (or) /opt/ssh/etc:
-r--r--r--   1 bin        bin           1659 Sep  9 20:32 ssh_config

The ssh_config file is the default configuration file for the SSH client. The entries in this file are only used if they are not specified in either the user's own configuration file ($HOME/.ssh/config) or at the command line. The "#" sign is a comment in this file. The following are the default values provided with HP-SSH:

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~

The format of this file is the same as that of the sshd_config file. The above listing shows the default values, but every line is commented out: these defaults were compiled into the program, so the file only needs an entry where a value should differ from the built-in default. For example, to enable batch mode, the line would be changed to:

    BatchMode yes

The very first line of the file reads "# Host *" and begins in the leftmost column. The Host keyword is used to create separate sections for different hosts: the options that follow a Host line apply only to connections to hosts matching its pattern. In this example, all clients connecting to all (*) hosts will use the options that follow. If this were changed to "Host *.cerius.com", the following options would apply only to clients connecting to a host within that domain. Multiple sections can be created. What if the host the client is connecting to matched two sections? Both sections would be applied, but for each keyword only the first value found in the file would be used. For example:

  Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
  Host *.cerius.com
    RhostsAuthentication no

would allow a client connecting to ctg700.cerius.com to use RhostsAuthentication, because the "Host *" section sets the keyword to yes before the "Host *.cerius.com" section is reached. Alternatively:

 Host *.cerius.com
    RhostsAuthentication no
 Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes

would prevent a client connecting to ctg700.cerius.com from using RhostsAuthentication, because the more specific section now comes first.

The following command will display all the keywords available with the HP SSH client:

grep '", o' /opt/ssh/src/ssh/readconf.c | cut -f2 -d, | cut -f2 -d" " | sort

Not all of these appear in the default ssh_config file shown above:

AFSTokenPassing
BatchMode
BindAddress
ChallengeResponseAuthentication
CheckHostIP
Cipher
Ciphers
ClearAllForwardings
Compression
CompressionLevel
ConnectionAttempts
DynamicForward
EscapeChar
FallBackToRsh
ForwardAgent
ForwardX11
GatewayPorts
GlobalKnownHostsFile
GlobalKnownHostsFile2
GssAuthentication
GssDelegateCreds
GssGlobusDelegateLimitedCreds
Host
HostKeyAlgorithms
HostKeyAlias
HostName
HostbasedAuthentication
IdentityFile
KbdInteractiveAuthentication
KbdInteractiveDevices
KeepAlives
KerberosAuthentication
KerberosTgtPassing
LocalForward
LogLevel
Macs
NoHostAuthenticationForLocalhost
NumberOfPasswordPrompts
PasswordAuthentication
Port
PreferredAuthentications
Protocol
ProxyCommand
PubkeyAuthentication
RSAAuthentication
RemoteForward
RhostsAuthentication
RhostsRSAAuthentication
SmartcardDevice
StrictHostKeyChecking
UsePrivilegedPort
UseRsh
User
UserKnownHostsFile
UserKnownHostsFile2
XAuthLocation

Let's try using the LogLevel keyword to change the amount of information displayed to the user.

On the client host the /etc/opt/ssh/ssh_config file is changed to include:

LogLevel debug3

When the user initiates the SSH session, they are greeted by screens and screens of debugging information (for debug level 1, 2, and 3):

$ ssh ctg701
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
<rest removed>

All users will receive this, since the setting is in the system default file (ssh_config). But what if a user creates an entry for the same keyword in their own configuration file, with a different value? The user vking adds the following to their $HOME/.ssh/config file:

LogLevel info

Now when this user initiates the SSH session, only the regular feedback is displayed. If a different user, jrice, were to initiate a session, they would still receive the full debugging information, because they have no setting of their own in their configuration file. Entries in the user's configuration file take precedence over entries in the ssh_config file.

What happens if at the command line the user enters a different value for the keyword?

$ ssh -o "LogLevel=debug1" ctg701
debug1: Reading configuration data /home/vking/.ssh/config
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.

In this example, the user will only see debug information for level 1 (not 2 and 3).

In summary, the SSH client uses the following order to determine the value for a keyword; the first value obtained is used:

Command line
User's configuration file ($HOME/.ssh/config)
System-wide client configuration file (/etc/opt/ssh/ssh_config)
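The two rules described in this article (within a file, the first matching Host section that sets a keyword wins; across sources, the command line beats the user's file, which beats the system-wide file) are easy to get wrong when auditing what a client will actually do. The following Python script is an added example, not code from the article or from HP-SSH: it models that resolution for a handful of keywords, using constructed copies of the two "Host" orderings and the LogLevel entries shown above. The keyword set, the sample host names and the resolve() function are assumptions for illustration; a real ssh client knows many more keywords and options.

```python
import fnmatch

# Constructed sample files (not taken from any real system). SYSTEM_CONFIG_A
# and SYSTEM_CONFIG_B are the two orderings of the Host sections from the
# article, with the LogLevel debug3 entry added to the system-wide file.
SYSTEM_CONFIG_A = """
# /etc/opt/ssh/ssh_config, ordering A: general section first
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
    LogLevel debug3
Host *.cerius.com
    RhostsAuthentication no
"""

SYSTEM_CONFIG_B = """
# /etc/opt/ssh/ssh_config, ordering B: specific section first
Host *.cerius.com
    RhostsAuthentication no
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication yes
    LogLevel debug3
"""

USER_CONFIG_VKING = """
# $HOME/.ssh/config for user vking
LogLevel info
"""


def parse_config(text):
    """Return (host_patterns, keyword, value) tuples in file order.

    Directives that appear before any Host line apply to every host ('*').
    Keywords are compared case-insensitively, as the ssh client does.
    """
    patterns = ["*"]
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; skipped in this model
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()  # a Host line may list several patterns
            continue
        entries.append((patterns, keyword, value))
    return entries


def host_matches(patterns, hostname):
    """Shell-style pattern match on the host name, case-insensitive."""
    return any(fnmatch.fnmatchcase(hostname.lower(), p.lower()) for p in patterns)


def resolve(hostname, cmdline_opts, user_config, system_config):
    """Effective keyword values for hostname (keys lower-cased).

    Sources are consulted in the article's order: -o options from the command
    line, then the user's config, then the system-wide ssh_config. Within a
    file, the first matching Host section that sets a keyword wins.
    setdefault() never overwrites, so the first value obtained is kept.
    """
    effective = {}
    for opt in cmdline_opts:  # e.g. "LogLevel=debug1" from ssh -o
        keyword, _, value = opt.partition("=")
        effective.setdefault(keyword.strip().lower(), value.strip())
    for text in (user_config, system_config):
        for patterns, keyword, value in parse_config(text):
            if host_matches(patterns, hostname):
                effective.setdefault(keyword, value)
    return effective


if __name__ == "__main__":
    # Host-section ordering: same two files, opposite results for ctg700.cerius.com.
    print("A:", resolve("ctg700.cerius.com", [], "", SYSTEM_CONFIG_A)["rhostsauthentication"])
    print("B:", resolve("ctg700.cerius.com", [], "", SYSTEM_CONFIG_B)["rhostsauthentication"])
    # Source precedence for LogLevel, as in the vking / jrice / -o walk-through.
    print("jrice:", resolve("ctg701", [], "", SYSTEM_CONFIG_A)["loglevel"])
    print("vking:", resolve("ctg701", [], USER_CONFIG_VKING, SYSTEM_CONFIG_A)["loglevel"])
    print("vking -o:", resolve("ctg701", ["LogLevel=debug1"], USER_CONFIG_VKING, SYSTEM_CONFIG_A)["loglevel"])
```

Running the script prints "yes" for ordering A and "no" for ordering B, and debug3, info and debug1 for the three LogLevel cases. The same approach is useful when reviewing a client file: resolve the options for a specific destination host rather than reading the file top to bottom, because a permissive "Host *" section placed first silently overrides a stricter section placed later.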

The next article will look at using an SSH-enabled terminal emulator from the client PC in an HP-UX environment.


Chris Wong is a technical consultant and trainer for Cerius Technology Group, Inc. in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security. http://newfdawg.com


This was first published in November 2002
