Client Configuration
Typical end-user SSH configuration needs.
See Create Certificates for generating certificates to use.
ssh-keygen -b 4096 -t rsa -f {KEYNAME}
chmod 0600 {KEYNAME}
chmod 0640 {KEYNAME}.pub
cat {KEYNAME}.pub >> ~/.ssh/authorized_keys
Restricting SSH Tunneling
Restrict what local ports and IP’s can be accessed via SSH tunneling.
All on one line, comma separated with the public key cert afterwards.
no-port-forwarding: disable all port forwarding.no-X11-forwarding: disable X11 forwarding.no-agent-forwarding: disable agent forwarding.permitopen: explicitly allow port to be opened.
Disable X11 forwarding but allow ports 80,4243,32400 to be forwarded.
~/.ssh/authorized_keysno-X11-forwarding,permitopen="localhost:80",permitopen="localhost:4243",permitopen="10.10.10.10:32400" {PUBKEY DUMP}
Allow connection, but disables all forwarding.
~/.ssh/authorized_keysno-port-forwarding {PUBKEY DUMP}
SSH Host Configuration
Setup SSH to automatically select correct options when using hosts/shortcuts.
See detailed explanation
on config file. internal-sftp
is the default now and is built from the same code as sftp-server but also
includes support for ChrootDirectories.
~/.ssh/config# Autoselect github keys
Host *.github.com github.com
User {GITHUB USERNAME}
HostName *.github.com github.com
Port 443
PreferredAuthentications publickey
IdentityFile ~/.ssh/github
Host {CUSTOM NAME}
HostName {HOST IP OR DNS}
User {USER TO AUTH AS}
IdentityFile ~/.ssh/{CERT}
BatchMode yes
CheckHostIP no
PasswordAuthentication no
KbdInteractiveAuthentication no
PreferredAuthentications publickey
StrictHostKeyChecking no
Port {SSH SERVER PORT}
Importing RSA Keys for Putty/WinSCP on Windows
See Puttygen Documentation.
Copy RSA private key to windows computer.
⌘ + r › puttygen › Conversions › Import Key (Select Private Key)
Rename Key Comment to
user@server.Save private key in a
.ppkfile to local machine.Delete RSA keys (use sdelete64).
Update public key in
authorized_keysfile with comment about key being used.