My cheat sheet for configuring SSH clients
based on
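# Key generation. RSA keys are favored over ECDSA keys when backward
# compatibility is required, so newly generated keys are always either
# ED25519 or RSA (not ECDSA or DSA).
#
# -b 4096  RSA modulus size (ssh-keygen's default is smaller).
# -a 100   KDF rounds used to encrypt the private key with its passphrase;
#          slows down offline guessing if the key file is ever copied.
# -f       explicit path, so the file name lines up with the IdentityFile
#          entries used in the client config below.
ssh-keygen -t rsa -b 4096 -a 100 -f ~/.ssh/id_rsa -C "key for xyz"
# ED25519 keys are favored over RSA keys when backward compatibility is not
# required. Requires OpenSSH 6.5+ on both ends; the key size is fixed
# (256 bits), so no -b option is needed.
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "key for xyz"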
For /etc/ssh/ssh_config
# System-wide client defaults. ssh keeps the first value obtained for each
# option, so per-host stanzas in ~/.ssh/config take precedence over these.
Host *
# Show an ASCII-art fingerprint of the server host key at login; a changed
# picture is an easy-to-notice sign of a changed host key.
VisualHostKey yes
# Keep-alive probe every 300 s so idle sessions survive NAT/firewall timeouts.
ServerAliveInterval 300
# macOS-only option (stores key passphrases in the Keychain).
#UseKeychain yes
# Forward the local locale variables to the server.
SendEnv LANG LC_*
#
# Hash host names in known_hosts so the file does not reveal where you log in.
HashKnownHosts yes
# keys in order of preference
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
# Host keys the client accepts - order here is honored by OpenSSH
# NOTE(review): for RSA host keys this list offers only ssh-rsa, i.e. SHA-1
# signatures, which OpenSSH 8.8+ disables by default. To keep RSA host keys
# usable with SHA-2 signatures add rsa-sha2-512,rsa-sha2-256 (and their
# -cert-v01@openssh.com forms) ahead of ssh-rsa, or drop ssh-rsa entirely.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
# Not recommended; append only if required for compatibility with NIST-curve host keys.
#ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
#
# Key exchange, preferred first: Curve25519, then large-group DH with SHA-2.
# sntrup761x25519-sha512@openssh.com (post-quantum hybrid) needs OpenSSH 8.5+.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,sntrup761x25519-sha512@openssh.com,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# Not recommended; append only if required for compatibility with NIST-curve ECDH.
#ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
#
# MACs: encrypt-then-MAC (-etm) variants first, plain SHA-2/UMAC as fallback.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
#
# AEAD ciphers first (ChaCha20-Poly1305, AES-GCM; the MAC list is unused
# with these), AES-CTR as fallback.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
You can query what your client supports with the commands below; see man ssh for more options.
ssh -Q cipher (supported symmetric ciphers),
ssh -Q cipher-auth (supported symmetric ciphers that support authenticated encryption),
ssh -Q mac (supported message integrity codes),
ssh -Q kex (key exchange algorithms),
ssh -Q key (key types).
For ~/.ssh/config
# Bastion / jump host. Other hosts below reach their target through it with
# ProxyJump, which tunnels the connection and never exposes the local agent
# or keys to the intermediate host.
Host jump_host_nickname
Hostname jump_host
# Non-default port; sshd on the jump host must listen there.
Port 22222
# ForwardAgent would let anyone with root on the jump host use the local
# agent's keys for as long as the session is open; ProxyJump makes it
# unnecessary, so leave it off unless a tool on the jump host really needs it.
# ForwardAgent yes
# local forward example
# Usage: ssh lf_pgsql   (SessionType none + ForkAfterAuthentication are the
# config equivalents of `ssh -N -f`; both options need OpenSSH 8.7+).
Host lf_pgsql
Hostname pgsql.example.com
ProxyJump jump_host_nickname
# local_host:local_port:remote_host:remote_port
# local is from ssh client point of view, remote is any host accessible for ssh server
# Binding to localhost keeps the forwarded port on the loopback interface;
# a bind address of "*" (or an empty one with GatewayPorts) would expose
# the database to every machine that can reach this client.
LocalForward localhost:5432 localhost:5432
# No remote shell or command, only the forward.
SessionType none
# Detach to the background once authentication has succeeded.
ForkAfterAuthentication yes
# Exit with an error if the forward cannot be set up instead of silently
# leaving a session without a tunnel.
ExitOnForwardFailure yes
# Offer only the key/certificate listed here, not every key in the agent;
# avoids leaking other identities to the server and "too many auth failures".
IdentitiesOnly yes
CertificateFile ~/.ssh/id_ed25519-cert.pub
IdentityFile ~/.ssh/id_ed25519
# remote forward example
# Usage: ssh rf_app   Exposes a service on this client (or a host it can
# reach) to the server side. Anyone with a shell on app.example.com can then
# reach the forwarded service, so forward only what the server needs.
Host rf_app
Hostname app.example.com
ProxyJump jump_host_nickname
# local_host:local_port:remote_host:remote_port
# local is from ssh client point of view, remote is any host accessible for ssh server
# The listening side is on the server. With a localhost bind address it is
# reachable only from the server itself; binding to other server interfaces
# additionally requires GatewayPorts in the server's sshd_config.
RemoteForward localhost:5432 localhost:5432
# No remote shell or command, only the forward.
SessionType none
# Detach to the background once authentication has succeeded.
ForkAfterAuthentication yes
# Exit with an error if the forward cannot be set up.
ExitOnForwardFailure yes
# Offer only the key/certificate listed here, not every key in the agent.
IdentitiesOnly yes
CertificateFile ~/.ssh/id_ed25519-cert.pub
IdentityFile ~/.ssh/id_ed25519
# socks dynamic proxy example
# Usage: ssh myproxy, then point applications at SOCKS proxy localhost:1337.
Host myproxy
Hostname server.example.com
Port 2222
ProxyJump jump_host_nickname
# SOCKS listener on port 1337. With no bind address given it listens on
# loopback unless GatewayPorts is enabled, so only local applications can use
# the tunnel.
DynamicForward 1337
# No remote shell or command, only the proxy.
SessionType none
# Detach to the background once authentication has succeeded.
ForkAfterAuthentication yes
# Exit with an error if the listener cannot be set up.
ExitOnForwardFailure yes
# Offer only the key/certificate listed here, not every key in the agent.
IdentitiesOnly yes
CertificateFile ~/.ssh/id_ed25519-cert.pub
IdentityFile ~/.ssh/id_ed25519
# Pattern stanza: anything matching either pattern goes through the jump host.
# Host patterns are matched against the name typed on the command line, not
# the resolved address, so "10.0.0.*" only applies when the IP itself is used.
Host *.local 10.0.0.*
ProxyJump jump_host_nickname
# Keep agent forwarding off by default (see the jump host stanza above).
# ForwardAgent yes
# macOS-only option.
# UseKeychain yes
# Offer only the key/certificate listed here, not every key in the agent.
IdentitiesOnly yes
CertificateFile ~/.ssh/id_ed25519-cert.pub
IdentityFile ~/.ssh/id_ed25519
# Catch-all defaults. ssh keeps the first value obtained per option, so this
# stanza must stay last for the host-specific stanzas above to win.
Host *
# Load a key into the running agent the first time it is used (one
# passphrase prompt per key per agent lifetime).
AddKeysToAgent yes
# Three missed keep-alives at 60 s: a dead link is noticed after ~3 minutes.
ServerAliveInterval 60
ServerAliveCountMax 3
# Enables the sharing of multiple sessions over a single network connection.
# The control socket grants full access to the session to anyone who can
# open it, hence the 0700 directory.
# mkdir ~/.ssh/multiplex && chmod 700 ~/.ssh/multiplex
# ControlMaster auto
# NOTE(review): consider ~/.ssh/multiplex/%C instead; %C hashes user, host
# and port, keeping the socket name short (unix socket path limit) and not
# listing remote user@host in the directory.
# ControlPath ~/.ssh/multiplex/%r@%h:%p
# Keep the master connection open 1 s after the last session ends.
# ssh_config has no trailing comments, so when enabling this line drop the
# text after the value.
# ControlPersist 1 # wait 1 sec