One of the key secrets to being a good sysadmin is knowing how to be lazy. I’m one of those guys who will spend an hour writing a script to do something I could have knocked out in 10 minutes. Wait… that’s not being lazy? It is if I have to perform that task more than 6 times.
My job requires a lot of ssh. My workstation might as well be a thin client. Working from home I use ssh even more. My VPN connection doesn’t give me as much access to certain areas of our network as I have when logged in locally. So I end up doing a lot of
ssh -t servericanget.to ssh servericantget.to
So I’ve started playing with my ssh config.
The biggest time saver is enabling connection sharing. Now I can log into servericanget.to once and keep that tab open. Then when I need to hop through it using ssh -t to get to another server, I don’t get prompted for a password, because the new session rides on the already-authenticated connection.
# Enable connection sharing
ControlMaster auto
ControlPath /tmp/ssh_mux_%h_%p_%r
So, after that, what else can I tweak? Not only am I a sysadmin, I’m a car junkie too. Love American Muscle and huge fan of Subaru. Little turbo boxer with AWD… oh man I miss my WRX. Anyway… as you might imagine, I like performance too. So, I’ve tweaked out the ssh config, adding things like compression, a preference for faster ciphers, and so on.
# Sometimes speeds up initial handshake
GSSAPIAuthentication no
# Prefer protocol 2
Protocol 2,1
# Enable Compression
Compression yes
# Update Ciphers
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Last, I tweak some default host settings. Pretty standard stuff. I rarely need X11 forwarded, but I’ve had a few times where I’ve had to disconnect and reconnect with -X. I don’t see any reason not to have it on by default.
# Global defaults for hosts
Host *
ForwardX11 yes
You might note that I don’t have ForwardAgent included. Technically there is a risk in doing that if you can’t trust the intermediate hosts, since anyone with root on a hop can use your forwarded agent to authenticate as you. 99.9% of the time this won’t be an issue, but I never know when I might need to jump into a host somewhere, some way, where it might be a problem. So, might as well just not enable it. I haven’t actually had a case where I needed or wanted it anyway.
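To check a config like the ones above against what current OpenSSH still accepts, here is an added example of my own (not code from the post or from the author’s repository): a POSIX shell audit function that flags SSHv1 in Protocol, ciphers OpenSSH has since removed or that are known weak, a mux socket in /tmp, and global ForwardAgent or ForwardX11. It runs over two constructed configs; the weak one mirrors the post’s settings, and the hardened one reuses the post’s host names as assumed examples and swaps the ssh -t chain for ProxyJump (OpenSSH 7.3+).

```shell
#!/bin/sh
# Constructed sample that mirrors the post's settings (not the author's real file).
WEAK_CONFIG='# Enable connection sharing
ControlMaster auto
ControlPath /tmp/ssh_mux_%h_%p_%r
Protocol 2,1
Compression yes
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Host *
ForwardX11 yes'

# Same intent on a current OpenSSH: mux socket under ~/.ssh, AEAD ciphers only,
# ProxyJump instead of "ssh -t jump ssh target", no global forwarding.
HARDENED_CONFIG='Host *
  ControlMaster auto
  ControlPath ~/.ssh/mux-%r@%h:%p
  ControlPersist 10m
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Host servericantget.to
  ProxyJump servericanget.to'

# audit_ssh_config: read an ssh_config on stdin, print one finding per line,
# exit 1 if anything was flagged and 0 if the file is clean.
audit_ssh_config() {
  awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
    NF < 2 { next }                          # skip blank lines
    { key = tolower($1); val = $2 }
    key == "protocol" && val ~ /(^|,)1(,|$)/ {
      print "Protocol " val ": allows SSHv1 (removed in OpenSSH 7.6); use Protocol 2"; n++ }
    key == "ciphers" {
      nc = split(val, c, ",")
      for (i = 1; i <= nc; i++)
        if (c[i] ~ /^(arcfour|blowfish-cbc|cast128-cbc|3des-cbc)/) {
          print "Ciphers: " c[i] " is weak or gone from OpenSSH; prefer AEAD ciphers"; n++ }
    }
    key == "controlpath" && val ~ /^\/tmp\// {
      print "ControlPath " val ": mux socket in world-writable /tmp; keep it under ~/.ssh"; n++ }
    key == "forwardagent" && tolower(val) == "yes" {
      print "ForwardAgent yes: every intermediate host can use your agent keys"; n++ }
    key == "forwardx11" && tolower(val) == "yes" {
      print "ForwardX11 yes: whoever can read your xauth data on the remote host reaches your X display"; n++ }
    END { exit (n > 0) }
  '
}

# Stand-alone run: report on both samples.
printf '%s\n' "$WEAK_CONFIG" | audit_ssh_config || echo "weak config: findings above"
printf '%s\n' "$HARDENED_CONFIG" | audit_ssh_config && echo "hardened config: no findings"
```

Pipe your own file in with `audit_ssh_config < ~/.ssh/config`; the exit status makes it usable as a pre-commit check on a dotfiles repository.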
So, the final version can be found here: https://github.com/joerussbowman/Mystuff/blob/master/desktop/ssh/config
If I make changes, I’ll keep that repository up to date, so that’s the best place to go grab it from rather than just me copy/pasting something in this blog post that might get outdated.
If you have any suggestions for other ssh features you use, use the comments to share.
joerussbowman posted this