Client Configuration Optimization

Properly configured SSH clients enhance security while improving user experience. Client configurations should enforce security policies, streamline connections, and prevent common misconfigurations.

Create a security-focused global SSH client configuration:

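# /etc/ssh/ssh_config
# System-wide SSH client configuration
#
# ssh(1) uses the first value it obtains for each option, reading the command
# line first, then ~/.ssh/config, then this file. Everything below is therefore
# a default that a user can override. Policy that must hold regardless of the
# client has to be enforced in sshd_config on the server.

# Global security settings
Host *
    # Protocol and authentication
    # "Protocol" is obsolete: OpenSSH releases without SSH-1 support ignore the
    # keyword. It only matters to old clients that still read it.
    Protocol 2
    PasswordAuthentication no
    # Newer OpenSSH names this option KbdInteractiveAuthentication and keeps
    # ChallengeResponseAuthentication as a deprecated alias.
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    PreferredAuthentications publickey
    # Offer only the configured (or default) identity files, not every key
    # that happens to be loaded in the agent.
    IdentitiesOnly yes

    # Security hardening
    # "yes" refuses hosts whose key is unknown or has changed, so known_hosts
    # must be populated through a trusted channel before the first connection.
    StrictHostKeyChecking yes
    CheckHostIP yes
    # Store host names in known_hosts as hashes rather than in clear text.
    HashKnownHosts yes
    VisualHostKey yes

    # Cipher specifications
    # NOTE(review): the algorithm names on the published page were mangled by
    # e-mail obfuscation (every "name@domain" token was replaced). The lists
    # below are a reconstruction of the usual AEAD / encrypt-then-MAC set, not
    # the author's confirmed values. Check them against what the installed
    # client supports with `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`.
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512

    # Connection settings
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes
    Compression no

    # Forwarding restrictions
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no

    # Tunneling options
    Tunnel no
    PermitLocalCommand no

    # Timeouts
    ConnectTimeout 30
    ConnectionAttempts 3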

Implement user-specific configurations for different environments:

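# ~/.ssh/config
# User-specific SSH client configuration
#
# ssh(1) uses the first value it obtains for each option, and IdentityFile
# entries accumulate in file order. Host-specific stanzas therefore come first
# and the "Host *" defaults last, so each host is offered its own key before
# the general-purpose ones.
# Comments sit on their own lines because not every OpenSSH release accepts a
# comment after an option value.

# Production servers
Host prod-* *.production.example.com
    User produser
    IdentityFile ~/.ssh/id_ed25519_production
    # Limits the offer to IdentityFile entries. The default keys from "Host *"
    # still match this host and are offered after the production key.
    IdentitiesOnly yes
    ForwardAgent no
    StrictHostKeyChecking yes
    LogLevel INFO
    SendEnv LANG LC_*

# Development environment
Host dev-* *.dev.example.com
    User developer
    IdentityFile ~/.ssh/id_ed25519_dev
    # "ask" prompts before trusting a new host key. Confirm the fingerprint
    # out of band instead of accepting it by habit.
    StrictHostKeyChecking ask
    # Needed for git operations. While the session is open, anyone with root
    # on the dev host can use the forwarded agent to authenticate as you, so
    # keep production keys out of the agent for these sessions.
    ForwardAgent yes
    LocalForward 8080 localhost:80
    LogLevel DEBUG

# Jump host configuration
Host jump-host bastion
    HostName jump.example.com
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519_jump
    # Agent forwarding is off here. The internal hosts below are reached with
    # ProxyJump, which authenticates to the target from this machine and never
    # hands the agent to the bastion.
    ForwardAgent no
    # Opens a SOCKS listener on local port 1080 for every direct session to
    # the bastion. Remove it if the proxy is not needed on each connection.
    DynamicForward 1080
    ExitOnForwardFailure yes

# Internal servers via jump host
Host internal-* 10.*
    ProxyJump jump-host
    User internaluser
    IdentityFile ~/.ssh/id_ed25519_internal
    StrictHostKeyChecking yes

# Git repositories
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes

# Personal server with custom port
Host personal
    HostName personal.example.com
    Port 2222
    User myuser
    IdentityFile ~/.ssh/id_ed25519_personal
    # PostgreSQL
    LocalForward 5432 localhost:5432
    # Redis
    LocalForward 6379 localhost:6379

# Default settings for all hosts (kept last, see the note at the top)
Host *
    # Use specific identity files
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa

    # Security settings
    AddKeysToAgent yes
    # UseKeychain exists only in Apple's OpenSSH build (macOS). IgnoreUnknown
    # keeps other builds from aborting on the unknown keyword.
    IgnoreUnknown UseKeychain
    UseKeychain yes

    # Connection multiplexing for performance
    # While the master persists, any process running as this user can open new
    # sessions through the control socket without authenticating again. Keep
    # ~/.ssh readable by the owner only.
    ControlMaster auto
    ControlPath ~/.ssh/control-%r@%h:%p
    ControlPersist 10m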