SSH Client improvements
This article covers several SSH client topics and optimisations I have implemented. Among them:
- Managing modular SSH client config
- SSH connection failure from Ubuntu to Oracle Linux 8
- Using SSH jump server transparently
SSH client modular configuration
By default, the per-user SSH client configuration lives in the user’s home directory, under .ssh/config. I believe that this configuration file is not modular enough, and when you want to add/edit/remove an entry, you risk damaging the file. Moreover, if you manage several different computers (like I do), you have to do more complex configuration merging.
The SSH client supports an Include directive that can pull in a whole directory of files. The only(!) configuration directive required for that in the .ssh/config file looks like this:
Include config.d/*.conf
If you want to define some defaults and enforce them to be read last, add them below this line. The SSH client uses the first value it obtains for each option, so anything placed below the Include line only applies where no included file has already set it. However – for easier management – all you need to do is create a directory config.d under .ssh and populate it with modular files, each with a .conf suffix and containing its own directives. This makes configuration merging simpler and easier to automate.
Ubuntu SSH to OEL8 with ‘Connection Corrupted’ message
I was failing to connect from Ubuntu to OEL8 (and probably RHEL8 as well; I did not test with RHEL9, though) with an error message showing “Connection corrupted” and a “bad packet length”. While I do not seem to suffer from it anymore, at that time it was very frustrating. I believe that for systems updated at that time this issue might still pose a problem. A custom ciphers limit configuration for the target host could be a very safe workaround for this problem. The configuration file should look like this (placed in the modular configuration directory .ssh/config.d/myserver.conf):
Host 192.168.10.254 myserver.mydomain.com myserver
Ciphers [email protected]
Following that, connection would return to normal. I found the solution here, so I am linking it.
Configuring SSH client to automatically use Jump Server
Using a Jump Server (Bastion) to reach a remote SSH host is a more complex idea. For manual work, hopping through the Jump Server by hand to reach the remote host is annoying, but not enough to force me to find a solution. However, when I started using Ansible with no direct SSH access to the remote host except through the Jump Server, it became a necessity. It appears the SSH client configuration supports this, and will allow a through-proxy connection (using automatic key transfer, as it seems to me) to reach the remote host. Moreover – this solution integrates seamlessly with Ansible when the transport is SSH. An example of such a configuration:
Host my-bastion
    User root
    Hostname 192.168.10.10
Host 172.16.0.*
    ProxyJump my-bastion
In this example we can see two definitions – one for the ‘my-bastion’ Jump Server, and one for the entire network of hosts behind it. Now I can run ‘ssh 172.16.0.10’ and the ssh command will automatically jump through my-bastion to reach the remote host.
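As an added example (not from the original article, and not OpenSSH's own code), this Python sketch models two ssh_config rules that the modular-config and Jump Server sections rely on: Include files are read where the directive appears, and the first value obtained for an option wins. It is a simplified model (no Match blocks, negated patterns or tokens), and the 'User admin' and 'ServerAliveInterval 60' defaults are constructed for the demo.

```python
import fnmatch, glob, os, tempfile

def read_lines(path, base):
    """Yield (keyword, argument) pairs, expanding Include where it appears."""
    with open(path) as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "include":
                # Relative patterns resolve against the config directory (~/.ssh).
                for inc in sorted(glob.glob(os.path.join(base, arg))):
                    yield from read_lines(inc, base)
            else:
                yield key, arg

def resolve(config_path, host):
    """Return the options that apply to host; the first value seen wins."""
    active, result = True, {}
    for key, arg in read_lines(config_path, os.path.dirname(config_path)):
        if key == "host":
            # A Host line switches matching on or off for the lines below it.
            active = any(fnmatch.fnmatch(host, pat) for pat in arg.split())
        elif active:
            result.setdefault(key, arg)
    return result

def build_demo():
    """Write a constructed ~/.ssh-style tree to a temp dir; return the config path."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "config.d"))
    with open(os.path.join(root, "config"), "w") as fh:
        # Defaults sit below the Include line (values are constructed).
        fh.write("Include config.d/*.conf\nHost *\n  User admin\n  ServerAliveInterval 60\n")
    with open(os.path.join(root, "config.d", "bastion.conf"), "w") as fh:
        fh.write("Host my-bastion\n  User root\n  Hostname 192.168.10.10\n"
                 "Host 172.16.0.*\n  ProxyJump my-bastion\n")
    return os.path.join(root, "config")

if __name__ == "__main__":
    cfg = build_demo()
    for h in ("my-bastion", "172.16.0.10", "10.0.0.1"):
        print(h, resolve(cfg, h))
```

On a real machine, 'ssh -G 172.16.0.10' prints the options OpenSSH itself resolves for that host without opening a connection, which is the authoritative check after editing files under config.d.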
Additional resources regarding the SSH client config file can be found in this knowledge base, from which I took some information to make my ongoing life a little better, and to share here.