Client Configuration

Most SSH security pertains to the server, but SSH clients have security-related settings too. Here are a few tips:

  • Whenever you leave a computer while SSH clients are running, lock the computer’s display with a password-protected screen locker. This is particularly important if you’re running an agent that permits an intruder to access your remote accounts without a passphrase.

  • In your client configuration file, turn on some safety features as mandatory values:

        # OpenSSH
        # Put at the top of your configuration file
        Host *
          GatewayPorts no
          StrictHostKeyChecking ask
          ForwardX11Trusted no
    
        # Tectia
        # Put at the bottom of your configuration file
        *:
         GatewayPorts no
         StrictHostKeyChecking ask
         TrustX11Applications no

    The GatewayPorts value forbids remote clients from connecting to locally forwarded ports. Rather than blindly connecting, the StrictHostKeyChecking value warns you of any changed host keys and asks what you want to do. Finally, for X11 forwarding we elect to generate a new, untrusted xauth key rather than inherit the trust already in effect. [9.4.5.3]
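
    The OpenSSH block goes at the top because ssh uses the first value it obtains for each option, so a later Host section cannot override it. The Python sketch below is an added example, not code from the book: it resolves options that way and reports which of the three settings end up different for a host. The sample configs and the host alias `build` are constructed; Match blocks and quoted values are not handled.

```python
import fnmatch
import re

# Values the OpenSSH block above pins for every host.
REQUIRED = {"gatewayports": "no", "stricthostkeychecking": "ask",
            "forwardx11trusted": "no"}

def host_matches(patterns, host):
    """A Host line matches if a pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_options(config_text, host):
    """Resolve options as ssh does: the first value obtained for a key wins."""
    effective, applies = {}, True   # lines before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            applies = host_matches(value.split(), host)
        elif key == "match":
            applies = False         # assumption: Match blocks are skipped
        elif applies:
            effective.setdefault(key, value.lower())
    return effective

def audit(config_text, host):
    """Return {option: effective value} for settings that differ (None = unset)."""
    eff = effective_options(config_text, host)
    return {k: eff.get(k) for k, want in REQUIRED.items() if eff.get(k) != want}

# Constructed sample configs; "build" is a hypothetical host alias.
PINNED = ("Host *\n  GatewayPorts no\n  StrictHostKeyChecking ask\n"
          "  ForwardX11Trusted no\n")
PER_HOST = "Host build\n  GatewayPorts yes\n  StrictHostKeyChecking no\n"
TOP = PINNED + PER_HOST       # Host * first: its values win
BOTTOM = PER_HOST + PINNED    # Host * last: the per-host block wins
```

    Calling `audit(TOP, "build")` reports nothing, while `audit(BOTTOM, "build")` reports the two options the earlier per-host block managed to set.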

Get SSH, The Secure Shell: The Definitive Guide, 2nd Edition now with the O’Reilly learning platform.