Managing .ssh for multiple clients on MacOS

We have hundreds of clients where I work, and now some of us, finally, get to use Macs.  We use mRemoteNG for managing ssh connections on Windows, but we needed a solution for Macs.  We needed an easy-to-use solution that allowed us to control who had access where.

One of the issues with how our mRemoteNG is currently configured is that we have one .xml file that we import into mRemoteNG, and that person now has all servers for all clients set up.  That sounds convenient, but it is not as secure or manageable as we've learned we need.

Luckily on Mac, ssh has a config file that handles includes built-in, and with a little thinking becomes the perfect solution.  Basically, add a config file, add an include for a subdirectory, and then add client config files as needed.

Note: I'm assuming you are using keys for access.  The user's public key(s) still have to be added to the servers for any of this to work.  If you use a different key per client, use IdentityFile to define the key per host entry.

Setup

  1. Navigate to ~/.ssh
    cd ~/.ssh
  2. Create config file
    touch config
  3. Create subdirectory
    mkdir config.d
  4. Edit config file
    vi config

    1. Use i to enter into edit mode, and then add at the top of the config file (it must come before any Host or Match block, otherwise the include only applies inside that block)
      Include config.d/*
    2. Use esc to exit edit mode, Save and exit
      :wq
  5. Go into subdirectory
    cd config.d
  6. Add sub-files as needed.
    touch xxx-sshconfig

Now that we have the structure put together, using some naming schemes makes this all come together.  We use a 3-letter code for our clients, so each config file is xxx-sshconfig.  We store the config files with the client passwords in our password manager.  If you have access to the passwords, you also have access to this config.

The other important naming scheme you want to set up is the host line for each server.  If you use a naming scheme, then you’ll just know what it is, without having to look it up.

Basic 'empty' file:

# Client:

Host
    Hostname
    User

Host
    Hostname
    User

Host
    Hostname
    User

Example:

# Client: BUR - 

Host bur-prod-01
    Hostname sss.prod-01.domain.tld
    User username01

Host bur-prod-02
    Hostname sss.prod-01.domain.tld
    User username02

Host bur-stage-01
    Hostname sss.stage-01.domain.tld
    User username03
    IdentityFile ~/.ssh/id_rsa

And finally, how to use it:

ssh bur-prod-01
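To tie the setup steps and the client-file layout together, here is an added shell script (not code from the original post) that builds the same structure: a config whose first line is the Include, a config.d subdirectory, and one xxx-sshconfig file per client in the Host/Hostname/User form shown above. It also sets the permissions ssh expects (ssh refuses to read a config that is writable by others) and, when a per-client key is given, adds IdentitiesOnly so that only that key is offered to the client's server; IdentitiesOnly and the colon-separated "alias:hostname:user[:identityfile]" argument format are this example's own conventions, not something from the post. Every function takes the directory standing in for ~/.ssh as its first argument, so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the ~/.ssh layout
# described above (config with a leading Include, plus config.d/<xxx>-sshconfig
# files). Assumed convention: every function takes the directory standing in
# for ~/.ssh as its first argument.

# Create config.d, make sure "Include config.d/*" is the first line of config,
# and set the permissions ssh expects (700 on the directories, 600 on config).
setup_ssh_includes() {
  ssh_home="$1"
  mkdir -p "$ssh_home/config.d"
  chmod 700 "$ssh_home" "$ssh_home/config.d"
  [ -f "$ssh_home/config" ] || : > "$ssh_home/config"
  # Idempotent: only prepend the Include if it is not already present.
  # It has to come before any Host/Match block, or it would only apply there.
  if ! grep -q '^Include config\.d/\*' "$ssh_home/config"; then
    tmp="$ssh_home/config.new.$$"
    { printf 'Include config.d/*\n'; cat "$ssh_home/config"; } > "$tmp"
    mv "$tmp" "$ssh_home/config"
  fi
  chmod 600 "$ssh_home/config"
}

# Write config.d/<code>-sshconfig for one client. Each remaining argument is
# one host as "alias:hostname:user[:identityfile]" (a convention of this
# example). When a key file is given, IdentitiesOnly is added so ssh offers
# only that key to the client's server instead of every key in the agent.
add_client_config() {
  ssh_home="$1"; code="$2"; shift 2
  out="$ssh_home/config.d/$code-sshconfig"
  printf '# Client: %s\n' "$code" > "$out"
  chmod 600 "$out"
  for entry in "$@"; do
    old_ifs=$IFS; IFS=:
    set -- $entry            # split the colon-separated fields
    IFS=$old_ifs
    host_alias=$1; hostname=$2; user=$3; key=$4
    {
      printf '\nHost %s\n    Hostname %s\n    User %s\n' "$host_alias" "$hostname" "$user"
      if [ -n "$key" ]; then
        printf '    IdentityFile %s\n    IdentitiesOnly yes\n' "$key"
      fi
    } >> "$out"
  done
}

# List every Host alias defined across the client files, one per line.
list_hosts() {
  awk '/^Host /{print $2}' "$1"/config.d/*-sshconfig
}

# Usage (constructed sample values, not real hosts):
#   setup_ssh_includes "$HOME/.ssh"
#   add_client_config "$HOME/.ssh" bur \
#     "bur-prod-01:sss.prod-01.domain.tld:username01" \
#     "bur-stage-01:sss.stage-01.domain.tld:username03:~/.ssh/id_rsa"
#   list_hosts "$HOME/.ssh"
```

After running it against the real ~/.ssh, `ssh -G bur-prod-01` prints the options ssh would actually use for that alias, which is the quickest way to confirm the Include is being read and the right Hostname, User and IdentityFile are picked up. Because the Include uses a glob, any stray file in config.d (an editor backup, for instance) is parsed too, so keep that directory limited to the client files.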

There is A LOT more that can be configured in these ssh configs; see the official documentation (`man ssh_config`) for more ideas and solutions.
