Managing Secure Shell Access in Oracle® Solaris 11.3

Updated: June 2019
 
 

Sharing .ssh/config Files Between Multiple Oracle Solaris Releases

If your home directory is on a network, you can share the ~/.ssh/config file among multiple systems, even if those systems are running different Oracle Solaris releases or different Secure Shell implementations. However, one Secure Shell implementation might not recognize all the configuration options of another implementation. In some cases, an implementation might not recognize configuration options from a different version of the same implementation.

For Oracle Solaris 10 Update 11 and later releases, when the Secure Shell configuration options cannot be recognized by the different systems on the network, you can modify the ssh_config file so that it will ignore options that are unrecognized, thus enabling use of the shared ~/.ssh/config file among multiple systems.

Secure Shell Implementations and Ignore Keywords

Two keywords, IgnoreIfUnknown and IgnoreUnknown, can be used to ignore Secure Shell configuration keywords that are unrecognized among multiple systems. The IgnoreIfUnknown keyword is available in SunSSH and the IgnoreUnknown keyword is available in OpenSSH.

Both IgnoreIfUnknown and IgnoreUnknown specify a comma-separated list of ssh_config keywords, which, if unknown to the ssh program, are ignored by Secure Shell. However, while IgnoreIfUnknown applies to the entire configuration file, IgnoreUnknown applies only to unknown keywords that follow it in the configuration file.

The following table identifies the Secure Shell implementations in each Oracle Solaris release and the Ignore keywords that are available in each implementation.

Table 2  Ignore Keywords in Secure Shell

Release                                                  Secure Shell Implementation  Supported Ignore Keyword
-------------------------------------------------------  ---------------------------  ---------------------------------
Oracle Solaris 11.3                                      SunSSH                       IgnoreIfUnknown and IgnoreUnknown
Oracle Solaris 11.3                                      OpenSSH                      IgnoreUnknown
Oracle Solaris 11 releases prior to Oracle Solaris 11.3  SunSSH                       IgnoreIfUnknown
Oracle Solaris 10 Update 11                              SunSSH                       IgnoreIfUnknown

The following releases do not support the Ignore keywords and cannot be included as part of a shared Secure Shell configuration over a network.

  • Oracle Solaris 9

  • Oracle Solaris 10 prior to Update 11

  • OpenSSH 6.2 and older OpenSSH versions

Ignoring Secure Shell Keywords to Enable Interoperability

If your ~/.ssh/config file is on a network whose systems run different implementations of Secure Shell, you can keep the file usable on every system by adding the IgnoreUnknown and IgnoreIfUnknown keywords to the file.


Note - All systems must be able to use at least one of the Ignore keywords as listed in Table 2, Ignore Keywords in Secure Shell.

Example 1  Sharing a Secure Shell Configuration Across Releases That Support Different Keywords

This example shows how to use the HostBasedKeyTypes keyword that was introduced in OpenSSH 6.8. The users are on a network where some systems are running a release of Secure Shell that does not support this keyword.

Add the following entries to the ssh_config file:

---
IgnoreUnknown HostBasedKeyTypes,IgnoreIfUnknown
IgnoreIfUnknown HostBasedKeyTypes,IgnoreUnknown

HostBasedKeyTypes ssh-rsa-cert-v01@openssh.com,ssh-rsa
---

Both Ignore keywords are added, and each one names the other in its list, so that every Secure Shell implementation can read the file. For more information, see the ssh_config(4) man page.
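
The following check is an added example, not part of the Oracle documentation or of either Secure Shell implementation. It models the two scoping rules described above (IgnoreIfUnknown covers the whole file, IgnoreUnknown covers only the lines after it) and reports, per client, which keywords would be rejected and which would be silently skipped and so have no effect on that system. The keyword sets, the names lint, SUNSSH and OLD_OPENSSH, and the reordered file are assumptions made for illustration; OLD_OPENSSH stands for an OpenSSH release that has IgnoreUnknown but predates HostBasedKeyTypes.

```python
import re

# Constructed stand-ins: keywords each client recognises besides its own Ignore
# keyword. Neither set models the full keyword list of a real release.
SUNSSH = dict(known={"host"}, ignore_kw="IgnoreIfUnknown", whole_file=True)
OLD_OPENSSH = dict(known={"host"}, ignore_kw="IgnoreUnknown", whole_file=False)

def directives(text):
    """Yield (line_number, lowercased_keyword, value) for each directive."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9]+)[\s=]+(.*\S)", raw)
        if m:                      # blank lines and '#' comments do not match
            yield n, m.group(1).lower(), m.group(2)

def names(value):
    # Names are compared literally; any pattern syntax is not modelled here.
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def lint(text, known, ignore_kw, whole_file):
    """Return (rejected, skipped) lists of (line_number, keyword)."""
    ignore_kw = ignore_kw.lower()
    items = list(directives(text))
    ignored = set()
    if whole_file:                 # IgnoreIfUnknown: list covers the entire file
        for _, kw, val in items:
            if kw == ignore_kw:
                ignored |= names(val)
    rejected, skipped = [], []
    for n, kw, val in items:
        if kw == ignore_kw:        # IgnoreUnknown: list covers later lines only
            ignored |= names(val)
        elif kw not in known:
            # skipped: parsed but has no effect here; rejected: client refuses it
            (skipped if kw in ignored else rejected).append((n, kw))
    return rejected, skipped

PAGE_EXAMPLE = """\
IgnoreUnknown HostBasedKeyTypes,IgnoreIfUnknown
IgnoreIfUnknown HostBasedKeyTypes,IgnoreUnknown

HostBasedKeyTypes ssh-rsa-cert-v01@openssh.com,ssh-rsa
"""
# Constructed variant: same directives with the Ignore lines moved to the end.
REORDERED = "\n".join(PAGE_EXAMPLE.splitlines()[3:] + PAGE_EXAMPLE.splitlines()[:2])

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("reordered", REORDERED)):
        for impl, model in (("SunSSH", SUNSSH), ("older OpenSSH", OLD_OPENSSH)):
            print(label, impl, lint(cfg, **model))
```

With the Ignore lines first, neither model rejects anything; moved to the end, the IgnoreUnknown model rejects HostBasedKeyTypes on line 1 while the IgnoreIfUnknown model still accepts the file.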