OpenSSH. A Survival Guide for Secure Shell Handling, Version 1.0. Authors: Hudak T., Sibley B. Published year: 2002. Pages: 14-16/90
Now that the OpenSSH software is installed, we need to make sure the server configuration is set up correctly. The configuration file for the SSH daemon is usually located in /etc/ssh and is called sshd_config. You can leave most of the settings alone as the defaults should work for most installations. However, the following should be verified to make sure they are set correctly.
Appendix A of this book contains a sample sshd_config file with comments pertaining to each option. This sample configuration file should work for most, if not all, current versions of OpenSSH.
Note: In the OpenSSH configuration files, the absence of an option means OpenSSH will use the default setting for that option as specified in the man page for sshd.
Protocol - The Protocol option sets which SSH protocol versions the server will accept. By default, both SSHv1 and SSHv2 are permitted. Protocol version 1 has a number of known weaknesses and its use is discouraged. More information on protocol version 1's problems can be found at http://www.openSSH.com/security.html
OpenSSH should be set to only allow SSHv2 connections. To do this, uncomment the "Protocol" line in sshd_config and place only a "2" after it, as shown below:
Protocol 2
Later OpenSSH releases make this moot: from 7.0 the server is no longer built with SSHv1 support, and 7.6 removed the protocol entirely, so on current versions the line is redundant but harmless.
PermitRootLogin - specifies whether root is allowed to log in to the server over SSH. By default, OpenSSH allows this (from release 7.0 the default became "prohibit-password", which still lets root in with a key). Allowing root to log in remotely is discouraged: it gives an attacker a well-known account name to target, and if root is compromised the entire system is compromised. With it disabled, administrators log in under their own accounts and become root locally with su. To disable remote root logins, change "PermitRootLogin" as shown below:
PermitRootLogin no
PubkeyAuthentication - specifies whether SSHv2 public key authentication is allowed. By default, this is set to "yes". If you plan on using public key authentication, verify that the option has not been changed to "no". You can explicitly allow public key authentication by setting the option as shown below:
PubkeyAuthentication yes
X11Forwarding - specifies whether the OpenSSH daemon will allow connecting clients to use X11 forwarding. X11 forwarding is explained in detail in Step 6.3.
By default, this is not allowed, and it should stay that way unless your users need it: a forwarded display lets processes on the server interact with the client's X display, so a compromised server can attack the client. If you wish to allow incoming clients to use the X11 forwarding feature of OpenSSH, set the X11Forwarding option as shown below:
X11Forwarding yes
Banner - specifies a text file whose contents are sent to the remote user before authentication is allowed. This may be required for legal purposes (a "no unauthorized use" notice). In the OpenSSH releases covered here the option only applies to protocol version 2 connections. The Banner option can be set as shown below:
Banner /etc/issue
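Because an absent keyword silently falls back to the compiled-in default, it is worth checking the effective value of each option above rather than just reading the file. The following script is an added example (not from the book) that does this for the five options discussed. It assumes the parsing rules that apply to the sshd_config of this era: whole-line "#" comments, case-insensitive keywords, the first occurrence of a keyword wins and later ones are ignored, and anything after a "Match" line (added in later releases) is conditional and is not considered. The "wanted" values for X11Forwarding and Banner are a site-policy assumption.

```shell
#!/bin/sh
# Added example: verify the effective value of the sshd_config options above.
# Assumes whole-line '#' comments, case-insensitive keywords, first
# occurrence of a keyword wins, and options after "Match" are conditional.

# effective_value FILE KEYWORD
# Prints the first value given for KEYWORD, or nothing if it is never set
# (which means the compiled-in default applies).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }           # blank line or comment
        tolower($1) == "match" { exit }           # options below Match are conditional
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per option whose effective value (explicit, or the default
# described in the text when absent) differs from the wanted value.
# Returns the number of deviations, so 0 means the file passes.
check_sshd_config() {
    file=$1
    bad=0
    # keyword|default-if-absent|wanted
    # (X11Forwarding no and Banner /etc/issue are site-policy assumptions)
    for spec in 'Protocol|2,1|2' \
                'PermitRootLogin|yes|no' \
                'PubkeyAuthentication|yes|yes' \
                'X11Forwarding|no|no' \
                'Banner|none|/etc/issue'
    do
        key=${spec%%|*}
        rest=${spec#*|}
        default=${rest%%|*}
        want=${rest#*|}
        val=$(effective_value "$file" "$key")
        [ -n "$val" ] || val=$default
        if [ "$val" != "$want" ]; then
            echo "$key: effective value '$val', wanted '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: check_sshd_config /etc/ssh/sshd_config
```

A file that sets "Protocol 2" on one line but carries an earlier "Protocol 2,1" (left over from a sample configuration) still permits SSHv1, which is exactly the case the first-occurrence rule catches.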
The OpenSSH server daemon, sshd, must be running before OpenSSH clients can connect. It has to be started as root: it binds the privileged port 22 and must switch to the identity of each user who logs in.
You can simply launch sshd as root, as follows (sshd puts itself into the background, so the trailing & is not strictly needed):
# /usr/local/sbin/sshd &
You should also place this command in a startup script so that it is launched each time the system boots. For example, on Solaris 8 we could use an editor to insert and save the above command in the file /etc/init.d/sshd_start, make that file executable, and then link it into the run level 3 directory:
# ln /etc/init.d/sshd_start /etc/rc3.d/S95sshd
Now each time the system is booted, the rc scripts run S95sshd as root and the sshd daemon starts automatically. With privilege separation (available from OpenSSH 3.2.2), the part of sshd that talks to unauthenticated clients runs as the unprivileged user "sshd", but the listening daemon itself remains root.
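A one-line "sshd &" in an rc file starts the daemon, but it also happily ignores a broken sshd_config, leaving the machine without remote access after the next reboot. The script below is an added example of what /etc/init.d/sshd_start could contain; it is not from the book. It assumes that sshd supports -t (test mode, which parses the configuration and checks the host keys and exits non-zero on error) and that it writes its pid to /var/run/sshd.pid, the PidFile default; the paths can be overridden from the environment.

```shell
#!/bin/sh
# Added example for /etc/init.d/sshd_start (path as in the text): start or
# stop sshd at boot. Assumes sshd -t is available and that sshd records its
# pid in PIDFILE. Run as root by the rc scripts.
SSHD=${SSHD:-/usr/local/sbin/sshd}
CONFIG=${CONFIG:-/etc/ssh/sshd_config}
PIDFILE=${PIDFILE:-/var/run/sshd.pid}

# sshd_running: true if the pid recorded in PIDFILE belongs to a live process
sshd_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# start_sshd: refuse to start with a broken configuration. sshd -t parses
# CONFIG and checks the host keys, exiting non-zero on any error, so a bad
# edit is reported here instead of silently costing remote access at the
# next boot. sshd detaches itself, so no trailing & is needed.
start_sshd() {
    if [ ! -x "$SSHD" ]; then echo "$SSHD: not executable" >&2; return 1; fi
    if sshd_running; then echo "sshd already running"; return 0; fi
    if ! "$SSHD" -t -f "$CONFIG"; then
        echo "$CONFIG failed the sshd -t check, not starting" >&2
        return 1
    fi
    "$SSHD" -f "$CONFIG"
}

# stop_sshd: signal the listening daemon only. Established sessions are
# separate processes and are left alone, so the admin running this is not
# cut off.
stop_sshd() {
    if ! sshd_running; then echo "sshd not running"; return 0; fi
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case ${1:-} in
    start) start_sshd ;;
    stop)  stop_sshd ;;
    "")    ;;                       # no action when only sourced
    *)     echo "usage: $0 {start|stop}" >&2 ;;
esac
```

The S95sshd link from the text then calls this script with "start" at boot; the matching K-link in the shutdown run level would call it with "stop". Because the stop path kills only the pid in PIDFILE, user sessions survive a restart of the listener, which is also what you want after editing sshd_config.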
Problem: Many times administrators will find themselves on a Windows machine with no way to access a remote server securely since Microsoft does not yet package an SSH client.
There are a number of excellent tools available that provide SSH client connectivity from a Windows platform. A list of these tools is available at http://www.openSSH.com/windows.html.
Note: It is possible to use Cygwin, a UNIX environment for Windows, to compile OpenSSH and run an OpenSSH server daemon. However, installing and configuring Cygwin is beyond the scope of this book and will not be discussed. Cygwin can be found at http://sources.redhat.com/cygwin/.