Docs/Drafts/CryptoGuide/SSH
From FedoraProject
Moving to XML
Contents |
Introduction
Secure Shell (SSH) is a powerful tool used to communicate with another *nix system. The transmissions over SSH are all encrypted and protected from interception. Cryptographic log-on can also be utilized to provide a better authentication method over traditional usernames and passwords.
Setting up SSH
SSH is very easy to setup. By simply starting the sshd service, the system will accept connect requests from anyone and will allow access to the system when a proper username and password is provided.
Changes to the sshd_config file
SSH gets its configuration instructions from a file named sshd_config. This file is located at /etc/ssh/ and can be quite confusing if you aren't used to reading it. We will go over some of the major points in the file and explain what they mean and what they do.
Allowing specific ports access via SSH
The standard port for SSH is 22. If you want to utilize a different port to access your system you should specify it here.
Port 23 Port 22
The above example shows that SSH will listen on both port 22 and port 23.
Note: If you are using SELinux, you will have to create a separate rule to allow that additional port...
Authentication
Authentication is extremely important to the safe operation of SSH. By starting the SSH service you are allowing anyone on your network (or on the Internet if your network is connected)
# Authentication: LoginGraceTime 1m PermitRootLogin no #StrictModes yes MaxAuthTries 3 DSAAuthentication no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysFile2 %h/.ssh/authorized_keys2 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server AllowUsers ''Put allowed users here.''
