Docs/Drafts/CryptoGuide/SSH

= Introduction =

Secure Shell (SSH) is the standard tool for logging in to and running commands on another *nix system over a network. Everything sent over an SSH session is encrypted and integrity-protected, so it cannot be read or silently altered by anyone who intercepts the traffic. SSH can also authenticate users with cryptographic keys instead of (or in addition to) traditional usernames and passwords, which removes the password-guessing attack surface entirely.

= Setting up SSH =

SSH is very easy to set up. Simply starting the sshd service makes the system accept connection requests from anyone who can reach it and grants access whenever a valid username and password is provided. That convenience is also the risk: a default installation exposes every local account to password guessing from the whole network, so the settings below should be reviewed before the service is reachable from untrusted hosts.

Changes to the sshd_config file

sshd reads its configuration from a file named sshd_config (the exact path depends on how OpenSSH is packaged on your system). The file can be quite confusing if you aren't used to reading it, so we will go over the major directives and explain what they mean and what they do.

Allowing specific ports access via SSH

The standard port for SSH is 22. If you want sshd to listen on a different or an additional port, specify it here, one Port directive per line:

Port 22
Port 23

The above example shows that SSH will listen on both port 22 and port 23. Unlike most directives, Port accumulates: each Port line adds a listener rather than replacing the previous one. Note that 23 is the well-known telnet port and is used here only as an illustration; pick a port that nothing else on the host uses.

Note: If you are using SELinux, you will have to create a separate rule to allow that additional port... If a host firewall is running, the new port has to be opened there as well.

Authentication

Authentication is extremely important to the safe operation of SSH. By starting the SSH service you are allowing anyone on your network (or on the Internet if your network is connected)

The directives below control who may log in, how many attempts each connection gets, and which kinds of credentials (passwords, keys, Kerberos/GSSAPI tickets) are accepted.


# Authentication:

LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
#StrictModes yes

# Note: DSAAuthentication is not an sshd_config keyword, and sshd refuses to
# start when it meets an unknown directive. Which key algorithms are accepted
# is controlled by PubkeyAcceptedKeyTypes (PubkeyAcceptedAlgorithms in newer
# releases) together with PubkeyAuthentication.
# RSAAuthentication only covered SSH protocol 1; OpenSSH 7.4 and later dropped
# protocol 1 and ignore this keyword with a warning.
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysFile2    %h/.ssh/authorized_keys2


# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

PermitEmptyPasswords no
# To disable tunneled clear text passwords, change to no here!
# (Do so as soon as key-based logins work: it removes password guessing entirely.)
PasswordAuthentication yes
#PasswordAuthentication yes

# Change to no to disable s/key passwords
# (Keep this at no when passwords are off, otherwise PAM can still prompt for
# a password through the keyboard-interactive path.)
ChallengeResponseAuthentication no
#ChallengeResponseAuthentication yes


# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options (only useful on a host joined to a Kerberos realm)
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#UsePAM no

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# X11 forwarding lets a compromised server send X11 traffic to the connecting
# client's display; leave it at no unless your users actually need it.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none


# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Restrict logins to the listed accounts (space separated); every other user
# is refused even with a valid password or key. user1 and user2 are placeholders.
#AllowUsers user1 user2

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

A few of these settings deserve a second look before the host is exposed. PasswordAuthentication yes keeps password guessing possible; once key-based logins work, change it to no and keep ChallengeResponseAuthentication at no, since PAM can otherwise prompt for a password through that path (as the UsePAM comment warns). X11Forwarding yes lets a compromised server reach the connecting client's display; leave it at no unless users need it. GSSAPIAuthentication yes only helps on hosts joined to a Kerberos realm. RSAAuthentication, RhostsRSAAuthentication, UseLogin and UsePrivilegeSeparation belong to SSH protocol 1 or to older releases; current OpenSSH drops protocol 1, always separates privileges, and ignores these keywords with a warning. Finally, Match blocks are evaluated after the global section, so a Match can quietly re-enable something the global section turned off. Check the effective configuration with sshd -T (and sshd -T -C user=...,host=...,addr=... to evaluate the Match blocks for a given connection) before restarting the service.
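The rules that make this file confusing (the first occurrence of a directive wins, Port accumulates, a Match block applies only to the connections it names) are easy to misjudge by eye. The following Python script, added here as an illustration and not part of the original page or of OpenSSH, parses a configuration with those rules and flags the directives discussed above that are not at their recommended value. The sample configuration, the POLICY table and its assumed compiled-in defaults are constructed for the example.

```python
"""Parse an sshd_config the way sshd does and check the settings this page
discusses. Added example; the sample config below is constructed."""
import re

# Directives that accumulate across repeated lines instead of first-wins.
MULTI_VALUED = {"port", "listenaddress", "acceptenv", "hostkey", "subsystem"}

# keyword -> (allowed values, assumed compiled-in default, why it matters).
# Defaults are taken from sshd_config(5) of a current OpenSSH; older releases
# differ (PermitRootLogin defaulted to yes before 7.0).
POLICY = {
    "permitrootlogin":         ({"no", "prohibit-password"}, "prohibit-password",
                                "root can log in directly over the network"),
    "passwordauthentication":  ({"no"}, "yes",
                                "password guessing is possible; use keys"),
    "permitemptypasswords":    ({"no"}, "no",
                                "accounts with an empty password can log in"),
    "pubkeyauthentication":    ({"yes"}, "yes",
                                "key-based logins are disabled"),
    "hostbasedauthentication": ({"no"}, "no",
                                "trust is delegated to client host keys"),
    "ignorerhosts":            ({"yes"}, "yes",
                                "~/.rhosts and ~/.shosts are honoured"),
    "x11forwarding":           ({"no"}, "no",
                                "a compromised server can reach the client's display"),
}
MAX_AUTH_TRIES = 4  # assumed threshold for this example; sshd's default is 6


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Mirrors sshd's rules: keywords are case-insensitive, the FIRST occurrence
    of a keyword wins, '#' starts a comment, an optional '=' may separate
    keyword and value, and everything after a 'Match' line belongs to that
    block and only applies when its condition holds.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif keyword in MULTI_VALUED:
            current.setdefault(keyword, []).append(value)
        else:
            current.setdefault(keyword, value)  # first match wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means every checked directive
    is at its recommended value in the global section and in every Match."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, (allowed, default, why) in POLICY.items():
        value = settings.get(key, default)
        if value.lower() not in allowed:
            findings.append(f"{key} {value}: {why}")
    tries = int(settings.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries {tries}: more than {MAX_AUTH_TRIES} guesses per connection")
    # Match blocks are evaluated after the global section, so they can quietly
    # re-enable something the global section turned off.
    for condition, block in match_blocks:
        for key, (allowed, _default, why) in POLICY.items():
            value = block.get(key)
            if value is not None and value.lower() not in allowed:
                findings.append(f"Match {condition}: {key} {value}: {why}")
    return findings


def listening_ports(text):
    """Every Port line adds a listener; 22 is sshd's default if none is given."""
    settings, _ = parse_sshd_config(text)
    return [int(p) for p in settings.get("port", ["22"])]


# Constructed sample in the shape of the config shown above (not a real host).
SAMPLE_CONFIG = """\
Port 22
Port 23
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding yes
# A later duplicate is ignored: the first PermitRootLogin above wins.
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# Per-source override: re-opens root login for one network.
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print("listening on", listening_ports(SAMPLE_CONFIG))
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

On a real host, sshd -T prints the effective configuration after all parsing, and sshd -T -C user=alice,host=example.org,addr=192.0.2.10 evaluates the Match blocks for that connection; the script is for reasoning about a file offline, not a replacement for that check.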
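PubkeyAuthentication and AuthorizedKeysFile above only say where sshd looks for keys; what a line in that file can carry matters too, because per-key options such as command="..." and restrict do for a single key what the Match/ForceCommand example does for a user. The following Python, added here as an example (not the page's or OpenSSH's code), parses authorized_keys lines, verifies that the key type in the text matches the type embedded in the base64 blob, computes the OpenSSH-style SHA256 fingerprint, and warns about DSA keys and keys with no restrictions. The key blobs are constructed dummies with the right wire layout, not real keys.

```python
"""Parse and check authorized_keys lines, the file AuthorizedKeysFile points
sshd at. Added example with constructed (non-functional) key blobs."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, offset=0):
    (n,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def _take_options(line):
    """Split the leading option list off a line, honouring quoted values such
    as command="cvs server" (escaped quotes inside values are not handled)."""
    opts, cur, in_quote = [], [], False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        elif ch in " \t" and not in_quote:
            opts.append("".join(cur))
            return opts, line[i:].lstrip()
        else:
            cur.append(ch)
    raise ValueError("options present but no key follows them")


def parse_authorized_key(line):
    """Return {'options', 'type', 'blob', 'comment'} for one line.

    Format: [options] keytype base64-blob [comment]. The key type is repeated
    inside the blob as its first SSH string; sshd rejects a line where the
    text prefix and the embedded type disagree, and so do we.
    """
    if not line.strip():
        raise ValueError("empty line")
    options = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _take_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = read_ssh_string(blob)
    if embedded != keytype.encode():
        raise ValueError(f"type {keytype} does not match blob type {embedded!r}")
    return {"options": options, "type": keytype, "blob": blob, "comment": comment}


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 of SHA-256(blob), no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text):
    """One result per non-comment line: the key's type, fingerprint and
    options, plus warnings for keys that deserve attention."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key = parse_authorized_key(line)
        except ValueError as exc:
            results.append({"type": None, "line": line, "warnings": [f"rejected: {exc}"]})
            continue
        warnings = []
        if key["type"] == "ssh-dss":
            warnings.append("DSA key: disabled by default since OpenSSH 7.0")
        if not any(o == "restrict" or o.startswith(("from=", "command="))
                   for o in key["options"]):
            warnings.append("no from=/command=/restrict option: usable from any "
                            "address for a full interactive shell")
        results.append({"type": key["type"], "fingerprint": fingerprint(key["blob"]),
                        "options": key["options"], "comment": key["comment"],
                        "warnings": warnings})
    return results


# Constructed blobs: correct wire layout, dummy key material, not usable keys.
DUMMY_ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DUMMY_DSS = ssh_string(b"ssh-dss") + ssh_string(b"\x00" * 8)


def make_line(blob, options="", comment=""):
    """Build an authorized_keys line from a blob, taking the type from it."""
    keytype, _ = read_ssh_string(blob)
    fields = ([options] if options else []) + [keytype.decode(), base64.b64encode(blob).decode()]
    if comment:
        fields.append(comment)
    return " ".join(fields)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    make_line(DUMMY_ED25519, comment="admin@laptop"),
    make_line(DUMMY_ED25519, 'command="cvs server",restrict', "anoncvs"),
    make_line(DUMMY_DSS, 'from="192.0.2.0/24"', "legacy"),
    # text prefix says ssh-rsa but the blob is ed25519: sshd will not load it
    "ssh-rsa " + base64.b64encode(DUMMY_ED25519).decode() + " mangled",
])

if __name__ == "__main__":
    for r in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(r["type"], r.get("fingerprint", "-"), r["warnings"])
```

The anoncvs line shows the per-key equivalent of the Match block in the configuration: command="cvs server",restrict forces the command and disables forwarding, pty allocation and agent forwarding for that key alone, so the restriction travels with the key rather than depending on the server-side Match.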