Setting up Open SSH server
I am writing this post mostly for my own information, but knowing also that others may find these instructions useful.
Warning: This post will be technical in nature. This document is more of a reference for those who already understand ssh then for new comers.
Background:
SSH or Secure SHell is a way of executing commands on a remote computer similar to telnet. The difference being that SSH was designed with information security in mind. SSH encrypts information sent in both directions. For more information see the SSH wikipedia article. Open SSH is a freely available implementation of the SSH standard.
I am no expert, I am simply combining tips I've found elsewhere. There are many more changes that can be done to limit access to ssh from external computers, but each also restricts your own access as well.
Be sure you understand each change I am making here and consult with ssh man pages or other documentation as needed. You also may want to consult my own links related to ssh stored on delicious.
Instructions:
Modify ssh configuration to prevent log in as root and to prevent X11 forwarding in order to make the setup more secure. Modify your port to hide the fact you are running ssh. Makes it a bit harder for the script kiddies.
Edit /etc/ssh/sshd_config
Change
PermitRootLogin yes
to
PermitRootLogin no
Change
X11Forwarding yes
to
X11Forwarding no
Change
Port 22
by replacing 22 with a positive integer of your choice.
Change
PasswordAuthentication yes
to
PasswordAuthentication no
(Uncomment this line if needed)
Add
AllowUsers usernamelist
with usernamelist replaced with a list of users you want to allow to use ssh. You may also use DenyUsers instead to specify the list of users you wish to block.
Edit /etc/hosts.allow:
Add
sshd: 192.168.1.0/255.255.255.0
or possibly
all: 192.168.1.0/255.255.255.0
This is just an example. Your own network may use a different ip address range.
From the machine you want to ssh from execute
ssh-keygen -t dsa
to generate an ssh key. then
ssh-copy-id -i .id_dsa.pub username@yourservername
to copy the key to your server.
If you generated the keys on the server you still want to do the copy in order to place you key in authorized keys. You could simply execute this instead:
cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys
ssh yourservername
to verify that login is now working correctly. Because you created a secret key to use to login a password is no longer required.
Once regular log in works restart ssh (on the server) with
sudo /etc/init.d/ssh restart
Finally, edit ~/.ssh/config on the client and add the lines
Host
Port PortNumberHere
This is so that ssh knows that you changed the port number for your server.
Warning: This post will be technical in nature. This document is more of a reference for those who already understand ssh then for new comers.
Background:
SSH or Secure SHell is a way of executing commands on a remote computer similar to telnet. The difference being that SSH was designed with information security in mind. SSH encrypts information sent in both directions. For more information see the SSH wikipedia article. Open SSH is a freely available implementation of the SSH standard.
I am no expert, I am simply combining tips I've found elsewhere. There are many more changes that can be done to limit access to ssh from external computers, but each also restricts your own access as well.
Be sure you understand each change I am making here and consult with ssh man pages or other documentation as needed. You also may want to consult my own links related to ssh stored on delicious.
Instructions:
Modify ssh configuration to prevent log in as root and to prevent X11 forwarding in order to make the setup more secure. Modify your port to hide the fact you are running ssh. Makes it a bit harder for the script kiddies.
Edit /etc/ssh/sshd_config
Change
PermitRootLogin yes
to
PermitRootLogin no
Change
X11Forwarding yes
to
X11Forwarding no
Change
Port 22
by replacing 22 with a positive integer of your choice.
Change
PasswordAuthentication yes
to
PasswordAuthentication no
(Uncomment this line if needed)
Add
AllowUsers usernamelist
with usernamelist replaced with a list of users you want to allow to use ssh. You may also use DenyUsers instead to specify the list of users you wish to block.
Edit /etc/hosts.allow:
Add
sshd: 192.168.1.0/255.255.255.0
or possibly
all: 192.168.1.0/255.255.255.0
This is just an example. Your own network may use a different ip address range.
From the machine you want to ssh from execute
ssh-keygen -t dsa
to generate an ssh key. then
ssh-copy-id -i .id_dsa.pub username@yourservername
to copy the key to your server.
If you generated the keys on the server you still want to do the copy in order to place you key in authorized keys. You could simply execute this instead:
cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys
ssh yourservername
to verify that login is now working correctly. Because you created a secret key to use to login a password is no longer required.
Once regular log in works restart ssh (on the server) with
sudo /etc/init.d/ssh restart
Finally, edit ~/.ssh/config on the client and add the lines
Host
Port PortNumberHere
This is so that ssh knows that you changed the port number for your server.
posted by James Gray | 6:54 PM
|
0 comments
