A Bit of Sense

Here I talk about my experience with computers, software and computer programming. Let me warn you that some of this stuff will be technical. I'll aim to give you fair notice for technical posts.


Sunday, January 24, 2010

Setting up an OpenSSH server

I am writing this post mostly for my own information, but knowing also that others may find these instructions useful.

Warning: This post will be technical in nature. This document is more of a reference for those who already understand ssh than for newcomers.

Background:
SSH, or Secure SHell, is a way of executing commands on a remote computer, similar to telnet. The difference is that SSH was designed with information security in mind: it encrypts the information sent in both directions. For more information see the SSH Wikipedia article. OpenSSH is a freely available implementation of the SSH standard.

I am no expert, I am simply combining tips I've found elsewhere. There are many more changes that can be done to limit access to ssh from external computers, but each also restricts your own access as well.

Be sure you understand each change I am making here and consult with ssh man pages or other documentation as needed. You also may want to consult my own links related to ssh stored on delicious.

Instructions:

Modify the ssh configuration to prevent logging in as root and to disable X11 forwarding, which makes the setup more secure. Change the port to hide the fact that you are running ssh; it makes things a bit harder for the script kiddies.

Edit /etc/ssh/sshd_config

Change
PermitRootLogin yes
to
PermitRootLogin no

Change
X11Forwarding yes
to
X11Forwarding no

Change
Port 22
by replacing 22 with an unused port number of your choice (1 to 65535).

Change
PasswordAuthentication yes
to
PasswordAuthentication no
(Uncomment this line if needed)

Add
AllowUsers usernamelist
with usernamelist replaced with a list of users you want to allow to use ssh. You may also use DenyUsers instead to specify the list of users you wish to block.
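As an added check that is not part of the original post: the script below reads an sshd_config the way sshd does (keywords are case-insensitive, "#" starts a comment, and the first value seen for a keyword wins) and reports which of the settings above are still weak. The two sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the hardening settings described in this post."""
import re

def effective_settings(config_text):
    """Map lowercase keyword -> first value seen, stopping at any Match block
    (directives after Match apply only conditionally)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)          # first obtained value wins
    return settings

EXPECTED = {"permitrootlogin": "no", "x11forwarding": "no",
            "passwordauthentication": "no"}

def audit(config_text):
    """Return a list of findings; an empty list means the config follows the post."""
    s = effective_settings(config_text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    if s.get("port", "22") == "22":
        findings.append("port: still 22")
    if "allowusers" not in s and "denyusers" not in s:
        findings.append("allowusers/denyusers: no user restriction")
    return findings

# Constructed sample: insecure defaults, plus a hardened line added too late.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
#PasswordAuthentication no
PermitRootLogin no   # ignored: the first value above wins
"""

# Constructed sample following the instructions in the post.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
X11Forwarding no
PasswordAuthentication no
AllowUsers alice bob
"""
```

Run audit() against the text of your own /etc/ssh/sshd_config after editing; the duplicate-line case in WEAK_CONFIG shows why appending a new line at the bottom of the file does not override an earlier one.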

Edit /etc/hosts.allow:

Add
sshd: 192.168.1.0/255.255.255.0
or possibly
all: 192.168.1.0/255.255.255.0
This is just an example. Your own network may use a different IP address range.

From the machine you want to ssh from, execute
ssh-keygen -t dsa
to generate an ssh key pair. Then
ssh-copy-id -i ~/.ssh/id_dsa.pub username@yourservername
to copy the public key to your server.

If you generated the keys on the server you still want to do the copy in order to place your public key in authorized_keys. You could simply execute this instead (appending, so any existing keys are kept):
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

ssh yourservername
to verify that login is now working correctly. Because you created a key to log in with, a password is no longer required.

Once regular login works, restart ssh (on the server) with
sudo /etc/init.d/ssh restart

Finally, edit ~/.ssh/config on the client and add the lines

Host ServerNameHere
    Port PortNumberHere

This is so that ssh knows that you changed the port number for your server.