This shows you the differences between two versions of the page.
build:ssh [2007/05/31 11:28] 71.10.176.218 Fixed a typo. (CMB) |
build:ssh [2008/02/02 18:37] 4.245.73.121 |
Line 8: | Line 8: | ||
apt-get install -y ssh | apt-get install -y ssh | ||
</code> | </code> | ||
- | |||
===== Configuration ===== | ===== Configuration ===== | ||
- | Fix it so ''root'' cannot log in: | + | Fix it so ''root'' cannot log in, but allow selected commands, which will be authenticated by authprogs: |
<code rootshell> | <code rootshell> | ||
- | sed -i -e 's/^PermitRootLogin .*$/PermitRootLogin no/' /etc/ssh/sshd_config | + | sed -i -e 's/^PermitRootLogin .*$/PermitRootLogin forced-commands-only/' /etc/ssh/sshd_config |
</code> | </code> | ||
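Review bot: the rewritten `sed` on the PermitRootLogin line only matches an already-uncommented `PermitRootLogin` directive, so a config that ships it commented out (`#PermitRootLogin ...`) is left at the compiled-in default with no error; match the optional comment marker as well, e.g. `s/^#\?PermitRootLogin .*$/PermitRootLogin forced-commands-only/`. It is also worth a sentence next to the command that `forced-commands-only` admits root only via public-key authentication and only when the key's authorized_keys entry carries a `command=` option; a key without `command=`, and any password attempt, is still refused, which is the behaviour the Testing section depends on.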
Line 25: | Line 24: | ||
sed -i -e 's:#Banner .*$:Banner /etc/issue.net:' /etc/ssh/sshd_config | sed -i -e 's:#Banner .*$:Banner /etc/issue.net:' /etc/ssh/sshd_config | ||
</code> | </code> | ||
+ | |||
+ | **Add alternate port:** Have SSH accept connections on an alternate port for situations where port 22 is blocked at the client's end, or blocked by mistake on the server's end. Edit /etc/ssh/sshd_config to add new statement "Port 443" (without the quotes) after the existing Port statement. | ||
+ | |||
+ | **This step seems obsolete and no longer needed since the reload of the systems.** Correct problem with "Request for subsystem 'sftp' failed on channel 0" when using SSH protocol version 2. Edit /etc/ssh/sshd_config to change value on sftp statement from "/usr/libexec/openssh/sftp-server" (which doesn't exist) to "/usr/lib/sftp-server". Also tell sshd to reread configuration using the kill command documented below. This was probably due to the upgrade to ssh a month or two ago on budlight and might not be needed on future uprades or installations. If "sftp -2" to the system works, then it is probably ok. | ||
===== Startup ===== | ===== Startup ===== | ||
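Review bot: the two new steps are given as prose ("Edit /etc/ssh/sshd_config to add ...") while every other step on the page is a ready-to-run `sed` line; put them in the same form so they are not skipped, e.g. `sed -i -e 's/^Port 22$/Port 22\nPort 443/' /etc/ssh/sshd_config` for the alternate port, and state that nothing else on the host (typically an HTTPS server) may already be bound to 443. The sftp paragraph declares itself probably obsolete in its first sentence; either drop it or reduce it to a short troubleshooting note that starts with the `sftp -2` check, so a reader does not change the Subsystem path on a config that no longer needs it.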
Line 39: | Line 42: | ||
===== Testing ===== | ===== Testing ===== | ||
Log into the system as a user via SSH. | Log into the system as a user via SSH. | ||
+ | |||
+ | Log into the system as a user via sftp and try to transfer any file. | ||
Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged. | Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged. | ||
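Review bot: the root test still expects every root login to be refused, but the Configuration hunk now sets `PermitRootLogin forced-commands-only`, so a root key whose authorized_keys entry has a `command=` option is accepted for that command. Add a check that such a forced command runs, that a root login with a key lacking `command=` and one with a password are both refused, and that the refusals show up in the auth log; the new sftp test should likewise name what a successful transfer looks like (the file on the other side) so a failure is recognisable.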
Line 48: | Line 53: | ||
We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. | We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. | ||
- | After installation, and any time the SSH server keys change, update http://www.sluug.org/members/bbs/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with: | + | After installation, and any time the SSH server keys change, update http://www.sluug.org/members/accounts/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with: |
<code> | <code> | ||
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | ||
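Review bot: the text promises the new public key fingerprints, plural, but the command prints only the RSA host key; if the host also has `/etc/ssh/ssh_host_dsa_key.pub`, run `ssh-keygen -l -f` on it too, otherwise clients that negotiate the DSA key have nothing on the published page to compare against. The URL change itself is fine.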
Line 58: | Line 63: | ||
===== TODO ===== | ===== TODO ===== | ||
- | Publish the host public keys. | ||
- | |||
Enable/disable some more features to provide better security. | Enable/disable some more features to provide better security. | ||
Line 67: | Line 70: | ||
===== Comments ===== | ===== Comments ===== | ||
- |