User Tools

Site Tools


build:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
build:ssh [2007/10/11 15:18]
4.245.77.92
build:ssh [2008/04/02 17:24]
151.145.238.91 Add some corrections from 2008-03-02 installation. (CMB)
Line 4: Line 4:
  
 ===== Installation ===== ===== Installation =====
-Install the package:+Install the SSH client and server packages:
 <code rootshell>​ <code rootshell>​
-apt-get install ​-y ssh+apt-get install ssh openssh-server
 </​code>​ </​code>​
  
 ===== Configuration ===== ===== Configuration =====
-Fix it so ''​root''​ cannot log in:+Fix it so ''​root''​ cannot log in, but allow selected commands, which will be authenticated by authprogs:
 <code rootshell>​ <code rootshell>​
 sed -i -e '​s/​^PermitRootLogin .*$/​PermitRootLogin forced-commands-only/'​ /​etc/​ssh/​sshd_config sed -i -e '​s/​^PermitRootLogin .*$/​PermitRootLogin forced-commands-only/'​ /​etc/​ssh/​sshd_config
Line 19: Line 19:
 echo 'This system for use by SLUUG members ONLY. Unauthorized access prohibited.'​ > /​etc/​issue.net echo 'This system for use by SLUUG members ONLY. Unauthorized access prohibited.'​ > /​etc/​issue.net
 </​code>​ </​code>​
 +
 +NOTE: On Bud, change the word ''​members''​ to ''​administrators''​.
  
 Configure the SSH daemon to add the warning message. Configure the SSH daemon to add the warning message.
Line 25: Line 27:
 </​code>​ </​code>​
  
-Have SSH accept connections on an alternate port for situations where port 22 is blocked at the client'​s end, or blocked by mistake on the server'​s end. Edit /​etc/​ssh/​sshd_config to add new statement "Port 443" (without the quotes) after the existing Port statement.+**Add alternate port:​** ​Have SSH on BudLight ​accept connections on an alternate port for situations where port 22 is blocked at the client'​s end, or blocked by mistake on the server'​s end. Edit /​etc/​ssh/​sshd_config to add new statement "Port 443" (without the quotes) after the existing Port statement.
  
-Correct problem with "​Request for subsystem '​sftp'​ failed on channel 0" when using SSH protocol version 2.  Edit /​etc/​ssh/​sshd_config to change value on sftp statement from "/​usr/​libexec/​openssh/​sftp-server"​ (which doesn'​t exist) to "/​usr/​lib/​sftp-server"​. ​ Also tell sshd to reread configuration using the kill command documented below. ​ This was probably due to the upgrade to ssh a month or two ago on budlight and might not be needed on future uprades or installations. ​ If "sftp -2" to the system works, then it is probably ok.+**This step seems obsolete and no longer needed since the reload of the systems.**  ​Correct problem with "​Request for subsystem '​sftp'​ failed on channel 0" when using SSH protocol version 2.  Edit /​etc/​ssh/​sshd_config to change value on sftp statement from "/​usr/​libexec/​openssh/​sftp-server"​ (which doesn'​t exist) to "/​usr/​lib/​sftp-server"​. ​ Also tell sshd to reread configuration using the kill command documented below. ​ This was probably due to the upgrade to ssh a month or two ago on budlight and might not be needed on future uprades or installations. ​ If "sftp -2" to the system works, then it is probably ok.
  
 ===== Startup ===== ===== Startup =====
Line 34: Line 36:
 /​etc/​init.d/​ssh restart /​etc/​init.d/​ssh restart
 </​code>​ </​code>​
 +
 +NOTE: You can probably run ''/​etc/​init.d/​ssh reload''​ instead of ''/​etc/​init.d/​ssh restart''​ if you like.
  
 Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes. Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes.
Line 42: Line 46:
 ===== Testing ===== ===== Testing =====
 Log into the system as a user via SSH. Log into the system as a user via SSH.
 +
 +Log into the system as a user via sftp and try to transfer any file.
  
 Try logging in as ''​root''​ via SSH. Make sure the access is denied, and that the attempt is logged. Try logging in as ''​root''​ via SSH. Make sure the access is denied, and that the attempt is logged.
Line 51: Line 57:
 We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible.
  
-After installation,​ and any time the SSH server keys change, update http://​www.sluug.org/​members/​bbs/​ssh_keys.shtml with the new public key fingerprints. ​ The fingerprints can be listed with:+After installation,​ and any time the SSH server keys change, update http://​www.sluug.org/​members/​accounts/​ssh_keys.shtml with the new public key fingerprints. ​ The fingerprints can be listed with:
 <​code>​ <​code>​
 ssh-keygen -l -f /​etc/​ssh/​ssh_host_rsa_key.pub ssh-keygen -l -f /​etc/​ssh/​ssh_host_rsa_key.pub
Line 61: Line 67:
  
 ===== TODO ===== ===== TODO =====
-Publish the host public keys. 
- 
 Enable/​disable some more features to provide better security. Enable/​disable some more features to provide better security.
  
build/ssh.txt ยท Last modified: 2008/05/08 22:42 by 4.245.76.155