build:ssh
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
build:ssh [2005/08/23 22:51] 10.42.69.100 created - copied from misc page (CMB) |
build:ssh [2008/05/08 22:42] (current) 4.245.76.155 |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== SSH ===== | + | ====== SSH ====== |
| - | apt-get install ssh | + | |
| - | Accept the default settings when asked. | + | SSH is the Secure Shell, a secure replacement for telnet. The OpenSSH client comes in the default Debian install. We've installed the OpenSSH server to provide for remote access to our systems. |
| - | Fix it so root cannot log in. Edit /etc/ssh/sshd_config to change the PermitRootLogin setting: | + | ===== Installation ===== |
| - | PermitRootLogin no | + | Install the SSH client and server packages: |
| + | <code rootshell> | ||
| + | apt-get install ssh openssh-server | ||
| + | </code> | ||
| + | ===== Configuration ===== | ||
| + | Fix it so ''root'' cannot log in, but allow selected commands, which will be authenticated by authprogs: | ||
| + | <code rootshell> | ||
| + | sed -i -e 's/^PermitRootLogin .*$/PermitRootLogin forced-commands-only/' /etc/ssh/sshd_config | ||
| + | </code> | ||
| + | |||
| + | Edit ''/etc/issue.net'' to present a warning message to users connecting via SSH: | ||
| + | <code rootshell> | ||
| + | echo 'This system for use by SLUUG members ONLY. Unauthorized access prohibited.' > /etc/issue.net | ||
| + | cat /etc/issue.net > /etc/issue | ||
| + | </code> | ||
| + | |||
| + | NOTE: On Bud, change the word ''members'' to ''administrators''. | ||
| + | |||
| + | Configure the SSH daemon to add the warning message. | ||
| + | <code rootshell> | ||
| + | sed -i -e 's:#Banner .*$:Banner /etc/issue.net:' /etc/ssh/sshd_config | ||
| + | </code> | ||
| + | |||
| + | **Add alternate port:** Have SSH on BudLight accept connections on an alternate port for situations where port 22 is blocked at the client's end, or blocked by mistake on the server's end. Edit /etc/ssh/sshd_config to add new statement "Port 443" (without the quotes) after the existing Port statement. | ||
| + | |||
| + | **This step seems obsolete and no longer needed since the reload of the systems.** Correct problem with "Request for subsystem 'sftp' failed on channel 0" when using SSH protocol version 2. Edit /etc/ssh/sshd_config to change value on sftp statement from "/usr/libexec/openssh/sftp-server" (which doesn't exist) to "/usr/lib/sftp-server". Also tell sshd to reread configuration using the kill command documented below. This was probably due to the upgrade to ssh a month or two ago on budlight and might not be needed on future uprades or installations. If "sftp -2" to the system works, then it is probably ok. | ||
| + | |||
| + | ===== Startup ===== | ||
| Restart to have the settings take effect: | Restart to have the settings take effect: | ||
| - | /etc/init.d/ssh restart | + | <code rootshell> |
| + | /etc/init.d/ssh restart | ||
| + | </code> | ||
| + | |||
| + | NOTE: You can probably run ''/etc/init.d/ssh reload'' instead of ''/etc/init.d/ssh restart'' if you like. | ||
| + | |||
| + | Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes. | ||
| + | <code rootshell> | ||
| + | kill -HUP `cat /var/run/sshd.pid` | ||
| + | </code> | ||
| + | |||
| + | ===== Testing ===== | ||
| + | Log into the system as a user via SSH. | ||
| + | |||
| + | Log into the system as a user via sftp and try to transfer any file. | ||
| + | |||
| + | Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged. | ||
| + | |||
| + | ===== Logging ===== | ||
| + | SSH access to the system is logged in ''/var/log/auth.log''. | ||
| + | |||
| + | ===== Security ===== | ||
| + | We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. | ||
| + | |||
| + | After installation, and any time the SSH server keys change, update http://www.sluug.org/members/accounts/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with: | ||
| + | <code> | ||
| + | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | ||
| + | ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub | ||
| + | </code> | ||
| + | |||
| + | ===== Notes ===== | ||
| + | While SSH replaces Telnet, we've kept the ''telnet'' client installed, because it's very helpful in troubleshooting network services by telnetting directly to the port the service runs on. The telnet client should never be used to log into a shell account. The telnet server should never be installed, except perhaps for non-critical non-shell restricted access. | ||
| + | |||
| + | ===== TODO ===== | ||
| + | Enable/disable some more features to provide better security. | ||
| + | |||
| + | Determine when it is appropriate to use key-based authentication instead of password authentication, and configure for such. Use ''ssh-agent'' and ''ssh-add'' as appropriate. (Note that users can use those already.) | ||
| + | |||
| + | Installation suggested installing ''ssh-askpass'', ''rssh'', ''molly-guard''. Check into whether those might be of use. | ||
| + | ===== Comments ===== | ||
build/ssh.1124855505.txt.gz · Last modified: 2006/01/16 20:54 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
