This shows you the differences between two versions of the page.
build:ssh [2006/12/23 00:20] 64.48.129.28 |
build:ssh [2008/05/08 22:42] (current) 4.245.76.155 |
Line 1: | Line 1: | ||
====== SSH ====== | ====== SSH ====== | ||
- | SSH is the Secure Shell, a secure replacement for telnet. I've installed the OpenSSH client and server. | + | SSH is the Secure Shell, a secure replacement for telnet. The OpenSSH client comes in the default Debian install. We've installed the OpenSSH server to provide for remote access to our systems. |
===== Installation ===== | ===== Installation ===== | ||
- | Install the package: | + | Install the SSH client and server packages: |
<code rootshell> | <code rootshell> | ||
- | apt-get install ssh | + | apt-get install ssh openssh-server |
</code> | </code> | ||
- | |||
- | Accept the default settings when asked. | ||
===== Configuration ===== | ===== Configuration ===== | ||
- | Fix it so ''root'' cannot log in. Edit ''/etc/ssh/sshd_config'' to change the ''PermitRootLogin'' setting: | + | Fix it so ''root'' cannot log in, but allow selected commands, which will be authenticated by authprogs: |
- | <file> | + | <code rootshell> |
- | PermitRootLogin no | + | sed -i -e 's/^PermitRootLogin .*$/PermitRootLogin forced-commands-only/' /etc/ssh/sshd_config |
- | </file> | + | </code> |
- | Allow connections on port 443 in case port 22 is blocked. Edit ''/etc/ssh/sshd_config'' to add a second Port statement: | + | Edit ''/etc/issue.net'' to present a warning message to users connecting via SSH: |
- | <code> | + | <code rootshell> |
- | Port 443 | + | echo 'This system for use by SLUUG members ONLY. Unauthorized access prohibited.' > /etc/issue.net |
+ | cat /etc/issue.net > /etc/issue | ||
</code> | </code> | ||
- | Add greeting message to connections. Edit /etc/ssh/sshd_config to uncomment the "Banner /etc/issue.net" statement. Edit /etc/issue.net to replace "Debian GNU/Linux 3.1 %h" with the desired message. | + | NOTE: On Bud, change the word ''members'' to ''administrators''. |
- | ===== Startup ===== | + | Configure the SSH daemon to add the warning message. |
+ | <code rootshell> | ||
+ | sed -i -e 's:#Banner .*$:Banner /etc/issue.net:' /etc/ssh/sshd_config | ||
+ | </code> | ||
+ | **Add alternate port:** Have SSH on BudLight accept connections on an alternate port for situations where port 22 is blocked at the client's end, or blocked by mistake on the server's end. Edit /etc/ssh/sshd_config to add new statement "Port 443" (without the quotes) after the existing Port statement. | ||
+ | |||
+ | **This step seems obsolete and no longer needed since the reload of the systems.** Correct problem with "Request for subsystem 'sftp' failed on channel 0" when using SSH protocol version 2. Edit /etc/ssh/sshd_config to change value on sftp statement from "/usr/libexec/openssh/sftp-server" (which doesn't exist) to "/usr/lib/sftp-server". Also tell sshd to reread configuration using the kill command documented below. This was probably due to the upgrade to ssh a month or two ago on budlight and might not be needed on future uprades or installations. If "sftp -2" to the system works, then it is probably ok. | ||
+ | |||
+ | ===== Startup ===== | ||
Restart to have the settings take effect: | Restart to have the settings take effect: | ||
<code rootshell> | <code rootshell> | ||
/etc/init.d/ssh restart | /etc/init.d/ssh restart | ||
</code> | </code> | ||
+ | |||
+ | NOTE: You can probably run ''/etc/init.d/ssh reload'' instead of ''/etc/init.d/ssh restart'' if you like. | ||
Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes. | Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes. | ||
- | <code> | + | <code rootshell> |
kill -HUP `cat /var/run/sshd.pid` | kill -HUP `cat /var/run/sshd.pid` | ||
</code> | </code> | ||
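Review bot: the new ''sed'' for ''PermitRootLogin'' only matches an uncommented ''PermitRootLogin ...'' line; if ''/etc/ssh/sshd_config'' carries it commented out (''#PermitRootLogin yes''), the substitution is a silent no-op and root login stays enabled, so follow it with ''grep -n '^PermitRootLogin' /etc/ssh/sshd_config'' and expect ''PermitRootLogin forced-commands-only''. The hunk should also spell out what that value means: root can still authenticate with a public key, but only one whose ''authorized_keys'' entry carries a ''command='' option (here the authprogs wrapper); keys without that option and password logins as root are refused. The alternate-port step is left as prose rather than a command like the other steps, and ''Port 443'' collides with any HTTPS listener on BudLight, so confirm nothing else binds 443 before adding it. The sftp-server paragraph declares itself obsolete in its own first sentence; drop it or move it to a history note so nobody applies a path fix for a problem that no longer exists.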
Line 38: | Line 47: | ||
===== Testing ===== | ===== Testing ===== | ||
Log into the system as a user via SSH. | Log into the system as a user via SSH. | ||
+ | |||
+ | Log into the system as a user via sftp and try to transfer any file. | ||
Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged. | Try logging in as ''root'' via SSH. Make sure the access is denied, and that the attempt is logged. | ||
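Review bot: the root test still reads "Make sure the access is denied", but with ''PermitRootLogin forced-commands-only'' from the Configuration hunk a root key carrying a ''command='' option is accepted, so the test should state both expected outcomes: a password attempt or an option-less key as root is refused and the refusal appears in ''/var/log/auth.log'', while the authprogs key as root gets only the permitted command and any other command request is rejected. The new sftp check is a good addition; it should also name its expected result, namely that a normal user's transfer succeeds without the "Request for subsystem 'sftp' failed" error mentioned in the Configuration hunk.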
Line 43: | Line 54: | ||
===== Logging ===== | ===== Logging ===== | ||
SSH access to the system is logged in ''/var/log/auth.log''. | SSH access to the system is logged in ''/var/log/auth.log''. | ||
- | |||
===== Security ===== | ===== Security ===== | ||
We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. | We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible. | ||
- | After installation, and any time the SSH server keys change, update http://www.sluug.org/members/bbs/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with: | + | After installation, and any time the SSH server keys change, update http://www.sluug.org/members/accounts/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with: |
<code> | <code> | ||
- | ssh-keygen -l -f /etc/ssh/ssh_host_key.pub | ||
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | ||
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub | ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub | ||
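Review bot: dropping the ''ssh_host_key.pub'' fingerprint line is only right if the SSH-1 host key is no longer offered; the diff shows no ''Protocol 2'' line in ''/etc/ssh/sshd_config'', so set it explicitly next to the ''PermitRootLogin'' change (or confirm it with ''grep -n '^Protocol' /etc/ssh/sshd_config'') so the published fingerprint list matches what the server actually presents. The fingerprint page URL changed from ''members/bbs/'' to ''members/accounts/''; add a sentence saying the old page should redirect or be removed so members do not verify against stale fingerprints.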
Line 62: | Line 71: | ||
Determine when it is appropriate to use key-based authentication instead of password authentication, and configure for such. Use ''ssh-agent'' and ''ssh-add'' as appropriate. (Note that users can use those already.) | Determine when it is appropriate to use key-based authentication instead of password authentication, and configure for such. Use ''ssh-agent'' and ''ssh-add'' as appropriate. (Note that users can use those already.) | ||
+ | |||
+ | Installation suggested installing ''ssh-askpass'', ''rssh'', ''molly-guard''. Check into whether those might be of use. | ||
===== Comments ===== | ===== Comments ===== |
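Review bot: the three suggested packages serve different purposes and the new note should say so before anyone installs them: ''rssh'' is a restricted shell for scp/sftp-only accounts and overlaps with the authprogs approach in the Configuration section, so one mechanism should be chosen rather than layering both; ''molly-guard'' only guards against an accidental ''halt'' or ''reboot'' typed in an SSH session and has no bearing on authentication; ''ssh-askpass'' is a client-side passphrase prompt for ''ssh-add'' under X. The key-based authentication item above it remains an open decision; once it is made, record the resulting ''PasswordAuthentication'' setting here so this section and the Configuration section agree.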