User Tools

Site Tools


build:ssh

This is an old revision of the document!


SSH

SSH is the Secure Shell, a secure replacement for telnet. I've installed the OpenSSH client and server.

Installation

Install the package:

apt-get install ssh

Accept the default settings when asked.

Configuration

Fix it so root cannot log in. Edit /etc/ssh/sshd_config to change the PermitRootLogin setting:

PermitRootLogin no

Allow connections on port 443 in case port 22 is blocked. Edit /etc/ssh/sshd_config to add a second Port statement:

Port 443

Add greeting message to connections. Edit /etc/ssh/sshd_config to uncomment the "Banner /etc/issue.net" statement. Edit /etc/issue.net to replace "Debian GNU/Linux 3.1 %h" with the desired message.

Startup

Restart to have the settings take effect:

/etc/init.d/ssh restart

Or just send the daemon a HUP signal to have it reread the configuration file and activate the changes.

kill -HUP `cat /var/run/sshd.pid`

Testing

Log into the system as a user via SSH.

Try logging in as root via SSH. Make sure the access is denied, and that the attempt is logged.

Logging

SSH access to the system is logged in /var/log/auth.log.

Security

We've disabled direct root login via SSH. The OpenSSH server and client come built with just about every feature possible to help ensure as secure a connection as possible.

After installation, and any time the SSH server keys change, update http://www.sluug.org/members/bbs/ssh_keys.shtml with the new public key fingerprints. The fingerprints can be listed with:

ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

Notes

While SSH replaces Telnet, we've kept the telnet client installed, because it's very helpful in troubleshooting network services by telnetting directly to the port the service runs on. The telnet client should never be used to log into a shell account. The telnet server should never be installed, except perhaps for non-critical non-shell restricted access.

TODO

Enable/disable some more features to provide better security.

Determine when it is appropriate to use key-based authentication instead of password authentication, and configure for such. Use ssh-agent and ssh-add as appropriate. (Note that users can use those already.)

Comments

build/ssh.1166854835.txt.gz · Last modified: 2007/05/30 20:38 (external edit)