Linux/sshd
sshd
SSH Daemon
Configuration Options
More information:
man sshd_config
Allow Tunneling
Allow Tunneling (/etc/ssh/sshd_config):
AllowTcpForwarding yes
Allow Reverse Tunnel
Reverse:
ssh -R 8000:localhost:80 oli@remote-machine
Allow this with:
/etc/ssh/sshd_config:
Match User oli GatewayPorts yes
ref: https://askubuntu.com/questions/50064/reverse-port-tunnelling
keywords reverse tunnel reverse proxy
SFTP
To provide SFTP access to linux accounts only (no shell access) change user's shell to:
/usr/libexec/openssh/sftp-server test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server
See vsftpd
/etc/ssh/sshd_config:
# override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server
chroot
/etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User ezra
ChrootDirectory /home/%u
#ForceCommand internal-sftp
AllowTcpForwarding no
If you want to use 'sftp-server' in the chroot, you have to copy it and add the appropriate libraries, but why bother when internal-sftp works just fine.
Setup chroot home directory:
NEWUSER=ezra
adduser $NEWUSER
chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER
cd /home/$NEWUSER
mkdir home/$NEWUSER
mv .bash* home/$NEWUSER/
# ssh keys
mkdir -p home/$NEWUSER/.ssh
chown $NEWUSER:$NEWUSER home/$NEWUSER
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
ln -s home/$NEWUSER/.ssh .ssh # sshd still tries to access the real /home/user/.ssh path
# libs for shell apps and ssh access
mkdir {bin,dev,dev/pts,lib64,home,home/$NEWUSER}
cp -p /bin/{bash,cat,cp,ls,mv} bin/
cp -p /lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcap.so.2,libc.so.6,libdl.so.2,libpthread.so.0,librt.so.1,libselinux.so.1,libtinfo.so.5} lib64/
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mknod -m 666 dev/tty c 5 0
mknod -m 666 dev/ptmx c 5 2
chmod 755 dev/pts
find missing libraries (eg. ldd /bin/bash)
chroot sftp only
/etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User ezra
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
/etc/passwd:
ezra:x:507:507::/home/ezra:/bin/false
Setup chroot home directory:
NEWUSER=ezra adduser $NEWUSER cd /home/$NEWUSER chown root:root /home/$NEWUSER chmod 755 /home/$NEWUSER mkdir -p home/$NEWUSER chown $NEWUSER:$NEWUSER home/$NEWUSER mv .bash* home/$NEWUSER/ # ssh keys mkdir home/$NEWUSER/.ssh touch home/$NEWUSER/.ssh/authorized_keys chmod 600 home/$NEWUSER/.ssh/authorized_keys chmod 700 home/$NEWUSER/.ssh chmod 755 home/$NEWUSER chown $NEWUSER:$NEWUSER home/$NEWUSER/.ssh -R ln -s home/$NEWUSER/.ssh .ssh # sshd still tries to access the real /home/user/.ssh path # pub directory mkdir pub chmod 775 pub chown $NEWUSER:$NEWUSER pub
Allow and Deny Users
/etc/ssh/sshd_config:
DenyUsers user1 user2 user3 DenyGroups group1 group2 AllowUsers user1 user2 AllowGroups group1 group2
no reverse dns lookup
If you are having delays due to DNS lookups, these can be disabled:
/etc/ssh/sshd_config:
#UseDNS yes UseDNS no
man sshd_config:
UseDNS Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP
address maps back to the very same IP address. The default is “yes”.
Banner
/etc/ssh/sshd_config:
Banner /etc/sshd/sshd-banner
sample /etc/sshd/sshd-banner:
*****************************************************************************
NOTICE TO USERS
WARNING! The use of this system is restricted to authorized users,
unauthorized access is forbidden and will be prosecuted by law.
All information and communications on this system are subject
to review, monitoring and recording at any time,
without notice or permission. Users should have no
expectation of privacy.
*****************************************************************************
- How to force sshd server to display login banner before login (change the ssh server login banner) - http://www.cyberciti.biz/tips/change-openssh-sshd-server-login-banner.html
- Login Banner | SSH Banner Howto - http://www.review-ninja.com/2009/05/login-banner-ssh-banner-howto.html
Allow Public Key Authentication
/etc/ssh/sshd_config:
# enable public-key authentication RSAAuthentication no PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
Fancy key location:
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
Additional Details:
Configuring OpenSSH to accept public-key authentication - http://linux-sxs.org/networking/openssh.putty.html
To enable your OpenSSH to accept version 2 public key, you would need to modify /etc/ssh/sshd_config. You could use vi editor (or whatever editor you are familiar with) to uncomment/add/modify the following lines to /etc/ssh/sshd_config:
# the default SSH port is 22, you could alter it if necessary Port 22 # accept version 2 keys only Protocol 2 # NEVER allow root to login directly over the net PermitRootLogin no StrictModes yes MaxAuthTries 3 # enable public-key authentication RSAAuthentication no PubkeyAuthentication yes # securing your OpenSSH # do not use host-based authentication for security reason RhostsRSAAuthentication no HostbasedAuthentication no IgnoreUserKnownHosts yes PermitEmptyPassword no # do not allow telnet-type login for security reason ChallengeResponseAuthentication no PasswordAuthentication no X11Forwarding yes X11DisplayOffset 10
Setup SSHD
mkdir -p /etc/ssh touch /etc/ssh/sshd_config
# you only have to have one of these to start sshd, but might as well have all ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key # rsa v1 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key # rsa v2 default ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key # dsa v2
/sbin/sshd
Secure Linux
If you have copied keys using ssh-copy-id, you may need to fix the Secure Linux permissions:
restorecon -r -v ~/.ssh
Regenerate Host Keys
If you try to connect, but it immediately returns without error, your host keys might be corrupted. Syslog:
sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format sshd[2697]: Could not load host key: /etc/ssh/ssh_host_rsa_key
To regenerate your host keys:
ssh-keygen -A
keywords
ssh sshd secure shell