SSH Daemon
Configuration Options
More information:
man sshd_config
Allow Tunneling
Allow Tunneling (/etc/ssh/sshd_config):
AllowTcpForwarding yes
Allow Reverse Tunnel
ssh -R 8000:localhost:80 oli@remote-machine
Allow this with:
# Allow reverse tunnel
# Ref:
Match User oli,kpx
    GatewayPorts yes

Keywords: reverse tunnel, reverse proxy
To provide SFTP access to Linux accounts only (no shell access), change the user's shell to /usr/libexec/openssh/sftp-server, e.g. in /etc/passwd:

test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server
See vsftpd
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Chroot with shell access (ForceCommand left commented out):

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User ezra
    ChrootDirectory /home/%u
    #ForceCommand internal-sftp
    AllowTcpForwarding no
If you want to use sftp-server in the chroot, you have to copy it and add the appropriate libraries, but why bother when internal-sftp (built into sshd, so it needs nothing inside the chroot) works just fine.
Setup chroot home directory:
NEWUSER=ezra
adduser $NEWUSER
chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER
cd /home/$NEWUSER
mkdir -p home/$NEWUSER
mv .bash* home/$NEWUSER/
# ssh keys
mkdir -p home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
# the user must own the key files, because sshd reads authorized_keys as that user
chown -R $NEWUSER:$NEWUSER home/$NEWUSER
ln -s home/$NEWUSER/.ssh .ssh   # sshd still tries to access the real /home/user/.ssh path
# libs for shell apps and ssh access
mkdir -p {bin,dev,dev/pts,lib64,home,home/$NEWUSER}
cp -p /bin/{bash,cat,cp,ls,mv} bin/
cp -p /lib64/{,,,,,,,,,} lib64/   # library names are missing from the original list; find them with ldd (see below)
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mknod -m 666 dev/tty c 5 0
mknod -m 666 dev/ptmx c 5 2
chmod 755 dev/pts

Find the libraries each copied binary needs with ldd (e.g. ldd /bin/bash) and copy them into lib64/.
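A script for that library step, added here as an example and not part of the original notes: it asks ldd for each binary's shared libraries and copies the binary and its libraries into the chroot at their original paths, instead of listing library names by hand. It assumes GNU/Linux ldd output ("lib => /path (0x...)" and "/path (0x...)" lines); the function names and the chroot argument are my own.

```shell
#!/bin/sh
# Populate a chroot with a set of binaries and every shared library that
# ldd reports for them. Added example; assumes GNU/Linux ldd output.

# copy_into_chroot CHROOT FILE: copy FILE to the same path under CHROOT,
# preserving mode and timestamps and creating parent directories as needed.
copy_into_chroot() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# chroot_libs_for BIN: print the absolute paths of BIN's dynamic
# dependencies, one per line (nothing for a static binary).
# Every whitespace-separated field of the ldd output that starts with "/"
# is a library path; "linux-vdso.so.1" has no path and is skipped.
chroot_libs_for() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' || true
}

# install_chroot_bins CHROOT BIN...: copy each BIN and its libraries into
# CHROOT, printing one line per file copied. Libraries shared by several
# binaries are copied once.
install_chroot_bins() {
    jail=$1
    shift
    for bin in "$@"; do
        copy_into_chroot "$jail" "$bin"
        echo "$bin"
        for lib in $(chroot_libs_for "$bin"); do
            [ -e "$jail$lib" ] && continue
            copy_into_chroot "$jail" "$lib"
            echo "  $lib"
        done
    done
}

# Usage, matching the chroot layout of the notes above (run as root on the
# real system; the path is a placeholder):
# install_chroot_bins /home/ezra /bin/bash /bin/cat /bin/cp /bin/ls /bin/mv
```

Because files land at their original paths, a binary that lives in /usr/bin or a loader in /lib64 ends up where the dynamic linker inside the chroot expects it, which a flat copy into lib64/ does not guarantee on every distribution.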
chroot sftp only
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User ezra
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Setup chroot home directory:
NEWUSER=ezra
adduser $NEWUSER
cd /home/$NEWUSER
chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER
mkdir -p home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER
mv .bash* home/$NEWUSER/
# ssh keys
mkdir home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
chown -R $NEWUSER:$NEWUSER home/$NEWUSER/.ssh
ln -s home/$NEWUSER/.ssh .ssh   # sshd still tries to access the real /home/user/.ssh path
# pub directory
mkdir pub
chmod 775 pub
chown $NEWUSER:$NEWUSER pub
Allow and Deny Users
DenyUsers user1 user2 user3
DenyGroups group1 group2
AllowUsers user1 user2
AllowGroups group1 group2

sshd evaluates these in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; once AllowUsers or AllowGroups is set, only the listed users or groups can log in at all.
no reverse dns lookup
If you are having delays due to DNS lookups, these can be disabled (OpenSSH 6.8 and later already default to no):

#UseDNS yes
UseDNS no
man sshd_config:
UseDNS Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is “yes”.
Banner /etc/sshd/sshd-banner
sample /etc/sshd/sshd-banner:
*****************************************************************************
                              NOTICE TO USERS

WARNING! The use of this system is restricted to authorized users,
unauthorized access is forbidden and will be prosecuted by law.
All information and communications on this system are subject to
review, monitoring and recording at any time, without notice or
permission. Users should have no expectation of privacy.
*****************************************************************************

References:
- How to force sshd server to display login banner before login (change the ssh server login banner)
- Login Banner | SSH Banner Howto
Allow Public Key Authentication
# enable public-key authentication
# RSAAuthentication is an SSH protocol 1 option; OpenSSH 7.4 dropped
# protocol 1 and current sshd only logs it as deprecated
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Fancy key location:
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
Additional Details:
Configuring OpenSSH to accept public-key authentication -
To enable your OpenSSH to accept version 2 public keys, you need to modify /etc/ssh/sshd_config. Use vi (or whatever editor you are familiar with) to uncomment, add or modify the following lines in /etc/ssh/sshd_config:

# the default SSH port is 22, you could alter it if necessary
Port 22
# accept version 2 keys only
Protocol 2
# NEVER allow root to login directly over the net
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes
# securing your OpenSSH
# do not use host-based authentication for security reason
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
# do not allow telnet-type login for security reason
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10

Two notes on this list: the keyword is PermitEmptyPasswords (plural); sshd refuses to start on an unknown keyword such as the singular form, so run sshd -t after editing. Protocol, RSAAuthentication and RhostsRSAAuthentication belong to SSH protocol 1, which OpenSSH removed in 7.4; current versions accept them only for compatibility and ignore them.
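As a check on a config like the one above, the following added script (not from the quoted article or the original notes) reads the global section of an sshd_config and flags the authentication keywords that differ from the hardened values. It reproduces two sshd parsing rules that matter for an audit: sshd keeps the first value it reads for a keyword, and a value set inside a Match block does not change the global value. It assumes "Keyword value" syntax (the Keyword=value form sshd also accepts is not handled) and current OpenSSH defaults for keywords the file leaves unset; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for weak authentication
# settings. Added example; assumes "Keyword value" lines and current
# OpenSSH defaults for unset keywords.

# sshd_global_value FILE KEYWORD: print the first global value of KEYWORD
# (keywords are case-insensitive; the global section ends at the first
# Match line; comments and blank lines are skipped). Prints nothing if unset.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: compare each keyword with the hardened value, using the
# assumed default when the file does not set it. Prints one line per
# keyword and returns the number of weak settings (0 = clean).
sshd_audit() {
    audit_cfg=$1
    audit_bad=0
    while IFS=: read -r key want dflt; do
        got=$(sshd_global_value "$audit_cfg" "$key")
        [ -z "$got" ] && got=$dflt
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "WEAK  $key $got (want $want)"
            audit_bad=$((audit_bad + 1))
        fi
    done <<'EOF'
PermitRootLogin:no:prohibit-password
PasswordAuthentication:no:yes
PermitEmptyPasswords:no:no
PubkeyAuthentication:yes:yes
HostbasedAuthentication:no:no
EOF
    return $audit_bad
}

# write_sample_config FILE: constructed sample with two weak spots: root
# login allowed (the later "no" is ignored because sshd keeps the first
# value) and password authentication disabled only inside a Match block,
# so the global setting stays at its default of yes.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22
PermitRootLogin yes
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User ezra
    PasswordAuthentication no
EOF
}

# Usage:
# f=$(mktemp); write_sample_config "$f"; sshd_audit "$f"; echo "weak: $?"
```

On a live server the authoritative answer is sshd -T (optionally with -C user=NAME to resolve Match blocks), which prints the effective configuration; this script is for config files you cannot run sshd against, such as ones pulled from backups or a configuration repository.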
Setup SSHD
mkdir -p /etc/ssh
touch /etc/ssh/sshd_config

# you only have to have one of these to start sshd, but might as well have all
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key        # rsa v1
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key     # rsa v2 default
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key     # dsa v2
# rsa1 keys are SSH protocol 1 only and current ssh-keygen no longer creates them;
# ssh-keygen -A (see Regenerate Host Keys below) creates every default host key type
Secure Linux
If you have copied keys using ssh-copy-id, you may need to restore the SELinux (Security-Enhanced Linux) file contexts on ~/.ssh:
restorecon -r -v ~/.ssh
Regenerate Host Keys
If you try to connect but the connection is closed immediately without an error message, your host keys might be corrupted. Syslog:

sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format
sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format
sshd[2697]: Could not load host key: /etc/ssh/ssh_host_rsa_key
To regenerate your host keys:
ssh-keygen -A
Keywords: ssh, sshd, secure shell