OpenSSH Server Configuration
SSH is the only way one should be connecting a remote shell to their Linux machines. SSH can provide remote shells, secure FTP (SFTP) and functions nicely as a tunnel for rsync. SSH comes with nearly every distribution, is easy to set up and provides excellent security. This article speaks about OpenSSH 4.2; other implementations exist.
SSH Server Daemon
The sshd daemon provides the server portion of SSH; its configuration is usually located at /etc/ssh/sshd_config. Distributions vary on the defaults in here: some support protocols one and two, some only two. Regardless of your distribution, below are the relevant portions of a fairly tightened server with inline comments. Notably, password logins are disabled for everyone including root (root may only log in with a key) and groups are restricted. Read man sshd_config for the full list of options.
# limit protocol and listen address
ListenAddress 1.2.3.4
Protocol 2
# Restrict logins: keys only, 2 attempts, 20s timeout, no root password login
LoginGraceTime 20
MaxAuthTries 2
PermitRootLogin without-password
PasswordAuthentication no
# disable PAM, the MOTD banner and reverse DNS lookups on connecting clients
UsePAM no
PrintMotd no
UseDNS no
SSH Authorized Keys Automatic Login
SSH can automatically authenticate connections when the client presents an authorized key. A client gives its public key to a server, and when it connects the server knows it's allowed in and accepts the connection without a password prompt. The keys are specific to users, so a key authorized for user_a will not let user_b in.
Few Simple Steps
- Create Keys
  If the keys don't exist already you must create them. Look in your ~/.ssh for files called id_rsa and id_rsa.pub. If those files don't exist, run
  ssh-keygen -b 2048 -t rsa
  to create them.
- Place Keys on Server
  Copy id_rsa.pub to the server, then append it to ~/.ssh/authorized_keys.
In the Creo section we have a script to automate this process.
Optionally you can use a DSA key; simply replace `rsa` with `dsa` above.
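As an added example (not the Creo script from this site), here is a small POSIX sh helper that performs the two steps above: it creates the RSA pair if id_rsa is missing, and appends one public key to a server-side authorized_keys file exactly once, setting the directory and file modes that sshd's StrictModes check requires. The directory and file paths passed as arguments are assumptions; the key line used in the comments is constructed.

```shell
# ensure_key DIR: create DIR/id_rsa and DIR/id_rsa.pub if absent, print the
# public key path. Equivalent to the article's "ssh-keygen -b 2048 -t rsa".
ensure_key() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    if [ ! -f "$dir/id_rsa" ]; then
        ssh-keygen -q -b 2048 -t rsa -N '' -f "$dir/id_rsa"
    fi
    printf '%s\n' "$dir/id_rsa.pub"
}

# install_key PUBKEY_FILE AUTH_FILE: append the single key line found in
# PUBKEY_FILE (e.g. "ssh-rsa AAAA... user_a@host", a constructed sample) to
# AUTH_FILE unless the same key is already there. sshd refuses keys from
# group/world-writable paths, so the ~/.ssh dir gets 700 and the file 600.
# Prints "added" or "present"; returns 1 for a line that is not an RSA/DSA key.
install_key() {
    pub=$1
    auth=$2
    key=$(head -n 1 "$pub")
    case $key in
        ssh-rsa\ *|ssh-dss\ *) ;;      # the two key types the article covers
        *) echo "not an RSA/DSA public key line: $pub" >&2; return 1 ;;
    esac
    authdir=$(dirname "$auth")
    mkdir -p "$authdir"
    chmod 700 "$authdir"
    touch "$auth"
    chmod 600 "$auth"
    # Match on key type + base64 blob only, so a key re-exported with a
    # different trailing comment is not appended a second time.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b {found=1} END {exit !found}' "$auth"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo added
}
```

Typical use is `install_key "$(ensure_key ~/.ssh)" /path/on/server/.ssh/authorized_keys` after copying the .pub file over; running it twice is harmless.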