Secure - How to ssh server & client

From Linux - Help

Goal: Understand how to configure a good SSH server & client. This document is not meant to be copy-pasted blindly in the hope that it works.

Server configuration example (SSHD):

Below is an example of an SSHD server configuration:

 Port 22
 ListenAddress ::
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
 LoginGraceTime 60
 PermitRootLogin no
 IgnoreRhosts yes
 StrictModes yes
 X11Forwarding no
 X11DisplayOffset 10
 PrintMotd yes
 SyslogFacility DAEMON
 PasswordAuthentication no
 PermitEmptyPasswords no
 UsePrivilegeSeparation yes
 PubkeyAuthentication yes
 UseDNS no
 Banner /etc/ssh/banner
  • Port: Specifies the port number that sshd(8) listens on. The default is 22 (or 2222). Multiple options of this type are permitted. See also ListenAddress.
  • ListenAddress: Specifies the local addresses sshd(8) should listen on. The following forms may be used:
 ListenAddress host|IPv4_addr|IPv6_addr
 ListenAddress host|IPv4_addr:port
 ListenAddress [

NOTE: If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.

  • Protocol: Specifies the protocol versions sshd(8) supports. The possible values are '1' and '2'. Multiple versions must be comma-separated. The default is 2,1. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specifying 2,1 is identical to 1,2.
  • HostKey: Specifies a file containing a private host key used by SSH. The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that sshd(8) will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. rsa1 keys are used for version 1 and dsa or rsa are used for version 2 of the SSH protocol.
  • LoginGraceTime: The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
  • PermitRootLogin: Specifies whether root can log in using ssh(1). The argument must be yes, without-password, forced-commands-only, or no. The default is yes. If this option is set to without-password, password authentication is disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to no, root is not allowed to log in.
  • IgnoreRhosts: Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
  • StrictModes: Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is yes.
  • X11Forwarding: Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
  • X11DisplayOffset: Specifies the first display number available for sshd(8)'s X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is 10.
  • PrintMotd: Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is yes.
  • SyslogFacility: Gives the facility code that is used when logging messages from sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
  • PasswordAuthentication: Specifies whether password authentication is allowed. The default is yes.
  • PermitEmptyPasswords: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is no.
  • UsePrivilegeSeparation: Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is yes.
  • PubkeyAuthentication: Specifies whether public key authentication is allowed. The default is yes. Note that this option applies to protocol version 2 only.
  • UseDNS: Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is yes.
  • Banner: The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is none then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed.
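To check a server's configuration against the settings explained above, here is an added Python example (not from this wiki): it parses an sshd_config, applies the defaults listed above for options that are not set, and reports every option whose effective value differs from the hardened example. It assumes a file without Match blocks.

```python
"""Added example, not from the wiki: audit an sshd_config against the hardened
server settings shown above. Match blocks are not handled."""

# Value an unset option falls back to, taken from the option descriptions above.
DEFAULTS = {
    "protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes",
    "permitemptypasswords": "no", "pubkeyauthentication": "yes",
    "x11forwarding": "no", "ignorerhosts": "yes", "strictmodes": "yes",
    "usedns": "yes",
}

# Values from the hardened example above; "protocol" is compared specially.
WANT = {
    "protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no",
    "permitemptypasswords": "no", "pubkeyauthentication": "yes",
    "x11forwarding": "no", "ignorerhosts": "yes", "strictmodes": "yes",
    "usedns": "no",
}

def parse_sshd_config(text):
    """Return {option: value} with options lower-cased. sshd keeps the FIRST
    value it reads for an option, so later duplicates are ignored here too."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"
        key, value = (line.replace("=", " ", 1).split(None, 1) + [""])[:2]
        conf.setdefault(key.lower(), value.strip())
    return conf

def audit(text):
    """Return [(option, effective, wanted)] for each checked option whose
    effective value (explicit, else the default) is not the hardened one."""
    conf = parse_sshd_config(text)
    findings = []
    for key, wanted in WANT.items():
        effective = conf.get(key, DEFAULTS[key])
        if key == "protocol":
            # "2,1" equals "1,2" (order is not a preference): any 1 is a finding
            ok = set(effective.replace(" ", "").split(",")) == {"2"}
        else:
            ok = effective.lower() == wanted
        if not ok:
            findings.append((key, effective, wanted))
    return findings

# Constructed sample: a weak explicit setting plus a duplicate sshd would ignore.
SAMPLE = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\nPermitRootLogin no\n"
```

Running `audit(SAMPLE)` flags the Protocol and UseDNS defaults as well as the explicit `PermitRootLogin yes`; the second `PermitRootLogin no` line is ignored, exactly as sshd would ignore it.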

Client configuration example (SSH):

For the client configuration, you need to add a file named config in ~/.ssh. The .ssh folder should have permission 700, and the files in .ssh should have 600:

 $ mkdir ~/.ssh && chmod 700 ~/.ssh
 $ touch ~/.ssh/config && chmod 600 ~/.ssh/config

NOTE: only the *.pub files should have 644:

 $ chmod 644 ~/.ssh/*.pub

Then edit your config file with your preferred editor (nano or vi / vim):

 $ vi ~/.ssh/config

And add:

 Host  nas
       User root
       IdentityFile ~/.ssh/id_rsa
 Host  ldap
       User root
       IdentityFile ~/.ssh/id_rsa
 Host  example
       User oswinfox
       IdentityFile ~/.ssh/id_rsa
 Host  *
       ServerAliveInterval 30
       User root
       IdentityFile ~/.ssh/id_rsa
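As an added example (not part of this wiki), the following Python checks the ~/.ssh permission rule given above and shows why the `Host *` block is placed last: ssh keeps the first value it reads for each option, so a wildcard block placed first would override the per-host entries. The embedded config text is a constructed, abridged copy of the one above; the parser is a simplification of ssh's (no Key=value form, no negated patterns, no Match blocks).

```python
"""Added example, not from the wiki: check ~/.ssh modes and resolve which
ssh_config options apply to a host (simplified: no Key=value, !pattern, Match)."""
import fnmatch
import os
import stat

def wanted_mode(name, is_dir=False):
    # Rule from above: the .ssh directory 700, *.pub files 644, other files 600
    return 0o700 if is_dir else (0o644 if name.endswith(".pub") else 0o600)

def mode_violations(ssh_dir):
    """Return [(path, actual, wanted)] for the directory and each regular
    file inside it whose permission bits differ from wanted_mode()."""
    bad = []
    actual = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if actual != wanted_mode(ssh_dir, is_dir=True):
        bad.append((ssh_dir, actual, 0o700))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            actual = stat.S_IMODE(os.stat(path).st_mode)
            if actual != wanted_mode(name):
                bad.append((path, actual, wanted_mode(name)))
    return bad

def resolve(config_text, host):
    """Options ssh would use for `host`. Host blocks are read in file order and
    the FIRST value seen per option wins, so put `Host *` last for defaults."""
    opts = {}
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            opts.setdefault(key.lower(), value.strip())
    return opts

# Constructed, abridged copy of the client config above, with `Host *` last.
CLIENT_CONFIG = """\
Host example
      User oswinfox
      IdentityFile ~/.ssh/id_rsa
Host *
      ServerAliveInterval 30
      User root
"""
```

`mode_violations(os.path.expanduser("~/.ssh"))` lists every entry that breaks the 700/600/644 rule, and `resolve(CLIENT_CONFIG, "example")` keeps `oswinfox` as the user while still picking up the keep-alive from `Host *`.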

Below are all the options available for ssh (some of them only take effect if the server allows the option):

  • AddressFamily
  • BatchMode
  • BindAddress
  • ChallengeResponseAuthentication
  • CheckHostIP
  • Cipher
  • Ciphers
  • ClearAllForwardings
  • Compression
  • CompressionLevel
  • ConnectionAttempts
  • ConnectTimeout
  • ControlMaster
  • ControlPath
  • DynamicForward
  • EscapeChar
  • ExitOnForwardFailure
  • ForwardAgent
  • ForwardX11
  • ForwardX11Trusted
  • GatewayPorts
  • GlobalKnownHostsFile
  • GSSAPIAuthentication
  • GSSAPIDelegateCredentials
  • HashKnownHosts
  • Host
  • HostbasedAuthentication
  • HostKeyAlgorithms
  • HostKeyAlias
  • HostName
  • IdentityFile
  • IdentitiesOnly
  • KbdInteractiveDevices
  • LocalCommand
  • LocalForward
  • LogLevel
  • MACs
  • NoHostAuthenticationForLocalhost
  • NumberOfPasswordPrompts
  • PasswordAuthentication
  • PermitLocalCommand
  • Port
  • PreferredAuthentications
  • Protocol
  • ProxyCommand
  • PubkeyAuthentication
  • RekeyLimit
  • RemoteForward
  • RhostsRSAAuthentication
  • RSAAuthentication
  • SendEnv
  • ServerAliveInterval
  • ServerAliveCountMax
  • SmartcardDevice
  • StrictHostKeyChecking
  • TCPKeepAlive
  • Tunnel
  • TunnelDevice
  • UsePrivilegedPort
  • User
  • UserKnownHostsFile
  • VerifyHostKeyDNS
  • VisualHostKey
  • XAuthLocation