sshd: OpenSSH Server

This section discusses how to set up an OpenSSH server.

Prerequisites

Install the following packages:

  • openssh

  • openssh-server

Run chkconfig to cause sshd to start when the system enters multiuser mode:

# /sbin/chkconfig sshd on

See "" (page ) for information on starting the server for the first time.

Notes

Firewall

An OpenSSH server normally uses TCP port 22. If the OpenSSH server system is running a firewall, you need to open this port. Using the Red Hat graphical firewall tool (page ), select SSH from the Trusted Services frame to open this port. For more general information see , which details iptables.

SELinux

When SELinux is set to use a targeted policy, sshd is protected by SELinux. You can disable this protection if necessary. For more information refer to "" on page .

JumpStart: Starting the sshd Daemon

Install the requisite packages and start the sshd daemon as described in the following sections. Look in /var/log/secure to make sure everything is working properly.

Recommended Settings

The configuration files provided by Red Hat establish a mostly secure system and may or may not meet your needs. The Red Hat /etc/ssh/sshd_config file turns on X11 forwarding (page ). For a more secure system, you can set PermitRootLogin to no, thereby removing a known-name, privileged account that is exposed to the outside world with only password protection.

Starting sshd for the First Time

When you start the sshd OpenSSH daemon for the first time, generally when you first boot the system after installation, it automatically creates host key files (page ) in /etc/ssh:

# /sbin/service sshd start
Generating SSH1 RSA host key:                               [  OK  ]
Generating SSH2 RSA host key:                               [  OK  ]
Generating SSH2 DSA host key:                               [  OK  ]
Starting sshd:                                              [  OK  ]

OpenSSH uses the files it creates to identify the server.

Authorized Keys: Automatic Login

You can configure OpenSSH so you do not have to enter a password each time you connect to a remote system. To set things up, you need to generate a personal authentication key, place the public part of the key on the remote server, and keep the private part of the key on the local client. When you connect, the remote system issues a challenge based on the public part of the key. The private part of the key is required to respond properly to the challenge. If the local system provides the appropriate response, the remote system logs you in.

The first step in setting up an automatic login is to generate your personal authentication keys. Check whether these authentication keys already exist: Look in ~/.ssh for either id_dsa and id_dsa.pub or id_rsa and id_rsa.pub. If one of these pairs of files is present, skip the next step (do not create a new key).

The ssh-keygen utility creates the public and private parts of an RSA key:

ssh-keygen

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sam/.ssh/id_rsa):RETURN
Created directory '/home/sam/.ssh'.
Enter passphrase (empty for no passphrase):RETURN
Enter same passphrase again:RETURN
Your identification has been saved in /home/sam/.ssh/id_rsa.
Your public key has been saved in /home/sam/.ssh/id_rsa.pub.
The key fingerprint is:
f2:eb:c8:fe:ed:fd:32:98:e8:24:5a:76:1d:0e:fd:1d sam@peach

Replace rsa with dsa to generate DSA keys. In this example, the user pressed RETURN in response to each query. You have the option of specifying a passphrase (10 to 30 characters is a good length) to encrypt the private part of the key. There is no way to recover a lost passphrase. See the following security tip for more information about the passphrase.

The ssh-keygen utility generates two keys: a private key or identification in ~/.ssh/id_rsa and a public key in ~/.ssh/id_rsa.pub. No one except the owner should be able to write to either of these files. Only the owner should be able to read from the private key file.

authorized_keys

To enable you to log in on or copy files from/to another system without supplying a password, first create a ~/.ssh directory with permissions set to 700 on the remote system. Next copy ~/.ssh/id_rsa.pub on the local system to a file named ~/.ssh/authorized_keys on the remote system. No one except the owner should be able to read from or write to this file. Now when you run ssh or scp to access the remote system, you do not have to supply a password. To make the system even more secure, you can disable password authentication by setting PasswordAuthentication to no in /etc/ssh/sshd_config.
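The key-installation steps above, as an added example that is not part of the book's text: a POSIX shell script with two hypothetical helpers, install_authorized_key and check_ssh_perms. The first creates ~/.ssh with mode 700 and adds the public key to authorized_keys (mode 600) without duplicating it; the second reports any directory or file that StrictModes would reject and any private key readable by others. The sample public-key line and the temporary home directory are constructed.

```shell
#!/bin/sh
# Added example (not from the book): install a public key the way the text
# describes and verify the resulting permissions. Helper names are hypothetical.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (mode 700) if needed, appends each key line from
# PUBKEY_FILE to authorized_keys unless it is already present, and keeps
# authorized_keys at mode 600 (readable and writable by the owner only).
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -d "$ssh_dir" ] || mkdir "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare whole lines so the same key is never installed twice.
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! grep -qxF -e "$line" "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# writable_by_others PATH
# Succeeds when PATH is group- or world-writable, the condition StrictModes
# rejects. -prune keeps find from descending into a directory.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# readable_by_others PATH
# Succeeds when anyone other than the owner can read or write PATH.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)" ]
}

# check_ssh_perms HOME_DIR
# Prints one line per problem and returns the number of problems found
# (0 means the layout passes the checks described in the text).
check_ssh_perms() {
    home_dir=$1
    problems=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "$p: writable by group or others"
            problems=$((problems + 1))
        fi
    done
    for key in "$home_dir/.ssh/id_rsa" "$home_dir/.ssh/id_dsa"; do
        [ -f "$key" ] || continue
        if readable_by_others "$key"; then
            echo "$key: private key readable or writable by group or others"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo (runs only when SSH_DEMO=1 is set): a throwaway home directory and a
# constructed public-key line, not a real key.
if [ "${SSH_DEMO-}" = 1 ]; then
    demo_home=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC constructed-sample sam@peach\n' > "$demo_home/id_rsa.pub"
    install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"
    check_ssh_perms "$demo_home" && echo "permissions OK"
    rm -rf "$demo_home"
fi
```

On a real remote host the call is install_authorized_key "$HOME" id_rsa.pub after the public key has been copied over; check_ssh_perms "$HOME" is worth running whenever key login unexpectedly falls back to a password prompt, since a group-writable home directory is a common cause.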

Security: When you encrypt your personal key

The private part of the key is kept in a file that only you can read. If a malicious user compromises either your account or the root account on the local system, that user then has access to your account on the remote system because she can read the private part of your personal key.

Encrypting the private part of your personal key protects the key and, therefore, restricts access to the remote system should someone compromise your local account. However, if you encrypt your personal key, you must supply the passphrase you used to encrypt the key each time you use the key, negating the benefit of not having to type a password when logging in on the remote system. Also, most passphrases that you can remember can be cracked quite quickly by a powerful computer.

A better idea is to store the private keys on a removable medium, such as a USB flash drive, and have your ~/.ssh directory as the mount point for the filesystem stored on this drive.

Command Line Options

Command line options override declarations in the configuration files. Following are descriptions of some of the more useful sshd options.

-d

(debug) Sets debug mode wherein sshd sends debugging messages to the system log and the server stays in the foreground. You can specify this option up to three times to increase the verbosity of the output. See also -e. (The ssh client uses -v for debugging; see page .)

-e

(error) Sends output to standard error, not to the system log. Useful with -d.

-f file

(file) Specifies the file with the pathname file as the default configuration file instead of /etc/ssh/sshd_config.

-t

(test) Checks the configuration file syntax and the sanity of the key files.

-D

(noDetach) Keeps sshd in the foreground. Useful for debugging; implied by -d.

/etc/ssh/sshd_config Configuration File

The /etc/ssh/sshd_config configuration file contains one-line declarations that start with a keyword, which is not case sensitive, followed by whitespace, and end with case-sensitive arguments.

AllowUsers userlist

The userlist is a SPACE-separated list of usernames that specifies users who are allowed to log in using sshd. This list can include * and ? wildcards. You can specify a user as user or user@host. If you use the second format, make sure that you specify the host as returned by hostname. Without this declaration, any user who can log in locally can log in using an OpenSSH client.

ClientAliveCountMax n

The n specifies the number of client-alive messages that can be sent without receiving a response before sshd disconnects from the client. See ClientAliveInterval. Default is 3.

ClientAliveInterval n

Sends a message through the encrypted channel after n seconds of not receiving a message from the client. See ClientAliveCountMax. Default is 0, meaning that no messages are sent.

This declaration passes messages over the encrypted channel and is not susceptible to IP spoofing (page ). It differs from TCPKeepAlive, which uses the TCP keepalive option and is susceptible to IP spoofing.

HostbasedAuthentication yes | no

Tries rhosts authentication when set to yes. For a more secure system, set to no (default).

IgnoreRhosts yes | no

Ignores .rhosts and .shosts files for authentication. Does not affect the use of /etc/hosts.equiv and /etc/ssh/shosts.equiv files for authentication. For a more secure system, set to yes (default).

LoginGraceTime n

Waits n seconds for a user to log in on the server before disconnecting. A value of 0 means there is no time limit. The default is 120.

LogLevel val

Specifies how detailed the log messages are. Choose val from QUIET, FATAL, ERROR, INFO, and VERBOSE. The default is INFO.

PasswordAuthentication yes | no

Permits a user to use a password for authentication. Default is yes.

PermitEmptyPasswords yes | no

Permits a user to log in to an account that has an empty password. Default is no.

PermitRootLogin yes | no

Permits root to log in using an OpenSSH client. For a more secure system, set to no. The default is yes.

StrictModes yes | no

Checks modes and ownership of the user's home directory and files. Login fails if the directories or files can be written to by anyone other than the owner. For security, set to yes (default).

TCPKeepAlive yes | no

Periodically checks whether a connection is alive when set to yes (default). Checking causes the ssh or scp connection to be dropped when the client crashes or the connection dies for another reason, even if it is only temporary. Setting this parameter to no causes the server not to check whether the connection is alive.

This declaration uses the TCP keepalive option, which is not encrypted and is susceptible to IP spoofing (page ). Refer to ClientAliveInterval (page ) for a nonspoofable alternative.

X11Forwarding yes | no

Allows X11 forwarding when set to yes. The default is no, but CentOS Linux sets X11Forwarding to yes. For X11 forwarding to work, the ForwardX11 declaration or the ForwardX11Trusted declaration must also be set to yes in either the ~/.ssh/config or /etc/ssh/ssh_config client configuration file (page ). For more information refer to "" on page .
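As an added example (not from the book), a POSIX shell script that ties the configuration section above to the -t option described under Command Line Options: it audits an sshd_config for the declarations discussed, using the defaults the text gives for keywords that are not declared, writes a hardened copy, and runs the sshd -t syntax check when sshd is installed. The helper names effective_value, audit_sshd_config and harden_sshd_config are hypothetical, and the 300-second ClientAliveInterval is a value chosen for the example, not one the book recommends.

```shell
#!/bin/sh
# Added example (not from the book): audit and harden an sshd_config.
# Helper names are hypothetical; the demo config at the bottom is constructed.

# effective_value CONFIG KEYWORD
# Prints the argument of the first declaration of KEYWORD (sshd uses the
# first occurrence), matching the keyword case-insensitively and skipping
# comments and blank lines. Prints nothing when the keyword is not declared.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# One entry per line: keyword, secure value, value sshd assumes when the
# keyword is absent (the defaults stated in the text above).
SECURE_SETTINGS='
PermitRootLogin no yes
PasswordAuthentication no yes
PermitEmptyPasswords no no
HostbasedAuthentication no no
IgnoreRhosts yes yes
StrictModes yes yes
X11Forwarding no no
'

# audit_sshd_config CONFIG
# Prints one line per weak setting (declared or inherited from the default)
# and returns the number of findings; 0 means every audited keyword is secure.
audit_sshd_config() {
    cfg=$1
    findings=0
    while read -r kw want dflt; do
        [ -n "$kw" ] || continue
        have=$(effective_value "$cfg" "$kw")
        src=declared
        if [ -z "$have" ]; then have=$dflt; src=default; fi
        if [ "$have" != "$want" ]; then
            echo "$kw is $have ($src); recommended: $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$SECURE_SETTINGS
EOF
    return "$findings"
}

# harden_sshd_config SRC DST
# Copies SRC to DST minus any existing declarations of the keywords set
# below, then appends the secure values so they are the only occurrence
# sshd sees. Runs "sshd -t" on the result when sshd is available.
harden_sshd_config() {
    src_cfg=$1
    dst_cfg=$2
    awk -v keys="permitrootlogin passwordauthentication permitemptypasswords hostbasedauthentication ignorerhosts strictmodes x11forwarding tcpkeepalive clientaliveinterval clientalivecountmax" '
        BEGIN { n = split(keys, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        tolower($1) in drop { next }
        { print }
    ' "$src_cfg" > "$dst_cfg"
    cat >> "$dst_cfg" <<'EOF'

# Hardened settings appended by harden_sshd_config (example values)
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
# Detect dead clients over the encrypted channel instead of TCP keepalives,
# which travel unencrypted and can be spoofed.
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 3
EOF
    # sshd -t checks syntax and the host key files; it needs the keys to exist.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$dst_cfg" || echo "sshd -t reported a problem with $dst_cfg"
    fi
}

# Demo (runs only when SSH_DEMO=1 is set) on a constructed configuration.
if [ "${SSH_DEMO-}" = 1 ]; then
    demo_dir=$(mktemp -d)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'X11Forwarding yes' > "$demo_dir/sshd_config"
    audit_sshd_config "$demo_dir/sshd_config" || echo "findings: $?"
    harden_sshd_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.hardened"
    audit_sshd_config "$demo_dir/sshd_config.hardened" && echo "hardened copy passes"
    rm -rf "$demo_dir"
fi
```

Because sshd honours the first declaration of a keyword, simply appending secure values to the end of the file does nothing if a weaker declaration appears earlier; that is why harden_sshd_config strips the existing declarations before appending. Run the audit against /etc/ssh/sshd_config before and after any change, and keep the -t check in the loop so a typo never leaves the server unable to restart.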