No contents found at URL
Source Repository:Repository:Gentoo Portage Tree

Summary: Port of OpenBSD's free SSH release

Use Flags

Disable EC/RC5 algorithms in OpenSSL for patent reasons.
Enable high performance ssh
Add support for storing SSH public keys in LDAP
Use LDNS for DNSSEC/SSHFP validation.
Enable root password logins for live-cd environment.
Support the legacy/weak SSH1 protocol
Enable additional crypto algorithms via OpenSSL
Adds support for X.509 certificate authentication



Kits Are Go (And Ego Needs a Manual Bump)

An update on kits and how to manually update to ego-1.1.3-r3 (required steps for some)
2017-08-17 by Drobbins

Kits are Go (Switch to Them!)

Kits are now the official way we do things at Funtoo.
2017-07-31 by Drobbins

Funtoo-Stable Going Away

As we move towards the next generation of Funtoo Linux, funtoo-stable is being retired.
2017-07-11 by Drobbins



We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.


SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2.

Default Installation

Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of OpenRC's default runlevel.

By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.

Service configuration

There are 2 means of configuring sshd. The first is required, the second is optional.

  1. sshd reads its configuration data from /etc/ssh/sshd_config by default.
  2. sshd may be configured to use PAM.
    Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.

Protocol version selection

The default protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the Protocol directive.

e.g. Protocol 2

Cipher selection

The Ciphers directive specifies the ciphers allowed for protocol version 2.

User Authentication

Single authentication method

  1. Password authentication
    This is enabled by default, it is configured using the PasswordAuthentication directive. Valid parameters are yes or no.
    When PasswordAuthentication yes is configured, the state of the PermitEmptyPasswords directive is evaluated.
  2. Public key authentication

This is enabled with combinations of AuthorizedKeysFile, AuthorizedKeysCommand and AuthorizedKeysCommandUser.

Passwordless Authentication


On your client, run

# ssh-keygen -t rsa

This command will generate a public and private key, stored at ~/.ssh/ and ~/.ssh/id_rsa respectively. The private key should not be shared with anyone. The pubilc key can be freely shared, and can only be used to grant you access to remote systems by use of your private key. To grant yourself access to a remote account, append the contents of ~/.ssh/ to the file ~/.ssh/authorized_keys on a remote system. Note that ~/.ssh/authorized_keys must not be readable by anyone but the user for OpenSSH to process the file -- do this by running chmod -R go-rwx ~/.ssh on the remote system.

Providing a passphrase for your private key will cause it to be stored in an encrypted format, using this passphrase. Before you can use your private key, you will be prompted by OpenSSH to type in this passphrase. This is similar to typing in a password, but with the use of this authentication method, your password is not sent over the network at all.

The program ssh-agent exists to allow decrypted private keys to be cached in memory for easy access, so you do not need to type in your passphrase every time. It can still be quite complex to use, so it's recommended to use a front-end for ssh-agent -- see the Keychain page to learn about such a tool. Keychain is also part of Funtoo.


Create a user, or select which user the client will be accessing the server as, then place clients file into the users ~/.ssh/authorized_keys

Single Machine Testing

# ssh-keygen -t rsa

Press enter several times to accept default settings.

# cp ~/.ssh/ ~/.ssh/authorized_keys
# ssh localhost
  1. Host-based authentication

Requiring multiple authentication factors

These options are only available for SSH-2. The default is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the AuthenticationMethods directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.

  1. password
  2. publickey
  3. keyboard-interactive

e.g. AuthenticationMethods "password,publickey password,keyboard-interactive"

Password authentication using sshd_config

The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within sshd_config. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form USER@HOST then access is restricted to the USER when originating from the HOST.

Login is forbidden for users whose username matches one of the patterns
Login is permitted to users whose username matches one of the patterns
Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
Login is permitted to users whose primary group or supplementary group list matches one of the patterns

Public key authentication

AuthorizedKeysFile AuthorizedKeysCommand AuthorizedKeysCommandUser

Host based authentication

Access control

Controlling root access

Access by the root user can be controlled using the PermitRootLogin directive.

Permit empty passwords

Access to accounts with empty (i.e. blank) passwords can be controlled using the PermitEmptyPasswords directive.

ChallengeResponseAuthentication Ciphers

GSSAPIAuthenticaion GSSAPICleanupCredentials GSSAPIStrictAcceptorCheck HostBasedAuthentication HostBasedUsesNameFromPacketOnly HostCertificate HostKey HostKeyAgent LoginGraceTime MAC MaxAuthTries MaxSessions MaxStartups PasswordAuthentication PermitEmptyPasswords PubkeyAuthentication RevokedKeys RhostsRSAAuthentication RSAAuthentication TrustedUserCAKeys UseLogin UsePAM

X11 Forwarding

By default X11 forwarding is disabled in OpenSSHd,

If you would like to forward X11 from your Funtoo box to a remote system you must first edit your /etc/ssh/sshd_config file


#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes


X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded

Intrusion Prevention

ssh is a commonly attacked service. Package:Sshguard monitors logs, and black list remote users who have repeatedly failed to login.