Difference between pages "Package:OpenSSH" and "Template:ArticleFooter"

From Funtoo
(Difference between pages)
Jump to navigation Jump to search
 
 
Line 1: Line 1:
{{Ebuild
{{#vardefine:Summary:{{#show:{{FULLPAGENAME}}|?Summary}}}}
|Summary=Port of OpenBSD's free SSH release
{{#vardefine:Author:{{#show:{{FULLPAGENAME}}|?Author}}}}
|CatPkg=net-misc/openssh
{{#vardefine:Icon:{{#show:{{FULLPAGENAME}}|?Icon}}}}
|Homepage=http://www.openssh.com/
{{#var:Author}}
}}
{{#widget:NewsInfo|body={{#var:Summary|}}|user={{#var:Author|}}|icon_url={{#if:{{#var:Icon|}}|{{filepath:{{#sub:{{#var:Icon}}|5}}|80}}|http://www.gravatar.com/avatar/{{#show: {{FULLPAGENAME}} | ?Gravatar MD5}}/?s=80&d=retro&r=g}}}}
== Introduction ==
{{#show: {{#var:Author}} | ?Bio }}
SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2.
{{#var:Author}}
 
== Default Installation ==
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.
 
By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.
 
== Service configuration ==
There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional.
 
# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.
 
== Protocol version selection ==
The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.
 
e.g. <code>Protocol 2</code>
 
== Cipher selection ==
The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.
 
== User Authentication ==
=== Single authentication method ===
# Password authentication<br/>This is enabled by '''''default''''', it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
# Public key authentication
This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.
 
=== Passwordless Authentication ===
==== Client ====
On your client, run
 
<console>###i## ssh-keygen -t rsa</console>
 
This command will generate a public and private key, stored at <code>~/.ssh/id_rsa.pub</code> and <code>~/.ssh/id_rsa</code> respectively. The private key should not be shared with anyone. The pubilc key can be freely shared, and can only be used to ''grant'' you access to remote systems by use of your private key. To grant yourself access to a remote account, append the contents of <code>~/.ssh/id_rsa.pub</code> to the file <code>~/.ssh/authorized_keys</code> on a remote system. Note that <code>~/.ssh/authorized_keys</code> must not be readable by anyone but the user for OpenSSH to process the file -- do this by running <code>chmod -R go-rwx ~/.ssh</code> on the remote system.
 
Providing a passphrase for your private key will cause it to be stored in an encrypted format, using this passphrase. Before you can use your private key, you will be prompted by OpenSSH to type in this passphrase. This is similar to typing in a password, but with the use of this authentication method, your password is not sent over the network at all.
 
The program <code>ssh-agent</code> exists to allow decrypted private keys to be cached in memory for easy access, so you do not need to type in your passphrase every time.  It can still be quite complex to use, so it's recommended to use a front-end for <code>ssh-agent</code> -- see the [[Keychain]] page to learn about such a tool. [[Keychain]]  is also part of Funtoo.
 
==== Server ====
Create a user, or select which user the client will be accessing the server as,  then place clients id_rsa.pub file into the users <code>~/.ssh/authorized_keys</code>
 
==== Single Machine Testing ====
<console>###i## ssh-keygen -t rsa</console>
Press enter several times to accept default settings.
<console>###i## cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys</console>
<console>###i## ssh localhost</console>
 
# Host-based authentication
=== Requiring multiple authentication factors ===
These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.
 
# password
# publickey
# keyboard-interactive
 
e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>
=== Password authentication using <code>sshd_config</code> ===
The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within <code>sshd_config</code>. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>.
 
;<code>DenyUsers PATTERN PATTERN ...</code>
:Login is forbidden for users whose username matches one of the patterns
 
;<code>AllowUsers PATTERN PATTERN ...</code>
:Login is permitted to users whose username matches one of the patterns
 
;<code>DenyGroups PATTERN PATTERN ...</code>
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
 
;<code>AllowGroups PATTERN PATTERN ...</code>
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns
 
=== Public key authentication ===
<code>AuthorizedKeysFile</code>
<code>AuthorizedKeysCommand</code>
<code>AuthorizedKeysCommandUser</code>
 
===Host based authentication ===
 
== Access control ==
=== Controlling root access ===
Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.
==== Permit empty passwords ====
Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.
 
ChallengeResponseAuthentication
Ciphers
 
GSSAPIAuthenticaion
GSSAPICleanupCredentials
GSSAPIStrictAcceptorCheck
HostBasedAuthentication
HostBasedUsesNameFromPacketOnly
HostCertificate
HostKey
HostKeyAgent
LoginGraceTime
MAC
MaxAuthTries
MaxSessions
MaxStartups
PasswordAuthentication
PermitEmptyPasswords
PubkeyAuthentication
RevokedKeys
RhostsRSAAuthentication
RSAAuthentication
TrustedUserCAKeys
UseLogin
UsePAM
 
== X11 Forwarding ==
 
By default X11 forwarding is disabled in OpenSSHd,
 
If you would like to forward X11 from your Funtoo box to a remote system you must first edit your /etc/ssh/sshd_config file
 
change
<pre>
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
</pre>
to<br />
<pre>
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
</pre>
 
X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded
 
=== Intrusion Prevention ===
ssh is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs, and black list remote users who have repeatedly failed to login.
 
[[Category:Networking]]
{{EbuildFooter}}

Revision as of 08:05, December 28, 2014



By /
{{#show: | ?Bio }}

Retrieved from "https://www.funtoo.org/index.php?title=Package:OpenSSH&oldid=7878"