= Introduction =

SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions: SSH-1 and SSH-2.

== keys ==

=== Passwordless Authentication ===

==== Client ====

On your client run

<console>###i## ssh-keygen -t rsa</console>

then hit enter about 5 times to accept the defaults and generate your key. Copy the client's <code>~/.ssh/id_rsa.pub</code> into <code>~/.ssh/authorized_keys</code> of the server user you are logging in as.

==== Server ====

useradd a user, then place the client's <code>id_rsa.pub</code> file into the new user's <code>~/.ssh/authorized_keys</code>.

==== Single Machine Testing ====

<console>###i## ssh-keygen -t rsa</console>

enter 5 times

<console>###i## cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys</console>

<console>###i## ssh localhost</console>

== Intrusion Prevention ==

ssh is a commonly attacked service. [[sshguard]] & [[fail2ban]] monitor logs and blacklist remote users who have repeatedly failed to log in.

= Default Installation =

Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.

By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.

= Service configuration =

There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional.

# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.

= Protocol version selection =

The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.

e.g. <code>Protocol 2</code>
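As an added example (Python, not part of the Funtoo wiki page), here is an idempotent version of the "place id_rsa.pub into authorized_keys" step above. It appends the key instead of overwriting any keys already installed, skips a key that is already present (comparing key type and material, so a different comment is not a new key), and sets the modes sshd expects on the directory and file. The public key line is a constructed sample, not a real key, and the directory path is whatever you pass in.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Constructed sample public key line (the blob is NOT a real key); this is the
# "<type> <base64> [comment]" format ssh-keygen writes to id_rsa.pub.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedEXAMPLEkeyMATERIAL== user@client"

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def _key_material(line: str) -> str | None:
    """Return "<type> <blob>" from an authorized_keys line, skipping any
    leading options such as command="..." so the comparison ignores comments.
    (Options containing quoted spaces are not handled; assumption for brevity.)"""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return f"{tok} {tokens[i + 1]}"
    return None


def install_public_key(pubkey_line: str, ssh_dir: Path) -> bool:
    """Append one public key to ssh_dir/authorized_keys.

    Returns True if the key was added, False if it was already present.
    Unlike moving id_rsa.pub over authorized_keys this keeps keys already
    installed, skips duplicates, and sets the modes sshd's StrictModes
    requires (0700 on ~/.ssh, 0600 on authorized_keys).
    """
    material = _key_material(pubkey_line)
    if material is None:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask, so set it explicitly
    authorized = ssh_dir / "authorized_keys"
    existing = authorized.read_text().splitlines() if authorized.exists() else []
    if material in {_key_material(line) for line in existing}:
        return False
    with authorized.open("a") as fh:
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(authorized, 0o600)
    return True


def file_mode(path: Path) -> int:
    """Permission bits only, for checking the 0700/0600 requirement."""
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Run the install twice in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        first = install_public_key(SAMPLE_PUBKEY, ssh_dir)
        # Same key, different comment: must be recognised as already installed.
        second = install_public_key(SAMPLE_PUBKEY.replace("user@client", "user@laptop"), ssh_dir)
        authorized = ssh_dir / "authorized_keys"
        return {
            "first": first,
            "second": second,
            "lines": len(authorized.read_text().splitlines()),
            "dir_mode": file_mode(ssh_dir),
            "file_mode": file_mode(authorized),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as a script and it reports that the first install added the key, the second was a no-op, the file holds one line, and the modes are 0700/0600; on a real host you would pass <code>Path.home() / ".ssh"</code> of the target user.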
= Cipher selection =

The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.
= User Authentication =

== Single authentication method ==

# Password authentication<br/>This is enabled by '''''default''''' and is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
# Public key authentication<br/>This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.
# Host-based authentication

== Requiring multiple authentication factors ==

These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication methods. To tell the daemon that you wish to require more than one, use the <code>AuthenticationMethods</code> directive. It is followed by one or more comma-separated lists of authentication method names, with the lists separated by spaces. Successful authentication requires completion of every method in at least one of these lists. The method names are:

# password
# publickey
# keyboard-interactive

e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>
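As an added example (Python, not from the wiki page or from OpenSSH itself), this parses an <code>AuthenticationMethods</code> value with the space/comma semantics just described and checks whether a set of completed methods satisfies it. It also flags the common mistake of writing <code>publickey password</code> (space) when <code>publickey,password</code> (comma) was intended: the former lets a client in with either method alone. The set of accepted method names is an assumption limited to those on this page plus <code>hostbased</code>.

```python
from __future__ import annotations

# Method names from this page, plus "hostbased" for the host-based method the
# page lists under single authentication methods (assumption: OpenSSH knows
# more, but only these are needed here).
KNOWN_METHODS = {"password", "publickey", "keyboard-interactive", "hostbased"}


def parse_authentication_methods(value: str) -> list[list[str]]:
    """Split an AuthenticationMethods value into its alternative lists.

    A space separates alternatives; a comma separates the methods that one
    alternative requires in sequence. Surrounding quotes, as in the example
    on this page, are stripped.
    """
    alternatives = [alt.split(",") for alt in value.strip().strip('"').split()]
    if not alternatives:
        raise ValueError("AuthenticationMethods needs at least one list")
    for alt in alternatives:
        for method in alt:
            if method not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method: {method!r}")
    return alternatives


def is_authenticated(value: str, completed: set[str]) -> bool:
    """True once every method of at least one alternative has been completed."""
    return any(all(m in completed for m in alt)
               for alt in parse_authentication_methods(value))


def single_factor_alternatives(value: str) -> list[list[str]]:
    """Alternatives a client can satisfy with ONE method.

    A directive such as "publickey password" looks like two factors but admits
    a client that completes either one on its own; a non-empty result means
    the directive does not actually require multiple factors.
    """
    return [alt for alt in parse_authentication_methods(value) if len(alt) == 1]


if __name__ == "__main__":
    example = '"password,publickey password,keyboard-interactive"'
    print(parse_authentication_methods(example))
    print(is_authenticated(example, {"password", "publickey"}))
    print(single_factor_alternatives("publickey password"))
```

For the page's example the only ways in are password plus publickey, or password plus keyboard-interactive; a client that has completed publickey and keyboard-interactive but not password is still rejected.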
== Password authentication using <code>sshd_config</code> ==

The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly within <code>sshd_config</code>. Only user or group ''names'' are valid; numerical IDs are not recognized. If a pattern takes the form <code>USER@HOST</code> then access is restricted to <code>USER</code> only when originating from <code>HOST</code>.

;<code>DenyUsers PATTERN PATTERN ...</code>
:Login is forbidden for users whose username matches one of the patterns.
;<code>AllowUsers PATTERN PATTERN ...</code>
:Login is permitted only to users whose username matches one of the patterns.
;<code>DenyGroups PATTERN PATTERN ...</code>
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns.
;<code>AllowGroups PATTERN PATTERN ...</code>
:Login is permitted only to users whose primary group or supplementary group list matches one of the patterns.
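As an added example (Python, not from the wiki page or from OpenSSH), the following evaluator applies the four directives in the order listed above and reports which one decided the outcome, including the <code>USER@HOST</code> form. The sample configuration is constructed; the pattern matcher is a simplification that implements only the <code>*</code> and <code>?</code> wildcards, and the <code>HOST</code> part is compared against both the client's resolved hostname and its address.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the four directives as they might appear in sshd_config.
SAMPLE_CONFIG = """\
# constructed example, not a real site's policy
DenyUsers guest* contractor@*.example.net
AllowUsers admin deploy@10.0.0.*
DenyGroups nologin
AllowGroups wheel ops
"""

DIRECTIVES = {"denyusers": "deny_users", "allowusers": "allow_users",
              "denygroups": "deny_groups", "allowgroups": "allow_groups"}


def _glob(pattern: str) -> re.Pattern[str]:
    """Compile an sshd-style pattern: '*' matches any string, '?' one character.
    (Simplification: the '!' negation some OpenSSH versions accept is not implemented.)"""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")


def _user_pattern_matches(pattern: str, user: str, host: str, addr: str) -> bool:
    """USER@HOST restricts the match to USER arriving from HOST; the HOST part is
    compared to both the resolved client hostname and its IP address."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        host_ok = _glob(host_pat).match(host) or _glob(host_pat).match(addr)
        return bool(_glob(user_pat).match(user)) and bool(host_ok)
    return bool(_glob(pattern).match(user))


@dataclass
class AccessPolicy:
    deny_users: list[str] = field(default_factory=list)
    allow_users: list[str] = field(default_factory=list)
    deny_groups: list[str] = field(default_factory=list)
    allow_groups: list[str] = field(default_factory=list)

    @classmethod
    def from_config(cls, text: str) -> AccessPolicy:
        """Collect the patterns of the four directives; keywords are case-insensitive,
        comments and blank lines are ignored."""
        policy = cls()
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split(None, 1)
            if len(parts) == 2 and parts[0].lower() in DIRECTIVES:
                getattr(policy, DIRECTIVES[parts[0].lower()]).extend(parts[1].split())
        return policy

    def decide(self, user: str, groups: list[str], host: str, addr: str) -> tuple[bool, str]:
        """Evaluate in the order given on this page and report which directive decided."""
        if any(_user_pattern_matches(p, user, host, addr) for p in self.deny_users):
            return False, "DenyUsers"
        if self.allow_users and not any(_user_pattern_matches(p, user, host, addr)
                                        for p in self.allow_users):
            return False, "AllowUsers"
        if any(_glob(p).match(g) for p in self.deny_groups for g in groups):
            return False, "DenyGroups"
        if self.allow_groups and not any(_glob(p).match(g)
                                         for p in self.allow_groups for g in groups):
            return False, "AllowGroups"
        return True, "allowed"


if __name__ == "__main__":
    policy = AccessPolicy.from_config(SAMPLE_CONFIG)
    print(policy.decide("deploy", ["ops"], "ci.corp", "10.0.0.7"))
    print(policy.decide("deploy", ["ops"], "ci.corp", "192.168.1.7"))
```

Note that an <code>AllowUsers</code> line is a whitelist: once it is present, a user that matches no pattern is refused even if no <code>DenyUsers</code> pattern names them, which is why the order of evaluation matters when reading a policy.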
== Public key authentication ==

<code>AuthorizedKeysFile</code>

<code>AuthorizedKeysCommand</code>

<code>AuthorizedKeysCommandUser</code>

== Host based authentication ==
= Access control =

== Controlling root access ==

Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.

=== Permit empty passwords ===

Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.

Other <code>sshd_config</code> directives relevant to authentication and access control:

* <code>ChallengeResponseAuthentication</code>
* <code>Ciphers</code>
* <code>GSSAPIAuthentication</code>
* <code>GSSAPICleanupCredentials</code>
* <code>GSSAPIStrictAcceptorCheck</code>
* <code>HostBasedAuthentication</code>
* <code>HostBasedUsesNameFromPacketOnly</code>
* <code>HostCertificate</code>
* <code>HostKey</code>
* <code>HostKeyAgent</code>
* <code>LoginGraceTime</code>
* <code>MACs</code>
* <code>MaxAuthTries</code>
* <code>MaxSessions</code>
* <code>MaxStartups</code>
* <code>PasswordAuthentication</code>
* <code>PermitEmptyPasswords</code>
* <code>PubkeyAuthentication</code>
* <code>RevokedKeys</code>
* <code>RhostsRSAAuthentication</code>
* <code>RSAAuthentication</code>
* <code>TrustedUserCAKeys</code>
* <code>UseLogin</code>
* <code>UsePAM</code>
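As an added example (Python, not from the wiki page or from OpenSSH), here is a small checker for the directives discussed on this page. It resolves the effective global value of each directive the way sshd reads <code>sshd_config</code> (comments ignored, the first occurrence of a keyword wins, keywords are case-insensitive, and a <code>Match</code> block only applies conditionally so parsing stops there) and reports where the result deviates from a hardened baseline. The sample configuration is constructed; the defaults marked <code>(page)</code> come from this page, the others and the baseline values are assumptions.

```python
from __future__ import annotations

# Constructed sample: the relevant lines of an sshd_config, with commented-out
# defaults shown the way the X11 section on this page shows them.
SAMPLE_CONFIG = """\
#Protocol 2
#PasswordAuthentication yes
PermitRootLogin yes
#PermitEmptyPasswords no
#X11Forwarding no
X11Forwarding yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

# Values that apply when a directive is absent. (page) = stated on this page;
# the rest are assumptions about OpenSSH's own defaults.
DEFAULTS = {
    "protocol": "2",                   # (page)
    "passwordauthentication": "yes",   # (page)
    "permitemptypasswords": "no",      # assumption
    "permitrootlogin": "yes",          # assumption: older OpenSSH default
    "x11forwarding": "no",             # (page)
    "maxauthtries": "6",               # assumption
}

# Hardened baseline to compare against: (wanted value, reason).
BASELINE = {
    "protocol": ("2", "SSH-1 is obsolete; allow Protocol 2 only"),
    "passwordauthentication": ("no", "use public keys (AuthorizedKeysFile) instead of passwords"),
    "permitemptypasswords": ("no", "never accept blank passwords"),
    "permitrootlogin": ("no", "log in as an unprivileged user and escalate"),
    "x11forwarding": ("no", "enable only on hosts that need remote X sessions"),
    "maxauthtries": ("3", "fewer guesses per connection before sshd disconnects"),
}


def effective_settings(text: str) -> dict[str, str]:
    """Resolve the global value of each directive as sshd does.

    Comments and blank lines are ignored, the FIRST occurrence of a keyword
    wins, keywords are case-insensitive, and parsing stops at the first Match
    block because values inside it are conditional, not global.
    """
    settings = dict(DEFAULTS)
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit(text: str) -> list[tuple[str, str, str, str]]:
    """Return (directive, current, recommended, reason) for every deviation."""
    settings = effective_settings(text)
    findings = []
    for key, (want, why) in BASELINE.items():
        have = settings[key]
        if key == "maxauthtries":
            bad = int(have) > int(want)      # numeric: anything above the limit
        else:
            bad = have.lower() != want       # yes/no style directives
        if bad:
            findings.append((key, have, want, why))
    return findings


if __name__ == "__main__":
    for directive, have, want, why in audit(SAMPLE_CONFIG):
        print(f"{directive}: is {have!r}, recommend {want!r} ({why})")
```

On the sample the checker flags <code>PasswordAuthentication</code> (still the default <code>yes</code>, because the <code>no</code> inside the <code>Match</code> block only covers one user), <code>PermitRootLogin</code>, <code>X11Forwarding</code> (the active line, not the commented one, counts) and <code>MaxAuthTries</code>. To audit a real host, read <code>/etc/ssh/sshd_config</code> into <code>audit()</code> instead of the sample.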
= X11 Forwarding =

By default X11 forwarding is disabled in OpenSSHd.

If you would like to forward X11 from your Funtoo box to a remote system you must first edit your <code>/etc/ssh/sshd_config</code> file and change

<pre>
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
</pre>

to

<pre>
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
</pre>

X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded.

[[Category:Networking]]