{{Ebuild
|Summary=Port of OpenBSD's free SSH release
|CatPkg=net-misc/openssh
|Homepage=http://www.openssh.com/
}}
= Introduction =

SSH is a cryptographic network protocol that provides confidential data transmission between two networked computers. There are two protocol versions: SSH-1 and SSH-2.

= Default Installation =

Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.

By default, login via the SSH daemon is allowed on port 22 for all users with any valid username and password combination.

= Service configuration =

There are two means of configuring <code>sshd</code>. The first is required, the second is optional.

# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. in text files.

= Protocol version selection =

The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.

e.g. <code>Protocol 2</code>

= Cipher selection =

The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.

= User Authentication =

== Single authentication method ==

# Password authentication<br/>This is enabled by '''''default'''''; it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
# Public key authentication<br/>This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.

=== Passwordless Authentication ===

==== Client ====

On your client, run:

<console>###i## ssh-keygen -t rsa</console>

Dialogs will be presented; you can press enter several times to accept the defaults.

<code>~/.ssh/id_rsa.pub</code> will be generated. Copy or append the contents of this file to the server's <code>~/.ssh/authorized_keys</code>.

==== Server ====

Create a user, or select which user the client will be accessing the server as, then place the contents of the client's <code>id_rsa.pub</code> file into that user's <code>~/.ssh/authorized_keys</code>.

==== Single Machine Testing ====

<console>###i## ssh-keygen -t rsa</console>

Press enter several times to accept the default settings.

<console>###i## cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys</console>

<console>###i## ssh localhost</console>
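The server-side step of the procedure above (placing the client's public key into the user's <code>authorized_keys</code>) can be automated. The following is an added example written for this page, not code from the Funtoo wiki or from OpenSSH. It assumes a home directory path and a public key line supplied by the caller (the key below is a constructed placeholder, not a real key), appends the key only if the same key is not already present, and sets the <code>0700</code>/<code>0600</code> permissions that sshd's default <code>StrictModes</code> check expects before it will honour the file.

```python
# Added example (not from the Funtoo wiki or OpenSSH): installs a public key
# line into <home>/.ssh/authorized_keys with the permissions sshd expects.
import os
import stat
import tempfile

# Constructed sample key line in the format ssh-keygen writes to id_rsa.pub;
# the base64 blob is a placeholder, not a real key.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleplaceholderblob user@client"


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys unless a key with the
    same type and blob is already there. Returns True if added, False if not.

    With StrictModes (the default), sshd ignores authorized_keys when ~/.ssh
    or the file is writable by others, so permissions are set explicitly.
    """
    key = pubkey_line.strip()
    parts = key.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line: %r" % pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as fh:
            existing = [ln.split() for ln in fh if ln.strip() and not ln.startswith("#")]
    # Compare key type and blob only; a different trailing comment is not a new key.
    if any(e[:2] == parts[:2] for e in existing):
        os.chmod(path, 0o600)
        return False
    with open(path, "a") as fh:
        fh.write(key + "\n")
    os.chmod(path, 0o600)
    return True


def authorized_key_count(home):
    """Number of key lines (comments and blanks excluded) in authorized_keys."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return 0
    with open(path) as fh:
        return sum(1 for ln in fh if ln.strip() and not ln.startswith("#"))


def run_demo():
    """Install the sample key twice into a throw-away home directory and report
    (added_first, added_second, key_count, ssh_dir_mode, file_mode)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, SAMPLE_PUBKEY)
        second = install_authorized_key(home, SAMPLE_PUBKEY + " ")
        count = authorized_key_count(home)
        dir_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh")).st_mode)
        file_mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode)
        return first, second, count, dir_mode, file_mode


if __name__ == "__main__":
    print(run_demo())
```

The duplicate check compares only the key type and the base64 blob, so re-running the script with a key whose comment was edited does not create a second entry; the <code>cp</code> in the single-machine test above would instead overwrite any keys already in the file.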

# Host-based authentication

== Requiring multiple authentication factors ==

These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication methods. To tell the daemon that you wish to require more than one method, use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma-separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.

# password
# publickey
# keyboard-interactive

e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>
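To check what a given <code>AuthenticationMethods</code> value actually demands before deploying it, the following added example (written for this page; it is not OpenSSH code) parses the directive into its lists and reports whether a set of completed methods satisfies the rule stated above. It checks completion only, not the order in which sshd would prompt for the methods, and the set of recognised method names is the one sshd accepts.

```python
# Added example (not from the Funtoo wiki or OpenSSH): model the
# AuthenticationMethods rule "every method in at least one list".
KNOWN_METHODS = {"password", "publickey", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic", "none"}


def parse_authentication_methods(directive):
    """Turn an AuthenticationMethods value into a list of method lists.

    Accepts either the bare value or the whole sshd_config line, with or
    without the surrounding quotes, e.g.
      'password,publickey password,keyboard-interactive'
      -> [['password', 'publickey'], ['password', 'keyboard-interactive']]
    The value 'any' (sshd's default) yields [] meaning no extra requirement.
    """
    value = directive.strip()
    if value.lower().startswith("authenticationmethods"):
        value = value.split(None, 1)[1] if len(value.split(None, 1)) > 1 else ""
    value = value.strip().strip('"')
    if value.lower() in ("", "any"):
        return []
    lists = []
    for group in value.split():            # lists are separated by spaces
        methods = [m.strip() for m in group.split(",") if m.strip()]
        unknown = set(methods) - KNOWN_METHODS
        if unknown:
            raise ValueError("unknown authentication method(s): %s" % sorted(unknown))
        lists.append(methods)
    return lists


def is_satisfied(lists, completed):
    """True if every method in at least one list has been completed."""
    done = set(completed)
    if not lists:
        return True                         # default: no multi-factor requirement
    return any(all(m in done for m in methods) for methods in lists)


if __name__ == "__main__":
    policy = parse_authentication_methods(
        'AuthenticationMethods "password,publickey password,keyboard-interactive"')
    print(policy)
    print(is_satisfied(policy, ["password"]))               # False: one factor only
    print(is_satisfied(policy, ["password", "publickey"]))  # True: first list complete
```

With the page's example value, a client that completes only <code>password</code> is refused, while <code>password</code> plus either <code>publickey</code> or <code>keyboard-interactive</code> is accepted; <code>publickey</code> plus <code>keyboard-interactive</code> is refused because neither list is complete.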

== Password authentication using <code>sshd_config</code> ==

The following 4 directives are listed in the order in which OpenSSH evaluates them. They are configured directly within <code>sshd_config</code>. Only user or group ''names'' are valid; numerical IDs are not recognized. If a pattern takes the form <code>USER@HOST</code> then access is restricted to <code>USER</code> only when originating from <code>HOST</code>.

;<code>DenyUsers PATTERN PATTERN ...</code>
:Login is forbidden for users whose username matches one of the patterns
;<code>AllowUsers PATTERN PATTERN ...</code>
:Login is permitted to users whose username matches one of the patterns
;<code>DenyGroups PATTERN PATTERN ...</code>
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
;<code>AllowGroups PATTERN PATTERN ...</code>
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns
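Because the four directives are evaluated in the order listed, a user can be refused by <code>DenyUsers</code> even though <code>AllowUsers</code> would admit them, and an <code>AllowUsers</code> list that is present but does not match is itself a refusal. The following added example (written for this page; it is not OpenSSH code) models that evaluation order so a policy can be checked before it is put in <code>sshd_config</code>. It assumes the caller supplies the user's group list rather than reading <code>/etc/group</code>, uses Python's <code>fnmatch</code> for the <code>*</code> and <code>?</code> wildcards (it additionally accepts <code>[...]</code> classes, which sshd does not), matches the <code>HOST</code> part of a <code>USER@HOST</code> pattern against both the client's hostname and its address, and the sample policy below is constructed.

```python
# Added example (not from the Funtoo wiki or OpenSSH): reimplements the
# DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups evaluation order.
from fnmatch import fnmatchcase


def _match_user(pattern, user, host, addr):
    """Match one PATTERN (plain or USER@HOST) against a login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatchcase(user, user_pat)
                and (fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat)))
    return fnmatchcase(user, pattern)


def login_permitted(config, user, groups, host="", addr=""):
    """Return (allowed, reason) for `user`, whose groups are given as a list
    with the primary group first. `config` maps directive name -> list of
    patterns; a directive that is absent imposes no restriction, as in sshd."""
    groups = list(groups)
    for pat in config.get("DenyUsers", []):
        if _match_user(pat, user, host, addr):
            return False, "DenyUsers matched %r" % pat
    allow_users = config.get("AllowUsers", [])
    if allow_users and not any(_match_user(p, user, host, addr) for p in allow_users):
        return False, "not listed in AllowUsers"
    for pat in config.get("DenyGroups", []):
        if any(fnmatchcase(g, pat) for g in groups):
            return False, "DenyGroups matched %r" % pat
    allow_groups = config.get("AllowGroups", [])
    if allow_groups and not any(fnmatchcase(g, p) for p in allow_groups for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "permitted"


# Constructed sample policy: 'admin' may log in from anywhere, everyone else
# only from the 192.168.1.0/24 LAN, 'guest' never, members of 'nologin' never,
# and a user must be in 'wheel' or 'users'.
SAMPLE_CONFIG = {
    "DenyUsers": ["guest"],
    "AllowUsers": ["admin", "*@192.168.1.*"],
    "DenyGroups": ["nologin"],
    "AllowGroups": ["wheel", "users"],
}

if __name__ == "__main__":
    attempts = [
        ("admin", ["wheel"], "203.0.113.5"),
        ("alice", ["users"], "192.168.1.20"),
        ("alice", ["users"], "203.0.113.5"),
        ("guest", ["users"], "192.168.1.20"),
        ("bob", ["users", "nologin"], "192.168.1.9"),
    ]
    for user, groups, addr in attempts:
        print(user, addr, login_permitted(SAMPLE_CONFIG, user, groups, addr=addr))
```

The returned reason names the directive that decided the outcome, which is the same information you would otherwise have to dig out of sshd's log after a refused login.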

== Public key authentication ==

<code>AuthorizedKeysFile</code>

<code>AuthorizedKeysCommand</code>

<code>AuthorizedKeysCommandUser</code>

== Host based authentication ==

= Access control =

== Controlling root access ==

Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.

=== Permit empty passwords ===

Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.

ChallengeResponseAuthentication

Ciphers

GSSAPIAuthentication

GSSAPICleanupCredentials

GSSAPIStrictAcceptorCheck

HostBasedAuthentication

HostBasedUsesNameFromPacketOnly

HostCertificate

HostKey

HostKeyAgent

LoginGraceTime

MACs

MaxAuthTries

MaxSessions

MaxStartups

PasswordAuthentication

PermitEmptyPasswords

PubkeyAuthentication

RevokedKeys

RhostsRSAAuthentication

RSAAuthentication

TrustedUserCAKeys

UseLogin

UsePAM

= X11 Forwarding =

By default, X11 forwarding is disabled in OpenSSH's sshd.

If you would like to forward X11 from your Funtoo box to a remote system, you must first edit your <code>/etc/ssh/sshd_config</code> file and change

<pre>
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
</pre>

to

<pre>
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
</pre>

X forwarding will now be enabled from that machine, so if you connect from your remote host with 'ssh -X <user>@<ipaddress>', X sessions will be forwarded.
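The edit above is the common case of turning a commented-out default in <code>sshd_config</code> into an explicit setting. The following added example (written for this page; it is not part of the wiki or of OpenSSH) does that change on the text of the file: it replaces the first top-level occurrence of a directive, commented or not, with the requested value, drops any later top-level duplicate (sshd honours only the first), leaves directives inside a <code>Match</code> block untouched because those apply only to that block, and appends the line before the first <code>Match</code> block if the directive was absent. It generalises from the three X11 directives to any directive name; the sample configuration is constructed, and writing the result back to <code>/etc/ssh/sshd_config</code> and restarting sshd is left to the caller.

```python
# Added example (not from the Funtoo wiki or OpenSSH): set a top-level
# sshd_config directive, un-commenting a commented default when present.
import re

# Constructed sample sshd_config; the Match block must not be touched.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PasswordAuthentication yes
Match User backup
    X11Forwarding no
"""

_MATCH_RE = re.compile(r"^match\b", re.IGNORECASE)


def set_directive(config_text, name, value):
    """Return config_text with `name value` set at top level (names are
    case-insensitive, as in sshd). A leading comment line that merely starts
    with the directive name is treated as the commented default and replaced."""
    pattern = re.compile(r"^\s*#?\s*" + re.escape(name) + r"(\s|$)", re.IGNORECASE)
    out, done, in_match, insert_at = [], False, False, None
    for line in config_text.splitlines():
        if _MATCH_RE.match(line.strip()):
            in_match = True                      # everything after this is block-scoped
            if insert_at is None:
                insert_at = len(out)             # remember where the top level ends
        if not in_match and pattern.match(line):
            if not done:
                out.append("%s %s" % (name, value))
                done = True
            continue                             # drop later top-level duplicates
        out.append(line)
    if not done:
        line = "%s %s" % (name, value)
        out.append(line) if insert_at is None else out.insert(insert_at, line)
    return "\n".join(out) + "\n"


def get_directive(config_text, name):
    """Effective top-level value of `name`, or None if absent or commented out."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if _MATCH_RE.match(stripped):
            break
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == name.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


if __name__ == "__main__":
    cfg = SAMPLE_SSHD_CONFIG
    for directive, val in (("X11Forwarding", "yes"),
                           ("X11DisplayOffset", "10"),
                           ("X11UseLocalhost", "yes")):
        cfg = set_directive(cfg, directive, val)
    print(cfg)
```

After a change like this, <code>sshd -t</code> checks the file for syntax errors before the service is restarted, and <code>sshd -T</code> prints the effective value of every directive so the result can be confirmed.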

== Intrusion Prevention ==

SSH is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs and blacklists remote hosts that have repeatedly failed to log in.

[[Category:Networking]]

{{EbuildFooter}}