Difference between revisions of "SSH"


Revision as of 12:56, December 19, 2013

Default Installation

Funtoo uses the OpenSSH daemon to provide the SSH service by default. sshd is a member of OpenRC's default runlevel, so it is started at boot.

By default sshd listens on port 22 and permits login for any user who presents a valid username and password combination. A password-accepting sshd reachable from the internet is a standing brute-force target, so restrict who may log in with the directives described below and consider disabling password authentication in favour of public key authentication.

Service configuration

There are two means of configuring sshd. The first is required, the second is optional.

  1. sshd reads its configuration data from /etc/ssh/sshd_config by default (another file can be selected with sshd -f).
  2. sshd may be configured to use PAM by setting UsePAM yes in sshd_config.
    PAM can then grant or deny access in addition to sshd's own checks, for example with pam_listfile, which compares the user name against a plain text list of allowed or denied names.

User Authentication

There are three main means of authenticating a client:

  1. Password authentication
    Enabled by default; controlled by the PasswordAuthentication directive, which takes yes or no.
  2. Public key authentication
    Enabled by default; controlled by the PubkeyAuthentication directive.
  3. Host-based authentication
    Disabled by default; controlled by the HostbasedAuthentication directive.

Challenge-response (keyboard-interactive) and GSSAPI authentication also exist; their directives are listed with the others further down.

Controlling access by sshd_config

The following four directives are listed in the order in which OpenSSH evaluates them. They are configured directly within sshd_config. Only user or group names are valid; numeric IDs are not recognized. Patterns may contain the wildcards * and ?. If a pattern takes the form USER@HOST, it matches USER only when the connection originates from HOST (a host name or address, which may itself contain wildcards). A user rejected by an earlier directive is not reconsidered by a later one, and once an AllowUsers or AllowGroups list exists, every user it does not match is refused.

DenyUsers PATTERN PATTERN ...
Login is forbidden for users whose username matches one of the patterns.
AllowUsers PATTERN PATTERN ...
Login is permitted only to users whose username matches one of the patterns.
DenyGroups PATTERN PATTERN ...
Login is forbidden for users whose primary group or supplementary group list matches one of the patterns.
AllowGroups PATTERN PATTERN ...
Login is permitted only to users whose primary group or supplementary group list matches one of the patterns.
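To see how the four directives interact, the following Python script re-implements sshd's evaluation order and runs a set of hypothetical logins against a constructed sshd_config fragment. It is an added example, not code from this wiki page or from OpenSSH; the user names, groups and addresses in it are invented, and it models only the * and ? wildcards and the USER@HOST form (pattern negation with !, CIDR host patterns and Match blocks are left out).

```python
"""Model of how sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups.

Added illustration, not OpenSSH code: it re-implements the decision order of
sshd's allowed_user() so a configuration can be checked offline.  Wildcards
'*' and '?' and the USER@HOST form are modelled; '!' negation, CIDR host
patterns and Match blocks are not."""

ACCESS_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def match_pattern(s: str, pat: str) -> bool:
    """Glob match with only '*' and '?' as wildcards, like sshd's matcher."""
    if not pat:
        return not s
    if pat[0] == "*":
        rest = pat.lstrip("*")              # consecutive stars act as one
        if not rest:
            return True
        return any(match_pattern(s[i:], rest) for i in range(len(s) + 1))
    if not s:
        return False
    if pat[0] == "?" or pat[0] == s[0]:
        return match_pattern(s[1:], pat[1:])
    return False


def match_user(user: str, host: str, addr: str, patterns) -> bool:
    """True if a pattern matches the user name; a USER@HOST pattern also
    needs the client's host name or address to match its HOST part."""
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if match_pattern(user, upat) and (
                match_pattern(host, hpat) or match_pattern(addr, hpat)
            ):
                return True
        elif match_pattern(user, pat):
            return True
    return False


def match_groups(groups, patterns) -> bool:
    """True if any group (primary or supplementary) matches a pattern."""
    return any(match_pattern(g, p) for g in groups for p in patterns)


def parse_access_directives(config_text: str) -> dict:
    """Collect the four list keywords from sshd_config text.  Keywords are
    case-insensitive and repeated lines append to the same list."""
    cfg = {key: [] for key in ACCESS_KEYS}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() in cfg:
            cfg[parts[0].lower()].extend(parts[1:])
    return cfg


def allowed_user(cfg: dict, user: str, groups, host: str = "", addr: str = ""):
    """Apply the directives in sshd's order; return (allowed, deciding rule).

    Only names are compared, never numeric IDs, and an Allow* list, once
    present, refuses everyone it does not match."""
    if cfg["denyusers"] and match_user(user, host, addr, cfg["denyusers"]):
        return False, "DenyUsers"
    if cfg["allowusers"] and not match_user(user, host, addr, cfg["allowusers"]):
        return False, "AllowUsers"
    if cfg["denygroups"] and match_groups(groups, cfg["denygroups"]):
        return False, "DenyGroups"
    if cfg["allowgroups"] and not match_groups(groups, cfg["allowgroups"]):
        return False, "AllowGroups"
    return True, "allowed"


# Constructed sshd_config fragment; the names and addresses are invented.
SAMPLE_CONFIG = """
# refuse a shared account and anyone coming from a hostile network
DenyUsers   guest  *@203.0.113.*
# only these accounts may log in; deploy only from the management subnet
AllowUsers  admin  ops-?  deploy@10.0.0.*
DenyGroups  contractors
AllowGroups wheel  ops
"""


def demo():
    """Evaluate hypothetical logins against SAMPLE_CONFIG."""
    cfg = parse_access_directives(SAMPLE_CONFIG)
    cases = [
        ("admin",  ["wheel"],              "10.0.0.5"),     # allowed
        ("guest",  ["wheel"],              "10.0.0.5"),     # DenyUsers
        ("admin",  ["wheel"],              "203.0.113.9"),  # DenyUsers, *@HOST
        ("bob",    ["wheel"],              "10.0.0.5"),     # not in AllowUsers
        ("ops-1",  ["ops", "contractors"], "10.0.0.5"),     # DenyGroups
        ("ops-10", ["ops"],                "10.0.0.5"),     # '?' is one character
        ("deploy", ["ops"],                "192.0.2.1"),    # wrong source network
    ]
    return [(u, allowed_user(cfg, u, g, addr=a)) for u, g, a in cases]


if __name__ == "__main__":
    for user, (ok, rule) in demo():
        print(f"{user:8} {'ALLOW' if ok else 'DENY'}  ({rule})")
```

Two details the output makes visible: ops-10 is refused although ops-1 is admitted, because ? stands for exactly one character, and admin is refused from 203.0.113.9 although AllowUsers names it, because DenyUsers is consulted first. For the daemon's own verdict on a real configuration, sshd -T with -C user=...,host=...,addr=... prints the effective settings for that connection.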

Public key authentication

Controlled by the PubkeyAuthentication directive, which is yes by default. The client signs a challenge with a private key, and sshd accepts the login if the matching public key is listed in the user's authorized_keys file (~/.ssh/authorized_keys unless AuthorizedKeysFile says otherwise). Because there is no password to guess, this is the method to prefer when PasswordAuthentication is turned off.

Host based authentication

Controlled by the HostbasedAuthentication directive, which is no by default. The client host, rather than the user, proves its identity with its host key, and sshd consults /etc/ssh/shosts.equiv or the user's ~/.shosts to decide whether that host is trusted. It is rarely appropriate outside tightly controlled clusters, since it relies on the client host to vouch for which user is connecting.

Access control

Controlling root access

Access by the root user is controlled with the PermitRootLogin directive. It accepts yes (the default in OpenSSH releases before 7.0; later releases default to prohibit-password), without-password (root may log in only with public key authentication; spelled prohibit-password from 7.0 on), forced-commands-only (public key login only, and only with keys whose authorized_keys entry carries a command= option) and no. Unless root genuinely needs to log in remotely, set it to no and use su or sudo from an unprivileged account that the Allow directives admit.

Other authentication and access-related directives accepted by sshd_config, not yet covered on this page:

AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, ChallengeResponseAuthentication, Ciphers, GSSAPIAuthentication, GSSAPICleanupCredentials, GSSAPIStrictAcceptorCheck, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, HostCertificate, HostKey, HostKeyAgent, LoginGraceTime, MACs, MaxAuthTries, MaxSessions, MaxStartups, PasswordAuthentication, PermitEmptyPasswords, PubkeyAuthentication, RevokedKeys, RhostsRSAAuthentication, RSAAuthentication, TrustedUserCAKeys, UseLogin, UsePAM

X11 Forwarding

By default X11 forwarding is disabled in OpenSSH's sshd.

If you want X applications started on your Funtoo box (the SSH server) to display on the machine you connect from, first edit /etc/ssh/sshd_config.

change

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes

to

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

Check the file with sshd -t and restart the daemon with rc-service sshd restart so the change takes effect. The xauth program must be installed on the Funtoo box, since sshd uses it to set up the authentication cookie for the forwarded display.

X forwarding is now enabled on that machine: connect from the remote with 'ssh -X <user>@<ipaddress>' and X sessions will be forwarded. Keep in mind that forwarding gives the server side access to your X display: ssh -X is meant to confine remote clients with the X11 SECURITY extension, while ssh -Y grants trusted, unrestricted access, so only enable it towards hosts you trust.
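The settings discussed on this page (PermitRootLogin, PasswordAuthentication together with PAM, and X11Forwarding) are easy to get wrong for two reasons: sshd keeps the first value it finds for a single-value keyword, so a hardening line appended below an earlier permissive one does nothing, and everything after a Match line applies only to connections matching that block. The following Python script is an added example, not part of this page or of OpenSSH: it reads the global section of constructed sshd_config texts with those two rules and reports what a hardening review would flag. The configurations it embeds are invented, and the defaults it assumes for absent keywords are noted in its comments (PermitRootLogin's default changed in OpenSSH 7.0, so it is reported whenever it is not set explicitly).

```python
"""Audit the security-relevant global settings of an sshd_config.

Added illustration, not OpenSSH code.  Two sshd parsing rules drive it: for a
single-value keyword the FIRST value in the file wins, and everything after a
Match line applies only to connections matching that block, so only the
global section is assessed here."""

# Value sshd assumes when the keyword is absent (OpenSSH's documented defaults).
# PermitRootLogin is deliberately missing: it defaulted to "yes" before
# OpenSSH 7.0 and to "prohibit-password" from 7.0 on, so an unset value is
# reported instead of guessed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # KbdInteractiveAuthentication in 8.7+
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "usepam": "no",   # compile-time default; distribution packages often ship "yes"
}


def global_settings(config_text: str) -> dict:
    """Return {keyword: value} for the global section, lower-cased, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":        # conditional section begins; the global part is over
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # keep the first occurrence, as sshd does
    return settings


def audit_sshd_config(config_text: str) -> list:
    """Return (keyword, explanation) pairs for settings a hardening review would flag."""
    s = global_settings(config_text)

    def effective(key):
        return s.get(key, DEFAULTS.get(key, ""))

    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin", "unset; the default depends on the OpenSSH version, set it explicitly"))
    elif root == "yes":
        findings.append(("PermitRootLogin", "root may log in with a password; use no, or without-password for key-only"))

    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "password logins accepted; a brute-force target, prefer public keys"))
    elif effective("usepam") == "yes" and effective("challengeresponseauthentication") == "yes":
        findings.append(("ChallengeResponseAuthentication", "keyboard-interactive via PAM still prompts for a password although PasswordAuthentication is off"))

    if effective("permitemptypasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with an empty password can log in"))

    if effective("x11forwarding") == "yes":
        findings.append(("X11Forwarding", "enabled; a compromised server can reach the connecting client's X display"))
    return findings


def flagged_keywords(config_text: str) -> list:
    """Just the keyword names, handy for scripting."""
    return [keyword for keyword, _ in audit_sshd_config(config_text)]


# Constructed configurations for the demonstration; none is a real file.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
# appended later by an administrator, but sshd keeps the earlier "yes" above
PasswordAuthentication no
"""

PAM_GOTCHA_CONFIG = """
PasswordAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
AllowGroups wheel
Match User backup
    PasswordAuthentication yes   # conditional; needs its own review, not covered here
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("pam gotcha", PAM_GOTCHA_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(f"{name:11}", flagged_keywords(text) or "no findings")
```

To run it against a live system, pass the contents of /etc/ssh/sshd_config to audit_sshd_config(); the daemon's own view of the effective configuration, including defaults compiled into that build, comes from sshd -T and is the authoritative check. The PAM finding is the one most often missed: with UsePAM yes, turning off PasswordAuthentication alone still leaves password prompts reachable through keyboard-interactive authentication until ChallengeResponseAuthentication is set to no as well.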