Difference between pages "Package:OpenSSH" and "Package talk:OpenSSH"

(Difference between pages)
m (Threesixes moved page SSH to Package:OpenSSH: because heretics)
 
m (Threesixes moved page Talk:SSH to Package talk:OpenSSH: because heretics)
 
Line 1: Line 1:
= Introduction =
+
== keys ==
SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2.
+
=== Passwordless Authentication ===
 +
==== Client ====
 +
on your client run
 +
<console>###i## ssh-keygen -t rsa</console>
 +
then hit enter like 5 times to generate your key
 +
move the client ~/.ssh/id_rsa.pub to the server user your logging in as ~/.ssh/authorized_keys
  
= Default Installation =
+
==== Server ====
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.
+
useradd a user
  
By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.
+
then place clients id_rsa.pub file into the new users ~/.ssh/authorized_keys
  
= Service configuration =
+
==== Single Machine Testing ====
There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional.
+
<console>###i## ssh-keygen -t rsa</console>
 +
enter 5 times
  
# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
+
<console>###i## mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys</console>
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.
+
<console>###i## ssh localhost</console>
  
= Protocol version selection =
 
The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.
 
  
e.g. <code>Protocol 2</code>
+
== Intrusion Prevention ==
 
+
ssh is a commonly attacked service. [[sshguard]] & [[fail2ban]] monitor logs and black list remote users who have repeatedly failed to login.
= Cipher selection =
+
The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.
+
 
+
= User Authentication =
+
== Single authentication method ==
+
# Password authentication<br/>This is enabled by '''''default''''', it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
+
# Public key authentication
+
This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.
+
 
+
 
+
# Host-based authentication
+
== Requiring multiple authentication factors ==
+
These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.
+
 
+
# password
+
# publickey
+
# keyboard-interactive
+
 
+
e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>
+
== Password authentication using <code>sshd_config</code> ==
+
The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within <code>sshd_config</code>. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>.
+
 
+
;<code>DenyUsers PATTERN PATTERN ...</code>
+
:Login is forbidden for users whose username matches one of the patterns
+
 
+
;<code>AllowUsers PATTERN PATTERN ...</code>
+
:Login is permitted to users whose username matches one of the patterns
+
 
+
;<code>DenyGroups PATTERN PATTERN ...</code>
+
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
+
 
+
;<code>AllowGroups PATTERN PATTERN ...</code>
+
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns
+
 
+
== Public key authentication ==
+
<code>AuthorizedKeysFile</code>
+
<code>AuthorizedKeysCommand</code>
+
<code>AuthorizedKeysCommandUser</code>
+
 
+
 
+
== Host based authentication ==
+
 
+
= Access control =
+
== Controlling root access ==
+
Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.
+
=== Permit empty passwords ===
+
Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.
+
 
+
 
+
ChallengeResponseAuthentication
+
Ciphers
+
 
+
GSSAPIAuthenticaion
+
GSSAPICleanupCredentials
+
GSSAPIStrictAcceptorCheck
+
HostBasedAuthentication
+
HostBasedUsesNameFromPacketOnly
+
HostCertificate
+
HostKey
+
HostKeyAgent
+
LoginGraceTime
+
MAC
+
MaxAuthTries
+
MaxSessions
+
MaxStartups
+
PasswordAuthentication
+
PermitEmptyPasswords
+
PubkeyAuthentication
+
RevokedKeys
+
RhostsRSAAuthentication
+
RSAAuthentication
+
TrustedUserCAKeys
+
UseLogin
+
UsePAM
+
 
+
= X11 Forwarding =
+
 
+
By default X11 forwarding is disabled in OpenSSHd,
+
 
+
If you would like to forward X11 from your Funtoo box to a remote system you must first edit your /etc/ssh/sshd_config file
+
 
+
change
+
<pre>
+
#X11Forwarding no
+
#X11DisplayOffset 10
+
#X11UseLocalhost yes
+
</pre>
+
to<br />
+
<pre>
+
X11Forwarding yes
+
X11DisplayOffset 10
+
X11UseLocalhost yes
+
</pre>
+
 
+
 
+
X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded
+
 
+
[[Category:Networking]]
+

Revision as of 22:35, December 27, 2014

keys

Passwordless Authentication

Client

on your client run

# ssh-keygen -t rsa

then hit enter like 5 times to generate your key move the client ~/.ssh/id_rsa.pub to the server user your logging in as ~/.ssh/authorized_keys

Server

useradd a user

then place clients id_rsa.pub file into the new users ~/.ssh/authorized_keys

Single Machine Testing

# ssh-keygen -t rsa

enter 5 times

# mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
# ssh localhost


Intrusion Prevention

ssh is a commonly attacked service. sshguard & fail2ban monitor logs and black list remote users who have repeatedly failed to login.