Difference between pages "SSH" and "Package:OpenSSH"

(Difference between pages)
(Threesixes moved page SSH to Package:OpenSSH: because heretics)
 
m
 
Line 1: Line 1:
#REDIRECT [[Package:OpenSSH]]
+
{{Ebuild
 +
|Summary=Port of OpenBSD's free SSH release
 +
|CatPkg=net-misc/openssh
 +
|Homepage=http://www.openssh.com/
 +
}}
 +
 
 +
= Introduction =
 +
SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2.
 +
 
 +
= Default Installation =
 +
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.
 +
 
 +
By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.
 +
 
 +
= Service configuration =
 +
There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional.
 +
 
 +
# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
 +
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.
 +
 
 +
= Protocol version selection =
 +
The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.
 +
 
 +
e.g. <code>Protocol 2</code>
 +
 
 +
= Cipher selection =
 +
The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.
 +
 
 +
= User Authentication =
 +
== Single authentication method ==
 +
# Password authentication<br/>This is enabled by '''''default''''', it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
 +
# Public key authentication
 +
This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.
 +
 
 +
 
 +
# Host-based authentication
 +
== Requiring multiple authentication factors ==
 +
These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.
 +
 
 +
# password
 +
# publickey
 +
# keyboard-interactive
 +
 
 +
e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>
 +
== Password authentication using <code>sshd_config</code> ==
 +
The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within <code>sshd_config</code>. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>.
 +
 
 +
;<code>DenyUsers PATTERN PATTERN ...</code>
 +
:Login is forbidden for users whose username matches one of the patterns
 +
 
 +
;<code>AllowUsers PATTERN PATTERN ...</code>
 +
:Login is permitted to users whose username matches one of the patterns
 +
 
 +
;<code>DenyGroups PATTERN PATTERN ...</code>
 +
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
 +
 
 +
;<code>AllowGroups PATTERN PATTERN ...</code>
 +
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns
 +
 
 +
== Public key authentication ==
 +
<code>AuthorizedKeysFile</code>
 +
<code>AuthorizedKeysCommand</code>
 +
<code>AuthorizedKeysCommandUser</code>
 +
 
 +
 
 +
== Host based authentication ==
 +
 
 +
= Access control =
 +
== Controlling root access ==
 +
Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.
 +
=== Permit empty passwords ===
 +
Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.
 +
 
 +
 
 +
ChallengeResponseAuthentication
 +
Ciphers
 +
 
 +
GSSAPIAuthenticaion
 +
GSSAPICleanupCredentials
 +
GSSAPIStrictAcceptorCheck
 +
HostBasedAuthentication
 +
HostBasedUsesNameFromPacketOnly
 +
HostCertificate
 +
HostKey
 +
HostKeyAgent
 +
LoginGraceTime
 +
MAC
 +
MaxAuthTries
 +
MaxSessions
 +
MaxStartups
 +
PasswordAuthentication
 +
PermitEmptyPasswords
 +
PubkeyAuthentication
 +
RevokedKeys
 +
RhostsRSAAuthentication
 +
RSAAuthentication
 +
TrustedUserCAKeys
 +
UseLogin
 +
UsePAM
 +
 
 +
= X11 Forwarding =
 +
 
 +
By default X11 forwarding is disabled in OpenSSHd,
 +
 
 +
If you would like to forward X11 from your Funtoo box to a remote system you must first edit your /etc/ssh/sshd_config file
 +
 
 +
change
 +
<pre>
 +
#X11Forwarding no
 +
#X11DisplayOffset 10
 +
#X11UseLocalhost yes
 +
</pre>
 +
to<br />
 +
<pre>
 +
X11Forwarding yes
 +
X11DisplayOffset 10
 +
X11UseLocalhost yes
 +
</pre>
 +
 
 +
 
 +
X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded
 +
 
 +
[[Category:Networking]]
 +
 
 +
{{EbuildFooter}}
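Review bot: the bare keyword list added after the "Permit empty passwords" subsection contains two misspelled sshd_config keywords, `GSSAPIAuthenticaion` (the directive is `GSSAPIAuthentication`) and `MAC` (the directive is `MACs`), and the remaining entries carry no explanation at all; either describe each directive or state that the list is a to-do, and do the same for the `== Public key authentication ==` and `== Host based authentication ==` sections, which contain only keyword names or nothing. In the X11 section, of the three lines the reader is told to uncomment only `X11Forwarding yes` changes the daemon's behaviour; `X11DisplayOffset 10` and `X11UseLocalhost yes` repeat sshd's defaults, so the text should say that the first line is the one that matters.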

Revision as of 22:49, December 27, 2014

net-misc/openssh

Source Repository: Funtoo Overlay
Homepage: http://www.openssh.com/
Summary: Port of OpenBSD's free SSH release

Use Flags

bindist: Disable EC/RC5 algorithms in OpenSSL for patent reasons.
hpn: Enable high performance ssh
ldap: Add support for storing SSH public keys in LDAP
ldns: Use LDNS for DNSSEC/SSHFP validation.
sctp: Support for Stream Control Transmission Protocol
X509: Adds support for X.509 certificate authentication


OpenSSH


Introduction

SSH is a cryptographic network protocol that provides confidential data transmission between two networked computers. There are two protocol versions, SSH-1 and SSH-2.

Default Installation

Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of OpenRC's default runlevel.

By default, sshd listens on port 22 and allows login for every user with a valid username and password combination.

Service configuration

There are two ways of configuring sshd. The first is required, the second is optional.

  1. sshd reads its configuration data from /etc/ssh/sshd_config by default.
  2. sshd may additionally be configured to use PAM.
    Permission may be granted or denied via PAM, which allows usernames etc. to be stored in text files.

Protocol version selection

The default protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the Protocol directive.

e.g. Protocol 2

Cipher selection

The Ciphers directive specifies the ciphers allowed for protocol version 2.

User Authentication

Single authentication method

  1. Password authentication
    This is enabled by default and is configured using the PasswordAuthentication directive. Valid parameters are yes or no.
    When PasswordAuthentication yes is configured, the state of the PermitEmptyPasswords directive is also evaluated.
  2. Public key authentication
    This is enabled with combinations of AuthorizedKeysFile, AuthorizedKeysCommand and AuthorizedKeysCommandUser.
  3. Host-based authentication

Requiring multiple authentication factors

These options are only available for SSH-2. By default, a single successful authentication method is sufficient. To require more than one, use the AuthenticationMethods directive. Its value is one or more comma-separated lists of authentication method names, with the lists separated by spaces. Authentication succeeds only when every method in at least one of these lists has been completed.

  1. password
  2. publickey
  3. keyboard-interactive

e.g. AuthenticationMethods "password,publickey password,keyboard-interactive"
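The rule just stated (every method of at least one space-separated list must succeed) is easy to get backwards, so here it is as code. This is an added example, not OpenSSH or Funtoo wiki code; the function names and the sample client sessions are this example's own, and the set of accepted method names is the one sshd recognises for this directive.

```python
"""Evaluate an sshd AuthenticationMethods value as this page describes it:
space-separated alternatives, each a comma-separated list of methods that
must all succeed.  Added example, not OpenSSH or Funtoo wiki code; the
function names and the sample sessions are this example's own.
"""

# Method names this example accepts: the three named on the page plus the
# other names sshd recognises for this directive.
KNOWN_METHODS = {"password", "publickey", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic", "none"}


def parse_authentication_methods(value):
    """Return a list of alternatives, each a list of required methods."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]          # the wiki example quotes the value
    alternatives = []
    for alt in value.split():
        methods = alt.split(",")
        for m in methods:
            if m not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method: {m!r}")
        alternatives.append(methods)
    if not alternatives:
        raise ValueError("AuthenticationMethods needs at least one list")
    return alternatives


def authentication_complete(value, completed):
    """True once every method in at least one alternative has succeeded."""
    done = set(completed)
    return any(all(m in done for m in alt)
               for alt in parse_authentication_methods(value))


def remaining_methods(value, completed):
    """Per alternative, the methods still outstanding; an empty list means
    that alternative is already satisfied."""
    done = set(completed)
    return [[m for m in alt if m not in done]
            for alt in parse_authentication_methods(value)]


if __name__ == "__main__":
    directive = '"password,publickey password,keyboard-interactive"'
    # Constructed sessions: which methods each client has passed so far.
    sessions = {
        "password only":            ["password"],
        "password + key":           ["password", "publickey"],
        "password + interactive":   ["keyboard-interactive", "password"],
        "key + interactive":        ["publickey", "keyboard-interactive"],
    }
    for name, done in sessions.items():
        verdict = "accepted" if authentication_complete(directive, done) else "rejected"
        print(f"{name:24s} {verdict:8s} outstanding={remaining_methods(directive, done)}")
```

The last session shows the point of the directive: two strong-looking methods are not enough if no single list is fully satisfied, because both lists on this page begin with password.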

Password authentication using sshd_config

The following four directives are listed in the order in which OpenSSH evaluates them. They are configured directly within sshd_config. Only user or group names are valid; numerical IDs are not recognized. If a pattern takes the form USER@HOST, access is restricted to USER when connecting from HOST.

DenyUsers PATTERN PATTERN ...
Login is forbidden for users whose username matches one of the patterns
AllowUsers PATTERN PATTERN ...
Login is permitted to users whose username matches one of the patterns
DenyGroups PATTERN PATTERN ...
Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
AllowGroups PATTERN PATTERN ...
Login is permitted to users whose primary group or supplementary group list matches one of the patterns
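Because the four directives are evaluated in a fixed order, a user can be admitted by AllowUsers and still be refused by DenyGroups, and a pattern set by one directive is never overridden by a later one. The following added example (not OpenSSH or Funtoo wiki code; function names and the sample login attempts are this example's own) walks the order for a single attempt and reports which directive decided it. Patterns use the `*` and `?` wildcards sshd accepts, and a USER@HOST pattern matches only when the connection arrives from HOST.

```python
"""Apply DenyUsers, AllowUsers, DenyGroups and AllowGroups in the order
OpenSSH evaluates them.  Added example, not OpenSSH or Funtoo wiki code;
the function names and the sample login attempts are this example's own.
"""
import re


def _compile(pattern):
    """Translate an sshd-style pattern ('*' and '?' wildcards) to a regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.compile(f"^{regex}$")


def _user_matches(pattern, user, host):
    """USER@HOST restricts the user to connections from HOST; a plain
    pattern matches the username only."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return bool(_compile(user_pat).match(user)
                    and _compile(host_pat).match(host))
    return bool(_compile(pattern).match(user))


def _group_matches(pattern, groups):
    rx = _compile(pattern)
    return any(rx.match(g) for g in groups)


def login_permitted(user, groups, host, deny_users=(), allow_users=(),
                    deny_groups=(), allow_groups=()):
    """Return (allowed, directive) for one login attempt.

    'groups' holds the user's primary and supplementary group names.  An
    unset directive imposes nothing; a set Allow* directive admits only
    matches.  Names only: a numeric uid or gid never matches a name pattern.
    """
    if any(_user_matches(p, user, host) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(_user_matches(p, user, host) for p in allow_users):
        return False, "AllowUsers"
    if any(_group_matches(p, groups) for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups and not any(_group_matches(p, groups) for p in allow_groups):
        return False, "AllowGroups"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed policy: no guest accounts, admins only from one subnet,
    # nobody from the 'contractors' group, everyone else must be in 'sshusers'.
    policy = dict(deny_users=["guest*"],
                  allow_users=["admin@10.0.0.*", "*"],
                  deny_groups=["contractors"],
                  allow_groups=["sshusers", "wheel"])
    attempts = [
        ("alice", ["users", "sshusers"], "192.168.1.9"),
        ("guest1", ["users", "sshusers"], "10.0.0.5"),
        ("bob", ["contractors", "sshusers"], "10.0.0.5"),
        ("carol", ["users"], "10.0.0.5"),
    ]
    for user, groups, host in attempts:
        allowed, why = login_permitted(user, groups, host, **policy)
        print(f"{user:8s} from {host:14s} -> {'allow' if allowed else 'deny':5s} ({why})")
```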

Public key authentication

AuthorizedKeysFile
AuthorizedKeysCommand
AuthorizedKeysCommandUser


Host based authentication

Access control

Controlling root access

Access by the root user can be controlled using the PermitRootLogin directive.

Permit empty passwords

Access to accounts with empty (i.e. blank) passwords can be controlled using the PermitEmptyPasswords directive.


Related sshd_config directives:

ChallengeResponseAuthentication
Ciphers
GSSAPIAuthentication
GSSAPICleanupCredentials
GSSAPIStrictAcceptorCheck
HostBasedAuthentication
HostBasedUsesNameFromPacketOnly
HostCertificate
HostKey
HostKeyAgent
LoginGraceTime
MACs
MaxAuthTries
MaxSessions
MaxStartups
PasswordAuthentication
PermitEmptyPasswords
PubkeyAuthentication
RevokedKeys
RhostsRSAAuthentication
RSAAuthentication
TrustedUserCAKeys
UseLogin
UsePAM

X11 Forwarding

By default, X11 forwarding is disabled in sshd.

If you would like to forward X11 from your Funtoo box to a remote system, you must first edit /etc/ssh/sshd_config and change

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes

to

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes


X forwarding is now enabled on that machine: connecting from the remote system with 'ssh -X <user>@<ipaddress>' will forward X sessions.
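The directives covered above (Protocol, Ciphers, PasswordAuthentication, PermitEmptyPasswords, PermitRootLogin, AuthenticationMethods and X11Forwarding) are the ones a reviewer checks first in a sshd_config, and several of them matter most when they are absent, because the daemon's default then applies. The following added example (not Funtoo or OpenSSH code) parses a config the way sshd reads it, first value wins and Match blocks are conditional, and reports the settings worth reviewing. The function names and both sample configs are this example's own, and the small defaults table is an assumption stated in the code.

```python
"""Audit an sshd_config for the directives this page discusses.  Added
example, not Funtoo or OpenSSH code; the function names and the sample
configs are this example's own.
"""
import re

# Values sshd applies when the directive is absent (assumed here; they
# match the behaviour this page describes for these keywords).
DEFAULTS = {
    "protocol": "2",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# 'Keyword value' or 'Keyword=value'; keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of a config.

    Comment and blank lines are skipped.  sshd keeps the first value it
    reads for a keyword, so later duplicates are ignored here too, and
    parsing stops at the first Match block because its lines are conditional.
    """
    cfg = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Return a list of (directive, message) findings to review."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS.get(k))
    findings = []
    if "1" in get("protocol").split(","):
        findings.append(("Protocol", "SSH-1 is enabled; use 'Protocol 2'"))
    if get("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication", "password logins accepted (the default)"))
        if get("permitemptypasswords") == "yes":
            findings.append(("PermitEmptyPasswords", "accounts with blank passwords can log in"))
    if get("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin", "direct root login permitted"))
    if get("x11forwarding") == "yes":
        findings.append(("X11Forwarding", "X11 forwarding enabled"))
    if "ciphers" not in cfg:
        findings.append(("Ciphers", "not set; the daemon's default cipher list applies"))
    if "authenticationmethods" not in cfg:
        findings.append(("AuthenticationMethods", "not set; one successful method is enough"))
    return findings


# Constructed sample configs for the demonstration.
WEAK_CONFIG = """\
# mirrors the out-of-the-box behaviour described on this page
Protocol 2,1
#PasswordAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
"""

HARDENED_CONFIG = """\
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
AuthenticationMethods publickey
AllowGroups sshusers
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, msg in findings:
            print(f"  {directive}: {msg}")
```

Note the commented-out PasswordAuthentication line in the weak sample: the audit still reports it, because an absent directive means the default of yes is in force, exactly as the "Default Installation" section describes.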