Difference between pages "Package:OpenSSH" and "User:Lo0na"

{{Ebuild
|Summary=Port of OpenBSD's free SSH release
|CatPkg=net-misc/openssh
|Homepage=http://www.openssh.com/
}}

= Introduction =

SSH is a cryptographic network protocol for confidential data transmission between two networked computers. There are two protocol versions: SSH-1 and SSH-2.

= Default Installation =

Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.

By default, login via the ssh daemon on port 22 is allowed for all users with any valid username and password combination.

= Service configuration =

There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional.

# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.

= Protocol version selection =

The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.

e.g. <code>Protocol 2</code>

= Cipher selection =

The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.

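Two things about how <code>sshd</code> reads <code>sshd_config</code> matter for the directives above and are worth checking before relying on them: for each keyword the first value found is used and later duplicates are silently ignored, and lines below a <code>Match</code> block apply only conditionally. A <code>Ciphers</code> or <code>PasswordAuthentication</code> line appended to the end of a file that already sets it therefore has no effect. The following shell function is an added example, not code from this page or from OpenSSH; it resolves a directive with those semantics over a constructed configuration fragment (the temp file, its contents and the function name are assumptions of the example). Note also that current OpenSSH releases no longer include SSH-1 support in <code>sshd</code> at all, so the <code>Protocol</code> directive only matters on older versions.

```sh
#!/bin/sh
# Added example, not code from the Funtoo page or from OpenSSH.
# Resolve the value sshd will use for a directive in the global section of a
# config file: the FIRST occurrence wins, later duplicates are ignored, and
# the global section ends at the first "Match" line.

sshd_effective() {   # usage: sshd_effective FILE KEYWORD  (keyword is case-insensitive)
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, "") }                 # strip comments
        /^[ \t]*$/ { next }                # skip blank lines
        tolower($1) == "match" { exit }    # conditional block starts: stop here
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            kw = line
            sub(/[ \t=].*/, "", kw)        # keyword may be followed by blanks or "="
            if (tolower(kw) != key) next
            val = substr(line, length(kw) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
            print val
            exit                           # first occurrence wins
        }' "$1"
}

# Constructed sample configuration (an assumption of this example), written to a temp file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed fragment: the second PasswordAuthentication line is dead
Protocol 2
PasswordAuthentication no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

for kw in Protocol PasswordAuthentication Ciphers PermitRootLogin; do
    val=$(sshd_effective "$SAMPLE_CONF" "$kw")
    printf '%-22s %s\n' "$kw" "${val:-<not set, compiled-in default applies>}"
done
```

On a real host the authoritative answer is <code>sshd -T</code>, which prints the effective configuration after parsing (and <code>sshd -T -C user=...,host=...,addr=...</code> for a given <code>Match</code> context); the function above is only a way to see why a duplicated line did nothing.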
= User Authentication =

== Single authentication method ==

# Password authentication<br/>This is enabled by '''''default''''' and is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
# Public key authentication<br/>This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.

=== Passwordless Authentication ===

==== Client ====

On your client, run:

<console>###i## ssh-keygen -t rsa</console>

Dialogs will be presented; you can press enter several times to accept the defaults.

<code>~/.ssh/id_rsa.pub</code> will be generated. Copy or append the contents of this file to the server's <code>~/.ssh/authorized_keys</code>.

==== Server ====

Create a user, or select which user the client will be accessing the server as, then append the contents of the client's <code>id_rsa.pub</code> to that user's <code>~/.ssh/authorized_keys</code>.

==== Single Machine Testing ====

<console>###i## ssh-keygen -t rsa</console>

Press enter several times to accept the default settings.

<console>###i## cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys</console>

<console>###i## ssh localhost</console>

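The most common reason the test above still asks for a password is file permissions: with <code>StrictModes</code> on (the default) <code>sshd</code> ignores <code>authorized_keys</code> if the home directory, <code>~/.ssh</code> or the file itself is group- or world-writable, and the only trace is a "bad ownership or modes" line in the server log. The following functions are an added example, not part of the original page or of OpenSSH; they reproduce the permission part of that check on two constructed home directories (the directory layout, the names and the <code>fix_key_perms</code> helper are assumptions of the example) and leave out the ownership part (each path must be owned by the user or by root).

```sh
#!/bin/sh
# Added example, not code from the Funtoo page or from OpenSSH.
# Model the permission part of sshd's StrictModes check: nothing on the
# path ~ -> ~/.ssh -> ~/.ssh/authorized_keys may be group- or world-writable.

# Returns 0 if PATH is not group- or world-writable, 1 otherwise.
not_writable_by_others() {
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. "drwx------" or "-rw-rw-r--"
    case $perms in
        ?????w*)    return 1 ;;            # 6th char: group write bit set
        ????????w?) return 1 ;;            # 9th char: other write bit set
    esac
    return 0
}

# check_key_perms HOME_DIR: 0 = StrictModes would accept authorized_keys,
# 1 = it would be ignored (reason printed on stdout).
check_key_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        not_writable_by_others "$p" || { echo "group/world-writable: $p"; return 1; }
    done
    return 0
}

# fix_key_perms HOME_DIR: apply the conventional modes (hypothetical helper).
fix_key_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Two constructed home directories (assumptions of this example, created under mktemp).
DEMO_OK=$(mktemp -d);  mkdir "$DEMO_OK/.ssh";  : > "$DEMO_OK/.ssh/authorized_keys"
chmod 700 "$DEMO_OK/.ssh"; chmod 600 "$DEMO_OK/.ssh/authorized_keys"
DEMO_BAD=$(mktemp -d); mkdir "$DEMO_BAD/.ssh"; : > "$DEMO_BAD/.ssh/authorized_keys"
chmod 770 "$DEMO_BAD/.ssh"; chmod 664 "$DEMO_BAD/.ssh/authorized_keys"   # what a lax umask produces

check_key_perms "$DEMO_OK"  && echo "ok:  $DEMO_OK"
check_key_perms "$DEMO_BAD" || echo "bad: $DEMO_BAD"
```

Run <code>check_key_perms "$HOME"</code> on the server side of a failing passwordless login before touching anything else; if it reports a path, <code>fix_key_perms</code> applies the usual 700/600 modes.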
# Host-based authentication

== Requiring multiple authentication factors ==

These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication methods. To tell the daemon that more than one authentication method is required, use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma-separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.

# password
# publickey
# keyboard-interactive

e.g. <code>AuthenticationMethods password,publickey password,keyboard-interactive</code>

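How <code>sshd</code> applies that directive, as an added worked example rather than anything from the original page: the daemon only lets the client attempt a method that is currently at the head of at least one list; when such a method succeeds it is removed from the head of every list that starts with it, and access is granted as soon as one list is empty. Each list is therefore also an order. The functions below model exactly that (they are an assumption of this example, not OpenSSH's own code) and show that with the directive above <code>password</code> followed by <code>publickey</code> is granted, while <code>publickey</code> first is rejected because no list starts with it.

```sh
#!/bin/sh
# Added example, not code from the Funtoo page or from OpenSSH.
# Model how sshd applies AuthenticationMethods: LISTS is the directive value
# (space-separated lists of comma-separated methods).

# auth_step LISTS METHOD: METHOD has just succeeded. Prints the lists as they
# remain afterwards and returns 0 if one list was completed (access granted),
# 1 if more methods are still needed, 2 if METHOD was not at the head of any
# list (sshd would not have offered it, so it cannot have succeeded).
auth_step() {
    remaining=""; complete=1; offered=1
    for list in $1; do
        case $list in
            "$2")   complete=0; offered=0 ;;                           # whole list satisfied
            "$2",*) offered=0; remaining="$remaining ${list#"$2",}" ;; # drop the head, keep the rest
            *)      remaining="$remaining $list" ;;                    # its own first method is still pending
        esac
    done
    printf '%s' "${remaining# }"
    [ $offered -eq 0 ] || return 2
    return $complete
}

# auth_satisfied LISTS METHOD...: feed the successful methods in the order the
# client completed them; 0 if sshd would grant access, 1 otherwise.
auth_satisfied() {
    lists=$1; shift
    for m in "$@"; do
        lists=$(auth_step "$lists" "$m")
        case $? in
            0) return 0 ;;     # one list fully completed
            2) return 1 ;;     # method not offered at this point
        esac
    done
    return 1                   # ran out of successes before any list completed
}

DIRECTIVE="password,publickey password,keyboard-interactive"   # the value used on this page
for seq in "password publickey" "password keyboard-interactive" "publickey password" "password"; do
    if auth_satisfied "$DIRECTIVE" $seq; then r=granted; else r=denied; fi
    printf '%-30s %s\n' "$seq" "$r"
done
```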
== Password authentication using <code>sshd_config</code> ==

The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly within <code>sshd_config</code>. Only user or group ''names'' are valid; numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>.

;<code>DenyUsers PATTERN PATTERN ...</code>
:Login is forbidden for users whose username matches one of the patterns.

;<code>AllowUsers PATTERN PATTERN ...</code>
:Login is permitted to users whose username matches one of the patterns.

;<code>DenyGroups PATTERN PATTERN ...</code>
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns.

;<code>AllowGroups PATTERN PATTERN ...</code>
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns.

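The evaluation order above decides the outcome whenever the four directives overlap: a user listed in <code>AllowUsers</code> is still refused if one of his groups matches <code>DenyGroups</code>, and once <code>AllowUsers</code> or <code>AllowGroups</code> is set, anything not matched by it is refused. The script below is an added example, not code from this page or from OpenSSH; it evaluates a constructed policy (the four pattern lists, the user names and addresses are assumptions of the example) in exactly that order. Patterns use the <code>*</code> and <code>?</code> wildcards only; the host half of a <code>USER@HOST</code> pattern is matched against whatever host string is passed in, whereas <code>sshd</code> tries both the client's hostname and its address, and the <code>!</code> negation <code>sshd</code> also accepts is not modelled.

```sh
#!/bin/sh
# Added example, not code from the Funtoo page or from OpenSSH.
# Evaluate the four directives in the order sshd applies them:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. The first refusal wins.
set -f   # keep '*' and '?' in the patterns literal (sshd wildcards, not file globs)

# Constructed policy (an assumption of this example), as the four sshd_config lines would read.
DENY_USERS='guest* backup@10.0.0.*'
ALLOW_USERS='admin alice@10.0.0.*'
DENY_GROUPS='nologin'
ALLOW_GROUPS='wheel staff'

# matches STRING PATTERN: sshd-style wildcard match ('*' and '?' only).
matches() {
    case $1 in $2) return 0 ;; esac
    return 1
}

# user_in USER HOST PATTERN...: does any pattern match? USER@HOST patterns need both halves.
user_in() {
    u=$1; h=$2; shift 2
    for p in "$@"; do
        case $p in
            *@*) matches "$u" "${p%%@*}" && matches "$h" "${p#*@}" && return 0 ;;
            *)   matches "$u" "$p" && return 0 ;;
        esac
    done
    return 1
}

# group_in "GROUP GROUP..." PATTERN...: does any of the user's groups match any pattern?
group_in() {
    gl=$1; shift
    for g in $gl; do
        for p in "$@"; do matches "$g" "$p" && return 0; done
    done
    return 1
}

# login_allowed USER "PRIMARY SUPPLEMENTARY..." HOST: 0 = allowed, 1 = denied
login_allowed() {
    user=$1; groups=$2; host=$3
    [ -n "$DENY_USERS" ]   &&   user_in  "$user" "$host" $DENY_USERS  && return 1
    [ -n "$ALLOW_USERS" ]  && ! user_in  "$user" "$host" $ALLOW_USERS && return 1
    [ -n "$DENY_GROUPS" ]  &&   group_in "$groups" $DENY_GROUPS       && return 1
    [ -n "$ALLOW_GROUPS" ] && ! group_in "$groups" $ALLOW_GROUPS      && return 1
    return 0
}

# Constructed login attempts: USER GROUPS(comma-separated) HOST
for who in "alice staff 10.0.0.5" "alice staff 192.0.2.9" "admin wheel 10.0.0.5" \
           "admin nologin,wheel 10.0.0.5" "guest1 wheel 10.0.0.5" "admin users 10.0.0.5"; do
    set -- $who
    if login_allowed "$1" "$(printf '%s' "$2" | tr ',' ' ')" "$3"; then r=allowed; else r=denied; fi
    printf '%-8s %-14s %-12s %s\n' "$1" "$2" "$3" "$r"
done
```

The second and last cases are the ones that surprise people: alice is refused from 192.0.2.9 because her <code>AllowUsers</code> entry is bound to 10.0.0.*, and admin with only the <code>users</code> group is refused because <code>AllowGroups</code> is set and does not list it.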
== Public key authentication ==

* <code>AuthorizedKeysFile</code>
* <code>AuthorizedKeysCommand</code>
* <code>AuthorizedKeysCommandUser</code>

== Host based authentication ==

= Access control =

== Controlling root access ==

Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.

=== Permit empty passwords ===

Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.

Other directives in <code>sshd_config</code>:

* <code>ChallengeResponseAuthentication</code>
* <code>Ciphers</code>
* <code>GSSAPIAuthentication</code>
* <code>GSSAPICleanupCredentials</code>
* <code>GSSAPIStrictAcceptorCheck</code>
* <code>HostbasedAuthentication</code>
* <code>HostbasedUsesNameFromPacketOnly</code>
* <code>HostCertificate</code>
* <code>HostKey</code>
* <code>HostKeyAgent</code>
* <code>LoginGraceTime</code>
* <code>MACs</code>
* <code>MaxAuthTries</code>
* <code>MaxSessions</code>
* <code>MaxStartups</code>
* <code>PasswordAuthentication</code>
* <code>PermitEmptyPasswords</code>
* <code>PubkeyAuthentication</code>
* <code>RevokedKeys</code>
* <code>RhostsRSAAuthentication</code>
* <code>RSAAuthentication</code>
* <code>TrustedUserCAKeys</code>
* <code>UseLogin</code>
* <code>UsePAM</code>

= X11 Forwarding =

By default, X11 forwarding is disabled in OpenSSH's <code>sshd</code>.

If you would like to forward X11 from your Funtoo box to a remote system, you must first edit your <code>/etc/ssh/sshd_config</code> file.

Change
<pre>
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
</pre>
to
<pre>
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
</pre>

X forwarding will now be enabled from that machine, so if you connect from your remote system with <code>ssh -X &lt;user&gt;@&lt;ipaddress&gt;</code>, X sessions will be forwarded.

== Intrusion Prevention ==

ssh is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs and blacklists remote users who have repeatedly failed to log in.

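To see what a tool like sshguard keys on, here is an added example (not from this page and not sshguard's code) that tallies <code>sshd</code> authentication failures per source address over a few constructed syslog-style lines and lists the sources at or above a threshold. The sample lines, their addresses (taken from the RFC 5737 documentation ranges) and the function name are assumptions of the example; sshguard does the same counting against the live log and then blocks the offending addresses in the firewall.

```sh
#!/bin/sh
# Added example, not code from the Funtoo page or from sshguard.
# Count sshd authentication failures per source address in syslog-style lines.

# Constructed sample log lines (an assumption of this example).
SAMPLE_LOG=$(cat <<'EOF'
Jan 27 04:01:02 funtoo sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 27 04:01:05 funtoo sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 27 04:01:09 funtoo sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 27 04:01:11 funtoo sshd[2104]: Failed publickey for alice from 198.51.100.2 port 40022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 27 04:01:15 funtoo sshd[2104]: Accepted publickey for alice from 198.51.100.2 port 40022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 27 04:01:20 funtoo cron[2110]: (root) CMD (run-parts /etc/cron.hourly)
Jan 27 04:01:31 funtoo sshd[2111]: Failed password for invalid user oracle from 203.0.113.7 port 51300 ssh2
EOF
)

# failed_by_source THRESHOLD: print "COUNT ADDRESS" for every source with at
# least THRESHOLD failed sshd authentications, highest count first.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed (password|publickey|none) for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

echo "sources with at least 3 failures:"
failed_by_source 3
```

Only lines <code>sshd</code> itself logs as failures are counted; the <code>Accepted</code> line and the unrelated cron entry are ignored, which is the same distinction sshguard's parser draws before it decides to block an address.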
[[Category:Networking]]

{{EbuildFooter}}

Latest revision as of 04:03, January 27, 2015


