Wednesday, December 19, 2007

SSH Servers

There are three main SSH servers that provide different types of functionality
and usage: OpenSSH, SSH Communications’ SSH server, and VanDyke Software’s
VShell SSH server. In chapter one, we install all three of these servers;
however, we do not discuss the configuration, the uses, and the different features
of these servers. While the three main SSH servers offer similar SSH services,
they provide different levels of functionality, several of which may be
better for your environment than others. The type of SSH server you use can
significantly affect the type of SSH experience you have. For example, several
SSH servers offer both command line access and secure file transfer; however,
if SSH is being deployed for port forwarding only (discussed in Chapters 6
and 7) or for file transfer, giving the user command line access may not be
acceptable.
This chapter discusses the three main SSH servers available for Unix and
Windows. Also, the focus of the chapter is on selected configuration items and
the menus of the three SSH servers, in terms of customization and optimal
usage. The following SSH servers are examined in this chapter:
■■ OpenSSH server
■■ Unix and Windows
■■ SSH Communications’ SSH server
■■ Unix
■■ *Windows
■■ VanDyke Software’s VShell SSH server
■■ Windows
OpenSSH
OpenSSH is available for both Windows and Unix environments. The
Windows version is a port of OpenSSH’s Unix version built on the popular
Cygwin compatibility layer (see www.cygwin.com for more details). While the
Windows port of OpenSSH uses Cygwin, note that the port is not a full
installation of Cygwin and does not require additional Cygwin utilities,
which is convenient since a full Cygwin install is a separate procedure. Since
both the Unix and Windows versions of OpenSSH use the same configuration file
for the SSH server, the sshd_config file, I discuss the file itself in detail;
everything said about it applies to both platforms. To view the configuration
file, enter the following commands.
On Unix:
# cd /etc/ssh
# more sshd_config
On Windows:
C:\> cd "Program Files\OpenSSH\bin"
C:\Program Files\OpenSSH\bin> type sshd_config
NOTE A line in sshd_config that begins with # is a comment; the commented
lines in the stock file simply document the compiled-in default for each
keyword. To change a setting, uncomment the line (delete the # at the
beginning) and edit the value. sshd uses the first uncommented occurrence
of a keyword, so a changed line must not be preceded by an earlier, active
line that sets the same keyword.
The first section I present is the simple network configuration:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Table 2.1 Options in the sshd_config File
OPTION DESCRIPTION
Port Sets the port number for SSH to listen on. The
default port is 22; however, listening on several
ports, including nonstandard ports such as 80, 443,
or 8080, may be useful, since business travelers
often cannot make outbound connections on port 22
while port 80 or 443 is usually reachable. To listen
on multiple ports, add the following lines (any Port
lines must appear before any ListenAddress lines):
Port 22
Port 80
Port 443
Port 8080
Protocol Allows the use of only SSH version 1, only SSH
version 2, or both. Since SSH version 1 has known
weaknesses, it is best to allow only version 2
(OpenSSH 7.6 and later no longer include version 1 at
all, so the directive matters only on older releases);
however, some older devices may still require version
1. To use only SSH version 2, add the following line:
Protocol 2
ListenAddress Sets the IP address the SSH daemon listens on. The
default, 0.0.0.0 (and :: for IPv6), enables the SSH
service on all interfaces. If there are interfaces
where SSH should not be listening, such as the
external interface of a firewall, remove 0.0.0.0
and add the appropriate IP addresses. To listen on
only selected interfaces, add the following lines:
ListenAddress 172.16.1.1
ListenAddress 192.168.0.1
The next section is the host-key section. It sets the parameters for the SSH
server’s host key, the long-lived key pair that identifies the SSH server to
clients; the fingerprint a client displays on first connection is a hash of
the public half of this key.
# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
This section of the sshd_config file is fairly straightforward. It simply states
the location of the host-key file for both the SSH version 1 format and the SSH
version 2 format. Also, for SSH version 2, the section states the location of both
the RSA and DSA keys.
The next section addresses the server key:
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
This section sets specifics on the ephemeral server key, which is used only
by SSH protocol version 1. KeyRegenerationInterval is the time, in seconds,
after which the server key is regenerated (the default is 3600, one hour), and
ServerKeyBits is its size in bits (the default is 768). Neither setting has any
effect when Protocol 2 is used alone.
The next section addresses logging:
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
This section sets the logging options for the SSH service. QuietMode and
FascistLogging are older directives that LogLevel replaces: QuietMode logged
only fatal errors, whereas FascistLogging enabled verbose logging. SyslogFacility
specifies the syslog facility code to use when logging messages from SSH,
such as DAEMON or AUTH. LogLevel specifies the verbosity of messages logged
by SSH, for example INFO for informational messages, VERBOSE to also record
which key a user logged in with, or DEBUG for troubleshooting (DEBUG records
enough detail about user sessions that it should not be left on in production).
The next section addresses authentication options with SSH:
#Authentication
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
Table 2.2 describes the authentication options available for the SSH server.
Table 2.2 Authentication Options
OPTION DESCRIPTION
LoginGraceTime The amount of time, in seconds, the user has to
complete the authentication process, measured from
the moment the connection is opened to the moment
the server accepts the username/password or the
public-key response. The default is 120 seconds; a
connection that has not authenticated by then is
dropped.
PermitRootLogin Option to allow (yes) or disallow (no) the root user
to log in over SSH. Best practice is to set this to no
and have administrators log in as themselves and then
‘su’ or ‘sudo’ to root, which keeps an audit trail of
who acted as root. If the root account must be able
to log in directly, the value without-password (newer
OpenSSH releases also accept prohibit-password) allows
root to log in, but only with public-key
authentication. (nopwd is the equivalent value in SSH
Communications’ server, not in OpenSSH.)
StrictModes Enables (yes) or disables (no) the check of the
ownership and permissions of the user’s home
directory and authentication files (such as
authorized_keys and .rhosts) before accepting a login.
This should be set to yes so that a world-writable
home directory or key file, which another local user
could edit to insert a key, cannot be used to
authenticate.
RSAAuthentication Option to allow RSA public-key authentication for
SSH protocol version 1 only.
PubkeyAuthentication Option to allow public-key authentication for SSH
protocol version 2; possible values are yes and no.
AuthorizedKeysFile The file that holds the public keys a user may
authenticate with. The default, .ssh/authorized_keys,
is relative to the user’s home directory (for example,
~/.ssh/authorized_keys on Unix, or
Program Files\OpenSSH\.ssh on the Windows port).
Under the authentication section in the sshd_config file are the options for
rhosts-style (trusted-host) authentication inherited from rsh. rhosts usage is
not recommended, because it trusts the client’s hostname or address rather than
a secret held by the user, but the following lines address the rhosts
configuration options:
# rhosts authentication should not be used
#RhostsAuthentication no
# Don’t read the user’s ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don’t trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
Table 2.3 describes the rhosts authentication options available for the SSH
server.
Table 2.3 Rhosts Configuration Options
OPTION DESCRIPTION
RhostsAuthentication Allow (yes) or disallow (no) plain rhosts
authentication (protocol version 1), which trusts the
client’s address alone
IgnoreRhosts Ignore (yes) or read (no) the .rhosts and .shosts files
in the user’s home directory
RhostsRSAAuthentication Allow (yes) or disallow (no) rhosts authentication
backed by an RSA host key (protocol version 1)
HostbasedAuthentication Enable (yes) or disable (no) host-based
authentication under SSH version 2, the protocol 2
equivalent of RhostsRSAAuthentication
IgnoreUserKnownHosts Ignore (yes) or use (no) the user’s ~/.ssh/known_hosts
file when looking up host keys for the two host-key
methods above; set to yes so that a user cannot add a
trusted host on his or her own
The last authentication section of the sshd_config file addresses the
remaining password options, including Kerberos usage:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
Table 2.4 describes the password and Kerberos authentication options available
for the SSH server.
Table 2.4 Password and Kerberos Options
OPTION DESCRIPTION
PasswordAuthentication To enable (yes) or disable (no) password
authentication. The “tunneled clear text” in the
comment means the password itself travels inside the
encrypted SSH session; it is protected on the wire,
but the account is still exposed to online password
guessing, so public-key authentication is preferable
wherever possible.
PermitEmptyPasswords To allow (yes) or disallow (no) logins to accounts
with blank passwords. Leave this at no.
ChallengeResponseAuthentication Enable (yes) or disable (no) challenge/response
authentication, such as S/Key one-time passwords or
PAM-based schemes. The server sends the client a
challenge, and the client’s response determines
whether authentication succeeds. Note that if
PasswordAuthentication is set to no but this remains
yes, PAM can still prompt for a password through the
challenge/response path.
KerberosAuthentication To enable (yes) or disable (no) validating the
password supplied for password authentication through
the Kerberos KDC, which issues session tickets.
KerberosOrLocalPasswd To permit (yes) falling back to the local password
database when Kerberos password validation fails.
KerberosTicketCleanup To enable (yes) or disable (no) automatic deletion of
the user’s Kerberos ticket cache upon logout.
AFSTokenPassing To enable (yes) or disable (no) passing AFS tokens to
the server.
KerberosTgtPassing To enable (yes) or disable (no) forwarding a Kerberos
Ticket Granting Ticket to the server; as the comment
notes, this works only with the AFS kaserver.
The next section of the sshd_config file addresses X11 forwarding options:
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
X11 forwarding can be enabled or disabled in this section of the sshd_config
file. If X11 forwarding is enabled, X11DisplayOffset sets the first display
number sshd may use for forwarded displays (10 is the default, so that they do
not collide with displays of an X server running on the SSH server itself),
and X11UseLocalhost controls whether sshd binds the forwarding listener to
the loopback address. Leaving X11UseLocalhost at yes, which is the typical
installation, means only processes on the SSH server itself can reach the
forwarded display; setting it to no exposes the listener on all interfaces
and lets any host on the network connect to it.
The last section of the sshd_config file addresses a variety of options that can
be set with the service, such as printing, banner information, and subsystems:
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
Table 2.5 describes the various miscellaneous options that are available for
the SSH server.
Table 2.5 Miscellaneous Options for the SSH Server
OPTION DESCRIPTION
PrintMotd Enables (yes) or disables (no) display of the text in
the motd (message of the day) file (/etc/motd) at
login. This is very useful, since messages can be
shown to all users logging in to the system, such as
planned downtime, security issues, and so on.
PrintLastLog Enables (yes) or disables (no) display of the date
and time of the user’s last login when the session
starts.
KeepAlive Enables (yes) or disables (no) TCP keepalive messages
on the connection, so that a dead client or a broken
network link is detected and the session is closed
rather than left hanging.
UseLogin Enables (yes) or disables (no) the use of the system
login(1) program for interactive sessions instead of
having sshd set up the session itself. This should
stay at no; it disables X11 forwarding and privilege
separation for the session.
UsePrivilegeSeparation Enables (yes) or disables (no) splitting sshd into an
unprivileged child that handles network traffic before
authentication and a privileged parent. This limits
the damage from a bug in the pre-authentication code
and should stay at yes.
PermitUserEnvironment Allow (yes) or disallow (no) environment variables
set in ~/.ssh/environment or in authorized_keys
options to be applied to the session. Leave this at
no, since variables such as LD_PRELOAD can otherwise
be used to bypass restrictions such as forced commands.
Compression Enable (yes) or disable (no) compression of the SSH
transmission.
MaxStartups The maximum number of concurrent connections that
have not yet authenticated; further connections are
dropped until some of these finish, which limits the
effect of a connection flood against the daemon.
Banner Path to a file whose contents are sent to the client
before authentication, which is where a legal access
warning belongs (the motd, by contrast, appears only
after login).
VerifyReverseMapping Enables (yes) or disables (no) checking that the
client’s IP address resolves to a hostname that in
turn resolves back to the same address; later OpenSSH
releases renamed this option UseDNS.
Subsystem sftp Path to the secure file transfer subsystem.
You may have noticed that many of the options in the sshd_config file are
specific to Unix implementations of OpenSSH. While a full sshd_config file
can be used on Windows platforms, many of the items will not apply, since
they do not exist in the Windows world, such as Syslog and rhost authentication.
Once you have opened the sshd_config on the Windows machine, you
should see only an abbreviated portion of the bigger sshd_config file on Unix,
as the following code shows:
HostKey /ssh/ssh_host_key
HostDSAKey /ssh/ssh_host_dsa_key
PidFile /ssh/sshd.pid
Protocol 2
Port 22
PermitRootLogin yes
PasswordAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
Subsystem sftp /ssh/sftp-server
Despite the abbreviated contents of this sshd_config file, all the entries have
the same definitions as in the Unix file described above. Note that this
default Windows file leaves PermitRootLogin yes and PasswordAuthentication yes
in force; tighten these as described in Table 2.2 unless there is a reason to
keep them.
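As an added example (not code from the book or from OpenSSH), the following POSIX shell script audits an sshd_config against the settings discussed in Tables 2.1 through 2.5, taking into account the two points made in the NOTE above: commented lines only document defaults, and for each keyword sshd honours the first uncommented occurrence. The policy table, the two constructed sample files, and the names sshd_effective, sshd_audit and write_sample_config are this example’s own; the defaults it assumes are the ones shown by the commented lines earlier in this section.

```shell
#!/bin/sh
# Audit an OpenSSH sshd_config for weak settings.  Added example, not from
# the book or from OpenSSH; assumes POSIX sh with awk, grep and mktemp, and
# the whitespace-separated "Keyword value" form of sshd_config shown above.
#
# Two rules that matter when reading the file:
#   1. a commented line such as "#PermitRootLogin yes" only documents the
#      compiled-in default; only uncommented lines are settings;
#   2. sshd uses the FIRST uncommented occurrence of each keyword, so a
#      hardened line appended at the end does not override an earlier one.

# Print the effective value of keyword $2 in file $1, or default $3 when the
# keyword is absent or only appears commented out.  Keywords are matched
# case-insensitively.  Scanning stops at the first Match block (OpenSSH 4.4+),
# whose settings are conditional rather than global.
sshd_effective() {
    _val=$(awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment: no effect
        /^[ \t]*$/ { next }                 # blank line
        tolower($1) == "match" { exit }     # conditional section begins
        tolower($1) == kw {                 # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1")
    printf '%s\n' "${_val:-$3}"
}

# Check file $1 against a policy of "keyword;acceptable values (egrep
# alternation);compiled-in default".  The defaults are the ones documented by
# the commented lines in the sample sshd_config above; adjust the policy to
# your own standard.  Prints one line per check and returns the number of
# failing checks, so a deployment script can stop on a non-zero status.
sshd_audit() {
    _fails=0
    while IFS=';' read -r kw ok def; do
        [ -n "$kw" ] || continue
        val=$(sshd_effective "$1" "$kw" "$def")
        if printf '%s\n' "$val" | grep -Eiq "^($ok)$"; then
            printf 'OK    %-24s %s\n' "$kw" "$val"
        else
            printf 'FAIL  %-24s %s (want: %s)\n' "$kw" "$val" "$ok"
            _fails=$((_fails + 1))
        fi
    done <<'EOF'
Protocol;2;2,1
PermitRootLogin;no|without-password;yes
PasswordAuthentication;no;yes
PermitEmptyPasswords;no;no
PubkeyAuthentication;yes;yes
X11Forwarding;no;no
StrictModes;yes;yes
IgnoreRhosts;yes;yes
HostbasedAuthentication;no;no
EOF
    return $_fails
}

# Write a constructed sample config ("weak" or "hardened") to path $2.  The
# weak one is made up for this example: it keeps the chapter's defaults and
# contains both traps described above.
write_sample_config() {
    case "$1" in
    weak) cat > "$2" <<'EOF'
# constructed sample: looks partly hardened but is not
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
#X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
EOF
    ;;
    hardened) cat > "$2" <<'EOF'
Port 22
Protocol 2
ListenAddress 192.168.0.1
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
Subsystem sftp /usr/libexec/sftp-server
EOF
    ;;
    esac
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config   (exit status = failures)
if [ $# -eq 1 ]; then
    sshd_audit "$1"
fi
```

Run it as sh sshd_audit.sh /etc/ssh/sshd_config; the exit status is the number of failing checks. On the constructed weak file it reports Protocol, PermitRootLogin (the first active line says yes, and the commented “no” above it counts for nothing) and PasswordAuthentication as failures, while the absent keywords pass on their defaults. sshd -t validates the syntax of a file but says nothing about whether its values are sensible, which is why a check like this is worth keeping beside the configuration.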
SSH Communications’ SSH server
SSH Communications’ SSH servers are also available on both Windows and
Unix environments. The sshd2_config file is used by SSH Communications’
SSH server for all configuration management for the service. The Windows
version has a different configuration utility, which uses a graphical user interface
(GUI) to display and report changes to the sshd2_config configuration
file. On the other hand, the Unix version provides only the sshd2_config file
for configuration management without any extra configuration tools. Since the
Unix and Windows versions provide different configuration utilities, I address
the sshd2_config file first, since both platforms either rely (Unix) or refer (Windows)
to this file for configuration; then I address the Windows GUI for configuration
management.
SSH Communications’ SSH Server: Unix
To view the configuration file, enter the following commands:
# cd /etc/ssh2
# more sshd2_config
SSH Communications’ sshd2_config file is similar to the sshd_config file of
OpenSSH; however, there are many differences that distinguish the two. The
following paragraphs discuss the various sections of the sshd2_config file.
General
The general section of the sshd2_config file should look similar to the following:
## General
# VerboseMode no
# QuietMode yes
# ForcePTTYAllocation no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
Table 2.6 describes the general options available for the SSH server.
Table 2.6 Options in the General Section of the sshd2_config File (Unix)
OPTION DESCRIPTION
VerboseMode Enables (yes) or disables (no) output of the SSH
session’s debugging and connection-related
information
QuietMode Enables (yes) or disables (no) suppression of the SSH
session’s warning and diagnostic messages; when set
to yes, only fatal errors are logged
ForcePTTYAllocation Enables (yes) or disables (no) forcing a pseudo-TTY to
be allocated for every session, even when the client
did not request one
SyslogFacility Identifies the syslog facility to use when logging a
message from SSH, such as DAEMON, AUTH, or LOCAL0
through LOCAL7 (the sample shows LOCAL7)
Network
The network section of the sshd2_config file should look like the following:
Port 22
# ListenAddress any
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay yes
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
Table 2.7 describes the network options available for the SSH server.
Table 2.7 Options in the Network Section (Unix)
OPTION DESCRIPTION
Port Sets the port number for SSH to listen on. The default
port is 22; however, listening on several ports,
including nonstandard ports such as 80, 443, or 8080,
may be useful, since business travelers often cannot
make outbound connections on port 22 while port 80 or
443 is usually reachable. To listen on multiple ports,
add the following lines:
Port 22
Port 80
Port 443
Port 8080
ListenAddress Sets the IP address the SSH daemon listens on. The
default, any (shown commented out in the sample),
enables the SSH service on all interfaces. If there
are interfaces where SSH should not be listening, such
as the external interface of a firewall, replace any
with the appropriate IP addresses. To listen on only
selected interfaces, add the following lines:
ListenAddress 172.16.1.1
ListenAddress 192.168.0.1
RequireReverseMapping Enables (yes) or disables (no) the requirement that a
reverse DNS lookup of the client succeed before
AllowHosts and DenyHosts entries are evaluated. If
enabled and the lookup fails, the connection is
denied. If disabled and the lookup fails, the client’s
IP address is checked against the AllowHosts and
DenyHosts patterns instead.
MaxBroadcastsPerSecond Identifies the number of UDP broadcasts the server
should handle per second. The default, zero, means no
broadcasts are handled.
NoDelay Enables (yes) or disables (no) the TCP_NODELAY socket
option, which sends small writes immediately instead
of buffering them.
KeepAlive Enables (yes) or disables (no) sending TCP keepalive
messages to SSH clients. This helps prevent hanging
sessions by detecting when the client on the other
side has crashed or lost network connectivity.
MaxConnections Identifies the number of concurrent connections the
SSH server will handle. If the value is set to zero,
the number of concurrent connections is unlimited;
a finite limit is a simple defense against connection
flooding.
Crypto
The Crypto section of the sshd2_config file should look similar to the following:
# Ciphers AnyCipher
# Following includes “none” ‘cipher’:
# Ciphers AnyStd
#
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes “none” ‘mac’:
# MACs AnyMAC
#
# MACs AnyStd
# MACs AnyStdMAC
# RekeyIntervalSeconds 3600
Table 2.8 describes the Crypto options available for the SSH server.
Table 2.8 Options in the Crypto Section (Unix)
OPTION DESCRIPTION
Ciphers Lists the ciphers to be used when encrypting the SSH
session. Triple-DES (3DES), Blowfish, Arcfour, Twofish,
CAST-128, and DES are supported, and several group
names can be used as well: AnyStd allows the ciphers
listed in the IETF SSH drafts and Any allows every
cipher the server implements, but, as the comments in
the sample file warn, these groups include the “none”
cipher, which disables encryption entirely.
AnyStdCipher and AnyCipher are the corresponding groups
without “none” and are the values to use; avoid “none”
and single DES on any server that handles real traffic.
MACs Message Authentication Code (MAC) is the keyed hash
(HMAC) used to verify the integrity of each packet.
The algorithms supported are HMAC-SHA1, HMAC-MD5,
HMAC-SHA1-96, and HMAC-MD5-96, and more than one can
be listed. The group names mirror those for ciphers:
the groups flagged in the sample’s comments include the
“none” MAC, which turns off integrity protection, while
AnyStdMAC does not and is the safe choice.
RekeyIntervalSeconds Specifies the amount of time before the key exchange
is run again to produce fresh session keys. The default
is 3600 seconds, one hour. Setting the value to zero
disables periodic rekeying, which is not recommended
for long-lived connections.
Users
The Users section of the sshd2_config file should look like the following:
# PrintMotd yes
# CheckMail yes
# UserConfigDirectory “%D/.ssh2”
# UserConfigDirectory “/etc/ssh2/auth/%U”
# UserKnownHosts yes
# LoginGraceTime 600
# PermitEmptyPasswords no
# StrictModes yes
# IdleTimeOut 1h
Table 2.9 describes the various miscellaneous options available for the SSH
server.
Table 2.9 Miscellaneous Options in the User Section (Unix)
OPTION DESCRIPTION
PrintMotd Enables (yes) or disables (no) display of the text in
the motd (Message of the Day) file (/etc/motd) at
login. This is very useful, since messages can be
shown to all users logging in to the system, such as
planned downtime, legal statements, and security
issues.
CheckMail Enables (yes) or disables (no) the SSH server’s check
for new mail after the user has been authenticated.
UserConfigDirectory Identifies the location of user-specific configuration
data, such as keys and identification files. The
default is the .ssh2 folder in the user’s home
directory (under /home on Unix or Documents and
Settings on Windows); in the sample, %D expands to
the home directory and %U to the username, which
allows a central, administrator-controlled location
such as /etc/ssh2/auth/%U instead. More than one
location can be identified for configuration data.
UserKnownHosts Enables (yes) or disables (no) use of the user’s own
known-hosts data in the .ssh2 folder of the home
directory, in addition to the system-wide file, when
verifying host keys for host-based authentication.
LoginGraceTime The amount of time, in seconds, the user has to
complete the login process after initiating an
authentication request; zero means no limit. The
sample value is 600 seconds.
PermitEmptyPasswords Allows (yes) or rejects (no) logins to accounts with
empty passwords. In nearly all situations, this should
be no.
StrictModes Enables (yes) or disables (no) the check of the
ownership and permissions of the user’s home directory
and authentication files before accepting a login.
This should be set to yes to protect against
world-writable files in home directories.
IdleTimeOut The amount of time a session can remain unused before
it is automatically closed, given in seconds or with a
unit suffix such as the 1h in the sample. A setting of
zero specifies no timeout, which may be needed for
long-running backup processes over SSH.
User Public Key Authentication
The User Public Key Authentication section of the sshd2_config file should
look like the following:
# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# IdentityFile identification
# AuthorizationFile authorization
# AllowAgentForwarding yes
Table 2.10 describes the User Public Key options available for the SSH server.
Table 2.10 Options in the User Public Key Authentication Section (Unix)
OPTION DESCRIPTION
HostKeyFile Identifies the location of the private host-key file.
The default is a file called hostkey in the server’s
configuration directory (/etc/ssh2); it must be
readable by root only.
PublicHostKeyFile Identifies the location of the public host-key file.
The default is a file called hostkey.pub in the same
directory.
RandomSeedFile Identifies the location of the random seed file, which
carries entropy for the server’s random number
generator across restarts.
IdentityFile Identifies the identity file, usually named
identification and located in the user’s .ssh2
directory on the SSH client. The SSH client reads it
to learn which private keys to offer during
authentication. For example, if a user has two private
keys, id_dsa_2048_a and id_rsa_2048_a, the contents of
the identification file look like the following:
IdKey id_dsa_2048_a
IdKey id_rsa_2048_a
Note: The private keys listed in the identification
file must also be present in the user’s .ssh2
directory, as discussed further in Chapter 4.
AuthorizationFile Identifies the authorization file, usually named
authorization and located in the user’s .ssh2 directory
on the SSH server. The SSH server reads it to learn
which public keys are accepted for that user during
authentication. For example, if a user has two public
keys, id_dsa_2048_a.pub and id_rsa_2048_a.pub, the
contents of the authorization file look like the
following:
Key id_dsa_2048_a.pub
Key id_rsa_2048_a.pub
Note: The public keys listed in the authorization file
must also be present in the user’s .ssh2 directory, as
discussed further in Chapter 4.
AllowAgentForwarding Enables (yes) or disables (no) forwarding of the
client’s SSH agent connection to the server, so that
keys held by ssh-agent2 on the client (a program that
keeps private keys in memory for automated
authentication) can be used to log in onward from the
server. Be aware that while the forwarded connection
is open, root on the server can use those keys too, so
allow this only on servers you trust.
Tunneling
The Tunneling section of the sshd2_config file should look similar to the
following:
# AllowX11Forwarding yes
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:isdigit:]]*4,peelo
# AllowTcpForwardingForGroups priviliged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
Table 2.11 describes the tunneling options available for the SSH server.
Table 2.11 Options in the Tunneling Section (Unix)
OPTION DESCRIPTION
AllowX11Forwarding Enables (yes) or disables (no) the ability for X11
applications to be forwarded over SSH.
AllowTcpForwarding Enables (yes) or disables (no) TCP port forwarding for
all users; the four options below refine it per user
or group. Setting this to no on a server meant only
for file transfer keeps it from being used as a relay
into the internal network.
AllowTcpForwardingForUsers Enables specific users to forward ports, both locally
and remotely. This setting accepts usernames and
patterns, including user@host patterns such as the
cowboyneal@slashdot\.org example.
DenyTcpForwardingForUsers Disables the ability for specific users to forward
ports, both locally and remotely. This setting accepts
usernames and patterns in the same form.
AllowTcpForwardingForGroups Enables members of specific groups to forward ports,
both locally and remotely. This setting accepts group
names and patterns.
DenyTcpForwardingForGroups Disables the ability for members of specific groups to
forward ports, both locally and remotely. This setting
accepts group names and patterns.
Authentication
The Authentication section of the sshd2_config file should look like the
following:
# BannerMessageFile /etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
# PasswordGuesses 3
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications publickey,pam-1@ssh.com
# AllowedAuthentications publickey,password
# RequiredAuthentications publickey,password
# HostbasedAuthForceClientHostnameDNSMatch no
# SshPAMClientPath ssh-pam-client
Table 2.12 describes the authentication options available for the SSH server.
Table 2.12 Options in the Authentication Section (Unix)
OPTION DESCRIPTION
BannerMessageFile Identifies the location of the file that contains the
text displayed to the client before it logs in to the
SSH server. This is very useful for legal disclaimers.
PasswordGuesses Identifies the number of password attempts a user is
given in one connection before being disconnected.
AllowedAuthentications Identifies the authentication methods the server will
accept. Options include password, publickey, hostbased,
and pam-1@ssh.com (PAM); the client may satisfy any
one of them.
RequiredAuthentications Identifies the authentication methods a user must all
pass, so listing publickey,password makes every login
require both a key and a password. If the value is
empty, any method listed in AllowedAuthentications
suffices.
HostbasedAuthForceClientHostnameDNSMatch Requires, for host-based authentication, that the
hostname the client claims match the name obtained by
a reverse DNS lookup of its address.
SshPAMClientPath Identifies the location of the SSH PAM client program
needed for PAM authentication to take place. The
default location is /usr/local/bin/ssh-pam-client.
Host Restrictions
The Host Restrictions section of the sshd2_config file should look like the
following:
#AllowHosts localhost, foobar.com, friendly.org
##AllowHosts t..l.\..*
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
## AllowHosts \i.*
##
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
Table 2.13 describes the Host Restrictions options available for the SSH server.
Table 2.13 Options in the Host Restrictions Section (Unix)
OPTION DESCRIPTION
AllowHosts Identifies the only hostnames, IP addresses, and/or
patterns allowed to log in to the SSH server. Patterns
use egrep-style syntax, so a literal dot must be
written \. (an unescaped dot matches any character),
and a comma inside a pattern must be written \,
because commas separate list entries
DenyHosts Identifies the hostnames, IP addresses, and/or
patterns not allowed to log in to the SSH server, in
the same syntax
AllowSHosts Identifies the hosts that are allowed host-based
authentication, in addition to the entries in
/etc/shosts.equiv
DenySHosts Identifies the hosts that are not allowed host-based
authentication, even if they appear in
/etc/shosts.equiv
IgnoreRhosts Enables (yes) or disables (no) ignoring the per-user
.rhosts and .shosts files, so that only the global
files (hosts.equiv and shosts.equiv) are consulted
IgnoreRootRHosts Enables (yes) or disables (no) ignoring root’s own
.rhosts and .shosts files, so that only the global
files (hosts.equiv and shosts.equiv) are consulted
for root
Users Restrictions
The Users Restrictions section of the sshd2_config file should look like the
following:
# AllowUsers sj.*,s[[:isdigit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest
# PermitRootLogin nopwd
PermitRootLogin no
Table 2.14 describes the Users Restrictions options available for the SSH
server.
Table 2.14 Options in the Users Restrictions Section (Unix)
OPTION DESCRIPTION
AllowUsers Identifies the only users allowed to log in to the SSH
server. This entry can contain a list of users,
separated by a comma, or a pattern-matching
variable.
DenyUsers Identifies the users not allowed to log in to the SSH
server. This entry can contain a list of users,
separated by a comma, or a pattern-matching
variable.
AllowGroups Identifies the only groups allowed to log in to the
SSH server. This entry can contain a list of groups,
separated by a comma, or a pattern-matching
variable.
DenyGroups Identifies the groups not allowed to log in to the
SSH server. This entry can contain a list of groups,
separated by a comma, or a pattern-matching
variable.
PermitRootLogin Enables (yes) or disables (no) the ability for the root
user to log in to the SSH server. As best practice, this
setting should be set to no, as in the active line of
the sample above, forcing administrators to log in as
themselves and then su (switch user) to root. If the
root account must be able to log in directly, the value
“nopwd” allows root to log in directly, but only with
public-key authentication.
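The host patterns in Table 2.13, the user and group patterns in Table 2.14, and the per-user forwarding patterns in Table 2.11 share one syntax, and the usual mistake is an unescaped dot: as a pattern, evil.org also matches evilXorg. The following POSIX shell script, an added example and not code from the book or from SSH Communications, splits a list the way the sample lines are written, matches each entry with grep -E, and reports whether a name is permitted. Its assumptions are stated in the comments: entries separated by commas with \, and \. as escapes, whole-name matching, the Deny list checked before the Allow list, and grep’s POSIX character classes (so [[:digit:]] as in the AllowHosts sample rather than the [[:isdigit:]] spelling in the user-list sample); the \i prefix is not handled. The names ssh2_split_patterns, ssh2_match_any and ssh2_permitted are this example’s own.

```shell
#!/bin/sh
# Evaluate sshd2_config-style pattern lists (AllowHosts/DenyHosts,
# AllowUsers/DenyUsers) against a client hostname or username.  Added
# example, not from the book or from SSH Communications.  Assumptions: list
# entries are separated by commas, a literal comma is written \, and a
# literal dot \. as in the sample lines above, patterns are egrep-style and
# must match the whole name, and a Deny list is consulted before an Allow
# list.  The \i prefix (match the IP address instead) is not handled.

# Split a pattern list on unescaped commas, printing one trimmed entry per
# line with \, restored to a plain comma.
ssh2_split_patterns() {
    printf '%s\n' "$1" | awk '
        function emit(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); print s }
        {
            cur = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\\" && substr($0, i + 1, 1) == ",") { cur = cur ","; i++ }
                else if (c == ",") { emit(cur); cur = "" }
                else cur = cur c
            }
            emit(cur)
        }'
}

# Return 0 if any entry of list $1 matches the whole of name $2.  Each entry
# is anchored, so "evil\.org" matches only evil.org, while an unescaped
# "evil.org" also matches evilXorg.
ssh2_match_any() {
    ssh2_split_patterns "$1" | {
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            if printf '%s\n' "$2" | grep -Eq "^($pat)$"; then exit 0; fi
        done
        exit 1
    }
}

# Decide whether name $3 is permitted given Allow list $1 (empty means no
# restriction) and Deny list $2.  The same logic serves AllowUsers/DenyUsers.
ssh2_permitted() {
    if [ -n "$2" ] && ssh2_match_any "$2" "$3"; then return 1; fi
    if [ -n "$1" ] && ! ssh2_match_any "$1" "$3"; then return 1; fi
    return 0
}

# Usage: sh ssh2_patterns.sh 'allow list' 'deny list' name
if [ $# -eq 3 ]; then
    if ssh2_permitted "$1" "$2" "$3"; then echo "permitted: $3"; else echo "denied: $3"; fi
fi
```

Run it with the lists copied from the sample lines, for example sh ssh2_patterns.sh 'localhost, foobar\.com, friendly\.org' 'evil\.org, aol\.com' friendly.org. Checking a proposed AllowHosts or DenyUsers line this way before loading it catches both an over-broad pattern (the missing backslash) and a pattern that silently matches nothing because a comma inside it was not escaped.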
SSH1 Compatibility
The SSH1 Compatibility section of the sshd2_config file should look similar to
the following:
# Ssh1Compatibility
# Sshd1Path
# Sshd1ConfigFile /etc/sshd_config_alternate
Table 2.15 describes the SSH1 Compatibility options available for the SSH
server.
Table 2.15 Options in the SSH1 Compatibility Section (Unix)
OPTION DESCRIPTION
Ssh1Compatibility Enables (yes) or disables (no) compatibility with
SSH version 1, which is an entirely different
implementation of SSH when compared with SSH
version 2. SSH version 1 is insecure, but may be
required.
Sshd1Path Identifies the location of the SSH version 1 binary
(for example, /usr/local/sbin/sshd1).
Sshd1ConfigFile Identifies the location of the SSH version 1
configuration file (for example, /etc
/ssh1/sshd1_config).
Chrooted Environment
The Chrooted Environment allows specific users to be limited to their home
directories, either with a shell or with file transfer. In addition to entering the
correct information in the sshd2_config file, the ssh-chroot manager needs to
be initiated. The Chrooted Environment section of the sshd2_config file should
look like the following:
# ChRootUsers ftp,guest
# ChRootGroups guest
Table 2.16 describes the Chroot options available for the SSH server.
Table 2.16 Options in the Chrooted Environment Section (Unix)
OPTION DESCRIPTION
ChRootUsers Identifies the users that should be limited to their
home directories, thus chroot users
ChRootGroups Identifies the groups that should be limited to their
home directories, thus chroot groups
Subsystem Definitions
The Subsystem Definitions section of the sshd2_config file should look like the
following:
subsystem-sftp sftp-server
Table 2.17 describes the SFTP options available for the SSH server.
Table 2.17 Options in the Subsystem Definitions Section (Unix)
OPTION DESCRIPTION
subsystem-sftp Identifies the path for the SFTP (secure file transfer
protocol) subsystem to be used with SSH (usually
located in /usr/local/bin)
SSH Communications’ SSH server: Windows
SSH Communications’ SSH server in a Windows environment still uses the
sshd2_config file; however, a GUI is included with the package, and it is the
recommended method of management. In this section, I discuss both the
contents of the sshd2_config file, located in Program Files\SSH Secure Shell
Server, and the GUI management tool, located at Start ➪ Programs ➪ SSH Secure
Shell Server ➪ Configuration.
To view the contents of the sshd2_config file, the file that is used to configure
the SSH server, enter the following commands:
C:\> cd "Program Files\SSH Secure Shell Server"
C:\Program Files\SSH Secure Shell Server> notepad sshd2_config
To open the configuration GUI, browse to the following shortcut:
Start ➪ Programs ➪ SSH Secure Shell Server ➪ Configuration
The configuration screen shows subheadings on the left that correspond to
the sections of the sshd2_config file described above. The GUI is simply a
graphical tool that modifies the sshd2_config file, so I examine both the GUI
tool and the file.
The first screen that appears using the GUI tool is the SSH server settings, as
shown in Figure 2.1. This screen provides information about server status,
event log, and default settings. Server status allows you to start or stop the
server by simply clicking the button. This button starts or stops a service associated
with SSH, which is called SSH Secure Shell 2. The next button, View
Event Log, opens the Windows Event Log in order to view any error or warning
messages from SSH. Lastly, the Restore Default Settings button reinstates
default settings on the SSH server.
The Windows version of sshd2_config file is similar to the Unix version;
however, many differences distinguish the two versions. The following sections
address the Windows sshd2_config file.
General Settings
The general section of the sshd2_config file should look like the following:
## General settings
MaxConnections 0
EventLogFilter error, warning
IdleTimeout 0
BannerMessageFile “”
TerminalProvider “cmd.exe”
DoubleBackspace yes
# ProtocolVersionString
The general section of the SSH configuration GUI should look like Figure 2.2.
Table 2.18 describes the General options available for the SSH server.
Table 2.18 Options from the General Section of the sshd2_config File (Windows)
OPTION DESCRIPTION
MaxConnections Identifies the number of concurrent connections the
SSH server will handle. If the value is set to zero,
the number of concurrent connections is unlimited, as
in the sample above; a finite limit is a simple
defense against connection flooding.
EventLogFilter Identifies which message classes are written to the
Windows Event Log. Possible filters are error,
warning, and information; the sample records errors
and warnings.
IdleTimeout The amount of time a session can remain unused before
it is automatically closed. A setting of zero
specifies no timeout, which may be needed for
long-running backup processes over SSH.
BannerMessageFile Identifies the location of the file containing text to
be displayed before the client logs in to the server.
This is very useful for legal disclaimers.
TerminalProvider Identifies the executable that provides terminal
access to the remote user, usually the command prompt
program (cmd.exe).
Network Settings
The network section of the sshd2_config file should look like the following:
Port 443
ListenAddress 0.0.0.0
RequireReverseMapping no
ResolveClientHostName yes
MaxBroadcastsPerSecond 0
NoDelay yes
KeepAlive yes
The network section of the SSH configuration GUI should look like Figure 2.3.
Table 2.19 describes the Network options available for the SSH server.
Table 2.19 Options in the Network Section (Windows)
OPTION DESCRIPTION
Port Sets the port number for SSH to listen on. The default
port is 22 (the sample above has been changed to 443);
listening on several ports, including nonstandard
ports such as 80, 443, or 8080, may be useful, since
business travelers often cannot make outbound
connections on port 22 while port 80 or 443 is usually
reachable. To listen on multiple ports, add the
following lines:
Port 22
Port 80
Port 443
Port 8080
ListenAddress Sets the IP address the SSH daemon listens on. The
default, 0.0.0.0, enables the SSH service on all
interfaces. If there are interfaces where SSH should
not be listening, such as the external interface of a
firewall, remove 0.0.0.0 and add the appropriate IP
addresses. To listen on only selected interfaces, add
the following lines:
ListenAddress 172.16.1.1,192.168.0.1
ListenAddress 10.0.0.1
RequireReverseMapping Enables (yes) or disables (no) the requirement that a
reverse DNS lookup of the client succeed before
AllowHosts and DenyHosts entries are evaluated. If
enabled and the lookup fails, the connection is
denied. If disabled and the lookup fails, the client’s
IP address is checked against the AllowHosts and
DenyHosts patterns instead.
ResolveClientHostname Enables (yes) or disables (no) resolving the client’s
(sshd2_config file only) IP address to a hostname via DNS.
MaxBroadcastsPerSecond Identifies the number of UDP broadcasts the server
(sshd2_config file only) should handle per second. The default, zero, means
no broadcasts are handled.
