Linux/sshd

From Omnia
Jump to: navigation, search

sshd

SSH Daemon

Configuration Options

More information:

man sshd_config

Allow Tunneling

Allow Tunneling (/etc/ssh/sshd_config):

AllowTcpForwarding yes

SFTP

To provide SFTP access to linux accounts only (no shell access) change user's shell to:

/usr/libexec/openssh/sftp-server
test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

See vsftpd


/etc/ssh/sshd_config:

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

chroot

/etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
        ChrootDirectory /home/%u
        #ForceCommand internal-sftp
        AllowTcpForwarding no

If you want to use 'sftp-server' in the chroot, you have to copy it and add the appropriate libraries, but why bother when internal-sftp works just fine.

Setup chroot home directory:

NEWUSER=ezra
adduser $NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

cd /home/$NEWUSER

mkdir home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir -p home/$NEWUSER/.ssh
chown $NEWUSER:$NEWUSER home/$NEWUSER
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
ln -s home/$NEWUSER/.ssh .ssh  # sshd still tries to access the real /home/user/.ssh path

# libs for shell apps and ssh access
mkdir {bin,dev,dev/pts,lib64,home,home/$NEWUSER}
cp -p /bin/{bash,cat,cp,ls,mv} bin/
cp -p /lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcap.so.2,libc.so.6,libdl.so.2,libpthread.so.0,librt.so.1,libselinux.so.1,libtinfo.so.5} lib64/
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mknod -m 666 dev/tty c 5 0
mknod -m 666 dev/ptmx c 5 2
chmod 755 dev/pts

find missing libraries (eg. ldd /bin/bash)

chroot sftp only

/etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

/etc/passwd:

ezra:x:507:507::/home/ezra:/bin/false

Setup chroot home directory:

NEWUSER=ezra
adduser $NEWUSER
cd /home/$NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

mkdir -p home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER/.ssh -R
ln -s home/$NEWUSER/.ssh .ssh  # sshd still tries to access the real /home/user/.ssh path

# pub directory
mkdir pub
chmod 775 pub
chown $NEWUSER:$NEWUSER pub

Allow and Deny Users

/etc/ssh/sshd_config:

DenyUsers user1 user2 user3
DenyGroups group1 group2
AllowUsers user1 user2
AllowGroups group1 group2

no reverse dns lookup

If you are having delays due to DNS lookups, these can be disabled:

/etc/ssh/sshd_config:

#UseDNS yes
UseDNS no

man sshd_config:

UseDNS  Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP
            address maps back to the very same IP address.  The default is “yes”.

/etc/ssh/sshd_config:

Banner /etc/sshd/sshd-banner

sample /etc/sshd/sshd-banner:

*****************************************************************************

                              NOTICE TO USERS

      WARNING! The use of this system is restricted to authorized users,
        unauthorized access is forbidden and will be prosecuted by law.

         All information and communications on this system are subject
               to review, monitoring and recording at any time,
             without notice or permission. Users should have no
                            expectation of privacy.

*****************************************************************************

Allow Public Key Authentication

/etc/ssh/sshd_config:

# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

Fancy key location:

AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys


Additional Details:

Configuring OpenSSH to accept public-key authentication - http://linux-sxs.org/networking/openssh.putty.html

To enable your OpenSSH to accept version 2 public key, you would need to modify /etc/ssh/sshd_config. You could use vi editor (or whatever editor you are familiar with) to uncomment/add/modify the following lines to /etc/ssh/sshd_config:


# the default SSH port is 22, you could alter it if necessary
Port 22

# accept version 2 keys only
Protocol 2

# NEVER allow root to login directly over the net
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes

# securing your OpenSSH
# do not use host-based authentication for security reason
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPassword no

# do not allow telnet-type login for security reason
ChallengeResponseAuthentication no
PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10

Setup SSHD

mkdir -p /etc/ssh
touch /etc/ssh/sshd_config
# you only have to have one of these to start sshd, but might as well have all
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key     # rsa v1
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key  # rsa v2 default
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key  # dsa v2
/sbin/sshd

Secure Linux

If you have copied keys using ssh-copy-id, you may need to fix the Secure Linux permissions:

restorecon -r -v ~/.ssh

keywords

ssh sshd secure shell