Linux/sshd

sshd
SSH Daemon

Configuration Options
More information: man sshd_config

Allow Tunneling
Allow Tunneling (/etc/ssh/sshd_config): AllowTcpForwarding yes

Allow Reverse Tunnel
Reverse: ssh -R 8000:localhost:80 oli@remote-machine

Allow this with:

/etc/ssh/sshd_config:

Match User oli
    GatewayPorts yes

ref: https://askubuntu.com/questions/50064/reverse-port-tunnelling

keywords reverse tunnel reverse proxy

SFTP
To provide SFTP access to Linux accounts only (no shell access), change the user's shell to /usr/libexec/openssh/sftp-server, e.g. in /etc/passwd:

test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

See vsftpd

/etc/ssh/sshd_config:

# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

chroot
/etc/ssh/sshd_config:

#Subsystem     sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
    ChrootDirectory /home/%u
    #ForceCommand internal-sftp
    AllowTcpForwarding no

If you want to use 'sftp-server' in the chroot, you have to copy it and add the appropriate libraries, but why bother when internal-sftp works just fine.

Setup chroot home directory:

NEWUSER=ezra
adduser $NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

cd /home/$NEWUSER

mkdir home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir -p home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
chown -R $NEWUSER:$NEWUSER home/$NEWUSER   # -R: sshd reads authorized_keys as the user, so .ssh must be readable by them
ln -s home/$NEWUSER/.ssh .ssh    # sshd still tries to access the real /home/user/.ssh path

# libs for shell apps and ssh access
mkdir -p {bin,dev,dev/pts,lib64,home,home/$NEWUSER}   # -p: home/$NEWUSER already exists from above
cp -p /bin/{bash,cat,cp,ls,mv} bin/
cp -p /lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcap.so.2,libc.so.6,libdl.so.2,libpthread.so.0,librt.so.1,libselinux.so.1,libtinfo.so.5} lib64/
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mknod -m 666 dev/tty c 5 0
mknod -m 666 dev/ptmx c 5 2
chmod 755 dev/pts

Find missing libraries with ldd (e.g. ldd /bin/bash).

chroot sftp only
/etc/ssh/sshd_config:

#Subsystem     sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

/etc/passwd:

ezra:x:507:507::/home/ezra:/bin/false

Setup chroot home directory:

NEWUSER=ezra
adduser $NEWUSER
cd /home/$NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

mkdir -p home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
chown -R $NEWUSER:$NEWUSER home/$NEWUSER/.ssh
ln -s home/$NEWUSER/.ssh .ssh    # sshd still tries to access the real /home/user/.ssh path

# pub directory
mkdir pub
chmod 775 pub
chown $NEWUSER:$NEWUSER pub

Allow and Deny Users
/etc/ssh/sshd_config:

DenyUsers user1 user2 user3
DenyGroups group1 group2
AllowUsers user1 user2
AllowGroups group1 group2

no reverse dns lookup
If you are having delays due to DNS lookups, these can be disabled:

/etc/ssh/sshd_config:

#UseDNS yes
UseDNS no

man sshd_config: UseDNS  Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is “yes”.

Banner
/etc/ssh/sshd_config: Banner /etc/sshd/sshd-banner

sample /etc/sshd/sshd-banner:

NOTICE TO USERS

WARNING! The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law.

All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.

 * How to force sshd server to display login banner before login (change the ssh server login banner) - http://www.cyberciti.biz/tips/change-openssh-sshd-server-login-banner.html
 * Login Banner | SSH Banner Howto - http://www.review-ninja.com/2009/05/login-banner-ssh-banner-howto.html

Allow Public Key Authentication
/etc/ssh/sshd_config:

# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys

Fancy key location: AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

Additional Details:

Configuring OpenSSH to accept public-key authentication - http://linux-sxs.org/networking/openssh.putty.html

To enable OpenSSH to accept SSH version 2 public keys, modify /etc/ssh/sshd_config: use vi (or whatever editor you are familiar with) to uncomment/add/modify the following lines:

# the default SSH port is 22, you could alter it if necessary
Port 22

# accept version 2 keys only
Protocol 2

# NEVER allow root to login directly over the net
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes

# securing your OpenSSH
# do not use host-based authentication for security reason
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no

# do not allow telnet-type login for security reason
ChallengeResponseAuthentication no
PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
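A way to confirm that the hardening settings above are actually in effect is to compare the output of `sshd -T` (the effective configuration, lowercased, one "keyword value" per line) against the expected values. This audit script is an added example, not part of the original page or the linked tutorial; the `sshd -T` sample it embeds is constructed so that it runs offline.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the list above.
# Constructed sample of `sshd -T` output (two settings left insecure on purpose)
SAMPLE_SSHD_T='port 22
permitrootlogin yes
strictmodes yes
maxauthtries 3
pubkeyauthentication yes
hostbasedauthentication no
ignoreuserknownhosts yes
permitemptypasswords no
kbdinteractiveauthentication no
passwordauthentication yes
x11forwarding yes'

# Expected values. ChallengeResponseAuthentication is reported by newer
# releases as kbdinteractiveauthentication, so it is not checked by name here.
WANTED='permitrootlogin no
strictmodes yes
maxauthtries 3
pubkeyauthentication yes
hostbasedauthentication no
ignoreuserknownhosts yes
permitemptypasswords no
passwordauthentication no'

# $1: `sshd -T` text. Prints one MISMATCH line per deviation; returns 1 if any.
audit_sshd_config() {
    config=$1
    bad=0
    while read -r key want; do
        # first value reported for this keyword, empty if the keyword is absent
        have=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '${have:-<unset>}', want '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    [ "$bad" -eq 0 ]
}

# Offline run against the constructed sample; on a live host use "$(sshd -T)"
audit_sshd_config "$SAMPLE_SSHD_T" || echo "sample config needs hardening"
```

On a real host run it as root as `audit_sshd_config "$(sshd -T)"`; to see the values inside a Match block, add `-C user=ezra,addr=192.0.2.10,host=client.example.net` (placeholder client values) to the `sshd -T` call.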

Setup SSHD
mkdir -p /etc/ssh
touch /etc/ssh/sshd_config

# you only have to have one of these to start sshd, but might as well have all
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key       # rsa v1
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key    # rsa v2 default
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key    # dsa v2

/sbin/sshd

Secure Linux
If you have copied keys using ssh-copy-id, you may need to fix the Secure Linux permissions: restorecon -r -v ~/.ssh

keywords
ssh sshd secure shell