SSH chroot

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/

Restrict users to scp and sftp only
http://www.pizzashack.org/rssh/

SSH Multiplexing

Create or append these lines to ~/.ssh/config. The first ssh connection becomes the master (parent) process, and subsequent connections to the same host are made as child processes over that master's socket. This speeds up later connections, and you do not need to authenticate again. This is similar to the Tectia ssh client, which opens additional terminals under the parent connection.

config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p


It may be desirable to start a background master process
ssh -Nf user@host


Starting a second sshd instance on port 24

Put this in rc or supervise
/usr/sbin/sshd -De -p 24 -f /etc/ssh/my_sshd_config


my_sshd_config can look like this:
Port 24
Protocol 2
HostKey /etc/ssh/ssh_host_key
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin yes
MaxStartups 10:30:60
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem      sftp    /usr/libexec/sftp-server
AllowUsers root
PidFile /var/run/sshd24.pid
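An added check, not part of the original page, that audits a file like my_sshd_config above: sshd honours the first occurrence of a keyword, so the script reports that one, and it verifies the port, PidFile and the password and X11 settings shown. It assumes whitespace-separated keyword/value lines (the form used on this page).

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings shown above.
# sshd uses the FIRST occurrence of a keyword, so that is the value reported.

# Effective value of a keyword in an sshd_config file: keywords are
# case-insensitive, the first match wins, comments and blank lines are skipped.
sshd_setting() {
    _file=$1 _key=$2
    awk -v key="$(printf '%s' "$_key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key  { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$_file"
}

# Compare one keyword with its expected value; print PASS/FAIL and
# return 0 on a match, 1 otherwise (an unset keyword counts as a FAIL).
check_setting() {
    _file=$1 _key=$2 _want=$3
    _got=$(sshd_setting "$_file" "$_key")
    if [ "$_got" = "$_want" ]; then
        echo "PASS $_key = $_got"
        return 0
    fi
    echo "FAIL $_key = ${_got:-<unset>} (want $_want)"
    return 1
}

# Audit the settings from the page that most affect exposure; Port and PidFile
# are checked so the second instance does not collide with the default sshd.
audit_sshd_config() {
    _file=$1 _fail=0
    check_setting "$_file" Port 24                       || _fail=1
    check_setting "$_file" PasswordAuthentication no     || _fail=1
    check_setting "$_file" PermitEmptyPasswords no       || _fail=1
    check_setting "$_file" X11Forwarding no              || _fail=1
    check_setting "$_file" PidFile /var/run/sshd24.pid   || _fail=1
    return $_fail
}
```

Run it as `audit_sshd_config /etc/ssh/my_sshd_config` after sourcing the file; a non-zero exit means at least one setting differs from the page's configuration.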


Using certificate for SSH authentication

Generate a user key pair
ssh-keygen -t dsa -b 2048


Append the content of .ssh/id_dsa.pub to the target server's .ssh/authorized_keys and make sure the following are enabled in the sshd config file:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys


Logging IP instead of DNS

Start sshd with the -u0 option (utmp host name length 0), so the remote IP address is recorded in utmp instead of the resolved host name.

Building ssh from source

Obtain openssh from http://www.openssh.org
Compile with these options on RHEL5 (PAM support is not required for key-based authentication):

./configure --sysconfdir=/etc/ssh --with-pam --with-md5-passwords
If you are upgrading openssl as well, add --with-ssl-dir=/usr/local to the configure options.


Related knowledge
ssh attacks


Valid XHTML 1.0 Transitional :: Valid CSS :: Powered by WikkaWiki