Formatting code for ssh
{{parent page="GeneralUnix"}}
===SSH chroot===
http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
==Restrict users to scp and sftp only==
http://www.pizzashack.org/rssh/
===SSH Multiplexing===
Create or append the following to ~/.ssh/config. The first ssh connection to a host becomes the master process and later connections to the same host are multiplexed over it as child sessions, so they start faster and do not need to authenticate again. This is similar to the Tectia ssh client, which opens additional terminals under the parent connection. Any process running as your user can open new sessions over the control socket without authenticating, so the ControlPath should include %r, %h and %p (or %C) and live in a directory that other users cannot write to; with Host * this applies to every host you connect to.
%%(text;config)
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
%%
To start the master connection in the background without running a remote command (-N) and drop to the background once authenticated (-f):
%%
ssh -Nf user@host
%%
=== Starting a second instance of sshd on port 24 ===
Put this in an rc script or under supervise:
%%
/usr/sbin/sshd -De -p 24 -f /etc/ssh/my_sshd_config
%%
my_sshd_config can look like this (comments added; HostDsaKey in the original is not a valid sshd_config directive and would stop sshd from starting, so both host keys are given with HostKey):
%%
Port 24
Protocol 2
# every host key is declared with HostKey; ssh_host_key is the protocol 1 key
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
# ServerKeyBits and KeyRegenerationInterval apply to protocol 1 only
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
# only root may log in (AllowUsers) and password logins are off; if UsePAM is
# enabled also set ChallengeResponseAuthentication no, or keyboard-interactive
# password logins remain possible
PermitRootLogin yes
MaxStartups 10:30:60
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
# KeepAlive is the old name of TCPKeepAlive
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
# the Rhosts* and RSAAuthentication directives apply to protocol 1 only
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server
AllowUsers root
PidFile /var/run/sshd24.pid
%%
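As an added example (not from this wiki page or from OpenSSH), a small Python audit that parses an sshd_config in the style above and flags an invalid HostDsaKey line, protocol-1-only directives, deprecated aliases, risky values and repeated directives; SAMPLE, parse_sshd_config and audit_sshd_config are names chosen here and SAMPLE is a constructed input.

```python
import re

# Protocol-1-only directives: server support ended in OpenSSH 7.4, later sshd ignores them.
PROTO1_ONLY = {"serverkeybits", "keyregenerationinterval", "rsaauthentication",
               "rhostsrsaauthentication", "rhostsauthentication"}
ALIASES = {"keepalive": "TCPKeepAlive"}          # old spellings sshd still accepts
RISKY = {                                         # (keyword, value) -> why a defender looks twice
    ("permitrootlogin", "yes"): "direct root login; prefer prohibit-password or no",
    ("passwordauthentication", "yes"): "password logins enabled; key-only is stronger",
    ("permitemptypasswords", "yes"): "empty passwords accepted",
}

def parse_sshd_config(text):
    """Yield (keyword_lowercased, value); skips blanks/#-comments, accepts 'Key value' or 'Key=value'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        yield m.group(1).lower(), m.group(2).strip()

def audit_sshd_config(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings, first_seen = [], {}
    for key, value in parse_sshd_config(text):
        if key == "hostdsakey":
            # An unknown keyword is fatal: sshd exits with "Bad configuration option".
            findings.append("HostDsaKey is not an sshd_config directive; use HostKey <path>")
        elif key in PROTO1_ONLY:
            findings.append(f"{key}: protocol-1-only directive, ignored by modern sshd")
        elif key in ALIASES:
            findings.append(f"{key}: deprecated alias of {ALIASES[key]}")
        if (key, value.lower()) in RISKY:
            findings.append(f"{key} {value}: {RISKY[(key, value.lower())]}")
        if key in first_seen:
            # For scalar directives sshd keeps the FIRST occurrence; a later repeat is ignored.
            findings.append(f"{key}: repeated, first value ({first_seen[key]}) wins")
        first_seen.setdefault(key, value)
    return findings

# Constructed sample in the style of the port-24 config above (not the page's file).
SAMPLE = """Port 24
HostDsaKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
PermitRootLogin yes
KeepAlive yes
PasswordAuthentication no
PasswordAuthentication yes
"""
```

Running audit_sshd_config(SAMPLE) returns six findings; run it against a real file with audit_sshd_config(open("/etc/ssh/my_sshd_config").read()) before starting the second sshd.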
=== Using certificate for SSH authentication ===
Generate a user key pair on the client. What this page calls a certificate is an ordinary public key, not a CA-signed OpenSSH certificate. ssh-keygen refuses -t dsa -b 2048 (DSA keys are fixed at 1024 bits) and current OpenSSH disables DSA altogether, so generate an RSA key instead:
%%
ssh-keygen -t rsa -b 2048
%%
Append the content of .ssh/id_rsa.pub to the target server's .ssh/authorized_keys and make sure the following are enabled in the sshd config file (RSAAuthentication covers protocol 1 only; PubkeyAuthentication is the protocol 2 setting):
%%
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
%%
=== Logging IP instead of DNS ===
Start sshd with the **-u0** option: it records the client's dotted-decimal address in utmp (what who and last show) instead of the hostname, and keeps sshd from doing reverse DNS lookups unless an authentication mechanism or the configuration needs them.
===Building ssh from source===
Obtain OpenSSH from http://www.openssh.org
Compile with these options on RHEL5. PAM support is not required for key-based authentication, but --with-pam keeps PAM account and session handling available:
%%
./configure --sysconfdir=/etc/ssh --with-pam --with-md5-passwords
%%
If you are upgrading OpenSSL as well, add --with-ssl-dir=/usr/local to the configure options.
==Related knowledge==
[[SecurityAttacks ssh attacks]]