
OpenSSH Server Configuration

SSH is the only way one should be connecting a remote shell to their Linux machines. SSH can provide remote shells, secure FTP (SFTP) and functions nicely as a tunnel for rsync. SSH comes with nearly every distribution (99% of them, anyway), is easy to set up and provides excellent security. This article covers OpenSSH 4.2; other implementations exist.

SSH Server Daemon

The sshd daemon provides the server portion of SSH; its configuration is usually located at /etc/ssh/sshd_config. Distributions vary on the defaults in here: some support protocols one and two, some only two. Regardless of your distribution, below are the relevant portions of a fairly tightened server with inline comments. Notably, root is denied, passwords are disabled and groups are restricted. Read man sshd_config.

# limit protocol and listen address
Protocol 2
ListenAddress 1.2.3.4
# restrict logins
LoginGraceTime 1m
MaxAuthTries 3
PermitRootLogin no
PasswordAuthentication no
# with UsePAM yes, keyboard-interactive would still prompt for a password
# unless challenge-response is turned off as well
ChallengeResponseAuthentication no
UsePAM yes
# sshd evaluates DenyUsers before AllowUsers, so "DenyUsers *" would lock
# everyone out; users and groups not listed here are denied anyway
AllowUsers sshd_user_a sshd_user_b
# DenyUsers *
AllowGroups sshd_users wheel
PrintMotd yes
UseDNS yes
# disable if not needed
# Subsystem       sftp    /usr/lib/misc/sftp-server
# If you can limit this it might be a good idea (hmac-sha1 is the stronger choice)
MACs hmac-md5
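As an added example (not from the original article), the following Python script reads an sshd_config listing and reports the pitfalls the settings above guard against: root login, password authentication, the UsePAM/ChallengeResponseAuthentication interaction, DenyUsers being evaluated before AllowUsers, and an MD5 MAC. It assumes sshd's first-value-wins rule for repeated keywords and ignores Match blocks; SAMPLE_CONFIG is a constructed input, not a real host.

```python
"""Audit sshd_config text for the hardening pitfalls discussed above."""

def parse_sshd_config(text):
    """Return {lowercase keyword: value}; first value wins, stop at Match."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only knows full-line comments
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # everything after a Match block is conditional
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_sshd_config(text)
    get = lambda key, default: c.get(key, default).lower()
    findings = []
    # Protocol default varies by distribution; absent is assumed to mean 2 here
    if "1" in get("protocol", "2").replace(",", " ").split():
        findings.append("Protocol 1 is enabled")
    if get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # With UsePAM yes, keyboard-interactive still prompts for a password unless
    # ChallengeResponseAuthentication (default yes) is turned off as well
    if get("usepam", "no") == "yes" and get("challengeresponseauthentication", "yes") != "no":
        findings.append("UsePAM yes without ChallengeResponseAuthentication no")
    # sshd evaluates DenyUsers before AllowUsers, so '*' denies the allowed users too
    if "*" in get("denyusers", "").split() and "allowusers" in c:
        findings.append("DenyUsers * is evaluated before AllowUsers and locks everyone out")
    if "hmac-md5" in get("macs", "").split(","):
        findings.append("MACs permit hmac-md5")
    return findings

# Constructed sample (not a real host) carrying the DenyUsers and PAM pitfalls
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
AllowUsers sshd_user_a sshd_user_b
DenyUsers *
MACs hmac-md5
"""
```

Run audit_sshd_config(open("/etc/ssh/sshd_config").read()) to check a live file; each finding names the directive to fix.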

SSH Authorized Keys Automatic Login

SSH can automatically authenticate connections when the client presents an authorized key. A client gives its public key to a server, and when it connects the server knows it's allowed in and automatically allows the connection. The keys are specific to users, so a key for user_a will not let user_b in.

Few Simple Steps

  1. Create Keys

    If the keys don't exist already you must create them. Look in your ~/.ssh for files called id_rsa and id_rsa.pub. If those files don't exist, run ssh-keygen -b 2048 -t rsa to create them.

  2. Place Keys on Server

    Copy id_rsa.pub to the server, then append it to ~/.ssh/authorized_keys.

In the Creo section we have a script to automate this process.

Optionally you can use a DSA key, simply replace `rsa` with `dsa` above.

© 1999-2008 Edoceo, Inc.