...

(warning) Warning: if doing this remotely, keep the existing ssh session open while implementing configuration changes, and test by starting a new session before closing the old one.  Run sshd -t first (or sshd -t -f <file> for a copy that is not yet installed); it reports syntax errors without restarting the daemon.

(warning) If a keyword is set twice, sshd_config(5) documents that the first obtained value is the effective one.  Our experiment confirmed this for PermitRootLogin but appeared not to for UsePAM.  For simplicity we decided not to set any keyword twice (outside Match sections).

A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.

Explanation of some of the recommended changes

The parameters we sometimes change:

  • AllowUsers tightens security: only the listed users may log in, whatever credentials they present.  We set this to root and add others as the need arises.
  • GSSAPIAuthentication no turns off Kerberos/GSSAPI authentication, which is not needed when using public keys or passwords.  Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
  • PasswordAuthentication no disables login via password (the valid values are yes and no; without-password belongs to PermitRootLogin).  Note that with UsePAM yes and ChallengeResponseAuthentication yes (KbdInteractiveAuthentication in newer OpenSSH) a password can still be asked for through keyboard-interactive authentication.
  • PermitRootLogin no disables root login altogether; without-password (called prohibit-password from OpenSSH 7.0, with without-password kept as an alias) lets root log in with a key but never with a password.  We always use without-password, sometimes globally and sometimes within Match Address conditional section(s).
  • UsePrivilegeSeparation yes allows sshd to function in lxc containers (otherwise we use the as-installed no).  Upstream OpenSSH has defaulted this to yes for a long time and removed the option in 7.5, where privilege separation is always on, so check what your package ships before setting it.
  • UsePAM no avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3".  
    (info) The message is caused by PAM's compiled-in retry limit being less than sshd's MaxAuthTries.  With UsePAM no, sshd also skips PAM's account and session modules, so anything they enforce for other logins (limits, lockouts, home directory creation) no longer applies to ssh logins.
  • UseDNS no disables the reverse DNS lookup of the client address (and the forward lookup that checks the name resolves back to the same address).  Does not make sense with dynamic IP addresses, and the lookup only matters for hostname-based matching such as from="host" in authorized_keys; upstream has defaulted it to no since OpenSSH 6.8.
  • Compression yes enhances throughput on slow links, as long as the CPU is not slow or overloaded; on fast links it usually costs more CPU than it saves.

Match Address stanzas

We are still evolving how we use these.  On the two open questions, sshd_config(5) is explicit: keywords inside a Match block whose criteria are satisfied override the global setting for that connection, and the block applies until the next Match line or the end of the file.  Several Match blocks may match the same connection; because the first obtained value of a keyword wins, the first matching block that sets PermitRootLogin is the one that takes effect, so order does matter.  To see the effective configuration for a given client without connecting, run sshd -T -C addr=10.42.23.5,user=root,host=client.example | grep -i permitrootlogin (give at least addr, user and host; older versions refuse -T without them when Match blocks exist).

Some samples:

# Allow root login from the BLUE OpenVPN addresses
Match Address 10.42.23.0/24
    PermitRootLogin without-password

# Allow root login from the BL OpenVPN server
Match Address 10.42.0.1
    PermitRootLogin without-password

# Allow root login from blav2
Match Address 148.251.233.235
    PermitRootLogin without-password
Match Address 10.42.0.2
    PermitRootLogin without-password
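
To make the resolution rules concrete, here is a small model of how sshd picks the effective value of a keyword: first value wins in the global section, and a keyword set in a matching Match block overrides the global value, with the first matching block in file order winning.  This is an added example written for this page; it is not sshd's code and not from the Blue Light repository.  It uses the Match stanzas above together with an assumed global section (the global values are constructed for the illustration), models only Match Address with plain addresses or CIDR ranges (no wildcards, negation, other Match criteria or trailing comments), and is a stand-in for the real check, sshd -T -C addr=...,user=...,host=....

```python
"""Model of how sshd resolves a keyword across the global section and
Match Address blocks, following sshd_config(5): the first obtained value
of a keyword wins, and keywords in a Match block whose criteria hold
override the global section for that client.  Added illustration for this
page, not sshd's own code.  Only 'Match Address' with plain addresses and
CIDR ranges is modelled; the real check is: sshd -T -C addr=...,user=...,host=...
"""
import ipaddress
import re

# Constructed sample: the Match stanzas from this page plus an assumed
# global section (the global values are for illustration only).
SAMPLE_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
UsePAM no
# A second global PermitRootLogin: ignored, because the first value wins.
PermitRootLogin yes

# Allow root login from the BLUE OpenVPN addresses
Match Address 10.42.23.0/24
    PermitRootLogin without-password

# Allow root login from the BL OpenVPN server
Match Address 10.42.0.1
    PermitRootLogin without-password
    PasswordAuthentication yes

# A later block for the same range: the earlier matching block still wins.
Match Address 10.42.23.0/24
    PermitRootLogin no
"""

# Keyword, optional '=', value (sshd accepts "Keyword value" and "Keyword=value").
_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def parse(text):
    """Return (global_opts, duplicates, match_blocks).

    global_opts maps lower-cased keyword -> first value seen.
    duplicates lists (keyword, kept_value, ignored_value) for keywords
    repeated in the global section, i.e. what the warning above avoids.
    match_blocks is a list of (networks, opts) in file order.
    """
    global_opts, duplicates, blocks = {}, [], []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unparsable line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError("only 'Match Address <list>' is modelled: %r" % raw)
            networks = [ipaddress.ip_network(a, strict=False) for a in crit[1].split(",")]
            current = {}
            blocks.append((networks, current))
        elif current is None:
            if key in global_opts:
                duplicates.append((key, global_opts[key], value))
            else:
                global_opts[key] = value
        else:
            current.setdefault(key, value)  # first value inside a block wins too
    return global_opts, duplicates, blocks


def effective(keyword, client_ip, text=SAMPLE_CONFIG):
    """Value of keyword that would apply to a connection from client_ip, or
    None if the config never sets it (sshd would then use its built-in default)."""
    global_opts, _, blocks = parse(text)
    key = keyword.lower()
    ip = ipaddress.ip_address(client_ip)
    # File order: the first matching block that sets the keyword supplies it,
    # and any such value overrides the global section.
    for networks, opts in blocks:
        if key in opts and any(ip in net for net in networks):
            return opts[key]
    return global_opts.get(key)


def duplicate_global_keywords(text=SAMPLE_CONFIG):
    """Keywords repeated in the global section, with the value sshd ignores."""
    return parse(text)[1]


if __name__ == "__main__":
    for ip in ("10.42.23.7", "10.42.0.1", "203.0.113.9"):
        print(ip, "PermitRootLogin =", effective("PermitRootLogin", ip),
              "PasswordAuthentication =", effective("PasswordAuthentication", ip))
    print("duplicate global keywords:", duplicate_global_keywords())
```

Running it shows a VPN client at 10.42.23.7 getting without-password from the first block even though a later block for the same range says no, the OpenVPN server at 10.42.0.1 additionally getting PasswordAuthentication yes, and an outside address falling back to the global PermitRootLogin no (not the duplicate yes).  Point the same functions at your own sshd_config text to audit it, and confirm on the host with sshd -T -C.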

/etc/default/ssh

root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0
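Review bot: the hunk sets SSHD_OPTS=-u0 without recording why. sshd(8) documents -u0 as writing only the client's numeric address to utmp and, as a side effect, stopping sshd from making DNS requests unless authentication or configuration requires them, which complements the UseDNS no setting above; a one-line comment in /etc/default/ssh saying so would save the next reader the lookup.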

...