...

Standard Blue Light sshd configuration

...

/etc/ssh/sshd_config

...

Warning: The AllowUsers and Match Address changes made in this example may need adjusting for local requirements.

root@localhost:/etc/ssh# diff sshd_config{.org,}
27c27
< PermitRootLogin yes
---
> PermitRootLogin no
51a52
> PasswordAuthentication no
87c88,100
< UsePAM yes
---
> UsePAM no
>
> # Blue Light changes to improve performance
> UseDNS no
> GSSAPIAuthentication no
> Compression yes
>
> # Blue Light extras
> AllowUsers root
> Match Address 192.168.10.0/24
>       PermitRootLogin without-password
> Match Address 10.42.0.1
>       PermitRootLogin without-password

...

"PasswordAuthentication no" disables login via password. Many sites recommend then also setting UsePAM to no; there was no reason clear enough to be worth mentioning here.

"UsePAM no" avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3".

"UseDNS no" disables the reverse DNS lookup that checks whether the hostname of the IP address you are connecting from resolves back to that address. This does not make sense with dynamic IPs.

...

"Compression yes" on fast machines will enhance throughput.

"AllowUsers root" TBC

"Match Address 192.168.10.0/24" matches the Blue Light LAN in the Town Hall. Only required on ssh servers in the Town Hall.

"Match Address 10.42.0.1" matches the Blue Light OpenVPN network node "blav" and so requires that OpenVPN clients (appear to) come from blav.
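The two Match Address blocks only change PermitRootLogin for connections from those addresses; everywhere else the global "PermitRootLogin no" applies. The following added check (not part of this page or of the Blue Light configuration) works out which value sshd will apply to a client at a given address, using that precedence: the first matching Match block that sets a keyword wins, otherwise the global value. The config text is a constructed copy of the directives in the diff above, and the parser is assumed to need only "Match Address" with CIDR or plain addresses.

```python
import ipaddress
# Constructed sample: the directives from the Blue Light sshd_config diff above.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
UsePAM no
Match Address 192.168.10.0/24
      PermitRootLogin without-password
Match Address 10.42.0.1
      PermitRootLogin without-password
"""
# "without-password" is the pre-OpenSSH-7.0 spelling of "prohibit-password".
ROOT_LOGIN_ALIASES = {"without-password": "prohibit-password"}

def parse_sshd_config(text):
    """Return (global directives, [(networks, directives), ...]).  Only
    'Match Address' with CIDR/plain addresses is handled (no '!' or wildcards);
    within one scope the first occurrence of a keyword wins, as in sshd."""
    global_cfg, matches, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, arg = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("unsupported Match criterion: " + crit)
            scope = {}
            matches.append(([ipaddress.ip_network(a, strict=False)
                             for a in arg.strip().split(",")], scope))
            continue
        (global_cfg if scope is None else scope).setdefault(key, value)
    return global_cfg, matches

def effective_setting(text, keyword, client_ip):
    """Value sshd applies to a client from client_ip: the first matching
    Match block that sets the keyword wins, otherwise the global value."""
    global_cfg, matches = parse_sshd_config(text)
    addr, keyword = ipaddress.ip_address(client_ip), keyword.lower()
    for nets, scope in matches:
        if keyword in scope and any(addr in net for net in nets):
            return scope[keyword]
    return global_cfg.get(keyword)

def root_login_policy(text, client_ip):
    """Effective PermitRootLogin with the deprecated alias normalised."""
    value = effective_setting(text, "PermitRootLogin", client_ip)
    return ROOT_LOGIN_ALIASES.get(value, value)
```

Running `root_login_policy(SAMPLE_SSHD_CONFIG, "10.42.0.2")` shows that a VPN client not appearing as blav gets "no", which is the point of the 10.42.0.1 match.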

/etc/default/ssh

root@localhost:/etc/default# diff ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0

...