Standard Blue Light sshd configuration

/etc/ssh/sshd_config

Warning: when changing this file remotely, keep the existing ssh session open while the new configuration is applied and test it by starting a second session; only close the old one once the new login works.

Warning: if a parameter is set twice, sshd uses the first value in the file; sshd_config(5) states "For each keyword, the first obtained value will be used." This was confirmed for PermitRootLogin; for UsePAM the behaviour appeared different in testing. Running sshd -T prints the configuration sshd will actually use and is the quickest way to check what is effective. More information in BLAVORG-590.

A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.

Explanation of some of the recommended changes

"PasswordAuthentication no" disables login via password, so only key-based (and any other enabled) authentication remains. Make sure a working key is in authorized_keys before enabling it.

"UsePAM no" avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3". It also stops sshd running PAM account and session modules (e.g. pam_access, pam_limits) for ssh logins, so it is only appropriate where nothing relies on them.

"UseDNS no" stops sshd resolving the client address to a host name and checking that the name maps back to the same address. The check does not make sense for clients on dynamic IPs and only adds delay at login when reverse DNS is slow.

"GSSAPIAuthentication no" turns off GSSAPI (typically Kerberos) authentication, which is not needed when using private/public keys or passwords. Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface

"Compression yes" can improve throughput on slow links carrying compressible data, at the cost of CPU on both ends; it gives nothing on a fast LAN and hurts when the CPU is slow or overloaded.
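As an added example (not from the Blue Light git), the following script reports the value sshd will actually use for each keyword of an sshd_config under the first-value-wins rule and compares it with the settings recommended above. The keyword list, the Keyword=value spelling that it does not handle, and the sample config it writes are constructed for this page.

```shell
#!/bin/sh
# Added example, not from the Blue Light git: report the value sshd will use
# for each keyword in an sshd_config (first value wins) and compare it with
# the settings recommended above. The sample config below is constructed.

# Print the effective value of keyword $2 in file $1: the first uncommented
# occurrence before any Match block. Keywords are case-insensitive; the
# "Keyword=value" spelling is not handled here.
effective_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/   { next }              # comments and blank lines
        tolower($1) == "match" { exit }              # conditional block: stop
        tolower($1) == key     { print $2; exit }    # first value wins
    ' "$1"
}

# Compare file $1 with the recommended values; print one line per keyword
# and return 1 if any value is missing or different.
audit_sshd_config() {
    rc=0
    for pair in PasswordAuthentication=no UsePAM=no UseDNS=no \
                GSSAPIAuthentication=no Compression=yes; do
        kw=${pair%=*} want=${pair#*=}
        got=$(effective_value "$1" "$kw")
        if [ "$got" = "$want" ]; then
            printf 'ok   %-22s %s\n' "$kw" "$got"
        else
            printf 'FAIL %-22s effective=%s wanted=%s\n' "$kw" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: UseDNS is set twice (the second value is ignored) and a
# Match block re-enables passwords for one user. Prints the temp file's path.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
UseDNS yes
PasswordAuthentication no
UsePAM no
GSSAPIAuthentication no
Compression yes
# too late: the first UseDNS value above is the effective one
UseDNS no
Match User backup
    PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

# Usage: sh audit_sshd_config.sh [/etc/ssh/sshd_config]
# Without an argument the constructed sample is audited; its duplicate UseDNS
# shows up as FAIL because the first value (yes) is the effective one.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    audit_sshd_config "$(make_sample_config)" || true
fi
```

The audit deliberately stops at the first Match block: values inside Match apply only to matching connections, so they are not the global setting that a duplicate earlier in the file would shadow. sshd -T on the host itself remains the authoritative check.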

/etc/default/ssh

root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0
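Review bot: the hunk adds SSHD_OPTS=-u0 without documenting what the flag does; add a comment on the page or in /etc/default/ssh stating that -u0 makes sshd record only the numeric client address in utmp (sshd(8), option -u), which also stops it doing reverse DNS lookups for that purpose and so matches the "UseDNS no" setting above.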

Warning: as above, if doing this remotely, keep the existing ssh session open and test by starting a new one.

Check the configuration syntax first with sshd -t (it prints nothing and exits 0 when the file is valid), then enable the new configuration with service ssh restart.

authorized_keys

command=

Security can be tightened by restricting what an authorised key may run: insert command="<command>" before the key itself in authorized_keys. sshd then runs that command regardless of what the client asked for, and passes the client's requested command in the environment variable SSH_ORIGINAL_COMMAND. It is normally combined with no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding so the key cannot be used for anything else. Details in the sshd(8) man page, in the AUTHORIZED_KEYS FILE FORMAT section under command="command".

Sometimes a single fixed command is not convenient because several commands need to be run. A solution is to specify a script in authorized_keys and have the script validate the command it finds in SSH_ORIGINAL_COMMAND before executing it. For example:

#!/bin/bash
# Purpose: validates the command a remote host is attempting to execute by ssh.
# Installed via command="..." in authorized_keys; sshd supplies the client's
# requested command in SSH_ORIGINAL_COMMAND (empty for a plain shell request).

df_regex='^df '
rsync_server_regex='^rsync --server '
stat_regex='^stat --format=%F '

if [[ $SSH_ORIGINAL_COMMAND =~ $df_regex \
    || $SSH_ORIGINAL_COMMAND =~ $rsync_server_regex \
    || $SSH_ORIGINAL_COMMAND =~ $stat_regex \
]]; then
    # Word-split and exec directly: no shell parses the string, so ';' or '|'
    # reach the program as literal arguments. set -f stops this script from
    # expanding glob characters in the client-controlled command.
    set -f
    exec $SSH_ORIGINAL_COMMAND
else
    echo "${0##*/}: command did not pass validation ($SSH_ORIGINAL_COMMAND)" >&2
    exit 1
fi

TODO: enhance the script to read the regexes from a config file.
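As an added example (not from the Blue Light git), the TODO carried out: a forced-command wrapper that reads its allow-list of regexes from a file, together with the authorized_keys line that installs it, and a helper that shows how the exec'd command is split into arguments. The paths /usr/local/sbin/ssh-cmd-guard and /etc/ssh/allowed_commands, the key (a placeholder) and the allow-list contents are constructed for this page.

```shell
#!/bin/sh
# Added example, not from the Blue Light git: forced-command wrapper whose
# allowed-command regexes live in a file. Paths, key and patterns are
# constructed/hypothetical.

ALLOWED_CMDS_FILE=${ALLOWED_CMDS_FILE:-/etc/ssh/allowed_commands}   # assumed path

# Hypothetical authorized_keys entry (placeholder key): the key may only run the
# wrapper and gets no pty and no forwarding. OpenSSH 7.2+ can spell the no-*
# options as "restrict".
AUTHORIZED_KEYS_LINE='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/sbin/ssh-cmd-guard run" ssh-ed25519 AAAA...placeholder backup@example'

# Write the constructed allow-list to file $1: one POSIX ERE per line, each
# anchored at the start. [[:space:]] is used instead of a trailing space so
# the patterns survive editors that strip trailing whitespace.
write_allowed_cmds() {
    cat >"$1" <<'EOF'
# allowed_commands: one anchored ERE per line; '#' lines and blank lines ignored
^df[[:space:]]
^rsync --server[[:space:]]
^stat --format=%F[[:space:]]
EOF
}

# Return 0 if command $1 matches a pattern in file $2, 1 otherwise. An empty
# command (a plain "ssh host" asking for a shell) and a missing or unreadable
# allow-list both fail closed.
cmd_allowed() {
    [ -n "$1" ] || return 1
    while IFS= read -r re || [ -n "$re" ]; do
        case $re in
            *[![:space:]]*) ;;      # has content: keep
            *) continue ;;          # blank or whitespace-only: never a pattern
        esac
        case $re in '#'*) continue ;; esac
        if printf '%s\n' "$1" | grep -Eq -e "$re"; then
            return 0
        fi
    done <"$2"
    return 1
}

# Print, one per line, the argv words that "exec $SSH_ORIGINAL_COMMAND"
# produces. No shell parses the string, so ';', '|' and '&&' become literal
# arguments, and with set -f a '*' is passed through rather than expanded here.
argv_words() {
    ( set -f; set -- $1; printf '%s\n' "$@" )   # $1 unquoted on purpose
}

main() {
    if cmd_allowed "${SSH_ORIGINAL_COMMAND-}" "$ALLOWED_CMDS_FILE"; then
        set -f                        # no globbing of the client-controlled string
        exec $SSH_ORIGINAL_COMMAND    # word-split and exec'd directly, no shell
    fi
    echo "${0##*/}: command did not pass validation (${SSH_ORIGINAL_COMMAND-})" >&2
    exit 1
}

# sshd runs "ssh-cmd-guard run" via the authorized_keys line above; any other
# invocation (sourcing for tests, manual runs) only defines the functions.
if [ "${1-}" = run ]; then
    main
fi
```

Two caveats the allow-list does not remove: a pattern that matches rsync --server still lets the client name any path on both ends of the transfer, so the key can read or write whatever the account can; rrsync, which is distributed with rsync, confines this to one directory. And the wrapper only controls the command, so the no-pty and no-*-forwarding options on the key line are what stop the same key being used for a tunnel or an interactive session.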