Standard Blue Light sshd configuration
/etc/ssh/sshd_config
Warning: if doing this remotely, when implementing configuration changes, keep the existing ssh session open and test by starting a new one.
A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.
Explanation of some of the recommended changes
"PasswordAuthentication no"
disables login via password.
"UsePAM no"
avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3".
"UseDNS no"
disables the reverse DNS lookup that checks whether the client's hostname matches the IP address it connects from. The check is pointless for clients on dynamic IP addresses.
"GSSAPIAuthentication no"
turns off GSSAPI-based authentication methods, which are not needed when using public/private keys or passwords. Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
"Compression yes"
improves throughput, as long as the CPU is not slow or overloaded.
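Before restarting the daemon it is worth checking what it will actually use: sshd -t checks the syntax of the file, and sshd -T prints the effective configuration (one lower-case keyword and its value per line), which may differ from the file if a Match block or a later duplicate keyword overrides a setting. The script below is an added example, not part of the Blue Light repository: it compares sshd -T style output against the values recommended above and reports every deviation. It runs here on a constructed sample so it works offline; on a real host pipe the real output into it.

```bash
#!/bin/bash
# Added example (not from the Blue Light git): audit the effective sshd
# configuration against the settings recommended on this page.
# Real use (as root):   sshd -T | audit_sshd_config

# Recommended values, in the "keyword value" form that sshd -T prints.
EXPECTED_SSHD_SETTINGS='passwordauthentication no
usepam no
usedns no
gssapiauthentication no
compression yes'

# audit_sshd_config: reads sshd -T output on stdin, prints one line per
# deviation from EXPECTED_SSHD_SETTINGS and returns the number of
# deviations (0 means the daemon matches the recommendations).
audit_sshd_config() {
    local effective deviations=0 key want have
    effective=$(cat)
    while read -r key want; do
        [ -n "$key" ] || continue
        # first value sshd -T reports for this keyword, if any
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf '%s: not present in effective configuration (want %s)\n' "$key" "$want"
            deviations=$((deviations + 1))
        elif [ "$have" != "$want" ]; then
            printf '%s: effective %s, want %s\n' "$key" "$have" "$want"
            deviations=$((deviations + 1))
        fi
    done <<< "$EXPECTED_SSHD_SETTINGS"
    return "$deviations"
}

# Constructed sample standing in for "sshd -T" output from a host that has
# not been hardened yet (only the keywords of interest are shown).
SAMPLE_SSHD_T='port 22
passwordauthentication yes
usepam yes
usedns no
gssapiauthentication no
compression yes'

deviation_count=0
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config || deviation_count=$?
if [ "$deviation_count" -eq 0 ]; then
    echo "effective configuration matches the recommendations"
else
    echo "$deviation_count deviation(s) found" >&2
fi
```

Run it after editing sshd_config but before the restart, from the session you keep open as the warning above says; a non-zero return value means at least one recommended setting is not in effect.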
/etc/default/ssh
root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0
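Review bot: the only changed line, SSHD_OPTS=-u0, is not explained anywhere on the page. The -u option sets the length of the remote host name field in utmp, and -u0 makes sshd record the dotted-decimal address instead of resolving a host name, so it also stops sshd from making DNS requests that the authentication methods or configuration do not require. A one-line note to that effect belongs next to the UseDNS entry above, since the two settings serve the same purpose.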
Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.
Enable the new configuration with: service ssh restart
authorized_keys
command=
Security can be tightened by restricting an authorised key to a single command: insert command=<command> before the key itself. Details are in the sshd man page, in the command="command" section of AUTHORIZED_KEYS FILE FORMAT.
Sometimes this is not convenient because several commands are to be run. A solution is to specify a script in authorized_keys and have the script validate the command the client asked for, which sshd passes in the SSH_ORIGINAL_COMMAND environment variable. For example:
#!/bin/bash
# Purpose: validates the command a remote host is attempting to execute by ssh.
# Installed as the command= of a key in authorized_keys; sshd puts the client's
# requested command line in SSH_ORIGINAL_COMMAND (unset for an interactive
# login attempt, which therefore fails validation below).
df_regex='^df '
rsync_server_regex='^rsync --server '
stat_regex='^stat --format=%F '
if [[ $SSH_ORIGINAL_COMMAND =~ $df_regex \
   || $SSH_ORIGINAL_COMMAND =~ $rsync_server_regex \
   || $SSH_ORIGINAL_COMMAND =~ $stat_regex \
   ]]; then
    # Deliberately unquoted: the string is word-split into command and
    # arguments and run directly, replacing this script; no shell parses it.
    exec $SSH_ORIGINAL_COMMAND
else
    echo "${0##*/}: command did not pass validation ($SSH_ORIGINAL_COMMAND)" >&2
    exit 1
fi
TODO: enhance the script to read the regexes from a config file.
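One way to do that, as an added example rather than the Blue Light script itself: the allowed-command regexes move into a file, one extended regex per line, and the validation is split into a function that only decides and an entry point that only executes. The file path /etc/ssh/allowed_commands.regex, the wrapper path /usr/local/sbin/validate-ssh-command and the logger tag are assumptions for the example. When the script is not running under sshd (SSH_CONNECTION unset) it runs a self-check on a constructed regex file instead of executing anything. Note that the three sample regexes, like the ones above, only pin the command name and its first option; a tighter file would also pin the arguments, for example the directory rsync --server is allowed to write to.

```bash
#!/bin/bash
# Added example, not the Blue Light script: the forced-command validator with
# its allowed-command regexes read from a file.
# Assumed regex file: /etc/ssh/allowed_commands.regex, one extended regex per
# line; blank lines and lines starting with '#' are ignored.
# Assumed authorized_keys entry (key material elided):
#   command="/usr/local/sbin/validate-ssh-command",no-port-forwarding,no-pty ssh-ed25519 AAAA... backup@client

# validate_ssh_command REGEX_FILE COMMAND
# Returns 0 when COMMAND matches at least one regex in REGEX_FILE, 1 when it
# matches none (including an empty COMMAND), 2 when the file is unreadable.
# Nothing is executed here; the caller decides what to do with the verdict.
validate_ssh_command() {
    local regex_file=$1 cmd=$2 regex
    [ -r "$regex_file" ] || return 2
    while IFS= read -r regex || [ -n "$regex" ]; do
        case $regex in ''|'#'*) continue ;; esac
        # =~ anchors ^ at the start of the whole string, so a command
        # containing a newline cannot sneak a matching second line past it
        if [[ $cmd =~ $regex ]]; then
            return 0
        fi
    done < "$regex_file"
    return 1
}

# run_forced_command REGEX_FILE: the entry point used from authorized_keys.
# An interactive login attempt (no SSH_ORIGINAL_COMMAND) is rejected too.
run_forced_command() {
    local regex_file=$1 cmd=${SSH_ORIGINAL_COMMAND:-}
    if [ -z "$cmd" ]; then
        echo "${0##*/}: no command supplied; interactive logins are not allowed" >&2
        exit 1
    fi
    if validate_ssh_command "$regex_file" "$cmd"; then
        logger -t validate-ssh-command "allowed: $cmd"
        # deliberately unquoted: word-split into command and arguments,
        # run directly with no shell, replacing this script
        exec $cmd
    fi
    logger -t validate-ssh-command "rejected: $cmd"
    echo "${0##*/}: command did not pass validation ($cmd)" >&2
    exit 1
}

if [ -n "${SSH_CONNECTION:-}" ]; then
    # running under sshd: act as the forced command
    run_forced_command /etc/ssh/allowed_commands.regex
else
    # offline self-check on a constructed copy of the regex file
    demo_file=$(mktemp)
    printf '%s\n' '# constructed sample of /etc/ssh/allowed_commands.regex' \
        '^df ' '^rsync --server ' '^stat --format=%F ' > "$demo_file"
    for c in 'df -h /srv' 'rsync --server --sender -vlogDtpre.iLsfxC . /srv/' \
             'stat --format=%F /etc' 'cat /etc/shadow' 'sh -c df'; do
        if validate_ssh_command "$demo_file" "$c"; then
            echo "allowed:  $c"
        else
            echo "rejected: $c"
        fi
    done
    rm -f "$demo_file"
fi
```

The regex file should be owned by root and not writable by the key's user, otherwise the user can widen the allow-list themselves; the logger calls give the accepted and rejected commands a place in syslog where they can be alerted on.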