Blue Light
Space shortcuts
Child pages
  • ssh server configuration
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Standard Blue Light sshd configuration

/etc/ssh/sshd_config

(warning) Warning: if doing this remotely, when implementing configuration changes, keep the existing ssh session open and test by starting a new one.

(warning) If a parameter is set twice, it is the first value in the file which is effective!  Found for PermitRootLogin.  More information in BLAVORG-590.

A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.

Explanation of some of the recommended changes

"PasswordAuthentication no" disables login via password.

"UsePAM no" avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3".

"UseDNS no" disables reverse DNS lookups to see if your hostname matches the IP-address you are connecting from. Does not make sense with dynamic IPs

"GSSAPIAuthentication no" turns off several authentication methods which are not needed when using private/public keys or passwords.  Refrrence: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface

"Compression yes"  enhances throughput, as long as the CPU is not slow or overloaded.

/etc/default/ssh

root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0

Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.

Enable the new configuration by service ssh restart

authorized_keys

command=

Security can be tightened by specifying the command that an authorised key can run by inserting command=<command> before the key itself.  Details in the sshd man page, in the command="command" section.

Sometimes this is not convenient because several commands are to be run.  A solution is to specify a script in authorized_keys and for the script to validate the commands.  For example:

#!/bin/bash
# Purpose: validates the command a remote host is attempting to execute by ss

df_regex='^df '
rsync_server_regex='^rsync --server '
stat_regex='^stat --format=%F '

if [[ $SSH_ORIGINAL_COMMAND =~ $df_regex \
    || $SSH_ORIGINAL_COMMAND =~ $rsync_server_regex \
    || $SSH_ORIGINAL_COMMAND =~ $stat_regex \
]]; then
    exec $SSH_ORIGINAL_COMMAND
else
    echo "${0##*/}: command did not pass validation ($SSH_ORIGINAL_COMMAND)" >&2
    exit 1
fi

TODO: enhance the script to read the regexes from a config file.

  • No labels