Standard Blue Light sshd configuration
/etc/ssh/sshd_config
Warning: if doing this remotely, keep the existing ssh session open while implementing configuration changes and test by starting a new one.
If a parameter is set twice, it may be the first value in the file that takes effect! Experiment showed that was true for PermitRootLogin and not for UsePAM. For simplicity we decided not to have any parameter set twice.
A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.
Explanation of some of the recommended changes
PasswordAuthentication
  no or without-password disables login via password.
UsePAM
  no avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3". The message is caused by PAM's compiled-in retry limit being lower than sshd's.
UseDNS
  no disables the reverse DNS lookup that checks whether your hostname matches the IP address you are connecting from. This does not make sense with dynamic IP addresses.
GSSAPIAuthentication
  no turns off several authentication methods which are not needed when using private/public keys or passwords. Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
Compression
  yes enhances throughput, as long as the CPU is not slow or overloaded.
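As an added example (not from the Blue Light repository), here is a small POSIX sh checker for the duplicate-parameter problem described above: it scans an sshd_config for keywords that appear more than once and reports the first value, which is the one the experiment above found to take effect for PermitRootLogin. The sample config it builds is constructed here from the settings listed on this page plus two deliberate repeats; the script assumes plain "Keyword value" lines and ignores everything from the first Match block onward.

```sh
#!/bin/sh
# Added example, not from the Blue Light repository.
# Report sshd_config keywords that are set more than once.  Keywords are
# case-insensitive; for most of them sshd keeps the first value it reads,
# so that value is printed as the likely effective one.  Assumes plain
# "Keyword value" lines and ignores everything from the first Match block on.

# dup_directives CONFIG_FILE
# Prints "keyword first-value (N occurrences)" for every duplicated keyword;
# exit status 0 when there are none, 1 when there is at least one.
dup_directives() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match"      { in_match = 1 }
        in_match                    { next }      # conditional block: skipped
        {
            key = tolower($1)
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # keep value only
            if (!(key in first)) { first[key] = $0; order[++n] = key }
            count[key]++
        }
        END {
            dups = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (count[k] > 1) {
                    printf "%s %s (%d occurrences)\n", k, first[k], count[k]
                    dups = 1
                }
            }
            exit dups
        }' "$1"
}

# Constructed sample: the settings recommended on this page, followed by
# two stray repeats of the kind the checker is meant to catch.
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
PasswordAuthentication no
UsePAM no
UseDNS no
GSSAPIAuthentication no
Compression yes
PermitRootLogin no

# added further down by a later edit
PermitRootLogin yes
usepam yes
EOF
    printf '%s\n' "$f"
}
```

Run dup_directives /etc/ssh/sshd_config before restarting sshd. On the host itself, sshd -T (extended test mode) prints the value sshd will actually use for every keyword and is the authoritative check; this script is only a fast lint for the "set twice" mistake.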
/etc/default/ssh
root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0
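Review bot: the purpose of -u0 is not documented anywhere in this section; a comment beside the changed SSHD_OPTS line, or a sentence above the diff, should say that -u0 makes sshd write only the numeric address into utmp and skip the DNS lookups it would otherwise make for that field, which is what ties this change to the UseDNS no setting above. Quoting the value (SSHD_OPTS="-u0") would also match the usual /etc/default style and keep the line valid if further options with spaces are added later.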
Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.
Enable the new configuration with service ssh restart.
authorized_keys
command=
Security can be tightened by specifying the command that an authorised key is allowed to run: insert command=<command> before the key itself. Details are in the sshd man page, under command="command".
Sometimes this is not convenient because several commands are to be run. A solution is to specify a script in authorized_keys and for the script to validate the commands. For example:
#!/bin/bash
# Purpose: validates the command a remote host is attempting to execute by ssh.
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND when this
# script runs as a forced command (command="..." in authorized_keys).
# Each regex is anchored to the start of the command, so only these three
# programs, with whatever arguments follow, can be started.
df_regex='^df '
rsync_server_regex='^rsync --server '
stat_regex='^stat --format=%F '
if [[ $SSH_ORIGINAL_COMMAND =~ $df_regex \
   || $SSH_ORIGINAL_COMMAND =~ $rsync_server_regex \
   || $SSH_ORIGINAL_COMMAND =~ $stat_regex ]]; then
    # The request is word-split into arguments and executed directly, not
    # handed to a shell, so operators such as ; or | in it are not interpreted
    # (pathname globbing still applies to the split words).
    exec $SSH_ORIGINAL_COMMAND
else
    echo "${0##*/}: command did not pass validation ($SSH_ORIGINAL_COMMAND)" >&2
    exit 1
fi
TODO: enhance the script to read the regexes from a config file.
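The TODO above, worked through as an added example (not Blue Light's script): a POSIX sh version of the gate that reads its regexes from a file, refuses an empty or multi-line request, and otherwise behaves like the bash script. The patterns file path /etc/ssh/allowed_commands, the install path /usr/local/sbin/validate-ssh-command and the key in the authorized_keys comment are assumptions; the sample pattern file is constructed here from the page's three commands.

```sh
#!/bin/sh
# Added example, not Blue Light's script: the same gate as above, but the
# allowed-command regexes come from a file, one POSIX extended regex per
# line, with '#' comments and blank lines ignored.  Hypothetical default
# path: /etc/ssh/allowed_commands.

nl='
'

# validate_cmd PATTERNS_FILE COMMAND -> exit status 0 (allowed) or 1 (refused)
validate_cmd() {
    patterns_file=$1
    cmd=$2
    # An empty command means the client asked for an interactive shell: refuse.
    [ -n "$cmd" ] || return 1
    # The regexes anchor on the start of a line, so a second line hidden behind
    # an allowed first line would slip past grep; refuse multi-line requests.
    case $cmd in *"$nl"*) return 1 ;; esac
    while IFS= read -r regex || [ -n "$regex" ]; do
        case $regex in ''|'#'*) continue ;; esac
        if printf '%s\n' "$cmd" | grep -qE -- "$regex"; then
            return 0
        fi
    done < "$patterns_file"
    return 1
}

# Constructed sample pattern file with the page's three commands.
# [[:space:]] is used instead of a trailing literal space so that an editor
# stripping trailing whitespace cannot silently widen a pattern.
make_sample_patterns() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# allowed remote commands; each regex is anchored at the start of the command
^df[[:space:]]
^rsync --server[[:space:]]
^stat --format=%F[[:space:]]
EOF
    printf '%s\n' "$f"
}

# Entry point when sshd runs this via authorized_keys, for example
# (hypothetical path and key):
#   command="/usr/local/sbin/validate-ssh-command",no-pty,no-port-forwarding ssh-ed25519 AAAA... backup@host
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
run_gate() {
    patterns=${1:-/etc/ssh/allowed_commands}
    if validate_cmd "$patterns" "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f   # no pathname expansion while the request is word-split
        # executed directly, not via a shell: ; | and friends stay literal
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "${0##*/}: command did not pass validation (${SSH_ORIGINAL_COMMAND:-})" >&2
    exit 1
}
```

Install it as the script named in command= and end the installed copy with run_gate "$@". The functions are kept apart from the entry point so the rule file can be exercised first, e.g. validate_cmd /etc/ssh/allowed_commands 'df -h' followed by a check of $?, before any key is pointed at the script.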