Standard Blue Light sshd configuration

/etc/ssh/sshd_config

Warning: if doing this remotely, when implementing configuration changes, keep the existing ssh session open and test by starting a new one.

If a parameter is set twice, it may be the first value in the file which is effective!  Experiment showed that was true for PermitRootLogin and not for UsePAM.  For simplicity we decided not to have any parameter's set twice.

A pro-forma file is available in the Blue Light git at conf/ssh/sshd_config.

Explanation of some of the recommended changes

• PasswordAuthentication no or without-password disables login via password.
• UsePAM no avoids messages like "PAM service(sshd) ignoring max retries; 6 > 3".  
  The message is caused by PAM's compiled-in retry limit being less than sshd's.
• UseDNS no disables reverse DNS lookups to see if your hostname matches the IP address you are connecting from.  Does not make sense with dynamic IP addresses.
• GSSAPIAuthentication no turns off several authentication methods which are not needed when using private/public keys or passwords.  Reference: http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface
• Compression yes enhances throughput, as long as the CPU is not slow or overloaded.

/etc/default/ssh

root@localhost:~# diff /etc/default/ssh{.org,}
5c5
< SSHD_OPTS=
---
> SSHD_OPTS=-u0

Warning: if doing this remotely, keep the existing ssh session open and test by starting a new one.

Enable the new configuration by service ssh restart

authorized_keys

command=

Security can be tightened by specifying the command that an authorised key can run by inserting command=<command> before the key itself.  Details in the sshd man page, in the command="command" section.

Sometimes this is not convenient because several commands are to be run.  A solution is to specify a script in authorized_keys and for the script to validate the commands.  For example:

#!/bin/bash
# Purpose: validates the command a remote host is attempting to execute by ss

df_regex='^df '
rsync_server_regex='^rsync --server '
stat_regex='^stat --format=%F '

if [[ $SSH_ORIGINAL_COMMAND =~ $df_regex \
    || $SSH_ORIGINAL_COMMAND =~ $rsync_server_regex \
    || $SSH_ORIGINAL_COMMAND =~ $stat_regex \
]]; then
    exec $SSH_ORIGINAL_COMMAND
else
    echo "${0##*/}: command did not pass validation ($SSH_ORIGINAL_COMMAND)" >&2
    exit 1
fi

TODO: enhance the script to read the regexes from a config file.