Securing SSHD

Where Penguins and Daemons chill together in the warmth of the Sun.

Moderators: SecretSquirrel, notfred

Securing SSHD

Postposted on Thu Feb 07, 2008 12:53 pm

Ah, the joys of running your Web server: the limitless creativity, freedom to deploy whatever software the heart desires, the unrestricted space, the crackers...

Now that I've eliminated plain FTP, it's time for me to look at securing SSHD. I have very strong passwords on my server, but I'd like to secure it further. Recently, I've suffered a brute force attack for my root account. Fortunately, the cracker never gained access, but it got me thinking about strengthening my security measures.

Here are some goals:
  • Restrict root access to the LAN
  • Block access after a certain number of failed attempts
  • chroot users to their home directory
  • Use of keys in addition to passwords

Code: Select all
#   $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
ListenAddress 192.168.1.51
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem   sftp   /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 1:12 pm

have you checked out fail2ban? it's swell.
Sic Semper Tyranis
InnerKOss
Gerbil
 
Posts: 64
Joined: Sat Dec 16, 2006 12:57 pm
Location: Mobile, AL

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 1:16 pm

titan wrote:Restrict root access to the LAN
Just add:
Code: Select all
AllowUsers root@10.1.1.*

to your sshd config file (substituting the proper LAN subnet).

titan wrote:Block access after a certain number of failed attempts
Denyhosts does this. I also gave some other suggestions in the thread you posted about this in the networking forum.

titan wrote:chroot users to their home directory
Users won't be able to run any programs if they're chrooted to their home directory (unless you copy statically linked binaries, and/or binaries+libraries and parts of /etc to their home directory...). What are you really trying to accomplish here?

titan wrote:Use of keys in addition to passwords
Just enable PubkeyAuthentication and RSAAuthentication.
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 1:37 pm

InnerKOss wrote:have you checked out fail2ban? it's swell.

I don't have a firewall installed on the server. Also, I just want to do temporary bans.

bitvector wrote:
titan wrote:Restrict root access to the LAN
Just add:
Code: Select all
AllowUsers root@10.1.1.*

to your sshd config file (substituting the proper LAN subnet).

Wouldn't that prevent users other than root from logging in? I don't have very many users, so this really isn't a problem. Let's say I make a group called "ssh", would "AllowGroup ssh" allowing that group allow any user in the ssh group login, or would the users need to be explicitly stated in the AllowUsers directive as well?

bitvector wrote:
titan wrote:Block access after a certain number of failed attempts
Denyhosts does this. I also gave some other suggestions in the thread you posted about this in the networking forum.
Yes, I saw that one. I may implement it, but I remember seeing somewhere that after a certain number of failed attempts the IP is suspended for an hour before allowing connections again. It was using PAM in some way. I just can't find it now. I guess the other thing would be to operate in this way: failed attempt, wait thirty seconds before allowing attempt, repeat for three more failed attempts, and increase wait to one hour. Is there a way to do that? If that's not going to work, I'll use DenyHosts.

bitvector wrote:
titan wrote:chroot users to their home directory
Users won't be able to run any programs if they're chrooted to their home directory (unless you copy statically linked binaries, and/or binaries+libraries and parts of /etc to their home directory...). What are you really trying to accomplish here?
root, aka me, is the only one that needs to run programs. The other users just need file write in their respective directories. I'm looking at this as more of an SFTP rather than terminal access.

bitvector wrote:
titan wrote:Use of keys in addition to passwords
Just enable PubkeyAuthentication and RSAAuthentication.

I need a little hand holding on this one. Could you point me to a HOWTO, or tell me yourself? I would need to be able to tell my users how to implement this as well.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 1:42 pm

What I do on my server is deny root login on sshd, login as the normal user and then su or sudo if I need to do anything that requires root access.
notfred
Grand Gerbil Poohbah
 
Posts: 3736
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 1:44 pm

notfred wrote:What I do on my server is deny root login on sshd, login as the normal user and then su or sudo if I need to do anything that requires root access.

The only thing I do on my server is to do things that only root can do. I use Samba for everything else.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 2:03 pm

titan wrote:Wouldn't that prevent users other than root from logging in? I don't have very many users, so this really isn't a problem. Let's say I make a group called "ssh", would "AllowGroup ssh" allowing that group allow any user in the ssh group login, or would the users need to be explicitly stated in the AllowUsers directive as well?
Yeah, you'll need to allow other users somehow. Man sshd_config to see how they interact: it checks the {Allow,Deny}{Users,Groups} directives in a specific order.

titan wrote:I'm looking at this as more of an SFTP rather than terminal access.
Then you should probably look at rssh and set their shell to that.

titan wrote:I need a little hand holding on this one. Could you point me to a HOWTO, or tell me yourself? I would need to be able to tell my users how to implement this as well.
Well, once you've enabled key-based authentication, a specific user can create a key with ssh-keygen. E.g.:
$ ssh-keygen -t rsa -C (comment)

That generates a public and private key pair. Add the public part (.pub) to the ~/.ssh/authorized_keys file on the host you want to log in to*, and make sure the private key is on the host you are logging in from. By default ssh will only look for ~/.ssh/id_dsa and ~/.ssh/id_rsa when sshing in to a host (the default key file); if you use a different filename, you'll need to put an entry in your ~/.ssh/config with IdentityFile pointing at the private key or do something like ssh host -o IdentityFile=~/.ssh/blah. Google and look into ssh-agent for info on how to avoid having to re-type your password (it also eliminates the need for the IdentityFile part if you explicitly ssh-add your key before running ssh).

When you put the public key in the authorized_keys file, you can prepend special restrictions to a key entry that restrict its use. e.g. command="/bin/true",no-X11-forwarding,no-port-forwarding, no-agent-forwarding,no-pty,from=10.0.0.*, etc.

* A slick way to do that is:
$ cat .ssh/id_rsa.pub | ssh user@server "cat - >> .ssh/authorized_keys"
Last edited by bitvector on Thu Feb 07, 2008 2:04 pm, edited 1 time in total.
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 2:04 pm

I don't know if there is a way to restrict root access to the LAN. I know that you can restrict root (or any other user) such that they can only access from specific hosts. Another option (and the one I would personally go for) would be to simply deny root SSH access altogether; in order to gain root access, a user must connect via another account, then use su (or sudo) to perform tasks requiring root permissions.

I don't think the standard SSHD has a way of blocking access after a given number of attempts. The closest thing I can find is that it does allow you to limit the number of tries per connection.

Chrooting SSH sessions was a PITA the last time I checked. Maybe it has gotten better.

Using keys is a good idea if you completely disable password authentication, and encrypt the keys with a passphrase. That way, someone has to get a copy of the key file, and know the passphrase to decrypt it, before they can log in.

If you've got the man pages installed, typing man sshd_config in a terminal window should get you a detailed description of the options in the configuration file.

Edit: Heh... that's what I get for starting a post then going to lunch before finishing it. Looks like bitvector already said all of this (and more).
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 3:08 pm

bitvector wrote:
titan wrote:Wouldn't that prevent users other than root from logging in? I don't have very many users, so this really isn't a problem. Let's say I make a group called "ssh", would "AllowGroup ssh" allowing that group allow any user in the ssh group login, or would the users need to be explicitly stated in the AllowUsers directive as well?
Yeah, you'll need to allow other users somehow. Man sshd_config to see how they interact: it checks the {Allow,Deny}{Users,Groups} directives in a specific order.


Well darn. It looks like if I use the AllowUsers directive I have no choice but to explicitly state which users may connect. Something that would be cool though is to set "PermitRootLogin without-password" and just use a key for me.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 3:43 pm

titan wrote:Well darn. It looks like if I use the AllowUsers directive I have no choice but to explicitly state which users may connect. Something that would be cool though is to set "PermitRootLogin without-password" and just use a key for me.
Yeah, the irritating thing is that you can negate host patterns in the "from=(list)" clause in authorized_keys, but from what I understand (and have tried), not in AllowUsers or DenyUsers. It'd be nice to say DenyUsers root@!10.0.0.* or whatever. Unfortunately, the PATTERNS section of ssh_config seems to indicate that the negation operator only works with list of hosts and not an individual host pattern ("Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’)"). Since Deny/Allow stuff only take a single host per entry and not a list, I guess you can't do what you want with the DenyUsers clause (well, not without expanding the negation of 10.0.0.* into a bazillion positive clauses).
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 4:21 pm

bitvector wrote:Well, once you've enabled key-based authentication, a specific user can create a key with ssh-keygen. E.g.:
$ ssh-keygen -t rsa -C (comment)

That generates a public and private key pair. Add the public part (.pub) to the ~/.ssh/authorized_keys file on the host you want to log in to*, and make sure the private key is on the host you are logging in from. By default ssh will only look for ~/.ssh/id_dsa and ~/.ssh/id_rsa when sshing in to a host (the default key file); if you use a different filename, you'll need to put an entry in your ~/.ssh/config with IdentityFile pointing at the private key or do something like ssh host -o IdentityFile=~/.ssh/blah. Google and look into ssh-agent for info on how to avoid having to re-type your password (it also eliminates the need for the IdentityFile part if you explicitly ssh-add your key before running ssh).

When you put the public key in the authorized_keys file, you can prepend special restrictions to a key entry that restrict its use. e.g. command="/bin/true",no-X11-forwarding,no-port-forwarding, no-agent-forwarding,no-pty,from=10.0.0.*, etc.

* A slick way to do that is:
$ cat .ssh/id_rsa.pub | ssh user@server "cat - >> .ssh/authorized_keys"

Could I have just one private/public pair? My idea here is to make it easy for my users. Such as, "Take this file and put it in folder x." So, I'd have the private key, and they'd have the public key.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 4:30 pm

titan wrote:Could I have just one private/public pair? My idea here is to make it easy for my users. Such as, "Take this file and put it in folder x." So, I'd have the private key, and they'd have the public key.

Actually, it's the other way around -- the server gets the public key, the people logging in to it get the private key.

But to answer your question, sure, you can give multiple users the same key. But if you do that, your users will be able to log in to each others' accounts. Not sure that's what you want...

And if you're concerned about the private key files getting stolen, you should protect them with a passphrase.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 4:57 pm

Depending on how many users you have, you can randomly cycle the port number.
Usacomp2k3
Gerbil God
 
Posts: 21294
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL

Re: Securing SSHD

Postposted on Thu Feb 07, 2008 9:28 pm

Usacomp2k3 wrote:Depending on how many users you have, you can randomly cycle the port number.


I wasn't going to go so far as suggesting port cycling, but certainly move sshd off of port 22. People make fun of security by obscurity, but in this case it does add a little something. Most attacks are going to be script kids with canned tools. Removing the easy target takes you out of the running for someone looking for an easy scripted hack. With sshd not on port 22, someone trying to get in has to find it first.

No it doesn't actually secure sshd, it just makes it a bit harder to exploit any problems. I actually learned this lesson the hard way. I moved the port after getting hacked through an sshd exploit. I haven't had a single attempt since then.

--SS
SecretSquirrel
Gerbil Jedi
Gold subscriber
 
 
Posts: 1715
Joined: Tue Jan 01, 2002 7:00 pm
Location: The Colony, TX (Dallas suburb)

Re: Securing SSHD

Postposted on Fri Feb 08, 2008 9:35 am

How hard would it be to figure out that a random open port has sshd listening to it? I don't know anything about the protocol, but if it requires the client to speak first, it may be somewhat difficult to even find out that sshd is listening to that port.

If you open a connection to that port and you get something to the extent of "welcome to ssh version x.y, please enter your passwork/key/etc" then it makes moving the port a little less helpful.
Desktop: FX-8350 | 32 GB | XFX Radeon 6950 | Windows 7 x64
Laptop: i7 740QM | 12 GB | Mobility Radeon 5850 | Windows 8.1.1.1.1 x64
SuperSpy
Gerbil Jedi
Gold subscriber
 
 
Posts: 1583
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: Securing SSHD

Postposted on Fri Feb 08, 2008 12:49 pm

SuperSpy wrote:How hard would it be to figure out that a random open port has sshd listening to it? I don't know anything about the protocol, but if it requires the client to speak first, it may be somewhat difficult to even find out that sshd is listening to that port.

If you open a connection to that port and you get something to the extent of "welcome to ssh version x.y, please enter your passwork/key/etc" then it makes moving the port a little less helpful.

It isn't difficult, I guess, but it's the scripts that are defeated. A script kiddie would write a script that tries using brute force to gain access via SSH on port 22. That's the default port. The script isn't likely to be smart enough to try different ports. Instead, the script might just fire back that there is no SSH server available.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Fri Feb 08, 2008 1:35 pm

Okay, this was still a little tricky for me, but I finally got root working with a key.

Here are the steps I used:

The sshd_config
Code: Select all
Port 22
AddressFamily any
ListenAddress 192.168.1.51
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

AllowUsers root@192.168.1.2
PermitRootLogin without-password
StrictModes yes
LoginGraceTime 30s
MaxAuthTries 4
PasswordAuthentication no
PermitEmptyPasswords no
PermitTunnel no
SyslogFacility DAEMON
LogLevel VERBOSE
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys
UsePAM yes
Subsystem   sftp   /usr/lib/misc/sftp-server



On the server
Code: Select all
~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
"Random fingerprint info" root@host
~#cat .ssh/id_rsa.pub >> .ssh/authorized_keys


I used PuTTY as my client. I downloaded PuTTY, Pageant, and PuTTYgen. I copied id_rsa to a directory on my client.
  1. Copied "id_rsa" to the client
  2. Opened PuTTYgen
  3. Clicked "Load"
  4. Selected and opened "id_rsa"
  5. PuTTYgen automatically imports and converts "id_rsa"
  6. Clicked "Save Private Key
  7. Opened Pageant
  8. Right click on the computer with a hat icon in the system tray and selected "View Keys"
  9. Clicked "Add Key"
  10. Select and open "id_rsa.ppk"
  11. Right click on the Pageant icon again
  12. Click "New Session"
  13. PuTTY opens up
  14. Checked to make sure that the right key is being used by going to SSH>AUTH
  15. Click "Open"
  16. Entered "root" as my login and connected without a password
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Fri Feb 08, 2008 2:10 pm

On a side note, I just noticed that PuTTY works just like xterm in Linux. Running emerge changes the title of the window to the package that is currently being installed. Makes me happy.

Okay, but back on topic. I was thinking, what else can be done to secure SSHD further?
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Fri Feb 08, 2008 5:33 pm

You can run sshd as a non root user to help protect against exploits to sshd itself. If you do this, you can run ssh on any port, but you will only be able to login as the user sshd is running as, and it is possible that password based logins won't work. That said, if someone is able to exploit a hole in sshd, they will not gain root access to your system.

--SS
SecretSquirrel
Gerbil Jedi
Gold subscriber
 
 
Posts: 1715
Joined: Tue Jan 01, 2002 7:00 pm
Location: The Colony, TX (Dallas suburb)

Re: Securing SSHD

Postposted on Sun Feb 24, 2008 5:00 pm

titan wrote:chroot users to their home directory

I saw this post from the OpenSSH devs a few days ago and remembered this thread. The new option they've just added (ChrootDirectory) will probably be in the next stable release of OpenSSH. This represents a built-in alternative to stuff like rssh and scponly.
bitvector
Grand Gerbil Poohbah
 
Posts: 3234
Joined: Wed Jun 22, 2005 4:39 pm
Location: Mountain View, CA

Re: Securing SSHD

Postposted on Sun Feb 24, 2008 6:09 pm

bitvector wrote:I saw this post from the OpenSSH devs a few days ago and remembered this thread. The new option they've just added (ChrootDirectory) will probably be in the next stable release of OpenSSH. This represents a built-in alternative to stuff like rssh and scponly.

Cool! The lack of a built-in feature like this is one of my pet peeves about OpenSSH.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing SSHD

Postposted on Sun Feb 24, 2008 10:23 pm

just brew it! wrote:
bitvector wrote:I saw this post from the OpenSSH devs a few days ago and remembered this thread. The new option they've just added (ChrootDirectory) will probably be in the next stable release of OpenSSH. This represents a built-in alternative to stuff like rssh and scponly.

Cool! The lack of a built-in feature like this is one of my pet peeves about OpenSSH.

Sweet!

One other option I'd like to see is to require keys. A user of mine that hasn't had his key set up yet logged in just fine without one. I'm guessing though that once there's a key file the user will need it. My idea here is that a user would need to have a key file before that user would be allowed to connect.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Sun Feb 24, 2008 10:47 pm

titan wrote:One other option I'd like to see is to require keys. A user of mine that hasn't had his key set up yet logged in just fine without one. I'm guessing though that once there's a key file the user will need it. My idea here is that a user would need to have a key file before that user would be allowed to connect.

That's configurable in the sshd_config file (disable the PasswordAuthentication option).

Unless you disable password authentication, users are still allowed to log in with their password only, even if there is a key file associated with their account.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing SSHD

Postposted on Mon Feb 25, 2008 8:12 am

just brew it! wrote:
titan wrote:One other option I'd like to see is to require keys. A user of mine that hasn't had his key set up yet logged in just fine without one. I'm guessing though that once there's a key file the user will need it. My idea here is that a user would need to have a key file before that user would be allowed to connect.

That's configurable in the sshd_config file (disable the PasswordAuthentication option).

Unless you disable password authentication, users are still allowed to log in with their password only, even if there is a key file associated with their account.

I do have it set to no.
Maybe I need to restart the daemon again to get it to use it. I don't remember now.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Mon Feb 25, 2008 8:27 am

titan wrote:I do have it set to no.
Maybe I need to restart the daemon again to get it to use it. I don't remember now.

Yes, you need to restart it to get changes to the settings to take effect.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Securing SSHD

Postposted on Mon Feb 25, 2008 8:32 am

just brew it! wrote:
titan wrote:I do have it set to no.
Maybe I need to restart the daemon again to get it to use it. I don't remember now.

Yes, you need to restart it to get changes to the settings to take effect.

Yep, that was it. I forgot to restart the daemon. Now I get a disconnect warning stating there's no available authentication method.
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Mon Feb 25, 2008 10:09 am

So, after spending a very frustrating hour trying to get FileZilla to connect using the SSH key, I switched over to WinSCP and it just worked on the first go round. Crazy.

The error I was getting from FileZilla was "Error: Disconnect: No authentication method available" or something like that. I did follow this HOWTO to the letter, but it wasn't going to budge.

WinSCP FTW!
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains

Re: Securing SSHD

Postposted on Thu May 29, 2008 4:19 pm

I have recently updated my configuration. I would like you guys to take a look at it and tell me if it's good or not.

Code: Select all
#   $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
AddressFamily any
ListenAddress 192.168.1.51
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility DAEMON
LogLevel VERBOSE

# Authentication:
AllowUsers security through obscurity
LoginGraceTime 30s
PermitRootLogin without-password
StrictModes yes
MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
PrintLastLog no
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression no
ClientAliveInterval 300
ClientAliveCountMax 3
UseDNS yes
PidFile /var/run/sshd.pid
MaxStartups 3:50:10
PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem   sftp   /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
The best things in life are free.
http://www.gentoo.org
Guy 1: Surely, you will fold with me.
Guy 2: Alright, but don't call me Shirley.
titan
Grand Gerbil Poohbah
 
Posts: 3276
Joined: Mon Feb 18, 2002 7:00 pm
Location: Great Smoky Mountains


Return to Linux, Unix, and Assorted Madness

Who is online

Users browsing this forum: No registered users and 3 guests