Revision as of 01:02, 14 August 2008
SSH config tweaks
Most default SSH installations need a little tweaking for speed or extra security. There are two config files to worry about. One is for the sshd server on the host you are trying to connect to and the other is for the SSH client on your localhost.
Server side: /etc/ssh/sshd_config
These are changes I always make to /etc/ssh/sshd_config. See also fail2ban for protecting against scripts doing dictionary attacks.
# this speeds up logins.
UseDNS no

# Don't make this 1. Public keys count as 1st try. If this is 1 and
# the public key fails then sshd will not allow a password as a second attempt.
MaxAuthTries 2

# Scripts often check these accounts for weak passwords:
DenyUsers root test admin guest nobody www

# For extra security, limit access to only these users:
# Uncomment the line below and replace user1, user2, and user3 with the list of usernames you want to allow.
#AllowUsers user1 user2 user3
Use the following to support SSH1. I no longer use this.
# this is required if you want to support SSH1
Protocol 2,1

# this is required if you want to support SSH1
PasswordAuthentication yes
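The checks described in the two server-side blocks above (UseDNS, MaxAuthTries, DenyUsers, AllowUsers, and whether SSH1 is still enabled) can be run against an existing sshd_config before you touch the live file. The following is an added example, not code from the original page: it parses sshd_config the way sshd does (first value per keyword wins, later duplicates are ignored) and reports which of the recommendations are not met. Both config texts embedded in it are constructed for this example.

```python
"""Audit an sshd_config against the tweaks recommended above.

Added example, not part of the original page.  sshd uses the first value it
reads for each keyword and ignores later duplicates; this checker mirrors
that rule.  Both config texts below are constructed for this example.
"""
import re

# Constructed sample: a default-looking sshd_config with several problems.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
UseDNS yes
MaxAuthTries 1
PasswordAuthentication yes
DenyUsers root test
# sshd already saw UseDNS above, so this later line is ignored
UseDNS no
"""

# Constructed sample that follows the recommendations (AllowUsers enabled).
HARDENED_SSHD_CONFIG = """\
UseDNS no
MaxAuthTries 2
DenyUsers root test admin guest nobody www
AllowUsers alice bob
"""

# Accounts the page recommends denying because scanners try them.
RISKY_ACCOUNTS = {"root", "test", "admin", "guest", "nobody", "www"}

# keyword, then whitespace and/or '=', then the value
_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the first value per keyword.

    Full-line comments and blank lines are skipped.  Match blocks are out of
    scope for this example; directives inside them are read as global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit_sshd_config(text):
    """Check sshd_config text against the tweaks above; return a list of findings."""
    cfg = parse_sshd_config(text)
    findings = []

    if cfg.get("usedns", "").lower() != "no":
        findings.append("UseDNS should be 'no': reverse lookups slow down logins")

    tries = cfg.get("maxauthtries")
    if tries is None:
        findings.append("MaxAuthTries not set (sshd default is 6)")
    elif tries == "1":
        findings.append("MaxAuthTries 1: a failed public key uses the only "
                        "attempt, so password fallback never happens")
    elif not tries.isdigit() or int(tries) > 2:
        findings.append(f"MaxAuthTries {tries}: more than 2 attempts per connection")

    denied = set(cfg.get("denyusers", "").split())
    missing = sorted(RISKY_ACCOUNTS - denied)
    if missing:
        findings.append("DenyUsers does not cover: " + " ".join(missing))

    if "allowusers" not in cfg:
        findings.append("AllowUsers not set: every account may log in over SSH")

    # Protocol "2,1" (or "1") still offers the obsolete SSH1 protocol.
    if "1" in cfg.get("protocol", "").split(","):
        findings.append("Protocol allows SSH1, which is obsolete and insecure")

    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

To audit a real host, read `/etc/ssh/sshd_config` into a string and pass it to `audit_sshd_config`; an empty list means every check passed. The duplicate `UseDNS` line in the constructed sample shows why the first-value rule matters: appending `UseDNS no` to the end of a file that already sets it does nothing.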
Client side: /etc/ssh/ssh_config or ~/.ssh/config
Edit the client SSH config if you are getting slow logins. This is usually caused by GSSAPI Authentication. I also like to turn on KeepAlive.
Host *
    # This fixes slow logins. Don't use this if you use Kerberos or GSSAPI.
    GSSAPIAuthentication no

    # This helps prevent timeout disconnects.
    TCPKeepAlive yes
    ServerAliveInterval 60
Remote Server Security Enhancement with SSH Keys
You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to authorized_keys you may pass options in front of it to fine tune the connection. This can be used to restrict what the client is allowed to do. On the remote server, add the following to ~username/.ssh/authorized_keys:
from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== username@client.example.com
- from="192.168.1.69": accept connection only from the given IP address
- command="/bin/false": force this command to be run -- ignore what is requested by the client
- no-pty: never allocate a PTY for interactivity
- no-X11-forwarding: no X11 forwarding
- no-agent-forwarding: we don't want or need ssh-agent
- no-port-forwarding: prevent ssh -R ...
- permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
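When reviewing authorized_keys files it helps to have a parser for the options field, because the format is easy to get subtly wrong: options are comma-separated with no spaces, a value may be double-quoted, commas inside quotes are literal (a `from` pattern list, for example), and a backslash escapes a quote. The following is an added example, not code from the original page: it parses a line into its options, key type, key blob and comment, checks that the type embedded in the blob matches the type field, and prints the meaning the list above gives each option. The options in the sample line are the ones shown above; the key blob is constructed here with dummy values.

```python
"""Parse the options field of an authorized_keys line and report the
restrictions it imposes.

Added example, not part of the original page.  Option syntax follows
sshd(8): comma-separated, values may be double-quoted, commas inside
quotes are literal and a backslash escapes a quote.  The key blob in the
sample line is constructed here; the options are the ones shown above.
"""
import base64

# Option names from the page, with the meaning the page gives them.
RESTRICTION_MEANING = {
    "from": "accept connection only from the given address pattern",
    "command": "force this command to run, ignoring what the client requests",
    "no-pty": "never allocate a PTY",
    "no-X11-forwarding": "no X11 forwarding",
    "no-agent-forwarding": "no ssh-agent forwarding",
    "no-port-forwarding": "no TCP port forwarding",
    "permitopen": "allow ssh -L only to the given host:port",
}

# Key types start with one of these; a line whose first token does not is
# taken to begin with an options field (heuristic used by this example).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return len(b).to_bytes(4, "big") + b


# Constructed ssh-rsa blob: type string, exponent, modulus (dummy values).
SAMPLE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + b"\xab" * 32)
).decode("ascii")

SAMPLE_LINE = (
    'from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,'
    'no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" '
    "ssh-rsa " + SAMPLE_BLOB + " username@client.example.com"
)


def _scan_options(line):
    """Return (options, index) where options maps name -> list of values
    (True for flag options) and index points just past the options field."""
    options, i, n = {}, 0, len(line)
    while i < n and not line[i].isspace():
        start = i
        while i < n and line[i] not in "=," and not line[i].isspace():
            i += 1
        name, value = line[start:i], True
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':          # quoted value
                i += 1
                buf = []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                        buf.append('"')          # escaped quote
                        i += 2
                    else:
                        buf.append(line[i])
                        i += 1
                if i >= n:
                    raise ValueError("unterminated quoted option value")
                i += 1                           # closing quote
                value = "".join(buf)
            else:                                # bare value up to ',' or space
                start = i
                while i < n and line[i] != "," and not line[i].isspace():
                    i += 1
                value = line[start:i]
        options.setdefault(name, []).append(value)
        if i < n and line[i] == ",":
            i += 1
    return options, i


def parse_authorized_keys_line(line):
    """Return dict with options, key_type, key_b64, comment; None for comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, i = {}, 0
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, i = _scan_options(line)
    fields = line[i:].split(None, 2)
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    return {"options": options, "key_type": fields[0], "key_b64": fields[1],
            "comment": fields[2] if len(fields) == 3 else ""}


def blob_key_type(key_b64):
    """Read the key type embedded in the blob; it must match the type field."""
    raw = base64.b64decode(key_b64, validate=True)
    length = int.from_bytes(raw[:4], "big")
    return raw[4:4 + length].decode("ascii")


def describe_restrictions(options):
    """One line per option with the meaning from the list above."""
    out = []
    for name, values in options.items():
        meaning = RESTRICTION_MEANING.get(name, "not a restriction covered here")
        for v in values:
            out.append(f"{name if v is True else f'{name}={v!r}'}: {meaning}")
    return out


if __name__ == "__main__":
    entry = parse_authorized_keys_line(SAMPLE_LINE)
    assert blob_key_type(entry["key_b64"]) == entry["key_type"]
    print("\n".join(describe_restrictions(entry["options"])))
```

Run it over each non-comment line of a real authorized_keys file to see at a glance which keys carry a forced command and which forwarding restrictions. After applying a line like the one above, test the intended `ssh -L` tunnel from the client, since sshd(8) documents `no-port-forwarding` as forbidding TCP forwarding for that key; if the tunnel is refused, the options need to be adjusted for the version of sshd in use.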