Difference between revisions of "SSH config"

From Noah.org
 
(21 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
== SSH config tweaks ==
 
== SSH config tweaks ==
  
Most default SSH installations need a little tweaking for speed or extra security. There are two config files to worry about. One is for the sshd server on the host you are trying to connect to and the other is for the SSH client on your localhost.
+
Most default SSH installations need a little tweaking for speed or extra security. There are two config files of interest. One is for the SSH server on the host accepting connections and the other is for the SSH client on your localhost.
  
=== /etc/ssh/sshd_config ===
+
=== Server side: /etc/ssh/sshd_config ===
  
 
These are changes I always make to /etc/ssh/sshd_config. See also [http://www.fail2ban.org/ fail2ban] for protecting against scripts doing dictionary attacks.
 
These are changes I always make to /etc/ssh/sshd_config. See also [http://www.fail2ban.org/ fail2ban] for protecting against scripts doing dictionary attacks.
  
 
<pre>
 
<pre>
# this speeds up logins.
+
# This speeds up logins.
 
UseDNS no
 
UseDNS no
# Don't make this 1. Public keys count as 1st try. If this is 1 and
+
# TCPKeepAlive is dumb. It may seem counterintuitive to shut it off,
# the public key fails then sshd will not allow a password as a second attempt.
+
# but it will actually force sessions to terminate after a timeoutf.
 +
# The ClientAlive settings are probably closer to
 +
# what most people expect when they think of "keep alive".
 +
TCPKeepAlive no
 +
# Client Alive messages are sent over the encrypted link, so they
 +
# cannot be blocked or spoofed by a firewall. These settings tell
 +
# the server to check the client every 30 seconds. If the client
 +
# does not respond 40 times in a row then the session is closed.
 +
# This allows for up to 20 minutes of network interruption.
 +
ClientAliveCountMax 40
 +
ClientAliveInterval 30
 +
 
 +
# Do not set MaxAuthTries to '''1''' because SSH first tries
 +
# public key authentication which counts against the number
 +
# of failed tries, so if the key fails then sshd will disconnect
 +
# and never attempt to ask for a password.
 
MaxAuthTries 2
 
MaxAuthTries 2
# Scripts often check these accounts for weak passwords:
+
# Bot scripts often check these accounts for weak passwords:
DenyUsers root test admin guest nobody www
+
DenyUsers root test admin guest nobody www www-data
# For extra security, limit access to only these users:
+
# For extra security, allow access only to specific users.
# Uncomment the line below and replace user1, user2, and user3 the list of usernames you want to allow.
+
# Replace "user1 user2 user3" with a list of users to allow.
 
#AllowUsers user1 user2 user3
 
#AllowUsers user1 user2 user3
 +
 +
# Needed for VPN.
 +
PermitTunnel yes
 +
 +
# Allow client to pass locale environment variables.
 +
AcceptEnv LANG LC_*
 
</pre>
 
</pre>
  
Use the following to support SSH1. <em>I no longer use this.</em>
+
Use the following to support SSH1 only if you need it.
 +
'''SSH1 is ancient history and should be avoided.'''
 +
Unless you know you need this then you don't need this.
 +
 
 
<pre>
 
<pre>
 
# this is required if you want to support SSH1
 
# this is required if you want to support SSH1
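Review bot: "timeoutf" in the added comment "# but it will actually force sessions to terminate after a timeoutf." is a typo for "timeout". The added "# Needed for VPN." / "PermitTunnel yes" pair also deserves a fuller comment: it enables tun(4) device forwarding for every account that can log in, while only "ssh -w" layer-2/3 tunnels need it, so the default "no" is the safer value on a host that does not run such a VPN.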
Line 31: Line 55:
 
</pre>
 
</pre>
  
=== /etc/ssh/ssh_config or ~/.ssh/config ===
+
=== Client side: /etc/ssh/ssh_config or ~/.ssh/config ===
  
Edit the client SSH config if you are getting slow logins. This is sometimes caused by GSSAPI Authentication. I also like to turn on KeepAlive.
+
Edit the client SSH config if you are getting slow logins. This is usually caused by GSSAPI Authentication.
  
 
<pre>
 
<pre>
 
Host *
 
Host *
# This sometimes fixes slow logins on Ubuntu.
+
# This fixes slow logins. Don't use this if you use Kerberos or GSSAPI.
# Don't use this if you use Kerberos or GSSAPI.
 
 
GSSAPIAuthentication no
 
GSSAPIAuthentication no
# This helps prevent timeout disconnects.
+
# This helps prevent disconnects. Equivalent to the ClientAlive* settings on the serve
TCPKeepAlive yes
 
 
ServerAliveInterval 60
 
ServerAliveInterval 60
 +
ServerAliveCountMax 120
 +
# This is counter-intuitive. TCPKeepAlive should be set to no to help eliminate disconnects.
 +
TCPKeepAlive no
 +
# Allow agent authentication to chain through more than one server.
 +
ForwardAgent yes
 +
# This is equivalent to -X `ssh` option -- limited X11.
 +
ForwardX11 yes
 +
# This is equivalent to -Y `ssh` option -- unlimited X11. This can be compromise security.
 +
# Note that both ForwardX11 and ForwardX11Trusted must be set to yes to silently compromise security.
 +
# If you set only ForwardX11Trusted to yes then you still must use the '-Y' option on the ssh command-line.
 +
#ForwardX11Trusted yes
 +
# This passes some environment variables along to the remote host.
 +
SendEnv LANG LC_*
 
</pre>
 
</pre>
  
 
=== Remote Server Security Enhancement with SSH Keys ===
 
=== Remote Server Security Enhancement with SSH Keys ===
  
You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to authorized_key you may pass parameters to fine tune the connection. This can be used to restrict what the client is allowed to do. On the remote server, add the following to ~username/.ssh/authorized_keys:
+
You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to the '''authorized_keys''' file you may add parameters to limit what clients using that key are allowed to do. The following example allows the client to create only IMAP tunnels. On the remote server add the following to '''~username/.ssh/authorized_keys''':
  
 
<pre>
 
<pre>
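Review bot: the added "ForwardAgent yes" sits under the blanket "Host *" block, so the agent socket is forwarded to every server this client connects to, and a root user on any of those servers can authenticate with your keys for as long as the session lasts; it belongs in a "Host" block that names the hop hosts that actually need chaining. Smaller points in the same hunk: the comment "Equivalent to the ClientAlive* settings on the serve" is cut off ("server"), and "This can be compromise security" should read "This can compromise security".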
Line 53: Line 88:
 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== username@client.example.com
 
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== username@client.example.com
 
</pre>
 
</pre>
 +
 +
This is what each parameter means:
  
 
* from="192.168.1.69": accept connection only from the given IP address
 
* from="192.168.1.69": accept connection only from the given IP address
* command="/bin/false": forces this command to be run no matter what is passed via ssh from the client
+
* command="/bin/false": force this command to be run -- ignore what is requested by the client
 
* no-pty: never allocate a PTY for interactivity
 
* no-pty: never allocate a PTY for interactivity
* no-X11-forwarding: No X11  
+
* no-X11-forwarding: No X11
 
* no-agent-forwarding: we don't want or need ssh-agent
 
* no-agent-forwarding: we don't want or need ssh-agent
* no-port-forwarding: prevent ssh -R ...
+
* no-port-forwarding: prevent '''ssh -R ...''', but not '''sss -L ...'''
 
* permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
 
* permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
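Review bot: the changed bullet "no-port-forwarding: prevent ssh -R ..., but not sss -L ..." has a typo ("sss") and is wrong about ssh -L: sshd's no-port-forwarding refuses all TCP forwarding, ssh -L (direct-tcpip) as well as ssh -R (tcpip-forward), so with it present the permitopen="localhost:143" option in the example line never applies and the key cannot open the IMAP tunnel the new paragraph promises. To allow only that tunnel, drop no-port-forwarding and keep permitopen; on OpenSSH 7.8 or later a permitlisten option can additionally restrict ssh -R.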

Latest revision as of 14:08, 2 March 2015


SSH config tweaks

Most default SSH installations need a little tweaking for speed or extra security. There are two config files of interest. One is for the SSH server on the host accepting connections and the other is for the SSH client on your localhost.

Server side: /etc/ssh/sshd_config

These are changes I always make to /etc/ssh/sshd_config. See also fail2ban for protecting against scripts doing dictionary attacks.

# This speeds up logins.
UseDNS no
# TCPKeepAlive is dumb. It may seem counterintuitive to shut it off,
# but it will actually force sessions to terminate after a timeout.
# The ClientAlive settings are probably closer to
# what most people expect when they think of "keep alive".
TCPKeepAlive no
# Client Alive messages are sent over the encrypted link, so they
# cannot be blocked or spoofed by a firewall. These settings tell
# the server to check the client every 30 seconds. If the client
# does not respond 40 times in a row then the session is closed.
# This allows for up to 20 minutes of network interruption.
ClientAliveCountMax 40
ClientAliveInterval 30

# Do not set MaxAuthTries to 1 because SSH first tries
# public key authentication which counts against the number
# of failed tries, so if the key fails then sshd will disconnect
# and never attempt to ask for a password.
MaxAuthTries 2
# Bot scripts often check these accounts for weak passwords:
DenyUsers root test admin guest nobody www www-data
# For extra security, allow access only to specific users.
# Replace "user1 user2 user3" with a list of users to allow.
#AllowUsers user1 user2 user3

# Needed for VPN.
PermitTunnel yes

# Allow client to pass locale environment variables.
AcceptEnv LANG LC_*

Use the following to support SSH1 only if you need it. SSH1 is ancient history and should be avoided. Unless you know you need this, you don't need it.

# This is required if you want to support SSH1.
Protocol 2,1
# This is required if you want to support SSH1.
PasswordAuthentication yes

Client side: /etc/ssh/ssh_config or ~/.ssh/config

Edit the client SSH config if you are getting slow logins. This is usually caused by GSSAPI authentication.

Host *
# This fixes slow logins. Don't use this if you use Kerberos or GSSAPI.
GSSAPIAuthentication no
# This helps prevent disconnects. Equivalent to the ClientAlive* settings on the server.
ServerAliveInterval 60
ServerAliveCountMax 120
# This is counter-intuitive. TCPKeepAlive should be set to no to help eliminate disconnects.
TCPKeepAlive no
# Allow agent authentication to chain through more than one server.
ForwardAgent yes
# This is equivalent to the `ssh -X` option -- limited (untrusted) X11 forwarding.
ForwardX11 yes
# This is equivalent to the `ssh -Y` option -- unlimited (trusted) X11 forwarding. This can compromise security.
# Note that only when both ForwardX11 and ForwardX11Trusted are set to yes is security compromised silently.
# If you set only ForwardX11Trusted to yes then you still must use the '-Y' option on the ssh command-line.
#ForwardX11Trusted yes
# This passes some environment variables along to the remote host.
SendEnv LANG LC_*
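As an added check that is not part of the original page, the following Python audits a client config of the shape above: it flags ForwardAgent (and trusted X11) when they sit under a wildcard Host block, where they apply to every server, and works out how long a dead connection lingers under the ServerAlive* values (60 × 120 = 7200 seconds here). The function names and the sample config are this example's own.

```python
from __future__ import annotations
import shlex

def parse_ssh_config(text: str) -> list[tuple[list[str], dict[str, str]]]:
    """Return [(host_patterns, {keyword: value})]; keywords are lowercased."""
    # Directives before the first Host line apply everywhere: implicit "*" block.
    blocks: list[tuple[list[str], dict[str, str]]] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line.replace("=", " ", 1))  # "Key value" or "Key=value"
        keyword, args = parts[0].lower(), parts[1:]
        if keyword in ("host", "match"):
            blocks.append((args, {}))
        else:
            blocks[-1][1][keyword] = " ".join(args)
    return blocks


def audit_client_config(text: str) -> tuple[list[str], int | None]:
    """Findings for blanket forwarding, plus seconds until a dead peer is dropped."""
    findings, dead_peer_timeout = [], None
    for patterns, kv in parse_ssh_config(text):
        label = " ".join(patterns)
        wildcard = any("*" in p or "?" in p for p in patterns)
        on = {k for k, v in kv.items() if v.lower() == "yes"}
        if wildcard and "forwardagent" in on:
            findings.append(f"Host {label}: ForwardAgent yes exposes the agent to every "
                            "matched server; restrict it to the hop hosts that need it")
        if wildcard and {"forwardx11", "forwardx11trusted"} <= on:
            findings.append(f"Host {label}: trusted X11 forwarding is on for every "
                            "matched server (same as ssh -Y everywhere)")
        if "serveraliveinterval" in kv:
            interval = int(kv["serveraliveinterval"])
            count = int(kv.get("serveralivecountmax", "3"))  # OpenSSH default is 3
            dead_peer_timeout = interval * count  # unanswered probes before disconnect
    return findings, dead_peer_timeout


# Constructed input: the page's Host * block (ForwardX11Trusted left commented out).
PAGE_CONFIG = """
Host *
ServerAliveInterval 60
ServerAliveCountMax 120
ForwardAgent yes
ForwardX11 yes
#ForwardX11Trusted yes
"""
```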

Remote Server Security Enhancement with SSH Keys

You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to the authorized_keys file you may add parameters to limit what clients using that key are allowed to do. The following example allows the client to create only IMAP tunnels. On the remote server add the following to ~username/.ssh/authorized_keys:

from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,permitopen="localhost:143"
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== username@client.example.com

This is what each parameter means:

  • from="192.168.1.69": accept connection only from the given IP address
  • command="/bin/false": force this command to be run -- ignore what is requested by the client
  • no-pty: never allocate a PTY for interactivity
  • no-X11-forwarding: no X11 forwarding
  • no-agent-forwarding: we don't want or need ssh-agent
  • no-port-forwarding: prevent ssh -R ..., but not ssh -L ...
  • permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
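Added example, not from the original page: a small linter for the option prefix of an authorized_keys line like the one above. It parses the comma-separated options (including quoted values, which may themselves contain commas) and reports what a forwarding-only key should carry; note that sshd's no-port-forwarding refuses ssh -L as well as ssh -R, so combined with permitopen the tunnel is refused. The function names and the placeholder key body are this example's own.

```python
from __future__ import annotations

def parse_options(line: str) -> tuple[dict[str, list[str]], str]:
    """Split an authorized_keys line into {option: [values]} and the key text."""
    opts: dict[str, list[str]] = {}
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # no option prefix at all
        return opts, line
    i, n = 0, len(line)
    while i < n and not line[i].isspace():
        start = i
        while i < n and line[i] not in "=, \t":  # option name
            i += 1
        name, value = line[start:i].lower(), ""
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':  # quoted value, may hold commas and \"
                i, buf = i + 1, []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and i + 1 < n and line[i + 1] == '"':
                        i += 1
                    buf.append(line[i])
                    i += 1
                i, value = i + 1, "".join(buf)
            else:  # bare value
                start = i
                while i < n and line[i] not in ", \t":
                    i += 1
                value = line[start:i]
        opts.setdefault(name, []).append(value)
        if i < n and line[i] == ",":
            i += 1
    return opts, line[i:].strip()

def lint_authorized_key(line: str) -> list[str]:
    """Findings for a key meant to allow one ssh -L tunnel and nothing else."""
    opts, _ = parse_options(line)
    findings = [f"missing {o}" for o in ("from=", "command=", "no-pty",
                "no-x11-forwarding", "no-agent-forwarding") if o.rstrip("=") not in opts]
    if "no-port-forwarding" in opts and "permitopen" in opts:
        findings.append("no-port-forwarding refuses ssh -L too, so permitopen= "
                        "never applies; drop it to allow the IMAP tunnel")
    return findings

# Constructed sample: the page's option set with a placeholder key body.
PAGE_LINE = ('from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,'
             'no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" '
             'ssh-rsa AAAA_PLACEHOLDER_KEY_BODY username@client.example.com')
```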