SSH config

From Noah.org
Revision as of 00:34, 27 February 2009 by Root (talk | contribs)

SSH config tweaks

Most default SSH installations need a little tweaking for speed or extra security. There are two config files of interest. One is for the SSH server on the host accepting connections and the other is for the SSH client on your localhost.

Server side: /etc/ssh/sshd_config

These are changes I always make to /etc/ssh/sshd_config. See also fail2ban for protecting against scripts doing dictionary attacks.

# This speeds up logins.
UseDNS no
# TCPKeepAlive probes are plain TCP packets, so a firewall can drop them.
# The ClientAlive settings below serve a similar purpose and are smarter;
# they are independent of TCPKeepAlive.
TCPKeepAlive yes
# Client Alive messages are sent over the encrypted link, so they
# cannot be blocked or spoofed by a firewall. These settings tell
# the server to check the client every 30 seconds. If the client
# does not respond 4 times in a row then the session is closed.
# This allows for up to 2 minutes of network interruption.
ClientAliveCountMax 4
ClientAliveInterval 30

# Don't set MaxAuthTries to 1. A public key offer counts as the first try, so
# if the public key fails then sshd will not fall back to asking for a password.
MaxAuthTries 2
# Scripts often check these accounts for weak passwords:
DenyUsers root test admin guest nobody www www-data
# For extra security, limit access to only these users:
# Uncomment and replace "user1 user2 user3" with a list of user names to allow.
#AllowUsers user1 user2 user3

Use the following to support SSH1. I no longer use this.

# this is required if you want to support SSH1
Protocol 2,1
# this is required if you want to support SSH1
PasswordAuthentication yes

Client side: /etc/ssh/ssh_config or ~/.ssh/config

Edit the client SSH config if you are getting slow logins. This is usually caused by GSSAPI Authentication.

Host *
# This fixes slow logins. Don't use this if you use Kerberos or GSSAPI.
GSSAPIAuthentication no
# This helps prevent timeout disconnects. ssh uses the first value it reads
# for each option, so ServerAliveInterval is set only once, below.
TCPKeepAlive yes
# Allow agent authentication to chain through more than one server.
ForwardAgent yes
# Allow some limited X11 to our local X11 server.
# This is equivalent to -X option.
# "ForwardX11Trusted yes" would be equivalent to -Y option.
ForwardX11 yes
ForwardX11Trusted no
# These settings are equivalent to the ClientAlive* settings on the server.
ServerAliveCountMax 4
ServerAliveInterval 30

Remote Server Security Enhancement with SSH Keys

You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to authorized_keys you may prefix it with options that fine-tune the connection; these restrict what the client is allowed to do. On the remote server, add the following to ~username/.ssh/authorized_keys, all on one line (options, key type, key, comment):

from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== username@client.example.com
  • from="192.168.1.69": accept connections only from the given IP address
  • command="/bin/false": force this command to be run -- ignore what is requested by the client
  • no-pty: never allocate a PTY for interactivity
  • no-X11-forwarding: no X11 forwarding
  • no-agent-forwarding: we don't want or need ssh-agent
  • no-port-forwarding: prevent ssh -R ... (note that sshd(8) documents this option as forbidding all TCP forwarding, so it also blocks the ssh -L forward that permitopen is meant to allow; drop it if you need that forward, and verify the combination against your sshd version)
  • permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
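As an added example, not from the original page, the following Python script parses the options prefix of authorized_keys lines in the format described in sshd(8) and reports which of the restrictions listed above an entry lacks, so an account's authorized_keys file can be audited. The key-type list and the sample entry (with a placeholder key blob) are constructed for this example.

```python
# Added example, not from the original page: audit the options prefix of
# authorized_keys lines (format per sshd(8)) for the restrictions discussed above.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")  # assumed list
WANTED = ("from", "command", "no-pty", "no-X11-forwarding",
          "no-agent-forwarding", "no-port-forwarding")

def split_unquoted(s, is_sep, maxsplit=-1):
    """Split s where is_sep(c) holds, skipping quoted text and escaped chars."""
    parts, start, quoted, i = [], 0, False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and quoted:
            i += 2                          # skip the escaped character
            continue
        if c == '"':
            quoted = not quoted
        elif is_sep(c) and not quoted and maxsplit != 0:
            parts.append(s[start:i]); start = i + 1; maxsplit -= 1
        i += 1
    parts.append(s[start:])
    return parts

def split_entry(line):
    """Separate the optional options prefix from 'keytype blob [comment]'."""
    line = line.strip()
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line                     # plain key, no options at all
    opts, rest = split_unquoted(line, str.isspace, maxsplit=1)
    return opts, rest.strip()

def parse_options(opts):
    """Parse 'k=v,flag,...' into {name: [values]}; names are case-insensitive."""
    parsed = {}
    for item in filter(None, split_unquoted(opts, lambda c: c == ",")):
        name, _, value = item.partition("=")
        # strip one surrounding pair of double quotes, then resolve \" escapes
        value = value[1:-1] if value[:1] == value[-1:] == '"' else value
        parsed.setdefault(name.lower(), []).append(value.replace('\\"', '"'))
    return parsed

def audit(line):
    """Return (parsed options, entries of WANTED that the line lacks)."""
    parsed = parse_options(split_entry(line)[0])
    return parsed, [o for o in WANTED if o.lower() not in parsed]

# Constructed sample entry; the key blob is a placeholder, not a real key.
RESTRICTED = ('from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,'
              'no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" '
              'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed username@client.example.com')
```

Run audit() over each line of a real authorized_keys file to list entries that are missing restrictions; an empty second element means every option in WANTED is present.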