The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Package:OpenSSH"
Threesixes (talk | contribs) m |
|||
Line 5: | Line 5: | ||
}} | }} | ||
= Introduction = | == Introduction == | ||
SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2. | SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2. | ||
= Default Installation = | == Default Installation == | ||
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel. | Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel. | ||
By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination. | By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination. | ||
= Service configuration = | == Service configuration == | ||
There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional. | There are 2 means of configuring <code>sshd</code>. The first is required, the second is optional. | ||
Line 19: | Line 19: | ||
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files. | # <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files. | ||
= Protocol version selection = | == Protocol version selection == | ||
The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive. | The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive. | ||
e.g. <code>Protocol 2</code> | e.g. <code>Protocol 2</code> | ||
= Cipher selection = | == Cipher selection == | ||
The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2. | The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2. | ||
= User Authentication = | == User Authentication == | ||
== Single authentication method == | === Single authentication method === | ||
# Password authentication<br/>This is enabled by '''''default''''', it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated. | # Password authentication<br/>This is enabled by '''''default''''', it is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated. | ||
# Public key authentication | # Public key authentication | ||
Line 51: | Line 51: | ||
# Host-based authentication | # Host-based authentication | ||
== Requiring multiple authentication factors == | === Requiring multiple authentication factors === | ||
These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists. | These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists. | ||
Line 59: | Line 59: | ||
e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code> | e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code> | ||
== Password authentication using <code>sshd_config</code> == | === Password authentication using <code>sshd_config</code> === | ||
The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within <code>sshd_config</code>. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>. | The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within <code>sshd_config</code>. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form <code>USER@HOST</code> then access is restricted to the <code>USER</code> when originating from the <code>HOST</code>. | ||
Line 74: | Line 74: | ||
:Login is permitted to users whose primary group or supplementary group list matches one of the patterns | :Login is permitted to users whose primary group or supplementary group list matches one of the patterns | ||
== Public key authentication == | === Public key authentication === | ||
<code>AuthorizedKeysFile</code> | <code>AuthorizedKeysFile</code> | ||
<code>AuthorizedKeysCommand</code> | <code>AuthorizedKeysCommand</code> | ||
<code>AuthorizedKeysCommandUser</code> | <code>AuthorizedKeysCommandUser</code> | ||
===Host based authentication === | |||
== | == Access control == | ||
=== Controlling root access === | |||
== Controlling root access == | |||
Access by the root user can be controlled using the <code>PermitRootLogin</code> directive. | Access by the root user can be controlled using the <code>PermitRootLogin</code> directive. | ||
=== Permit empty passwords === | ==== Permit empty passwords ==== | ||
Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive. | Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive. | ||
ChallengeResponseAuthentication | ChallengeResponseAuthentication | ||
Line 115: | Line 113: | ||
UsePAM | UsePAM | ||
= X11 Forwarding = | == X11 Forwarding == | ||
By default X11 forwarding is disabled in OpenSSHd, | By default X11 forwarding is disabled in OpenSSHd, | ||
Line 133: | Line 131: | ||
X11UseLocalhost yes | X11UseLocalhost yes | ||
</pre> | </pre> | ||
X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded | X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded | ||
== Intrusion Prevention == | === Intrusion Prevention === | ||
ssh is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs, and black list remote users who have repeatedly failed to login. | ssh is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs, and black list remote users who have repeatedly failed to login. | ||
Revision as of 02:46, December 28, 2014
OpenSSH
We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.
Introduction
SSH is a cryptographically confidential network protocol for data transmission between 2 networked computers. There are 2 protocol versions; SSH-1 and SSH-2.
Default Installation
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of OpenRC's default runlevel.
By default login is allowed for all users via the ssh daemon on port 22 with any valid username and password combination.
Service configuration
There are 2 means of configuring sshd
. The first is required, the second is optional.
sshd
reads its configuration data from/etc/ssh/sshd_config
by default.sshd
may be configured to use PAM.
Permission may be granted or denied via PAM, allowing you to store usernames etc. using text files.
Protocol version selection
The default protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the Protocol
directive.
e.g. Protocol 2
Cipher selection
The Ciphers
directive specifies the ciphers allowed for protocol version 2.
User Authentication
Single authentication method
- Password authentication
This is enabled by default, it is configured using thePasswordAuthentication
directive. Valid parameters areyes
orno
.
WhenPasswordAuthentication yes
is configured, the state of thePermitEmptyPasswords
directive is evaluated. - Public key authentication
This is enabled with combinations of AuthorizedKeysFile
, AuthorizedKeysCommand
and AuthorizedKeysCommandUser
.
Passwordless Authentication
Client
on your client run
root # ssh-keygen -t rsa
Dialogs will be presented, you can press enter several times to accept defaults.
~/.ssh/id_rsa.pub
will be generated. Copy or append the contents of this file to the servers ~/.ssh/authorized_keys
Server
Create a user, or select which user the client will be accessing the server as, then place clients id_rsa.pub file into the users ~/.ssh/authorized_keys
Single Machine Testing
root # ssh-keygen -t rsa
Press enter several times to accept default settings.
root # cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
root # ssh localhost
- Host-based authentication
Requiring multiple authentication factors
These options are only available for SSH-2. The default is not to require multiple authentication. To identify to the daemon that you wish to require more than one authentication, you must use the AuthenticationMethods
directive. This directive is followed by one or more comma separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.
- password
- publickey
- keyboard-interactive
e.g. AuthenticationMethods "password,publickey password,keyboard-interactive"
Password authentication using sshd_config
The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly; within sshd_config
. Only user or group _names_ are valid, numerical IDs are not recognized. If the pattern takes the form USER@HOST
then access is restricted to the USER
when originating from the HOST
.
DenyUsers PATTERN PATTERN ...
- Login is forbidden for users whose username matches one of the patterns
AllowUsers PATTERN PATTERN ...
- Login is permitted to users whose username matches one of the patterns
DenyGroups PATTERN PATTERN ...
- Login is forbidden for users whose primary group or supplementary group list matches one of the patterns
AllowGroups PATTERN PATTERN ...
- Login is permitted to users whose primary group or supplementary group list matches one of the patterns
Public key authentication
AuthorizedKeysFile
AuthorizedKeysCommand
AuthorizedKeysCommandUser
Host based authentication
Access control
Controlling root access
Access by the root user can be controlled using the PermitRootLogin
directive.
Permit empty passwords
Access to accounts with empty (i.e. blank) passwords can be controlled using the PermitEmptyPasswords
directive.
ChallengeResponseAuthentication Ciphers
GSSAPIAuthenticaion GSSAPICleanupCredentials GSSAPIStrictAcceptorCheck HostBasedAuthentication HostBasedUsesNameFromPacketOnly HostCertificate HostKey HostKeyAgent LoginGraceTime MAC MaxAuthTries MaxSessions MaxStartups PasswordAuthentication PermitEmptyPasswords PubkeyAuthentication RevokedKeys RhostsRSAAuthentication RSAAuthentication TrustedUserCAKeys UseLogin UsePAM
X11 Forwarding
By default X11 forwarding is disabled in OpenSSHd,
If you would like to forward X11 from your Funtoo box to a remote system you must first edit your /etc/ssh/sshd_config file
change
#X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes
to
X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost yes
X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>' X sessions will be forwarded
Intrusion Prevention
ssh is a commonly attacked service. app-admin/sshguard monitors logs, and black list remote users who have repeatedly failed to login.