icenix
Jan 19 2004, 01:43 PM
This is just a simple configuration file for sshd (the ssh server/daemon from the openssh suite of tools, as available from
http://www.openssh.org ). The how-to is for a recent version of openssh (3.4 or later).
1. The configuration file sshd_config is usually located in /etc/ssh/ and only root can modify it. If you have installed from source, this configuration file may be located in a different directory.
2. Make a backup of the current sshd_config file first. Login as root, open a new file and add the following lines:
| CODE |
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#Allow X display forwarding
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

#Do not allow root login
PermitRootLogin no
|
Save this file over your current sshd_config file in the /etc/ssh directory.
Note: this configuration
* does not allow remote root login for security reasons.
* allows X display forwarding (remote X display). To disable the feature, comment out the line X11Forwarding yes or change it to X11Forwarding no.
* allows incoming sftp (secure FTP) connections.
Grinler
Jan 20 2004, 06:41 PM
Excellent. May I suggest you also add the line:
#Only v2 SSH Protocol
Protocol 2
This will force your clients to only be able to use SSH2, which should not be a problem with most clients these days.
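As an added example (not code from icenix's post, Grinler's reply or the OpenSSH project), a POSIX shell audit that resolves keywords the way sshd does (comment and blank lines skipped, keyword case-insensitive, first occurrence wins) and then checks a file against the settings recommended above: PermitRootLogin no, UsePrivilegeSeparation yes, PermitEmptyPasswords no, PasswordAuthentication no and Grinler's Protocol 2. The sample config and the function names are constructed for this example; the defaults assumed for unset keywords are those of OpenSSH 3.4.

```shell
#!/bin/sh
# Constructed sample sshd_config (not the file from the thread). It repeats
# PasswordAuthentication on purpose: sshd honours the FIRST occurrence, so
# the trailing "no" never takes effect. PermitRootLogin is still commented.
SAMPLE_CFG=$(cat <<'EOF'
# comment lines and blank lines are ignored
Port 3189
protocol 2
X11Forwarding yes
PasswordAuthentication yes
#PermitRootLogin no
Subsystem sftp /usr/lib/ssh/sftp-server
PasswordAuthentication no
EOF
)

# Print the effective value of KEYWORD in FILE as sshd resolves it.
# Prints nothing and returns 1 when the keyword is not set at all.
sshd_effective() {
    key=$1; file=$2
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == k      { print $2; found = 1; exit }   # first match wins
        END                   { exit !found }
    ' "$file"
}

# Audit FILE against the thread's recommendations; prints one line per
# finding and returns the number of findings (0 means the file passes).
sshd_audit() {
    file=$1; n=0
    v=$(sshd_effective PermitRootLogin "$file") || v=yes      # 3.4 default
    [ "$v" = no ] || { echo "PermitRootLogin is $v (want no)"; n=$((n+1)); }
    v=$(sshd_effective Protocol "$file") || v="2,1"            # 3.4 default
    [ "$v" = 2 ] || { echo "Protocol is $v (want 2)"; n=$((n+1)); }
    v=$(sshd_effective PermitEmptyPasswords "$file") || v=no
    [ "$v" = no ] || { echo "PermitEmptyPasswords is $v (want no)"; n=$((n+1)); }
    v=$(sshd_effective PasswordAuthentication "$file") || v=yes
    [ "$v" = no ] || { echo "PasswordAuthentication is $v (want no)"; n=$((n+1)); }
    v=$(sshd_effective UsePrivilegeSeparation "$file") || v=yes
    [ "$v" = yes ] || { echo "UsePrivilegeSeparation is $v (want yes)"; n=$((n+1)); }
    return $n
}

CFG=$(mktemp); printf '%s\n' "$SAMPLE_CFG" > "$CFG"
sshd_audit "$CFG" || echo "findings: $?"   # sample yields 2 findings
rm -f "$CFG"
```

Point it at your real file with `sshd_audit /etc/ssh/sshd_config`; on the sample it reports the commented-out PermitRootLogin and the ignored second PasswordAuthentication line.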
raif
Jan 21 2004, 10:29 PM
| QUOTE (Grinler @ Jan 20 2004, 01:41 PM) |
Excellent. May I suggest you also add the line:
#Only v2 SSH Protocol
Protocol 2
This will force your clients to only be able to use SSH2, which should not be a problem with most clients these days. |
agreed, what with the earlier protocols being crackable and all. good post though
bitwild
Feb 19 2004, 12:38 PM
maybe tune: KeyRegenerationInterval, ServerKeyBits
tyler.durden
Feb 20 2004, 04:58 PM
thanks... this is useful.
I use the sshd from cygwin, and I'll merge this conf with it (cause I don't know if they are 100% compatible).
I would like to ask you if it is possible to log ssh to /var/log/ssh.log, and not in the Windows registry. I looked on Google and only found that it is impossible, only event viewer is possible... but I don't want to believe it!

thank you
Grinler
Feb 20 2004, 06:16 PM
I am not that familiar with cygwin. Is that how cygwin's syslog logs its entries; to only event viewer?
tyler.durden
Feb 21 2004, 11:40 PM
| QUOTE (Grinler @ Feb 20 2004, 06:16 PM) |
| I am not that familiar with cygwin. Is that how cygwin's syslog logs its entries; to only event viewer? |
yes... I can find the log only in event viewer...

this is not good for me, cause I use it to connect to my pc from the office. My next step is to install a real Linux distro, ehehhe
radien
Jun 26 2004, 06:53 AM
and I suggest adding these lines:
#Default is yes
#StrictModes yes
#I like this one
PrintLastLog yes
#
DenyGroups root
#It's good, trust me
# 2 minutes (sshd rejects trailing text on an option line, so keep the comment on its own line)
LoginGraceTime 120
#Any unusual port
Port 3189
forza
Jul 2 2004, 10:23 PM
perhaps use private and public key
HostKey /etc/ssh/ssh_host_key
twistedps
Jul 8 2004, 12:52 AM
and don't run it on 22!
6066up9r
Jul 13 2004, 03:20 AM
not running on 22 will save you a lot of trouble as long as you aren't in a production environment where port 22 ssh is expected
as0l0
Jul 13 2004, 04:37 AM
good post, thanks for sharing.
SyN/AcK
Aug 9 2004, 04:31 PM
Your title with the words "Perfectly Secure" makes me shudder. I hesitate to say that anything is perfectly secure unless it's unplugged from the wall. Good config file though.