Forums: An Excellent Sshd Config File - Forums

An Excellent Sshd Config File Perfectly Secure

#1 icenix (Private First Class, Group: Members, Posts: 91, Joined: 05-January 04)

Posted 19 January 2004 - 05:43 AM

This is just a simple configuration file for sshd (the ssh server/daemon from the openssh suite of tools, as available from http://www.openssh.org ). The how-to is for a recent version of openssh (3.4 or later).

1. The configuration file sshd_config usually is located in /etc/ssh/ and only the root can modify it. If you have installed from source, this configuration file may be located in a different directory.

2. Make a backup of the current sshd_config file first. Log in as root, open a new file and add the following lines:

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#Allow X display forwarding
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

#Do not allow root login
PermitRootLogin no


Save this file over your current sshd_config file in the /etc/ssh directory.

Note
This configuration

* does not allow remote root login for security reasons.
* allows X display forwarding (remote X display). To disable the feature, comment out the line X11Forwarding yes or change it to X11Forwarding no.
* allows incoming sftp (secure FTP) connections.
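
The three steps above (back up, write the new file, save it over the live one) can be scripted so that a typo cannot lock you out. The following POSIX shell script is an added example written for this thread; it is not icenix's script and not part of OpenSSH. It writes only the directives that are actually active in the config above (every other line there is a commented-out default) plus Protocol 2 from the reply below, syntax-checks the candidate with `sshd -t -f` before touching the live file, and keeps a timestamped backup. The function names, the `SSHD` override variable and the `/root/sshd_config.new` path in the usage comment are this example's own assumptions; the live file is assumed to be /etc/ssh/sshd_config unless you pass another path.

```shell
#!/bin/sh
# Added example, not the poster's script: back up the live sshd_config,
# write the thread's effective directives to a candidate file, let sshd
# syntax-check the candidate, and only then install it.
# Assumptions: the sshd binary is on PATH (override with SSHD=/path/to/sshd)
# and the live file is /etc/ssh/sshd_config unless another path is given.

# write_hardened_config <path>
#   Writes the directives that are active in the thread's config plus
#   "Protocol 2" from the follow-up reply.
write_hardened_config() {
    cat > "$1" <<'EOF'
# Only the SSH-2 protocol
Protocol 2
# Do not allow root login
PermitRootLogin no
# Run the post-authentication code in an unprivileged child
UsePrivilegeSeparation yes
# Allow X display forwarding (change to no to disable)
X11Forwarding yes
# override default of no subsystems (path from the original post)
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

# backup_config <config>
#   Copies the live file to <config>.bak.<timestamp>, preserving mode and
#   owner, and prints the backup path.
backup_config() {
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# syntax_check <candidate>
#   Runs sshd in test mode (-t) against the candidate file only (-f).
#   If sshd cannot be found the check fails closed, so nothing is installed.
syntax_check() {
    sshd_bin="${SSHD:-sshd}"
    if ! command -v "$sshd_bin" >/dev/null 2>&1; then
        echo "syntax_check: $sshd_bin not found, cannot validate" >&2
        return 1
    fi
    "$sshd_bin" -t -f "$1"
}

# install_config <candidate> <config>
#   Refuses to touch the live file unless the candidate passes the check.
#   The installed file is made readable by its owner only.
install_config() {
    new="$1"; cfg="$2"
    syntax_check "$new" || { echo "refusing to install: syntax check failed" >&2; return 1; }
    bak="$(backup_config "$cfg")" || return 1
    echo "backup written to $bak"
    cp "$new" "$cfg" && chmod 600 "$cfg"
}

# reload_sshd
#   Asks the running daemon to re-read its config.  Existing sessions stay
#   up, so keep yours open and confirm a fresh login works before closing it.
reload_sshd() {
    pidfile=/var/run/sshd.pid
    [ -r "$pidfile" ] || { echo "no $pidfile; restart sshd manually" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Usage (as root; the candidate path is an assumption of this example):
#   write_hardened_config /root/sshd_config.new
#   install_config /root/sshd_config.new /etc/ssh/sshd_config && reload_sshd
```

Run the reload from a session you keep open, then open a second connection to confirm you can still log in; if the new config misbehaves, the backup printed by install_config is the file to copy back.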

#2 Grinler (Private First Class, Group: Members, Posts: 62, Joined: 12-August 03)

Posted 20 January 2004 - 10:41 AM

Excellent. May I suggest you also add the line:

#Only v2 SSH Protocol
Protocol 2

This will force your clients to only be able to use SSH2, which should not be a problem with most clients these days.
#3 raif (Staff Sergeant, Group: Specialist, Posts: 275, Joined: 14-January 04)

Posted 21 January 2004 - 02:29 PM

Grinler, on Jan 20 2004, 01:41 PM, said:

Excellent.  May I suggest you also add the line:

#Only v2 SSH Protocol
Protocol 2

This will force your clients to only be able to use SSH2, which should not be a problem with most clients these days.

Agreed, what with the earlier protocols being crackable and all. Good post though :)
#4 bitwild (Private First Class, Group: Members, Posts: 55, Joined: 30-November 03)

Posted 19 February 2004 - 04:38 AM

maybe tune: KeyRegenerationInterval, ServerKeyBits
#5 tyler.durden (Private First Class, Group: Members, Posts: 33, Joined: 09-February 04)

Posted 20 February 2004 - 08:58 AM

thanks... this is useful.

I use the sshd from cygwin, and I'll merge this conf with it (because I don't know if they are 100% compatible).

I would like to ask you if it is possible to log ssh to /var/log/ssh.log, and not in the Windows registry. I looked on Google and only found that it is impossible, only Event Viewer is possible... but I don't want to believe it! :)

thank you ;)
#6 Grinler (Private First Class, Group: Members, Posts: 62, Joined: 12-August 03)

Posted 20 February 2004 - 10:16 AM

I am not that familiar with cygwin. Is that how cygwin's syslog logs its entries; to only event viewer?
#7 tyler.durden (Private First Class, Group: Members, Posts: 33, Joined: 09-February 04)

Posted 21 February 2004 - 03:40 PM

Grinler, on Feb 20 2004, 06:16 PM, said:

I am not that familiar with cygwin. Is that how cygwin's syslog logs its entries; to only event viewer?

yes... I can find the log only in Event Viewer... :(

this is not good for me, because I use it to connect to my PC from the office. My next step is to install a real Linux distro, ehehhe :D
#8 radien (Private First Class, Group: Members, Posts: 73, Joined: 27-June 03)

Posted 25 June 2004 - 10:53 PM

and I suggest adding these lines:

#Default is yes
#StrictModes yes
#I like this one
PrintLastLog yes
#
DenyGroups root
#It's good, trust me (2 minutes; sshd rejects a trailing comment on a directive line as "garbage at end of line")
LoginGraceTime 120
#Any unusual port
Port 3189
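
When lines like these are merged into an existing sshd_config, as tyler.durden plans to do above, two rules of sshd's parser decide what actually takes effect: a line starting with # (such as #StrictModes yes) sets nothing, and the first value seen for a keyword wins, so a duplicate further down is silently ignored. A trailing # comment on a directive line is a third trap: sshd rejects it as "garbage at end of line". The following POSIX shell auditor is an added example written for this thread, not radien's code and not part of OpenSSH; it prints the effective value of the directives discussed here and flags the risky states the thread warns about. The function names, the RISK thresholds and the constructed sample config in demo() are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the *effective* value of the
# security-relevant sshd_config directives, reading the file the way sshd
# does: comment lines set nothing, the FIRST value for a keyword wins, and
# keyword names are matched case-insensitively.

# effective_value <file> <keyword>
#   Prints the first uncommented value for <keyword>; prints nothing if the
#   keyword is never set (sshd's compiled-in default then applies).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        tolower($1) == tolower(key) {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i  # multi-word values
            print v
            exit                                    # first match wins
        }' "$1"
}

# audit_sshd_config <file>
#   Lists the effective values and returns 1 if any setting the thread
#   warns about is still in a risky state or would be rejected by sshd.
audit_sshd_config() {
    f="$1"; rc=0
    for key in Protocol Port PermitRootLogin PasswordAuthentication \
               PermitEmptyPasswords StrictModes LoginGraceTime X11Forwarding; do
        v="$(effective_value "$f" "$key")"
        printf '%-24s %s\n' "$key" "${v:-(unset, sshd default applies)}"
        case "$v" in
            *'#'*) echo "ERROR: $key carries a trailing comment; sshd rejects this as garbage at end of line"; rc=1 ;;
        esac
    done
    case "$(effective_value "$f" PermitRootLogin)" in
        no) ;;
        *) echo "RISK: PermitRootLogin should be set explicitly to 'no'"; rc=1 ;;
    esac
    # OpenSSH 3.x defaults to "2,1" when Protocol is unset
    case "$(effective_value "$f" Protocol)" in
        ""|*1*) echo "RISK: protocol 1 is enabled; set 'Protocol 2'"; rc=1 ;;
    esac
    case "$(effective_value "$f" PermitEmptyPasswords)" in
        yes) echo "RISK: empty passwords are accepted"; rc=1 ;;
    esac
    return $rc
}

# demo: constructed sample (not a real host's config) with radien's lines
# merged after a block that already sets PermitRootLogin, plus a lowercase
# duplicate at the end that sshd will ignore because the first value wins.
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
Protocol 2
PermitRootLogin no
#StrictModes yes
PrintLastLog yes
DenyGroups root
LoginGraceTime 120
Port 3189
permitrootlogin yes
EOF
    audit_sshd_config "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In the demo, StrictModes reports as unset because the line is commented out, and PermitRootLogin reports "no" even though a later line says "yes"; that is exactly how sshd will read a merged file, so run the audit on the merged result rather than on the fragments.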
#9 forza (Private First Class, Group: Members, Posts: 88, Joined: 12-February 04)

Posted 02 July 2004 - 02:23 PM

perhaps use a private and public key

HostKey /etc/ssh/ssh_host_key
#10 twistedps (Staff Sergeant, Group: Members, Posts: 271, Joined: 20-March 04)

Posted 07 July 2004 - 04:52 PM

and don't run it on 22!
#11 Guest 6066up9r (Group: Guests)

Posted 12 July 2004 - 07:20 PM

not running on 22 will save you a lot of trouble as long as you aren't in a production environment where port 22 ssh is expected ;)
#12 as0l0 (Sergeant, Group: Members, Posts: 248, Joined: 14-September 03)

Posted 12 July 2004 - 08:37 PM

good post, thanks for sharing.
#13 Guest SyN/AcK (Group: Guests)

Posted 09 August 2004 - 08:31 AM

Your title with the words "Perfectly Secure" makes me shudder. I hesitate to say that anything is perfectly secure unless it's unplugged from the wall. Good config file though.