Configuring OpenSSH

SSH is the only way one should be connecting a remote shell to their Linux machines. SSH can provide remote shells, secure FTP (SFTP) and functions nicely as a tunnel for rsync. SSH comes with every distribution, 99% anyways, is easy to setup and provides excellent security. This article speaks about OpenSSH 4.2, other implementations exist.

SSH Server Daemon

The sshd daemon provides the server portion of SSH; it's configuration is usually located at /etc/ssh/sshd_config. Distributions vary on the defaults in here, some support protocol one and two, some only two. Regardless of your distribution below are relevant portions of a fairly tightend server with inline comments. Noteably root is denied, passwords are disabled and groups are restricted. Read man sshd_config.

# limit protocol and listen address
Protocol 2
# Restrict Logins, keys only, 20s timeout
LoginGraceTime 20
MaxAuthTries 2
PermitRootLogin without-password
PasswordAuthentication no
# disable this stuffs
UsePAM no
PrintMotd no
UseDNS no

SSH Authorized Keys Automatic Login §

SSH can automatically authenticate connections when the client presents an authorized key. A client gives it's public key to a server and then when it connects the server knows it's allowed in and automatically allows the connection. The Keys are specific to users, so a key for user_a will not let user_b in.

Few Simple Steps

  1. Create Keys

    If the keys don't exists already you must create them. Look in your ~/.ssh for files called id_rsa and id_rsa.pub. If those files don't exist say ssh-keygen -b 2048 -t rsa to create them.

  2. Place Keys on Server

    Copy id_rsa.pub to the server then append that to ~/.ssh/authorized_keys

In the Creo section we have a script to automate this process.

Optionally you can use a DSA key, simply replace `rsa` with `dsa` above.

Once this public side is added to the users authorized_keys on the server the user can connect w/o a password. We can see the process by running ssh in verbose mode: ssh -v with some output trimmed below, important stuff in bold

user@host $ ssh john@remote.host.tld
OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /home/user/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ...
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024>1024>8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remote.host.tld' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
john@remote ~ $

Command Restriction §

One super cool feature of RSA key authentication is that commands can be restricted so one key can do only one thing, very neat. This allows for very high level of automation & security on say, backup scripts, monitoring scripts, maintenance scripts, etc.

Create a line as follows in the /home/john/.ssh/authorized_keys file for the server side user.

command="/usr/bin/rsync -a /opt/company/ /mnt/backup/company/" ssh-rsa [ KEY HERE ] backup@autobot.domain.tld

With this command when a client connects as the user John and presents the matching RSA key the SSH server will run that command, then terminate the connection. Other command options can be given.

At Edoceo we use this method for backups, allowing an unprivilged user on a central host to issue commands to remote hosts by connecting with a specific key (ssh -i [key file]).

See Also

Loading Comments from Disqus...