Table of Contents
Secure Shell, ssh
The Secure Shell is basically an encrypted telnet, but it can do a lot more than telnet ever could such as tunnelling encrypted connections both in forward and reverse directions. Both clients and servers are available SSH on many operating systems.
Also on the security front, further down sshd_config, consider adding a banner warning stating that the system is private and not for public access. In the unlikely event you are hacked and catch the culprit you will have a stronger legal case if you have told any intruders that they should not be there.
. # banner path Banner /etc/issue
/etc/issue is displayed on a console before login, sometimes a
/etc/issue.net is present in case you want to have a different warning for local console users compared to network login users. Bear in mind that ssh -q will not show a banner so don't rely on just this alone as a security warning.
/etc/motd (Message Of The Day) is displayed after a successful login, so any system specific info should go there and not in
After having done this change, you will need to stop (not just restart sshd) with
/etc/rc.d/rc.sshd stop and
And the result? Success!!
zeus:~ andrewst$ ssh 192.168.1.1 -l andrew firstname.lastname@example.org's password: Last login: Tue Apr 20 00:56:35 2004 from 192.168.1.21 Linux 2.4.25. Welcome to Slackware! andrew@corerouter:~$
ssh -L localhost:5222:myxmpp.mydomain.co.uk:5222 -p 443 email@example.com ssh -L localhost:222:ssh.mydomain.co.uk:22 -L localhost:10022:midpoint.myserver.com:22 -p 443 firstname.lastname@example.org
ssh -D 1080 -p 443 email@example.com
Enable TCP keep alives
To avoid ssh sessions timing out or to prevent inactivity causing a firewall to terminate a session, configure a client poll interval edit
TCPKeepAlive yes KeepAlive yes ClientAliveInterval 60
Enable password login
In /etc/ssh/sshd_config, change this directive to “yes”:-
DNS resolution delay
If excessive timeouts are causing a problem, setting
UseDNS no in sshd_config will prevent reverse dns lookups.
Debug config sshd_config
Running the sshd daemon in the foreground allows any error messages to be seen, in this example, syslog was just showing lots of starts and stops and then a final fatal
init: ssh respawning too fast, stopped message. Also by specifying a different port to 22, you can avoid interfering with the normal sshd operation.
This showed the cause:-
root@ftphost01:/etc/ssh# /usr/sbin/sshd -Ddp 10222 /etc/ssh/sshd_config line 96: Directive 'UsePAM' is not allowed within a Match block root@ftphost01:/etc/ssh#
Add this to your .bash_profile:
SSHAGENT=/usr/bin/ssh-agent \\ SSHAGENTARGS="-s" \\ if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then eval `$SSHAGENT $SSHAGENTARGS` trap "kill $SSH_AGENT_PID" 0 fi
Regenerate ssh keys
root@usta02:~# cd /etc/ssh/ root@usta02:/etc/ssh# ls moduli sshd_config ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_rsa_key ssh_import_id root@usta02:/etc/ssh# rm ssh_host_* old/
Create new keys:-
root@usta02:/etc/ssh# dpkg-reconfigure openssh-server Creating SSH2 RSA key; this may take some time ... Creating SSH2 DSA key; this may take some time ... Creating SSH2 ECDSA key; this may take some time ... ssh stop/waiting ssh start/running, process 2258
Free OTP authenticator for PAM module
Work in progress links
ssh_config - client end
~/.ssh/config file allows host specific information to be added such as protocls to force use of, see ssh to Cisco 3750.