City College of San Francisco - CS260A
Linux System Administration

Module: ssh and sshd configuration

ssh and sshd configuration

This class does not cover general configuration of network services. That is left to a follow-on class. However, there are a few configuration options of ssh that should be explained as they are very useful to junior administrators. We have seen one of these options to sshd already - PermitRootLogin. This section covers a few more.

The master configuration files for ssh and sshd are in the /etc/ssh directory.

ssh configuration

Unlike sshd, ssh configuration is partly under user control. ssh reads its options from three places, in this order: the command line, the user's ~/.ssh/config, and the system-wide /etc/ssh/ssh_config. For each parameter the first value obtained is the one used, so command-line options override the user's file, and the user's file overrides the system defaults. ssh refuses to use a ~/.ssh/config that is writable by other users (it reports "Bad owner or permissions"), so keep the file mode 600.

You can apply ssh configuration settings in your config file (or in ssh_config) to individual hosts or groups of hosts. Settings that apply to a particular host or group of hosts are preceded by a Host xxx line, where xxx is one or more patterns (the wildcards * and ? are allowed) matched against the host name given on the command line. The configuration settings that follow the line apply to the matching host(s). This continues until the next Host line. Default settings for all hosts go under a Host * line, and because ssh keeps the first value it finds for each parameter, the Host * block must be the last block in the file; if it comes first, its values shadow every host-specific setting below it.

We cover the following configuration options

ForwardX11 yes|no  Setting this to yes is equivalent to giving the -X option on every ssh command. Note that the server must also be configured to allow X11 forwarding (see X11Forwarding below).

ForwardX11Trusted yes|no  Setting this to yes is equivalent to giving the -Y option on every ssh command. Again, the server must be configured to allow X11 forwarding. With -X (untrusted forwarding) the remote programs are subject to the X SECURITY extension, which stops them from, for example, reading other windows or capturing keystrokes on your display; -Y (trusted forwarding) removes those restrictions, so a compromised or malicious server could snoop on your entire X session. Some programs misbehave under the untrusted restrictions, which is the usual reason people reach for -Y. I don't believe anything we are doing in this class requires a trusted X11 connection. (see the Note below)

SendEnv var [var ... ]  Send these environment variables to the remote sshd server. The server must be configured to accept them (see AcceptEnv below)

StrictHostKeyChecking yes|no|ask  controls what ssh does when it connects to a host that does not have a host key in known_hosts, or whose key does not match the one recorded there. With yes, ssh never adds a new host to known_hosts and refuses to connect to any host that is not already listed. With ask (the default), ssh adds the new host only after showing its key fingerprint and asking the user. With no, ssh adds new hosts silently.
With yes or ask, ssh refuses to connect to a host whose host key does not match the one in known_hosts (the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning). With no, it continues anyway, but disables password authentication and forwarding for that connection; since a changed key is exactly what a man-in-the-middle attack looks like, no should be reserved for throwaway test hosts. Newer OpenSSH releases (7.6 and later) also accept accept-new, which adds unknown hosts automatically but still refuses to connect when a known host's key has changed.

User name  ssh will log in as name on the hosts matched by the enclosing Host block, as if name@ had been given on the command line; a user given explicitly on the command line still wins.

Example:

The following configuration file will turn on the -X option by default for ssh connections going to any machine on the 147.144.23 subnet and will attempt all logins to hills.ccsf.edu as the user xyzuser:

$ cat ~/.ssh/config
Host hills.ccsf.edu
User xyzuser

Host 147.144.23.*
ForwardX11 yes

Note: ForwardX11Trusted yes by itself does not turn forwarding on. The -Y command-line option sets both ForwardX11 and ForwardX11Trusted, but the config keyword only changes the kind of forwarding used once forwarding is enabled, which is why a config file containing only ForwardX11Trusted yes leaves DISPLAY unset on the remote side. To enable trusted X11 forwarding from the config file, put ForwardX11 yes alongside ForwardX11Trusted yes; otherwise use the -Y option.
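The precedence rule described above (command line first, then ~/.ssh/config, then /etc/ssh/ssh_config, first value obtained wins, Host * last) is easy to get wrong, so here is an added Python example that models it; this is not code from the course page or from OpenSSH. The sample config, the host names and the command-line options are constructed for the example, and only Host patterns with * and ? wildcards are handled (negated patterns and Match blocks are left out).

```python
"""Added example: resolve the effective ssh client settings for a host.

ssh reads the command line first, then ~/.ssh/config, then
/etc/ssh/ssh_config, and for each keyword keeps the FIRST value it
obtains. The same rule applies across Host blocks inside one file, which
is why the catch-all 'Host *' block belongs at the end. Negated patterns
('!pattern') and 'Match' blocks are not modelled here (assumption).
"""

import fnmatch

# Constructed sample config (not from the page); 'Host *' is last on
# purpose so it only supplies defaults.
SAMPLE_CONFIG = """
Host hills.ccsf.edu
    User xyzuser
    ForwardX11 yes

Host 147.144.23.*
    ForwardX11 yes
    StrictHostKeyChecking ask

# defaults for everything else: must be the last block
Host *
    User student
    ForwardX11 no
    StrictHostKeyChecking yes
"""

# The same settings with 'Host *' first: its values shadow every later
# block, which is the classic mistake.
WRONG_ORDER = """
Host *
    User student
    ForwardX11 no
    StrictHostKeyChecking yes

Host hills.ccsf.edu
    User xyzuser
    ForwardX11 yes
"""


def parse_blocks(text):
    """Split config text into (patterns, {keyword: value}) blocks.

    Settings before any 'Host' line apply to every host. Keywords are
    case-insensitive, as in ssh_config(5); '#' starts a comment.
    """
    blocks = []
    patterns, settings = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if settings:
                blocks.append((patterns, settings))
            patterns, settings = value.split(), {}
        else:
            settings.setdefault(keyword, value)  # first value wins
    if settings:
        blocks.append((patterns, settings))
    return blocks


def host_matches(patterns, hostname):
    """True if hostname matches any glob pattern of a Host line."""
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns)


def resolve(config_text, hostname, cli_options=None):
    """Return the effective settings for hostname.

    cli_options models command-line flags (e.g. {'ForwardX11': 'yes'}
    for -X); they are consulted first, so they override the file.
    """
    effective = {k.lower(): v for k, v in (cli_options or {}).items()}
    for patterns, settings in parse_blocks(config_text):
        if host_matches(patterns, hostname):
            for keyword, value in settings.items():
                effective.setdefault(keyword, value)
    return effective


if __name__ == "__main__":
    for host in ("hills.ccsf.edu", "147.144.23.7", "example.org"):
        print(host, resolve(SAMPLE_CONFIG, host))
    print("wrong order:", resolve(WRONG_ORDER, "hills.ccsf.edu"))
```

With the Host * block last, hills.ccsf.edu gets User xyzuser and the 147.144.23 hosts get ForwardX11 yes, while everything else falls back to the defaults; with Host * first, hills.ccsf.edu silently becomes User student. On a real system, ssh -G hostname prints the configuration ssh would actually use for that host and is the authoritative check after editing the file.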

sshd configuration

There are a few parameters in the sshd configuration file /etc/ssh/sshd_config that are important to new sysadmins.

PermitRootLogin yes|no|prohibit-password|forced-commands-only  We have mentioned the PermitRootLogin option before, but it has a third important setting, prohibit-password (older releases spell it without-password, and that spelling is still accepted). This means that root logins are allowed using ssh keys, but not using a password. This is very useful for automating processes on client machines while keeping root's password out of reach of network brute-force attempts. forced-commands-only goes further: root may log in with a key only if that key carries a command= option in authorized_keys, so the key can run one fixed command and nothing else. Since OpenSSH 7.0 the default is prohibit-password; earlier releases defaulted to yes, so set it explicitly rather than relying on the default.

X11Forwarding yes|no  This setting (default no) determines whether sshd will forward X11 connections. In order to successfully forward X11 connections, this option must be yes on the server and X11 forwarding must be enabled for the ssh connection on the client using one of the techniques discussed previously (-X, -Y or ForwardX11).

Port N  specifies the port number N that sshd will listen on (by default 22). Some think it is a security precaution to have sshd use a non-standard port. Moving the port does cut down the scanner noise in the logs, but it is not a security control: a port scan finds sshd in seconds, so it is no substitute for key-only authentication and the access restrictions below. If the port is changed, the ssh connection must use the -p N option (lowercase; e.g., -p 10020) to initiate the connection, or a Port N line under the appropriate Host block in the client's ~/.ssh/config; note that scp uses the uppercase -P for the same purpose. You can see a list of well-known ports and the services that use them in /etc/services.

allow/deny users

Access to ssh can be restricted to certain users and/or groups (by using the AllowUsers and/or AllowGroups directives) or to everyone except certain users and/or groups (by using the DenyUsers and/or DenyGroups directives). By default, sshd allows connections for all users. Each directive takes a space-separated list of names, which may contain the wildcards * and ?; in AllowUsers and DenyUsers an entry may also be written user@host to restrict that user to logins from a particular host or address. sshd evaluates the directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a login is refused at the first stage that rejects it. Note that as soon as an Allow directive is present, everyone it does not list is refused.

Example:   DenyUsers student guest   allows all users except student and guest to connect using ssh.

If a user tries to connect via ssh and the connection is denied by one of these directives, it will appear to the user as though the password doesn't work: sshd deliberately gives no hint. The real reason is recorded in the sshd log on the server (/var/log/auth.log, /var/log/secure or the systemd journal, depending on the distribution) as, for example, "User student from 10.0.0.5 not allowed because listed in DenyUsers", so that is the first place to look when a legitimate user is locked out.

Remember, if you change the sshd configuration file, you must restart (or reload) the service in order for it to take effect, for example with systemctl restart sshd (the unit is called ssh on Debian-based systems). Before doing so, run sshd -t as root to check the file for syntax errors, and keep your current ssh session open while you test a fresh login from another terminal: if the new configuration locks you out, the existing session is still there to fix it.
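To tie the sshd settings above together (PermitRootLogin, X11Forwarding and the AllowUsers/DenyUsers/AllowGroups/DenyGroups evaluation order), here is an added Python example that audits a weak sshd_config beside a hardened one and works out which sample logins the allow/deny directives would admit. It is not code from the course page or from OpenSSH: the two configs, the user and group names, and the client addresses are constructed for the example, the audit rules are the editor's own choices, and lines inside Match blocks are skipped as a simplifying assumption.

```python
"""Added example: audit an sshd_config and evaluate its login-restriction
directives for sample users.

Parsing follows sshd_config(5): keywords are case-insensitive and the
first value obtained for a keyword wins. Lines inside a 'Match' block
are conditional and are skipped here (assumption, to keep it short).
"""

import fnmatch

# Constructed sample configs (not from the page): a weak one and a
# hardened one with the same intent.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
DenyUsers student guest
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
X11Forwarding no
AllowUsers deploy admin@10.0.0.*
AllowGroups sshusers
"""


def parse_sshd_config(text):
    """Return {keyword: value}, keeping the first value for each keyword."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        if not in_match:
            settings.setdefault(keyword, value)
    return settings


# keyword, default when unset (current OpenSSH), acceptable values, reason
CHECKS = [
    ("permitrootlogin", "prohibit-password",
     {"no", "prohibit-password", "without-password", "forced-commands-only"},
     "root password logins over ssh are a brute-force target"),
    ("passwordauthentication", "yes", {"no"},
     "keys cannot be guessed; passwords can"),
    ("x11forwarding", "no", {"no"},
     "review: enable X11 forwarding only where it is actually needed"),
]


def audit(text):
    """Return a list of findings (empty when the config passes the checks)."""
    s = parse_sshd_config(text)
    findings = []
    for keyword, default, acceptable, reason in CHECKS:
        value = s.get(keyword, default)
        if value not in acceptable:
            findings.append(f"{keyword} is '{value}': {reason}")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account may try to log in")
    return findings


def _matches(pattern_list, name, client_addr):
    """Match name against space-separated patterns, each 'name' or
    'user@host'; a host part is matched against the client address."""
    for pat in pattern_list.split():
        user_pat, _, host_pat = pat.partition("@")
        if fnmatch.fnmatchcase(name, user_pat) and (
                not host_pat or fnmatch.fnmatchcase(client_addr, host_pat)):
            return True
    return False


def login_allowed(text, user, groups, client_addr):
    """Apply sshd's order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    Returns (allowed, reason); the reasons are modelled on the wording
    sshd writes to its log, the only place the cause is visible."""
    s = parse_sshd_config(text)
    if "denyusers" in s and _matches(s["denyusers"], user, client_addr):
        return False, "listed in DenyUsers"
    if "allowusers" in s and not _matches(s["allowusers"], user, client_addr):
        return False, "not listed in AllowUsers"
    if "denygroups" in s and any(_matches(s["denygroups"], g, client_addr) for g in groups):
        return False, "a group is listed in DenyGroups"
    if "allowgroups" in s and not any(_matches(s["allowgroups"], g, client_addr) for g in groups):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", audit(cfg) or "none")
    print(login_allowed(WEAK_CONFIG, "student", ["users"], "10.0.0.5"))
    print(login_allowed(HARDENED_CONFIG, "admin", ["sshusers"], "192.168.1.1"))
```

The weak config produces four findings and the hardened one none. In the hardened config, admin is admitted from 10.0.0.9 but refused from 192.168.1.1 because the AllowUsers entry is admin@10.0.0.*, and deploy is refused unless sshusers is among the account's groups, since AllowGroups is evaluated after AllowUsers and both must pass. On a real server, sshd -T prints the effective configuration after these first-value-wins rules have been applied, and sshd -t checks the file for syntax errors before a restart.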


Copyright 2015 Greg Boyd - All Rights Reserved.