Title: OpenSSH installation and configuration for Linux

KBTAG: kben10000035
URL: http://www.securityportal.com/lskb/10000000/kben10000035.html
Date created: 15/04/2000
Date modified:
Date removed:
Authors(s): Kurt Seifried seifried@securityportal.com
Topic: Installing, configuring and maintaining OpenSSH for Linux
Keywords: Servers/SSH

Implementation information:
Difficulty: medium
Requirements: rpm or compiler
Time (approx.): 10 minutes
Comments: Requires RSA, in US you must use RSAREF.

Summary:

There are several SSH solutions for Linux, however OpenSSH (a sub project of OpenBSD) is probably the best one overall. OpenSSH has been extensively audited (a root hack found in SSH with RSAREF had already been fixed in OpenSSH), and has an OpenSource license. OpenSSH allows you to encrypt a wide variety of network traffic, replacing telnet, RCP, etc.

More information:

OpenSSH is a cleaned up version of SSH, you will require OpenSSL for the crypto components, OpenSSL and OpenSSH are readily available in source and a number of binary packages. To install either download the appropriate binary packages for your system (see "Downloads" at the end) or get the source code and build it (typical ./configure ; make ; make install type software). Both packages are extremely mature and you should have no problems on a well maintained system.

The next item is configuring OpenSSH. OpenSSH, being based on SSH uses the same configuration so if you know how to administer SSH there is no learning curve to speak of. Most OpenSSH packages support TCP_WRAPPERS, so you can use hosts.allow and hosts.deny to control access to the daemon, one advantage of TCP_WRAPPERS is the ability to specify other actions when a hosts that is not allowed to connect tries to (such as fingering the host). To grant OpenSSH access to an internal network (10.*) and not allow any other hosts simply put the following in "/etc/hosts.allow":

sshd: 10.0.0.0/255.0.0.0

and then in "/etc/hosts.deny":

sshd: 0.0.0.0/0.0.0.0

SSH also has a wonderful configuration file, /etc/sshd/sshd_config by default in most installations. You can easily restrict who is allowed to login, which hosts, and what type of authentication they are allowed to use. The default configuration file is relatively safe but following is a more secure one with explanations. Please note all this info can be obtained by a “man sshd” which is one of the few well written man pages out there. The following is a typical sshd_config file:

Port 22
# runs on port 22, the standard

ListenAddress 0.0.0.0
# listens to all interfaces, you might only want to bind a secure host
# to an internal address

HostKey /etc/ssh/ssh_host_key
# where the host key is

RandomSeed /etc/ssh/ssh_random_seed
# where the random seed is

ServerKeyBits 768
# how long the server key is

LoginGraceTime 300
# how long they get to punch their credentials in

KeyRegenerationInterval 3600
# how often the server key gets regenerated 

PermitRootLogin no
# permit root to login? no

IgnoreRhosts yes
# ignore .rhosts files in users dir? yes

StrictModes yes
# ensures users don't do silly things

QuietMode no
# if yes it doesn't log anything. yikes. we want to log logins/etc.

X11Forwarding no
# forward X11? shouldn't have to on a server

FascistLogging no
# maybe we don't want to log too much.

PrintMotd yes
# print the message of the day? always nice

KeepAlive yes
# ensures sessions will be properly disconnected

SyslogFacility DAEMON
# who's doing the logging?

RhostsAuthentication no
# allow rhosts to be used for authentication? the default is no
# but specify to be safe

RhostsRSAAuthentication no
# authenticate using rhosts or /etc/hosts.equiv, somewhat insecure
# not in my mind. the default is yes so lets turn it off. 

RSAAuthentication yes
# allow pure RSA authentication? this one is pretty safe and makes
# life easier for power users

PasswordAuthentication yes
# allow users to use their normal login/passwd?

PermitEmptyPasswords no
# permit accounts with empty password to log in? no

Other useful sshd_config directives include:

AllowGroups admin
# explicitly allow group(s) to login using ssh, useful on servers that have
# user accounts but shouldn't be logging in

DenyGroups badusers
# explicitly disallows group(s) from logging in, useful for locking users out

AllowUsers bob jane joe
# explicitly allow users to login in using ssh

DenyUsers dopey sleepy grumpy
# explicitly blocks users from logging in

AllowHosts firewall.example.org
# allow certain hosts, the rest will be denied, useful if you didn't compile
# in TCP_WRAPPERS support and want to be paranoid

DenyHosts badmachine.example.org
# blocks certain hosts, the rest will be allowed, useful for blocking naughty machines

IdleTimeout 10m
# time in minutes/hours/days/etc, forces a logout by SIGHUP'ing the process, useful
# for preventing users from leaving unattended session (i.e. going out for lunch).

 

Downloads:

ftp://ftp.openssl.org/ - Primary site for OpenSSL, includes source, and binary packages

ftp://ftp.redhat.de/pub/rh-addons/security/ - Security packages for Red Hat 6.1 and 6.1, including OpenSSL and OpenSSH.

http://www.cryptoarchive.net/cgi-bin/file-search.cgi - Search engine at CryptoArchive, mirrors 2 gigs of OpenSource crypto