KBTAG: kben10000035
URL: http://www.securityportal.com/lskb/10000000/kben10000035.html
Date created: 15/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Installing, configuring and maintaining OpenSSH for Linux
Keywords: Servers/SSH
Implementation information:
Difficulty: medium
Requirements: rpm or compiler
Time (approx.): 10 minutes
Comments: Requires RSA, in US you must use RSAREF.
There are several SSH solutions for Linux; however, OpenSSH (a subproject of OpenBSD) is probably the best one overall. OpenSSH has been extensively audited (a root hack found in SSH with RSAREF had already been fixed in OpenSSH) and has an open source license. OpenSSH allows you to encrypt a wide variety of network traffic, replacing telnet, RCP, etc.
OpenSSH is a cleaned-up version of SSH. You will need OpenSSL for the crypto components; both OpenSSL and OpenSSH are readily available as source and as a number of binary packages. To install, either download the appropriate binary packages for your system (see "Downloads" at the end) or get the source code and build it (typical ./configure ; make ; make install type software). Both packages are extremely mature and you should have no problems on a well-maintained system.
The next item is configuring OpenSSH. OpenSSH, being based on SSH, uses the same configuration, so if you know how to administer SSH there is no learning curve to speak of. Most OpenSSH packages support TCP_WRAPPERS, so you can use hosts.allow and hosts.deny to control access to the daemon. One advantage of TCP_WRAPPERS is the ability to specify other actions when a host that is not allowed to connect tries to (such as fingering the host). To grant OpenSSH access to an internal network (10.*) and not allow any other hosts, simply put the following in "/etc/hosts.allow":
sshd: 10.0.0.0/255.0.0.0
and then in "/etc/hosts.deny":
sshd: 0.0.0.0/0.0.0.0
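The following Python sketch is an added example, not part of the original article or of TCP_WRAPPERS itself. It replays the two files above through the TCP_WRAPPERS decision order (hosts.allow first, then hosts.deny, otherwise access is granted) to show which clients reach sshd and why the hosts.deny line is needed. It handles only the net/mask client pattern used here, and the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed copies of the two files from the text above.
HOSTS_ALLOW = "sshd: 10.0.0.0/255.0.0.0\n"
HOSTS_DENY = "sshd: 0.0.0.0/0.0.0.0\n"


def net_mask_match(pattern, client_ip):
    """tcp_wrappers net/mask rule: match when (address AND mask) == net."""
    net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/"))
    return (int(ipaddress.IPv4Address(client_ip)) & mask) == net


def file_matches(text, daemon, client_ip):
    """True if any 'daemon_list: client_list' line covers this daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (field.strip() for field in line.split(":")[:2])
        if daemon not in daemons.replace(",", " ").split():
            continue
        if any(net_mask_match(c, client_ip) for c in clients.replace(",", " ").split()):
            return True
    return False


def check_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply the documented order: hosts.allow, then hosts.deny, else grant."""
    if file_matches(allow, daemon, client_ip):
        return "granted by hosts.allow"
    if file_matches(deny, daemon, client_ip):
        return "denied by hosts.deny"
    return "granted (no rule matched)"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.10"):
        print(ip, "->", check_access("sshd", ip))
    # Failure mode: with an empty hosts.deny the outside host is let in.
    print("192.0.2.10, empty hosts.deny ->", check_access("sshd", "192.0.2.10", deny=""))
```

Because the deny rule names only sshd, any other wrapped daemon on the host is still reachable from outside under these two files.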
SSH also has a wonderful configuration file, /etc/sshd/sshd_config by default in most installations. You can easily restrict who is allowed to log in, from which hosts, and what type of authentication they are allowed to use. The default configuration file is relatively safe, but the following is a more secure one with explanations. Please note that all this information can be obtained with man sshd, which is one of the few well-written man pages out there. The following is a typical sshd_config file:
Port 22
# runs on port 22, the standard
ListenAddress 0.0.0.0
# listens to all interfaces, you might only want to bind a secure host
# to an internal address
HostKey /etc/ssh/ssh_host_key
# where the host key is
RandomSeed /etc/ssh/ssh_random_seed
# where the random seed is
ServerKeyBits 768
# how long the server key is
LoginGraceTime 300
# how long they get to punch their credentials in
KeyRegenerationInterval 3600
# how often the server key gets regenerated
PermitRootLogin no
# permit root to login? no
IgnoreRhosts yes
# ignore .rhosts files in users dir? yes
StrictModes yes
# ensures users don't do silly things
QuietMode no
# if yes it doesn't log anything. yikes. we want to log logins/etc.
X11Forwarding no
# forward X11? shouldn't have to on a server
FascistLogging no
# maybe we don't want to log too much.
PrintMotd yes
# print the message of the day? always nice
KeepAlive yes
# ensures sessions will be properly disconnected
SyslogFacility DAEMON
# who's doing the logging?
RhostsAuthentication no
# allow rhosts to be used for authentication? the default is no
# but specify to be safe
RhostsRSAAuthentication no
# authenticate using rhosts or /etc/hosts.equiv, somewhat insecure
# not in my mind. the default is yes so let's turn it off.
RSAAuthentication yes
# allow pure RSA authentication? this one is pretty safe and makes
# life easier for power users
PasswordAuthentication yes
# allow users to use their normal login/passwd?
PermitEmptyPasswords no
# permit accounts with empty password to log in? no
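One way to check a deployed sshd_config against the hardening choices in the sample above, written as an added Python example (not the article's or the OpenSSH project's code). The SAMPLE input is constructed, the function names are assumptions, and a directive that is absent is reported as well, since the article prefers stating values explicitly over relying on defaults.

```python
# Settings taken from the article's sample sshd_config (keywords lower-cased).
RECOMMENDED = {
    "permitrootlogin": "no", "permitemptypasswords": "no",
    "ignorerhosts": "yes", "strictmodes": "yes",
    "rhostsauthentication": "no", "rhostsrsaauthentication": "no",
    "x11forwarding": "no", "quietmode": "no",
}

# Constructed sample: a config that has drifted from those settings.
SAMPLE = """\
Port 22
# root logins were re-enabled during maintenance
PermitRootLogin yes
permitrootlogin no
IgnoreRhosts yes
StrictModes yes
RhostsAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
QuietMode no
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value. Keywords are case-insensitive and
    sshd keeps the first value it reads, so later duplicates are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *rest = line.split(None, 1)
        settings.setdefault(keyword.lower(), rest[0].strip() if rest else "")
    return settings


def audit(text):
    """Return sorted (keyword, found, wanted) for each departure, counting a
    missing directive as a departure so nothing rests on a default."""
    found = parse_sshd_config(text)
    return sorted((key, found.get(key, "<not set>"), want)
                  for key, want in RECOMMENDED.items() if found.get(key) != want)


if __name__ == "__main__":
    for keyword, got, want in audit(SAMPLE):
        print(f"{keyword}: found {got!r}, article recommends {want!r}")
```

The sample shows three distinct findings: a later "permitrootlogin no" that is shadowed by the earlier "yes", a missing RhostsRSAAuthentication line (whose default the article gives as yes), and a plainly wrong X11Forwarding value.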
Other useful sshd_config directives include:
AllowGroups admin
# explicitly allow group(s) to login using ssh, useful on servers that have
# user accounts but shouldn't be logging in
DenyGroups badusers
# explicitly disallows group(s) from logging in, useful for locking users out
AllowUsers bob jane joe
# explicitly allow users to log in using ssh
DenyUsers dopey sleepy grumpy
# explicitly blocks users from logging in
AllowHosts firewall.example.org
# allow certain hosts, the rest will be denied, useful if you didn't compile
# in TCP_WRAPPERS support and want to be paranoid
DenyHosts badmachine.example.org
# blocks certain hosts, the rest will be allowed, useful for blocking naughty machines
IdleTimeout 10m
# time in minutes/hours/days/etc, forces a logout by SIGHUP'ing the process, useful
# for preventing users from leaving unattended session (i.e. going out for lunch).
Downloads:
ftp://ftp.openssl.org/ - Primary site for OpenSSL, includes source and binary packages
ftp://ftp.redhat.de/pub/rh-addons/security/ - Security packages for Red Hat 6.1 and 6.1, including OpenSSL and OpenSSH.
http://www.cryptoarchive.net/cgi-bin/file-search.cgi - Search engine at CryptoArchive, mirrors 2 gigs of OpenSource crypto