MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


SSH III - Configuration

* Configuring The Client
* Configuring The Server

Related Resources:

Ssh FAQ
Getting started with SSH
man ssh, man sshd

Revision / Modified: Sep. 27, 2001 / July 14, 2000
Author: Tom Berger

* Configuring The Client

OpenSSH knows three configuration levels: command line options, the user configuration file ('~/.ssh/config'), and the system-wide configuration file ('/etc/ssh/ssh_config'). Options given on the command line prevail over configuration file options, and options given in the user's configuration file prevail over those in the system-wide configuration file. All command-line options are also available as configuration file options.
Since no user configuration file is installed by default, copy '/etc/ssh/ssh_config' to '~/.ssh/config' (or edit '/etc/ssh/ssh_config' in place as 'root').

The standard configuration file looks like this:

[lots of explanations and possible options listed]
# Be paranoid by default
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no

[Available options are explained in man ssh, chapter CONFIGURATION FILES]

The configuration file is read sequentially: for each option, the first value found in a 'Host' section that matches the host name 'wins', and later sections cannot override it. Host-specific sections therefore have to come before the general 'Host *' section.
Let's say you have an account at www.foobar.com and your account name is 'bilbo'. Furthermore you want to use the 'ssh-agent' / 'ssh-add' combo (discussed on the previous page) as well as data compression to speed up transfers. And since you are too lazy to type the full hostname every time, you want to use 'fbc' as an abbreviation for 'www.foobar.com'.
Your configuration file should then look like this:

Host *fbc
HostName www.foobar.com
User bilbo
ForwardAgent yes
Compression yes
# Be paranoid by default
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no

Next time you enter 'ssh fbc', SSH will look up the full hostname, use your user name to log in and authenticate with the key managed by the 'ssh-agent'. It can't get much easier than that, can it? ;)

SSH connections to all other hosts will still use the 'paranoid' default settings; for the configured hosts, only those paranoid settings apply which haven't been explicitly overridden in their own section or on the command line.
In the example above, an SSH connection to www.foobar.com will have 'ForwardAgent' and 'Compression' set to 'yes', while 'ForwardX11' and 'FallBackToRsh' remain set to 'no' unless overridden by command line arguments.
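To make the first-match rule tangible, here is an added example (not code from the article or from OpenSSH) that resolves the options 'ssh' would end up with for a given host name. It implements only the subset of ssh_config syntax used on this page ('Host' sections with '*' / '?' wildcards, one 'Keyword value' per line, '#' comment lines; no 'Match' blocks or negated patterns) and uses the configuration file from the example above plus a constructed copy of it with the two sections in the wrong order, to show what goes wrong when 'Host *' comes first.

```python
"""Resolve effective OpenSSH client options by the first-match-wins rule.

Added illustration, not part of the article or of OpenSSH. Supports only
'Host' sections with shell-style wildcards and plain 'Keyword value' lines.
"""
import fnmatch

# Constructed sample: the user configuration file from the article.
SAMPLE_CONFIG = """\
Host *fbc
HostName www.foobar.com
User bilbo
ForwardAgent yes
Compression yes
# Be paranoid by default
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no
"""

# Constructed counter-example: the same sections in the wrong order.
REVERSED_CONFIG = """\
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no
Host *fbc
HostName www.foobar.com
User bilbo
ForwardAgent yes
Compression yes
"""


def parse_ssh_config(text):
    """Split ssh_config text into (patterns, {keyword: value}) sections.

    Sections are kept in file order. Lines before the first 'Host' line
    form a section matching every host. Keywords are case-insensitive and
    are lower-cased; within a section only the first occurrence of a
    keyword is kept, as ssh does.
    """
    sections = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            if options:
                sections.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)
    if options:
        sections.append((patterns, options))
    return sections


def effective_options(text, host, command_line=None):
    """Return the options ssh would use when invoked as 'ssh host'.

    Precedence, highest first: command-line options, then the first
    matching 'Host' section that mentions the keyword. Later sections
    never override an option that was already obtained.
    """
    result = {k.lower(): v for k, v in (command_line or {}).items()}
    for patterns, options in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for keyword, value in options.items():
            result.setdefault(keyword, value)   # earlier value wins
    return result


if __name__ == "__main__":
    for name, config in (("correct order", SAMPLE_CONFIG),
                         ("reversed order", REVERSED_CONFIG)):
        print(name)
        for host in ("fbc", "other.example.org"):
            print("  ", host, sorted(effective_options(config, host).items()))
```

Running it shows that with the sections in the article's order 'fbc' gets 'ForwardAgent yes', whereas with 'Host *' placed first the alias section's 'ForwardAgent yes' is silently ignored because the value 'no' was already obtained; the command-line dictionary models the top precedence level.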

Further options you might want to have a look at include:

  • CheckHostIP yes
    This option makes ssh additionally check the remote host's IP address against the entry in '~/.ssh/known_hosts', which helps to detect DNS spoofing.
  • CompressionLevel
    The compression level ranges from '1' (fast) to '9' (best). Default is '6'.
  • ForwardX11 yes
    You will need this option to run remote X applications locally.
  • LogLevel DEBUG
    This option comes in handy when you've got trouble with your SSH connection. The default setting is INFO.


* Configuring The Server

SSH server configuration is done via the file '/etc/ssh/sshd_config'; the options are explained in the file itself and in man sshd. Note that OpenSSH does not have separate configuration files for SSH 1.x and 2.x.

Among the default options you might want to have a look at are:

  • PermitRootLogin yes
    A preferable option might be PermitRootLogin without-password, which disables 'root' logins from machines without a matching key pair. Setting this option to 'no' disables 'root' logins completely; you then have to use su from a user account.

  • X11Forwarding no
    Change this option to 'yes' to allow your users to run X apps on your machine. Note that disabling this option doesn't improve your server's security, since "users can always install their own forwarders" (man sshd).

  • PasswordAuthentication yes
    Setting this option to 'no' will only allow SSH logins using the key mechanism. This might annoy users who are logging in from different machines frequently but is a boost to server security (password-based authentication schemes are weak).

  • # Subsystem /usr/local/sbin/sftpd
    Removing the leading hash (#) and changing the path to '/usr/bin/sftpserv' will allow your users to use 'sftp', an SSH-tunneled version of FTP ('sftpserv' is part of the sftp package). Given the familiarity of many users with FTP and the somewhat cumbersome handling of 'scp', this might be a worthwhile thing to provide. Moreover, the popular graphical 'gftp' program supports transfers via 'sftp' since version 2.0.7 (which makes up for the missing features in pure 'sftp').
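The following added example (not code from the article or from OpenSSH) audits an sshd_config text for the settings just discussed and reports those the article recommends changing. It parses only the plain 'Keyword value' syntax (comment lines, first occurrence of a keyword wins, as sshd does) and ignores 'Match' blocks. The two configuration texts are constructed: one with the default values shown above, one with the hardened values the article suggests. The defaults assumed for absent keywords are the ones this page shows as shipped; newer OpenSSH releases ship 'PermitRootLogin prohibit-password', so adjust them for the version in use.

```python
"""Audit an sshd_config text for the settings discussed in the article.

Added illustration, not part of the article or of OpenSSH. Handles plain
'Keyword value' lines and '#' comment lines only; 'Match' blocks are not
interpreted.
"""

# Assumed when a keyword is absent: the defaults the article shows as
# shipped (OpenSSH of that era). Newer releases differ, e.g. they ship
# PermitRootLogin prohibit-password.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
}

# Constructed sample: the defaults from the article, sftp still commented out.
DEFAULT_SAMPLE = """\
PermitRootLogin yes
X11Forwarding no
PasswordAuthentication yes
# Subsystem /usr/local/sbin/sftpd
"""

# Constructed sample: the values the article suggests.
HARDENED_SAMPLE = """\
PermitRootLogin without-password
X11Forwarding yes
PasswordAuthentication no
Subsystem sftp /usr/bin/sftpserv
"""


def parse_sshd_config(text):
    """Map lower-cased keywords to their first value; comment lines are skipped.

    Note: sshd allows several 'Subsystem' lines (one per subsystem name);
    this illustration keeps only the first, which is enough for the audit.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        options.setdefault(keyword.lower(), value.strip())
    return options


def audit_sshd_config(text):
    """Return a list of (keyword, value, finding) tuples; empty means nothing to flag.

    X11Forwarding is deliberately not flagged: as the article notes,
    turning it off does not improve server security.
    """
    opts = dict(ASSUMED_DEFAULTS)
    opts.update(parse_sshd_config(text))
    findings = []
    root = opts["permitrootlogin"].lower()
    if root == "yes":
        findings.append(("PermitRootLogin", root,
                         "root may log in with a password; prefer "
                         "'without-password' (key only) or 'no' (use su)"))
    if opts["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "password logins allowed; set to 'no' to require "
                         "key authentication"))
    subsystem = opts.get("subsystem", "")
    if "sftp" not in subsystem.lower():
        findings.append(("Subsystem", subsystem or "(none)",
                         "no sftp subsystem configured; users are limited "
                         "to scp"))
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name + ":")
        for keyword, value, finding in audit_sshd_config(text) or []:
            print("  %s %s: %s" % (keyword, value, finding))
```

Point the audit at the real file with 'audit_sshd_config(open("/etc/ssh/sshd_config").read())' to get the same report for a running server; an empty list means all three settings already match the article's recommendations.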


Now that you've got it working right, check out how to copy files using SSH.

Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.