OpenSSH knows three configuration levels: command-line options, the user
configuration file ('~/.ssh/config'), and the system-wide configuration file ('/etc/ssh/ssh_config').
Options given on the command line prevail over configuration file options, and
options given in the user's configuration file prevail over those in the
system-wide configuration file. All command-line options are also available as
configuration file options.
Since there is no user configuration file installed by default, copy and rename
'/etc/ssh/ssh_config' to '~/.ssh/config' (or edit '/etc/ssh/ssh_config' in
place as 'root').
The standard configuration file looks like this:
[lots of explanations and possible options listed]

    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no
[Available options are explained in man ssh, chapter CONFIGURATION FILES]
The configuration file is read top to bottom and, for each option, the
first value obtained 'wins'; later settings of the same option are ignored.
Host-specific sections therefore have to come before the general 'Host *' section.
Let's say you have an account at www.foobar.com and your account name is 'bilbo'.
Furthermore you want to use the 'ssh-agent' - 'ssh-add' combo (discussed
on the previous page) as well as data compression to speed up transfers.
And since you are too lazy to type the full hostname every time, you want
to use 'fbc' as an abbreviation for 'www.foobar.com'.
Your configuration file should then look like this:
    Host *fbc
        HostName www.foobar.com
        User bilbo
        ForwardAgent yes
        Compression yes

    # Be paranoid by default
    Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no
Next time you enter ssh fbc , SSH will look
up the full hostname, use your user name to login and authenticate using
the key managed by the 'ssh-agent'. It can't get much easier than that, can
it? ;)
SSH connections to all other hosts will still use the
'paranoid' default settings; the configured accounts get only those paranoid
settings which haven't been explicitly turned off in their own section
or on the command line.
In the example above, an SSH connection to www.foobar.com will have
'ForwardAgent' and 'Compression' set to 'yes', while 'ForwardX11' and
'FallBackToRsh' remain 'no' unless overridden by command-line arguments.
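The two rules just described (host sections must precede the 'Host *' section, and the first value obtained for an option wins) are easy to get wrong, and a mistake is silent. The following Python script is an added example, not part of the original page or of OpenSSH: it resolves the effective options for a host alias the way ssh(1) does, once over a constructed copy of the configuration above and once over a variant with the 'Host *' section moved to the top. Host pattern handling ('*', '?', a leading '!' negating) follows ssh_config(5); 'Match' and 'Include' are not handled.

```python
"""Resolve the effective ssh_config options for a host alias the way ssh(1)
does: sections are read top to bottom and the FIRST value obtained for an
option wins. Added example; not part of the original page or of OpenSSH."""
import fnmatch
import re

# Constructed sample: the client configuration from the text above, with the
# host section placed before the paranoid catch-all.
GOOD_CONFIG = """\
Host *fbc
    HostName www.foobar.com
    User bilbo
    ForwardAgent yes
    Compression yes

# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
"""

# Constructed sample: the same settings with the catch-all moved to the top.
BAD_CONFIG = """\
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no

Host *fbc
    HostName www.foobar.com
    User bilbo
    ForwardAgent yes
    Compression yes
"""


def host_matches(patterns, alias):
    """Evaluate a 'Host' pattern list: whitespace-separated patterns with '*' and
    '?' wildcards; a pattern starting with '!' excludes the alias if it matches."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            matched = True
    return matched


def resolve(config_text, alias):
    """Return {keyword (lowercase): value} of the options in effect for `alias`."""
    effective = {}
    active = True                  # options before the first Host line apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(value, alias)
            continue
        if active and keyword not in effective:
            effective[keyword] = value                       # first obtained value wins
    return effective


if __name__ == "__main__":
    print("good order:", resolve(GOOD_CONFIG, "fbc"))
    print("bad order: ", resolve(BAD_CONFIG, "fbc"))
    print("other host:", resolve(GOOD_CONFIG, "www.example.org"))
```

With the catch-all first, 'ForwardAgent yes' under 'Host *fbc' is never applied, because 'Host *' already supplied a value for it; nothing warns you. On OpenSSH 6.8 and later the real client will print its own resolution with 'ssh -G fbc', which is the quickest way to check a configuration after editing it.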
Further options you might want to have a look at include:
CheckHostIP yes
This option makes ssh additionally check the remote host's IP address against
the entry in 'known_hosts', so that a changed host key caused by DNS spoofing
can be detected.
CompressionLevel
The compression level ranges from '1' (fast) to '9' (best). Default is '6'.
Note that this option applies to protocol version 1 only.
ForwardX11 yes
You will need this option to run remote X applications and display them locally.
Be aware that it gives X clients on the remote host access to your local
display, so enable it only for hosts you trust.
LogLevel DEBUG
This option comes in handy when you've got trouble with your SSH connection.
The default setting is INFO.
SSH server configuration is done via the file '/etc/ssh/sshd_config',
options are explained in the file itself and in man sshd . Note
that OpenSSH does not have different configuration files for SSH
1.x and 2.x.
Among the default options you might want to have a look
at, are:
- PermitRootLogin yes
A preferable setting is PermitRootLogin without-password, which refuses
password authentication for 'root', so that root logins require a matching
key pair (or another non-password method). Setting this option to 'no'
disables 'root' logins completely and you have to use su from a user account.
- X11Forwarding no
Change this option to 'yes' to allow your users to run X apps on your machine.
Note that disabling this option doesn't improve your server's security,
since "users can always install their own forwarders" (man sshd).
- PasswordAuthentication yes
Setting this option to 'no' will only allow SSH logins using the key mechanism.
This might annoy users who are logging in from different machines frequently
but is a boost to server security (password-based authentication schemes
are weak). If your sshd was built with PAM support, also set
ChallengeResponseAuthentication no; otherwise keyboard-interactive
authentication will still prompt for, and accept, passwords.
- # Subsystem /usr/local/sbin/sftpd
Removing the leading hash (#) and changing the path to '/usr/bin/sftpserv'
will allow your users to use 'sftp', an SSH-tunneled version of FTP ('sftpserv'
is part of the sftp package). The directive's syntax is 'Subsystem sftp <path>':
the subsystem name 'sftp' is what the client requests, followed by the command
to run. Given the familiarity of many users with FTP
and the somewhat cumbersome handling of 'scp', this might be a worthwhile
thing to provide. Moreover, the popular graphical 'gftp' program supports transfers via 'sftp'
since version 2.0.7 (which makes up for the missing features in pure 'sftp').
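As an added example (not from the original page or from OpenSSH), the following Python script audits an sshd_config text for the settings discussed in the list above. It mirrors the first-obtained-value rule sshd(8) shares with the client, fills in the compiled-in defaults of the OpenSSH releases this page describes for keywords that are absent or commented out, and reports the weak settings, including the PAM keyboard-interactive gap. Both configuration texts are constructed samples and the sftp-server path in them is illustrative.

```python
"""Audit an sshd_config for the options discussed above.

sshd(8), like ssh(1), uses the FIRST value obtained for each keyword, and a
keyword that is absent (or commented out) takes its compiled-in default.
Added example; not part of the original page or of OpenSSH.
"""
import re

# Compiled-in defaults of the OpenSSH releases this page describes.
# (Releases since 7.0 default PermitRootLogin to prohibit-password.)
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample: a stock-looking server configuration. PermitRootLogin
# and the sftp subsystem are commented out, so the defaults apply.
STOCK_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
#Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: the same server hardened as suggested in the text.
# The sftp-server path is illustrative; use the one your package installs.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
"""


def parse_sshd_config(text):
    """Return ({keyword: first value}, {subsystem name: command}).

    Keywords are lowercased; comments and blank lines are skipped. Parsing
    stops at the first 'Match' block, whose settings are conditional.
    """
    effective, subsystems = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "subsystem":
            fields = value.split(None, 1)                     # name, then command
            if fields:
                subsystems.setdefault(fields[0], fields[1] if len(fields) > 1 else "")
        elif keyword not in effective:
            effective[keyword] = value                        # first obtained value wins
    return effective, subsystems


def audit(text):
    """Return a list of findings; empty when none of the weak settings is active."""
    effective, subsystems = parse_sshd_config(text)

    def setting(keyword):
        return effective.get(keyword, DEFAULTS[keyword]).lower()

    findings = []
    if setting("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password; "
                        "prefer 'without-password' or 'no'")
    if setting("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: password logins are allowed; "
                        "set it to 'no' to require keys")
    elif setting("challengeresponseauthentication") == "yes":
        # With PAM, keyboard-interactive authentication still prompts for a
        # password even though PasswordAuthentication is off.
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive "
                        "can still accept passwords; set it to 'no' as well")
    if "sftp" not in subsystems:
        findings.append("no 'Subsystem sftp' line: sftp clients will be refused")
    return findings


if __name__ == "__main__":
    for label, text in (("stock", STOCK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit(text) or ['no findings']}")
```

The script deliberately treats a commented-out keyword exactly like a missing one, because that is what sshd does: '#PermitRootLogin yes' in the stock file is documentation of the default, not a setting, and the default is what the audit must judge.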
Now that you've got it working right, check out how to copy files using SSH.