This page contains some notes on using and setting up ssh for sys admins.
Other useful information is on the ITG user information page.
Also try the Berkeley Lab ssh page, which includes Windows 95 and Macintosh versions.
You should first at least skim through the info at the SSH Home Page.
There are many levels of security provided by ssh. I feel the most important one at this point is the elimination of clear text passwords. The instructions below describe how we use ssh in our environment. This does not cover all of the ssh protection options.
Preparing a host for ssh logins:
1. Build and install the ssh binaries: ssh sshd ssh-keygen ssh-add ssh-agent
MAGIC folks can also grab pre-compiled binaries from here.
2. Generate /etc/ssh_host_key
ssh-keygen -b 1024 -f /etc/ssh_host_key -N ''
This gives the host machine a unique ID. This guards against IP spoofing.
3. Create the /etc/sshd_config file
Here's the configuration we use:
# This is the ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
QuietMode no
X11Forwarding yes
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
4. Start the sshd daemon. This should be started at boot time. Here is a sample startup script: (on Solaris, this is /etc/rc2.d/S99sshd)
#!/bin/sh
# Start or stop sshd. On Solaris, install as /etc/rc2.d/S99sshd.
# A case statement is used so that a missing argument does not break the test.
case "$1" in
start)
    if [ -x /usr/local/etc/sshd ]; then
        echo "Starting sshd daemon... "
        /usr/local/etc/sshd
    fi
    ;;
stop)
    # Pick the pid(s) out of "ps -e" output: drop the grep itself, strip
    # leading blanks, then keep only the first (PID) column.  Note that this
    # matches every sshd process, including per-session children.
    pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    if [ "${pid}" != "" ]; then
        echo "Stopping sshd daemon "
        /usr/bin/kill ${pid}
    fi
    ;;
esac
5. Optional: To prevent IP spoofing attacks, create the file /etc/ssh_known_hosts.
6. Optional: generate a root access control list (/.ssh/authorized_keys)
For example, if you wish to give a certain user root access, copy the entry from ~user/.ssh/identity.pub to /.ssh/authorized_keys on that host. That user will then be able to become root without knowing or typing the root password.
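As an added example for step 5 (not from the original page or the ssh distribution), here is a small sh script that assembles /etc/ssh_known_hosts from host public key files you have copied over by a trusted path (each host's /etc/ssh_host_key.pub); it assumes the SSH1 file formats, and the function names known_hosts_entry and build_known_hosts are chosen here.

```shell
#!/bin/sh
# Added example: build a system-wide ssh_known_hosts file.
# Assumed SSH1 formats:
#   ssh_host_key.pub : "bits exponent modulus comment"
#   ssh_known_hosts  : "host[,host...] bits exponent modulus"

# known_hosts_entry NAMES PUBFILE
# Print the known_hosts line for NAMES (comma-separated names/IPs) built from
# an SSH1 public key file; return 1 if the file does not look like one.
known_hosts_entry() {
    names=$1
    pubfile=$2
    # Take the first three fields; the trailing comment (e.g. root@host) is dropped.
    read bits exp modulus rest < "$pubfile" || return 1
    for field in "$bits" "$exp" "$modulus"; do
        case "$field" in
            ''|*[!0-9]*) return 1 ;;   # every field must be a decimal integer
        esac
    done
    printf '%s %s %s %s\n' "$names" "$bits" "$exp" "$modulus"
}

# build_known_hosts OUTFILE NAMES:PUBFILE...
# Write one entry per argument, refusing a second entry for a host name that
# is already present so a stale or rogue key cannot sit beside the real one.
build_known_hosts() {
    out=$1
    shift
    : > "$out"
    for spec in "$@"; do
        names=${spec%%:*}       # everything before the first ':' (no IPv6 here)
        pubfile=${spec#*:}
        first=${names%%,*}
        if awk -v h="$first" '{ n = split($1, a, ",")
                                for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
                              END { exit found ? 0 : 1 }' "$out"; then
            echo "duplicate known_hosts entry for $first" >&2
            return 1
        fi
        known_hosts_entry "$names" "$pubfile" >> "$out" ||
            { echo "$pubfile is not an SSH1 public key file" >&2; return 1; }
    done
}
```

Source the file and run, for instance, build_known_hosts /etc/ssh_known_hosts alpha.example.com,192.0.2.10:/tmp/keys/alpha.pub with one NAMES:PUBFILE argument per host; the resulting file is what step 5 asks for.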
Preparing a user account for ssh:
Generate identity key ~/.ssh/identity*
% ssh-keygen
This will prompt you for a passphrase. A passphrase is recommended, but not required. This phrase helps protect you from your key being divulged if you're broken into, or if the file permissions are set wrong.
We also recommend each user use the following aliases:
alias rsh ssh
alias rlogin ssh
Or you can change the default encryption to a method that is slightly faster:
alias rsh ssh -c rc4
alias rlogin ssh -c rc4
On a slow link (i.e. modem or ISDN), use the compression flag:
alias rsh ssh -c rc4 -C
alias rlogin ssh -c rc4 -C
X windows security:
To make all X clients secure, start the X server under ssh-agent,
i.e.: ssh-agent /usr/openwin/bin/openwin
or: ssh-agent /usr/bin/X11/xinit
If you have questions about any of this, please contact CTLarsen@lbl.gov.