| |||||
A Beginner's Guide to SSH Servers (sshd)SSH Server OverviewOpenBSD and some recent Linux distributions include sshd, the SSH server in the base install and start it automatically. To make the simplest connection you only need to type "ssh host_name_or_ip" to start a connection from the client side. UNIX clients assume the current user name unless another is provided and Windows clients include a field to provide a user name. The standard configuration file for sshd is sshd_config. This is located in /etc on OpenBSD systems. On Linux systems it is likely to be in the /etc/ssh directory with other SSH related files. sshd_config is a very simple configuration file format with "ValueName Value" pairs with a simple space as a separator. Comment lines begin with a "#" sign. When any changes are made to this file, the sshd daemon must be restarted. "# kill -HUP `cat /var/run/sshd.pid`" will work on OpenBSD and some Linux systems. If this doesn't work on Linux, find the appropriate initialization script and run it manually. If the server has an /etc/hosts.deny file that deny client host access, then OpenBSD and some distributions of Linux require client machines to be listed in /etc/hosts.allow. Other than an obscure reference near the end of the man pages this does not seem to be documented. If you are having trouble making an ssh connection (the terminal window closes in a few seconds or you see a message similar to "Connection closed by remote host."), be sure that computer attempting to make the client connection is allowed in /etc/hosts.allow. The simplest /etc/hosts.allow would contain one line "sshd: ALL". This is strongly NOT recommend (except for testing purposes) and should only be used if you have many incoming connections from many users with too many diverse origins to consider controlling. A single host can be allowed by hostname but IP addresses are preferred as they are faster and somewhat more reliable. A single host can be specified as 10.11.12.27/255.255.255.255 and a class C or /24 ("slash twenty four") network as 10.11.12.0/255.255.255.0. It is not necessary to restart sshd when hosts.allow or hosts.deny changes are made, as they are checked each time a connection attempt is made. The safest hosts.deny file is a simple one line "ALL: ALL" which denies all connections not explicitly authorized in hosts.allow. If the sshd server allows password authorization, users will be allowed to login by providing their username and password only. This is the default on OpenBSD. This is set in the sshd_config when the line "PasswordAuthentication yes" is included. Password authentication is based only on what someone, who is hopefully the legitimate user, knows. If the user has a poor password or has been careless with it, this is not much protection. Password logins can be disabled by setting "PasswordAuthentication no" and allowing RSAAuthentication which is on by default. Some default sshd_config files, including OpenBSD allow direct remote root logins with the line "PermitRootLogin yes". I consider this to be a serious mistake and think this line should always be changed to "PermitRootLogin no". This forces a remote user to know two user passwords to login as root. First they must know a normal user's password, then they must know root's password as well. If the system is set up properly, the user will also need to be a member of the group wheel, security or root, depending on the system, to have access to su. Direct root logins should not be allowed regardless of whether password authentication is allowed or RSA authentication, discussed next, is required. If root logins are not allowed and RSA authentication is used, then the user will need to know the normal user's RSA passphrase plus the root password. Another default to consider changing is the ListenAddress setting. On a machine with only one NIC, this won't matter. On machines with two or more NICs, typically routers and firewalls, the default is to listen on all network interfaces. Often on machines with more than one network card there will be good reasons for restricting ssh access to a specific card or cards. The ListenAddress can be used to restict sshd to listening only on the specified NICs. Assuming the Port has already been set, all that is needed is to place the IP address of the NIC to be allowed after the ListenAddress option. If the machine has three or more network cards, more than one ListenAddress option may be used. If a ListenAddress option is provided, any NIC that has not been specified will not accept ssh connections. With RSA authentication allowed and password authentication disallowed, users will be forced to login using a key pair. This should be more secure than just a password login because now the user has to know something, the passphrase for the key pair and have something, the private key. Also, someone who already has access to the remote machine, must put the public key in the correct location. Of course the user can pick a very poor password or do something stupid with it like leaving it on a Post-it near the computer with the private key or save the passphrase on the same machine as the private key. OpenBSDThe simplest OpenBSD configuration file is a zero byte /etc/sshd_config. The /usr/sbin/sshd daemon won't start unless this file is present but it does not have to have any contents. Sshd will run with all defaults. The default configuration file provided with OpenBSD turns off the least secure option RhostsAuthentication and also disables X11 forwarding which is enabled by default. The sshd defaults allow password authentication and root logins so any user including root, may login in directly from any remote locations, unless /etc/hosts.allow and hosts.deny are used to control what machines are allowed access via ssh, or a firewall controls host access outside SSH. The default configuration file does not allow empty password logins but that's also the default. Two recent default OpenBSD systems will allow ssh connections with no additional configuration changes. The necessary server keys are created automatically the first time the system boots after the install. Red Hat 7.1 LinuxI did a workstation install which installed the SSH client, ssh, but not the server, sshd. This is probably included by default in the server install but I'm not sure. If you want to use both on the same machine, check the box that allows you to select individual packages and be sure both are checked. If you miss either or both, they are easy to install after the fact. Both packages are included in /mnt/cdrom/RedHat/RPMS/ on the first install disk. The server package is openssh-server-2.5.2p2-5.i386.rpm. Either cd to that directory and type "# rpm -i package_name" or type "# rpm -i" with the full path and package name. If you are at all curious about the start up script, after sshd is installed, cd to /etc/rc.d/init.d and take a look at sshd. Then, to start the server, type "# ./sshd start". To simply start the server you can type "# /etc/rc.d/init.d/sshd start" from anywhere. The configuration files are located in /etc/ssh. If the ssh client is installed, ssh_config will be present here. sshd_config will be added by rpm. "# /etc/rc.d/init.d/sshd start" will generate the server keys in /etc/ssh. The defaults are the same as OpenBSD except that X11 forwarding is enabled. Like OpenBSD, RhostsAuthentication is disabled. Password authentication and root logins are also enabled so any user including root, may login in directly from remote locations allowed by the combination of /etc/hosts.allow /etc/hosts.deny. For an extra layer of security, add authorized hosts to /etc/hosts.allow. If /etc/hosts.deny has restrictive rules, unauthorized client computers will not be able to log in. The default /etc/hosts.deny contains only comments. Add a new line that is simply "ALL: ALL"; this restricts all access to only those hosts specifically permitted in /etc/hosts.allow. During the Red Hat 7.1 installation, I'm almost sure that I specifically enabled ssh connections in the firewall configuration. If I did it did not take. To allow ssh connections on Red Hat 7.1 Linux, if you are using the default firewall, ipchains, installed with RH 7.1, you may need to add a new line to /etc/sysconfig/ipchains, the configuration file for ipchains. The line should be similar to "-A input -s allowed_net/nn -d 0/0 22 -p tcp -j accept" following the -s for source (in this case ssh client) computer(s) put the allowed network or hosts and slash type network mask. For example if the local segment is 10.20.30.0 with up to 255 hosts and all computers on that segment can ssh into the new server, use 10.20.30.0/24. If only one management workstation was allowed access to the server that could be specified like 10.20.30.27/32. The "0/0 22" following "-d" allows connections to any computer, 0/0, to port 22. If this is a single host with one network interface and not a firewall with multiple network interfaces, this is permissible and allows the host's IP address to be reconfigured without having to reexamine the firewall rules. If this were on an actual firewall protecting other hosts with multiple network interfaces, then the destination would need to be the computers that were allowed to have outside ssh connections only and access to other computers should be blocked. This can't be a firewall tutorial but for any host running firewall software, the firewall must be configured to allow appropriate connections, in addition to any configuration steps required by SSH. EnGarde Secure LinuxThere is little point in reviewing the SSH setup with EnGarde Linux. Everything, including a working windows client, is provided on CD and instructions in the manual. The EnGarde setup assumes that the web management interface is being run from a computer which will act as a management workstation for the EnGarde server. It's key generation function automatically puts the public key in the user's .ssh/authorized_keys files on the server and invokes the browser to download the private key to the computer running the browser. They pretty much assume the person doing the setup will be the one using ssh to access the server. The settings go to what look like the standard location for Linux, /etc/ssh and are somewhat more conservative than OpenBSD or Red Hat. Password authentication is disabled. Only SSH 1, RSAAuthentication, is supported. One could manually edit the configuration files to provide other options but there is no reason to assume that the web management interfaces would recognize and not subsequently overwrite such changed settings. Baring a thorough knowledge of the details of how EnGarde Linux, including its web management interface works, it seems wisest to stay within the parameters acknowledged as supported. Other LinuxsThe locations of the files and directories /etc/ssh, /etc/sysconfig and /etc/rc.d mentioned under Red Hat do not appear to be included in either the recently adopted Linux Standard Base or affiliated Filesystem Hierarchy Standard. EnGarde uses /etc/ssh but not /etc/sysconfig or /etc/rc.d. The following general steps are suggested. As root, check if sshd is running with "# ps ax|grep sshd". If its running, a line of output with a process number and /usr/sbin/sshd or possibly just sshd should appear. Don't confuse this with the line that is likely to show ending with "grep sshd"; that's the grep process. If sshd is an active process and you have not manually started it, then it's likely installed and running as a result of system initialization scripts. If sshd is not an active process do an "ls -l /usr/bin/sshd"; if there is no output it's likely that sshd is not installed or present on the system. You could try as root, "# find / -name sshd" and if you still get no output, you can be quite sure it's not installed. If you need to install sshd, because OpenSSH is an OpenBSD product and you need to get the correct source version for your Linux system, I'd recommend finding a pre built binary package for your specific distribution of Linux, rather than building it from source. Use rpm, dpkg or other appropriate package command to install the SSH server and or client as appropriate. After installing, you'll need to locate the initialization script which should be in some /etc/rc.d* subdirectory. Try "#find /etc -name sshd" to locate the initialization script. You should run this to start sshd; look it over first to see if it expects a "start" or other parameter. Afterwards when the system reboots, sshd should start automatically. If it does not, use "#chkconfig --list" to see how sshd is set. It should show as on for runlevels 3, 4, and 5. If it shows as off, then run "#chkconfig sshd on". If it does not show in the list at all (use less or grep to be sure if there is more than a screen of output) then run "#chkconfig --add sshd; chkconfig sshd on". You could check the configuration settings, typically /etc/ssh/sshd_config, but these are probably fine for initial testing. After verifying that sshd is working in it's more basic modes, you may wish to review the sshd configuration and see if changing any settings is appropriate to your environment. Once sshd is running, an ssh client that attempts to connect to it should tell you that the authenticity of the host cannot be established. If instead you see a "connection closed by remote host" message, you almost certainly have to adjust /etc/hosts.allow. If you are having any trouble getting an ssh connection then add the line "sshd: ALL" to /etc/hosts.allow. If this fixes the problem or later when any other problems are fixed, come back and change this so only specific allowed hosts or LANs can connect. Put "ALL: ALL" in /etc/hosts.deny to prevent any but authorized connections. If the ssh client prompts you that the host can't be authenticated, then the ssh client and sshd server are communicating. If you cannot complete a login, then check the sshd_config file to be sure that "PasswordAuthentication yes" is set. If not, you'll never get to log in using passwords but ssh won't tell you that for security reasons. It will let you keep trying passwords all day long and every several attempts close the connection. If "PasswordAuthentication no" is in the sshd_config file change the no to yes to allow password authentication or if "RSAAuthentication yes" is present and you only want the more secure connection form, then generate and locate the appropriate key pair as described in the client section. After making any sshd_config file changes, sshd, must be restarted. On most systems "# kill -HUP `cat /var/run/sshd.pid`" should work. If not try the sshd initialization script under /etc/rc* with a restart or start option. 
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.
|
|||||
