You are not logged in.

#1 2004-10-16 08:13:41

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

[Wiki] SSH / SSHD

http://wiki.archlinux.org/index.php/usi … and%20SSHD

I wrote an entry for SSH and SSHD
It's not perfect but I hope a good start smile
If you see something that needs to be fixed tell me, or fix it yourself and then tell me so I know what I did wrong
thx


ArchLinux (x86_64) w/ kdemod

Offline

#2 2004-10-16 08:53:07

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: [Wiki] SSH / SSHD

hmm...according to the hosts.allow manpage

The access control software consults two files. The search stops at the
       first match:
                                                                               
       ·      Access  will  be  granted when a (daemon,client) pair matches an
              entry in the /etc/hosts.allow file.
                                                                               
       ·      Otherwise, access will be denied  when  a  (daemon,client)  pair
              matches an entry in the /etc/hosts.deny file.
                                                                               
       ·      Otherwise, access will be granted.

So, your commenting out the deny all access in hosts.deny is doing more harm than good. It is opening up everything...because if it isn't denyed, it gets allowed eventually.
The allow rule should be read first, and the ssh connection should be let in.

I don't honestly know if it will work that way, as it has been a while since I mucked around in allow/deny files.

Maybe someone else knows exactly what happens....

also, you got some html code in the /etc/ssh/ssh_config section. It could confuse some people--it looks like wiki hosed on the close verbatim tag for some reason...

the same recommendation about changing to protocol 2 only should be made for the sshd server. Even moreso, because if the server is configured to allow 2 only, then that is all that will work...

You might also want to talk about generating ssh keys, and using authorized_keys to allow ssh'ing without password (key based auth). Then maybe a blurb about x11 forwarding, etc.

good start though..

8)

oh, and don't forget, scp works both ways...
scp user@server:/file /localfile
scp /localfile user@server:/file


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#3 2004-10-16 13:14:50

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

thank you very much

I tried out the different hosts.allow/deny combinations and you were right,
the deny all part can stay in. I am sure though that I had it like that and it wouldn't work, but now it works so I guess it's ok tongue

I will look into scp and generating keys etc. some more! thanks for the advise / hints


ArchLinux (x86_64) w/ kdemod

Offline

#4 2004-10-16 16:57:45

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: [Wiki] SSH / SSHD

Thank you for writing this, its been on my wish list for quite a while, but I didn't feel like figuring out how to do it so I could write it. wink Its very comprehensive, well done!

What about adding a section for generating the ssh keys to enable passwordless login?

Dusty

Offline

#5 2004-10-16 18:01:43

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

I will I will smile
I intend on writing it tonight so I hope to get it done
I also thing I gonna take out the scp part and put it to a separate wiki page
.mith


ArchLinux (x86_64) w/ kdemod

Offline

#6 2004-10-16 22:16:40

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

sorry for spamming but it's the next day so I thought I could just ignore the edit button  :twisted:
I added the ssh keys part.. let me know what you think.
I didn't feel like going into the use multiple keys part since I have no use for them and don't know how to deal with them anyway smile


ArchLinux (x86_64) w/ kdemod

Offline

#7 2004-10-17 00:50:26

hyp0luxa
Member
From: Miami, FL
Registered: 2004-07-10
Posts: 70

Re: [Wiki] SSH / SSHD

Thanks a lot for this Mith. Good work.

Offline

#8 2004-10-17 05:14:29

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: [Wiki] SSH / SSHD

hmm...
don't forget about ssh-add when talking about using a passphrase for your private key. Just an ssh-add, enter your passphrase, and for the rest of your login session, you won't be prompted again for your passphrase.
Very handy, and far more secure than creating a private key with no password....

Just make sure that you have ssh-agent running in one of the login scripts...it usually is in most distros..as part of the xinitrc


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#9 2004-10-17 09:51:38

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

ok I will have a look into ssh-add and ssh-agent

do you guys think it would be ok to make a new wiki-entry called
"SSH Keys"? There could be a link at the bottom from the ssh/sshd wiki to the ssh-keys page. I think that would be a bit more readable, let me know what you think.


ArchLinux (x86_64) w/ kdemod

Offline

#10 2004-10-17 17:57:08

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Offline

#11 2004-10-17 18:18:58

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

http://wiki.archlinux.org/index.php/using%20SSH-keys

there you go.. a whole day of work..
first I couldn't get the keychain-PKGBUILD to work and then I couldn't get that supid keychain program to work but HA finally they all had to kneel *g*
anyway,
again let me know what you think!

actually I need to thank you guys for forcing me to read up on all this! I didn't know about all this private/public key ssh stuff and I don't regret learning about it!
Not that I have hundreds of servers to access but still.. Good to know those things


ArchLinux (x86_64) w/ kdemod

Offline

#12 2004-10-17 18:25:33

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: [Wiki] SSH / SSHD

8)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#13 2004-10-18 04:31:10

kpiche
Forum Fellow
From: Ottawa, ON, Canada
Registered: 2004-03-30
Posts: 246
Website

Re: [Wiki] SSH / SSHD

Good document!  Here's a couple of extra points...  Because of the ssh-add/keychain type programs the "path A" (no passphrase) should not really be done except for automated tasks like backups to non-priviledged accounts on the server so if the client gets hacked not much damage can be done to the server.  Of course this no-passphrase keypair shouldn't be used for anything else, just like you shouldn't use the same password for everything.  smile

Once your ssh login is asking for a passphrase and not the account password, you should disable password logins by setting "PasswordAuthentication no" and restarting sshd.  For debugging, if the keypar doesn't work use "ssh -vv <server>" to see if you can tell what the problem is.

It's recommended to set "PermitRootLogin no" in multiuser environments and make people su to root for the audit trail.  I also disable sftp in favour of scp and rsync.

For GNOME users the ssh-agent is started by gdm when you login so another option is to use ssh-askpass-gnome/x11/fullscreen.  I've packaged ssh-askpass-fullscreen, see http://members.rogers.com/kpiche/ .  To use these programs you add /usr/bin/ssh-add (the SSH_ASKPASS env variable tells it what to do) to your Session profile startup programs and use a high order like 90.  What this does is it asks for your passphrase when you login.  Normally ssh-add is good for the bash it's started in whereas the askpass stuff is good for the whole GNOME session.  Probably your keychain program does this too....  Don't know if KDE or others start ssh-agent or not.

Offline

#14 2004-10-18 10:05:06

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: [Wiki] SSH / SSHD

kpiche wrote:

Don't know if KDE or others start ssh-agent or not.

I think it is distro specific (ie package maintainers), but just about every kde i have used does. Same with gnome..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#15 2004-10-18 14:02:55

Mith
Member
From: out there
Registered: 2004-10-05
Posts: 163

Re: [Wiki] SSH / SSHD

I picked keychain b/c it runs just in your terminal/shell.. that way it's gnome/kde/ X in general independent which is a good thing I guess. Not everyone uses a graphical environment smile

I tried to emphasis in the wiki entry that path A [ use no passphrase ] shouldn't be picked. I hope that comes out clear, if not let me know and I try to rephrase the whole part smile

Once your ssh login is asking for a passphrase and not the account password, you should disable password logins by setting "PasswordAuthentication no" and restarting sshd. For debugging, if the keypar doesn't work use "ssh -vv <server>" to see if you can tell what the problem is.
It's recommended to set "PermitRootLogin no" in multiuser environments and make people su to root for the audit trail. I also disable sftp in favour of scp and rsync.

Very good idea! I'll try and work that into the wiki somehow


ArchLinux (x86_64) w/ kdemod

Offline

Board footer

Powered by FluxBB