Sshd Configuration: Difference between revisions
(37 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=Overview= | =Overview= | ||
The system-wide sshd server configuration file is /etc/ssh/sshd_config | The system-wide sshd server configuration file is <code>/etc/ssh/sshd_config</code>. | ||
man sshd_config | |||
=Change the Default Port= | |||
Uncomment and/or update the default "Port" value in <code>/etc/ssh/sshd_config</code>: | |||
#Port 22 | |||
Port 12345 | |||
If the system is SELinux-enabled, you need to confiture SELinux as well, see [[#Change_the_Default_Port_on_a_SELinux_System|below]]. | |||
# | |||
==Change the Default Port on a SELinux System== | ==Change the Default Port on a SELinux System== | ||
If SELinux is | If SELinux is enabled, you have to tell SELinux about the port change: | ||
<pre> | <pre> | ||
Line 33: | Line 30: | ||
==Update the Firewall Rules== | ==Update the Firewall Rules== | ||
If iptables is enabled, there | If iptables is enabled, there is a firewall rule that allows ssh access, and it usually mentions the port. Check if the rule is in place and update it with the new port: | ||
{{Internal|Iptables_Command_Line_Tool_Examples#Allow_SSH_Only_From_the_Internal_Network_on_a_Non-Standard_Port|Update SSH iptables rules}} | |||
=Change the Network Interface to Listen On= | =Change the Network Interface to Listen On= | ||
ListenAddress 192.168.1.10 | |||
ListenAddress 192.168.1.10 | |||
=Prevent from Listening on IPV6= | |||
AddressFamily inet | |||
=Turn Off Client Name DNS Verification= | =Turn Off Client Name DNS Verification= | ||
Line 53: | Line 54: | ||
The service needs to be restarted after reconfiguration. | The service needs to be restarted after reconfiguration. | ||
= | =root Access= | ||
In /etc/ssh/sshd_config: | ==Allow root To Connect with Password== | ||
In <code>/etc/ssh/sshd_config</code>: | |||
PermitRootLogin yes | PermitRootLogin yes | ||
Root access is enabled by default. | |||
==Disallow root to Connect== | |||
</ | PermitRootLogin no | ||
in <code>/etc/ssh/sshd_config</code>. | |||
Before doing that and rebooting, make sure there's another way to connect to the system (other user, direct access, virsh console, etc). | |||
==Allow root Access only with Public Key== | |||
In <code>/etc/ssh/sshd_config</code>: | |||
PermitRootLogin prohibit-password | |||
Add the corresponding public key in <code>/root/.ssh/authorized_keys</code>. Note that [[#PubkeyAuthentication|PubkeyAuthentication]] must be set to "yes" for access to work. | |||
=Logging Verbosity= | =Logging Verbosity= | ||
Line 74: | Line 89: | ||
Increased log output will be available in /var/log/secure. | Increased log output will be available in /var/log/secure. | ||
=Allow Port Forwarding= | |||
AllowTcpForwarding yes | |||
=sshd Security Hardening= | |||
{{Internal|Linux_Security_Hardening#sshd|Security Hardening}} | |||
=<span id='Configuration_Directives'></span>Configuration Reference= | |||
==ClientAliveInterval== | |||
Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. | |||
{{Internal|Ssh_Configure_the_SSH_Connection_Timeout#Server-Side_Configuration|Configure ssh Connection Timeout}} | |||
==ClientAliveCountMax== | |||
Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. | |||
{{Internal|Ssh_Configure_the_SSH_Connection_Timeout#Server-Side_Configuration|Configure ssh Connection Timeout}} | |||
==UsePrivilegeSeparation== | |||
Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. If UsePrivilegeSeparation is set to "sandbox"' then the pre-authentication unprivileged process is subject to additional restrictions. The default is "sandbox". | |||
==X11Forwarding== | |||
{{Internal|Sshd_Configure_X_Forwarding#Server_Configuration| X11Forwarding}} | |||
==PermitRootLogin== | |||
Specifies whether root can log in using ssh. The argument can be: | |||
* "yes" (default) | |||
* "no" | |||
* "prohibit-password", "without-password": Password and keyboard-interactive authentication are disabled for root. | |||
* "forced-commands-only": root login with public key authentication is allowed, but only if the command option has been specified. This may be useful for taking remote backups even if root login is normally not allowed. All other authentication methods are disabled for root. | |||
==MaxAuthTries== | |||
Specifies the maximum number of failed authentication attempts per connection after which additional failures are logged. Default is 6. | |||
==StrictMode== | |||
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. The default is "yes". Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally. | |||
==PubkeyAuthentication== | |||
Specifies whether public key authentication is allowed. The default is yes. | |||
==AddressFamily== | |||
Specifies which address family should be used by sshd: "any" (default), "inet" (use IPv4 only) and "inet6" (use IPv6 only). |
Latest revision as of 02:26, 6 August 2023
Internal
Overview
The system-wide sshd server configuration file is /etc/ssh/sshd_config
.
man sshd_config
Change the Default Port
Uncomment and/or update the default "Port" value in /etc/ssh/sshd_config
:
#Port 22 Port 12345
If the system is SELinux-enabled, you need to confiture SELinux as well, see below.
Change the Default Port on a SELinux System
If SELinux is enabled, you have to tell SELinux about the port change:
semanage port -a -t ssh_port_t -p tcp 12345
Also see How to install SELinux semanage.
Update the Firewall Rules
If iptables is enabled, there is a firewall rule that allows ssh access, and it usually mentions the port. Check if the rule is in place and update it with the new port:
Change the Network Interface to Listen On
ListenAddress 192.168.1.10
Prevent from Listening on IPV6
AddressFamily inet
Turn Off Client Name DNS Verification
sshd can be configured with a "UseDNS" option, which specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the same IP address. The default is “yes” but in some case this causes the initial connection setup to take a long time, so it is best to turn this verification off:
... UseDNS no ...
The service needs to be restarted after reconfiguration.
root Access
Allow root To Connect with Password
In /etc/ssh/sshd_config
:
PermitRootLogin yes
Root access is enabled by default.
Disallow root to Connect
PermitRootLogin no
in /etc/ssh/sshd_config
.
Before doing that and rebooting, make sure there's another way to connect to the system (other user, direct access, virsh console, etc).
Allow root Access only with Public Key
In /etc/ssh/sshd_config
:
PermitRootLogin prohibit-password
Add the corresponding public key in /root/.ssh/authorized_keys
. Note that PubkeyAuthentication must be set to "yes" for access to work.
Logging Verbosity
By default, sshd logs at INFO level:
LogLevel INFO
Options: DEBUG, DEBUG1, DEBUG2, DEBUG3
Increased log output will be available in /var/log/secure.
Allow Port Forwarding
AllowTcpForwarding yes
sshd Security Hardening
Configuration Reference
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
ClientAliveCountMax
Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
UsePrivilegeSeparation
Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. If UsePrivilegeSeparation is set to "sandbox"' then the pre-authentication unprivileged process is subject to additional restrictions. The default is "sandbox".
X11Forwarding
PermitRootLogin
Specifies whether root can log in using ssh. The argument can be:
- "yes" (default)
- "no"
- "prohibit-password", "without-password": Password and keyboard-interactive authentication are disabled for root.
- "forced-commands-only": root login with public key authentication is allowed, but only if the command option has been specified. This may be useful for taking remote backups even if root login is normally not allowed. All other authentication methods are disabled for root.
MaxAuthTries
Specifies the maximum number of failed authentication attempts per connection after which additional failures are logged. Default is 6.
StrictMode
Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. The default is "yes". Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.
PubkeyAuthentication
Specifies whether public key authentication is allowed. The default is yes.
AddressFamily
Specifies which address family should be used by sshd: "any" (default), "inet" (use IPv4 only) and "inet6" (use IPv6 only).