Sshd Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 67: Line 67:


==Allow root Access only with Public Key==
==Allow root Access only with Public Key==
In /etc/ssh/sshd_config:
PermitRootLogin prohibit-password
Add the corresponding public key in /root/.ssh/authorized_keys.


=Logging Verbosity=
=Logging Verbosity=

Revision as of 04:36, 22 April 2018

Internal

Overview

The system-wide sshd server configuration file is /etc/ssh/sshd_config (or /etc/sshd_config for cygwin).

Change the Default Port

Uncomment and/or update the default "Port" value in /etc/ssh/sshd_config:

#Port 22
Port 12345

Change the Default Port on a SELinux System

If SELinux is enable, you have to tell SELinux about the port change:

semanage port -a -t ssh_port_t -p tcp 12345

Also see How to install SELinux semanage.

Update the Firewall Rules

If iptables is enabled, there's a firewall rule that allows ssh access, and it usually mentions the port. You may want to check and change that: Iptables_Command_Line_Tool_Examples#Allow_SSH_Only_From_the_Internal_Network_on_a_Non-Standard_Port

Change the Network Interface to Listen On

ListenAddress 192.168.1.10

Turn Off Client Name DNS Verification

sshd can be configured with a "UseDNS" option, which specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the same IP address. The default is “yes” but in some case this causes the initial connection setup to take a long time, so it is best to turn this verification off:

...
UseDNS no
...

The service needs to be restarted after reconfiguration.

root Access

Allow root To Connect with Password

In /etc/ssh/sshd_config:

PermitRootLogin yes

Root access is enabled by default.

Disallow root to Connect

PermitRootLogin no

in /etc/ssh/sshd_config.

Before doing that and rebooting, make sure there's another way to connect to the system (other user, direct access, virsh console, etc).

Allow root Access only with Public Key

In /etc/ssh/sshd_config:

PermitRootLogin prohibit-password

Add the corresponding public key in /root/.ssh/authorized_keys.

Logging Verbosity

By default, sshd logs at INFO level:

LogLevel INFO

Options: DEBUG, DEBUG1, DEBUG2, DEBUG3

Increased log output will be available in /var/log/secure.

Allow Port Forwarding

AllowTcpForwarding yes

sshd Security Hardening

Security Hardening

Configuration Reference

ClientAliveInterval

ClientAliveInterval

ClientAliveCountMax

ClientAliveCountMax

UsePrivilegeSeparation

Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. If UsePrivilegeSeparation is set to "sandbox"' then the pre-authentication unprivileged process is subject to additional restrictions. The default is "sandbox".

X11Forwarding

X11Forwarding

PermitRootLogin

Specifies whether root can log in using ssh. The argument can be:

  • "yes" (default)
  • "no"
  • "prohibit-password", "without-password": Password and keyboard-interactive authentication are disabled for root.
  • "forced-commands-only": root login with public key authentication is allowed, but only if the command option has been specified. This may be useful for taking remote backups even if root login is normally not allowed. All other authentication methods are disabled for root.