OpenSSH server: Difference between revisions

From SaruWiki
m (Reverted edits by 94.142.134.56 (Talk) to last revision by Saruman!)
==OpenSSH Server==


This package is essential when you want to (safely) administer your server from somewhere other than the console.
 
To install, simply use ''sudo aptitude install openssh-server''. This installs the OpenSSH server together with the OpenSSH client. Since the SSL vulnerability of May 2008, the ssh-blacklist package is pulled in as well.
 
After installing, make the following changes to the default settings in the file ''/etc/ssh/sshd_config'':
* the line ''PermitRootLogin yes'' should be set to ''no'', so that user ''root'' CANNOT log in over SSH! ([http://www.debian-administration.org/articles/573 big security gap!])
* add a line ''AllowGroups wheel''; this ensures that NOBODY can log in over SSH unless you have specifically added them to the ''wheel'' group, which reduces the attack surface of your SSH server. Should you need more than one group (e.g. you also want to allow the group "ldapwheel"), list the groups separated by spaces: ''AllowGroups wheel ldapwheel''.
* Change your banner by editing the [[MOTD file]].
 
Next, make sure the ''wheel'' group exists, and add to it all users that are allowed SSH access:
groupadd -g 117 wheel
usermod -a -G wheel jan
In the groupadd line the group ID is explicitly set to 117, but this is optional. In the usermod line, be sure to use ''-a'' so that the ''wheel'' group is added to your user's supplementary groups, instead of replacing all supplementary groups with this one.
 
If you have added a group that exists in your LDAP server, make sure that the LDAP users you want to give SSH access are members of that group. This is of course managed from your LDAP management console (be it the command line ''ldapmodify'' or a graphical tool like [[Filling_an_OpenLDAP_database#Adding_a_user_with_LAM | LDAP Account Manager]]).
 
When all this is changed, restart the service with ''sudo /etc/init.d/ssh restart''.
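The configuration steps above, as an added example that is not part of the original wiki page: a small POSIX shell script that applies ''PermitRootLogin no'' and an ''AllowGroups'' line to whatever file you pass it, so you can try it on a copy of ''sshd_config'' first. The function names, the sample configuration and the ''demo'' routine are all constructed here; the group creation and the restart are left to the commands already shown on the page.

```shell
#!/bin/sh
# Added example, not from the SaruWiki page. Applies the sshd_config
# changes described above to the file given as first argument, so it can
# be tried on a copy before touching /etc/ssh/sshd_config. Assumes POSIX
# sh, grep, sed and awk; function names are hypothetical.

set_sshd_option() {
    # set_sshd_option FILE KEYWORD VALUE
    # Rewrite every existing (also commented-out) KEYWORD line to the new
    # value, or append the directive if the file never mentions it.
    # sshd honours the first uncommented occurrence, so forcing all of
    # them to the same value avoids a stale line winning.
    # (VALUE must not contain the sed special characters '&' or '|'.)
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

get_sshd_option() {
    # get_sshd_option FILE KEYWORD -> the effective value, i.e. the first
    # uncommented occurrence (Match blocks are not considered here).
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

harden_sshd_config() {
    # harden_sshd_config FILE GROUP [GROUP...]
    # PermitRootLogin no, plus an AllowGroups line listing the given
    # groups separated by spaces, exactly as the page describes.
    file=$1; shift
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowGroups "$*"
}

demo() {
    # Constructed sample resembling a Debian default; not a real config.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
EOF
    harden_sshd_config "$tmp" wheel ldapwheel
    printf 'PermitRootLogin -> %s\n' "$(get_sshd_option "$tmp" PermitRootLogin)"
    printf 'AllowGroups     -> %s\n' "$(get_sshd_option "$tmp" AllowGroups)"
    rm -f "$tmp"
}

demo
```

Before restarting the daemon on a real host, check the edited file with ''sshd -t'' (test mode), which reports syntax errors without starting a listener; a typo in ''AllowGroups'' would otherwise lock everyone out at the next restart. Keep your current session open until a fresh login in a second terminal succeeds.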
 
One of the nice things about a correctly configured SSH server is the ability to use [[scp]] to copy files between machines.
 
== Changing RSA keys ==
Occasionally you will find that the RSA key of one of your machines has changed. This can have a number of causes, among others a reinstall or migration of that machine. In any case, when you try to SSH to the machine you get a message like this:
localhost:~# '''ssh insomnia@easton.saruman.biz'''
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f7:1a:5a:11:ca:20:99:fa:db:1b:b8:75:8e:e5:f1:12.
Please contact your system administrator.
Add correct host key in /home/sixpacjo/.ssh/known_hosts to get rid of this message.
Offending key in /home/sixpacjo/.ssh/known_hosts:4
RSA host key for easton.saruman.biz has changed and you have requested strict checking.
Host key verification failed.
localhost:~# _
When you get this message it is not possible to connect to the machine mentioned until you have resolved the RSA key problem. There are multiple ways to correct the key, but the simplest is to remove the offending key with ''ssh-keygen''. Note that Debian "Lenny" stores the RSA key in ''two'' places: one for the host name, one for the IP address. To prevent annoying messages like this:
Warning: the RSA host key for 'easton.saruman.biz' differs from the key for the IP address '192.168.67.5'
Offending key for IP in /home/sixpacjo/.ssh/known_hosts:4
you should remove the RSA key for the IP address as well. Do this with the following two commands:
localhost:~# '''ssh-keygen -R easton.saruman.biz'''
/home/sixpacjo/.ssh/known_hosts updated.
Original contents retained as /home/sixpacjo/.ssh/known_hosts.old
localhost:~# '''ssh-keygen -R 192.168.67.5'''
/home/sixpacjo/.ssh/known_hosts updated.
Original contents retained as /home/sixpacjo/.ssh/known_hosts.old
localhost:~# _
After deleting the "offending RSA keys" like this, you can SSH to the box in question again, and your SSH client will save the (new) RSA key for you in your ''known_hosts'' file.
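Why two ''ssh-keygen -R'' calls are needed, as an added example that is not part of the original page: the script below inspects and cleans a ''known_hosts'' file passed as an argument, so it can be tried on a copy. It emulates what ''ssh-keygen -R'' does for plain entries, matching the host name or IP address against each line's comma-separated host list and keeping a ''.old'' backup. The function names and the sample file with fake key material are constructed here; ''ssh-keygen -R'' remains the right tool on a real system, and with ''HashKnownHosts'' enabled the host field is hashed and only ''ssh-keygen -F'' / ''-R'' can find it.

```shell
#!/bin/sh
# Added example, not from the SaruWiki page. Works on the known_hosts file
# given as first argument, so it can be tried on a copy. Handles plain
# (unhashed) entries only; lines with a marker such as @cert-authority
# and [host]:port forms are not treated specially. Function names are
# hypothetical.

known_hosts_lines() {
    # known_hosts_lines FILE NAME -> "lineno: entry" for every line whose
    # comma-separated host list (first field) contains NAME exactly.
    # The line number is the one ssh reports as "known_hosts:N".
    awk -v name="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++)
              if (hosts[i] == name) { print NR ": " $0; break } }
    ' "$1"
}

remove_known_host() {
    # remove_known_host FILE NAME -> delete those lines, keeping the
    # original as FILE.old (as ssh-keygen -R does); prints the number
    # of lines removed.
    file=$1; name=$2
    cp "$file" "$file.old"
    awk -v name="$name" '
        /^[[:space:]]*(#|$)/ { print; next }
        { n = split($1, hosts, ","); keep = 1
          for (i = 1; i <= n; i++) if (hosts[i] == name) keep = 0
          if (keep) print }
    ' "$file.old" > "$file"
    echo $(( $(wc -l < "$file.old") - $(wc -l < "$file") ))
}

demo() {
    # Constructed known_hosts with fake key material: the host name and
    # its IP address on separate lines, as in the session above, plus one
    # unrelated host that must survive the cleanup.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
easton.saruman.biz ssh-rsa AAAAconstructedKey1
192.168.67.5 ssh-rsa AAAAconstructedKey1
other.example.org,10.0.0.9 ssh-rsa AAAAconstructedKey2
EOF
    echo "Entries for the host name:";  known_hosts_lines "$tmp" easton.saruman.biz
    echo "Entries for the IP address:"; known_hosts_lines "$tmp" 192.168.67.5
    remove_known_host "$tmp" easton.saruman.biz > /dev/null
    remove_known_host "$tmp" 192.168.67.5 > /dev/null
    echo "Remaining:"; cat "$tmp"
    rm -f "$tmp" "$tmp.old"
}

demo
```

Before deleting anything on a real client, compare the fingerprint in the warning with one obtained out of band, for instance by running ''ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub'' on the server's console after the reinstall; only when the two agree is the change explained by the reinstall rather than by something sitting between you and the host.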

Revision as of 22:54, 3 November 2010