Softpanorama
May the source be with you, but remember the KISS principle ;-)
In order of precedence, Secure Shell configuration occurs at the following places: the software build time, the server command-line options, the server configuration file (sshd_config), the client command-line options, the user client configuration file (~/.ssh/config), and the global client configuration file (ssh_config). On the client side the first value obtained for a keyword wins, so a command-line option beats ~/.ssh/config, which in turn beats ssh_config. Build-time configuration is the strongest: it cannot be changed without rebuilding the software, which makes it inconvenient if a change is needed later.
The server configuration involves the following: how the sshd(1M) daemon will present itself on the network, what protocols and authentication methods are acceptable, and how the user environment is constructed. The client configuration involves the following: determining which server to transact with which protocol, verifying the server identity, determining the user identity presentation, and choosing the ease-of-use features. Policy details are implemented on the server side. The client cannot override or provide a feature that the server does not offer.
The available features can be enabled or disabled by either command-line options or the applicable configuration file. Command-line options apply to a particular instantiation of either the server or client. Configuration file options persist until the file is altered and the daemon is restarted or told to reread it (OpenSSH sshd rereads sshd_config on SIGHUP). The most reliable configuration method uses the configuration file: it gives a repeatable, reproducible invocation, and changes can be tracked by using source control. Because a syntax error in sshd_config prevents the daemon from starting, check the file before restarting the service (OpenSSH provides sshd -t for exactly this). For information on command-line options, consult the vendor documentation.
When OpenSSH is built, sshd_config and ssh_config are placed at the location specified by sysconfdir. Usual locations are /etc,/usr/local/etc,/etc/ssh or /etc/openssh. The Solaris Secure Shell software stores the two files at /etc/ssh. These files should be owned by user root and group sys. The file permission mode should be either 644 or 444.
Configuration files contain two types of entries: comments and keyword-value pairs. Comments are blank lines and lines beginning with the hash mark (#). Keyword-value pairs consist of an identifier (keyword), a space, and the value associated with the identifier. Keywords are case insensitive, where as values are case sensitive.
Traditionally, the first letter of each word in a keyword is capitalized for readability. Some values are lists that are either comma delimited or space delimited, depending on the keyword. Consider keeping configuration files under source control to track revisions. The source control tags can be hidden by the comment character (the hash mark).
This appendix contains a list of the server configuration options supported by the Solaris Secure Shell software and OpenSSH. The list is formatted in the following manner:
Name of the option and the value or values it takes
Description
Default in the Solaris Secure Shell software and OpenSSH
Recommendation, as applicable
References, as applicable
Example, given in a code box
Note: Server options override the client's configuration.
AllowGroups pattern
Specifies a group access control list. After authentication, access is granted only if one of the user's groups matches one of the patterns given. The Solaris documentation describes the check as being against the primary group (the GID field listed in /etc/passwd); OpenSSH checks the primary group and the supplementary groups listed in /etc/group. The pattern is the group name as listed in /etc/group, never the numeric GID. Wildcards of asterisk (*), matching any number of characters, or question mark (?), matching a single character, can be used. Patterns are space delimited. OpenSSH evaluates the four access control keywords in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, regardless of where they appear in the file; to keep the policy easy to read and verify, use only one of them in the server configuration file.
The Solaris Secure Shell software and OpenSSH default to allow access.
See also AllowUsers, DenyGroups, and DenyUsers.
    # Allow only the sysadmins access
    AllowGroups sysadmin

    # Allow both staff and sysadmin access
    AllowGroups s*
AllowUsers pattern
Specifies a user access control list. After authentication, access is granted only if the user's login name matches one of the patterns given. The pattern is the login name, not the numeric UID. Wildcards of asterisk (*), matching any number of characters, or question mark (?), matching a single character, can be used. Patterns are space delimited. OpenSSH also accepts patterns of the form user@host, which restrict the user to connecting from hosts matching the host part. The four access control keywords are evaluated in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups; for a policy that is easy to verify, use only one of them in the server configuration file.
The Solaris Secure Shell software and OpenSSH default to allow access.
See also AllowGroups, DenyGroups, and DenyUsers.
    # Allow only Suzie and Buster access
    AllowUsers suzie buster
AllowTCPForwarding yes | no
Specifies whether or not TCP forwarding (also known as port forwarding) is allowed.
The Solaris Secure Shell software defaults to no. OpenSSH defaults to yes.
If you want users to protect their mail, Web, or other traffic, enable this option. Setting UseLogin to yes in OpenSSH disables this feature.
See also GatewayPorts and X11Forwarding.
Note
If users have shell access, they can install their own port forwarders. If this is an issue, consider RBAC to limit access.
    # Protect user's traffic
    AllowTCPForwarding yes

    # Only allow a remote job restricted access to gather logs
    AllowTCPForwarding no
Banner value
Specifies a banner that is displayed along with the authentication prompt. If your environment requires this banner, set to /etc/issue so that only one banner exists for the entire system.
The Solaris Secure Shell software and OpenSSH default to no banner.
    Banner /etc/issue
CheckMail yes | no
Specifies whether or not the server should check for new mail. In the Solaris OE, the login shell should check for new mail only during the beginning of interactive logins.
The Solaris Secure Shell software defaults to no. New versions of OpenSSH no longer honor this keyword.
Recommended value is no.
See also PrintMotd.
    CheckMail no
Ciphers list
For Protocol 2 only, specifies which ciphers the server offers. The list is comma delimited with no spaces. The cipher used for a session is the first entry in the client's own preference list that also appears in the server's list (the server's ordering does not decide the choice), unless the client overrides its list on the command line. The CBC-mode ciphers and arcfour listed here reflect the age of this appendix; current OpenSSH releases no longer enable them by default because of known weaknesses, so on software that supports them prefer the AES-CTR, AES-GCM, or chacha20-poly1305 ciphers.
The Solaris Secure Shell software defaults to aes128-cbc,blowfish-cbc,3des-cbc. OpenSSH defaults to aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc.
    Ciphers aes128-cbc,blowfish-cbc,3des-cbc
Compression yes | no
Specifies whether or not compression can be used.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    Compression yes
DenyGroups pattern
Specifies a group access control list. After authentication, access is denied if one of the user's groups matches one of the patterns given. The Solaris documentation describes the check as being against the primary group (the GID field listed in /etc/passwd); OpenSSH checks the primary group and the supplementary groups listed in /etc/group. The pattern is the group name as listed in /etc/group, never the numeric GID. Wildcards of asterisk (*), matching any number of characters, or question mark (?), matching a single character, can be used. Patterns are space delimited. The four access control keywords are evaluated in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups; for a policy that is easy to verify, use only one of them in the server configuration file.
The Solaris Secure Shell software and OpenSSH default to allow access.
See also AllowGroups, AllowUsers, and DenyUsers.
    # Prevent the users group from logging in to the server
    DenyGroups users
DenyUsers pattern
Specifies a user access control list. After authentication, access is denied if the user's login name matches one of the patterns given. The pattern is the login name, not the numeric UID. Wildcards of asterisk (*), matching any number of characters, or question mark (?), matching a single character, can be used. Patterns are space delimited. OpenSSH also accepts patterns of the form user@host. The four access control keywords are evaluated in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups; for a policy that is easy to verify, use only one of them in the server configuration file. Note that denying a user here does not lock the account; it only blocks Secure Shell logins.
The Solaris Secure Shell software and OpenSSH default to allow access.
See also AllowGroups, AllowUsers, and DenyGroups.
    DenyUsers Cheng Atkinson
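The four access control keywords above (AllowGroups, AllowUsers, DenyGroups, DenyUsers) share one wildcard syntax and, in OpenSSH, are evaluated together in a fixed order. The following Python script is an added example, not code from the original appendix or from Sun or the OpenSSH project; it implements the wildcard match and OpenSSH's evaluation order and runs them over a constructed sshd_config fragment and a constructed account table, so a proposed policy can be checked before it is deployed:

```python
import re

# Added example (not code from the original appendix or from Sun/OpenSSH):
# evaluates the AllowUsers/DenyUsers/AllowGroups/DenyGroups keywords the way
# OpenSSH's sshd does after authentication.  The configuration fragment and
# the user/group table below are constructed for illustration.


def match_pattern(pattern: str, name: str) -> bool:
    """sshd-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, name) is not None


def match_any(patterns, names) -> bool:
    """True if any pattern matches any of the names (user or group names)."""
    return any(match_pattern(p, n) for p in patterns for n in names)


def parse_acl(config_text: str) -> dict:
    """Collect the space-delimited pattern lists of the four ACL keywords.

    Keywords are case insensitive; the patterns themselves are case sensitive.
    """
    acl = {"denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        if keyword in acl:
            acl[keyword].extend(value.split())
    return acl


def login_permitted(acl: dict, user: str, groups) -> bool:
    """Apply the fixed OpenSSH evaluation order, independent of file order:

    1. DenyUsers   - a matching user is rejected
    2. AllowUsers  - if the list is non-empty, a non-matching user is rejected
    3. DenyGroups  - a match on any of the user's groups rejects the user
    4. AllowGroups - if non-empty, the user needs a match on at least one group

    'groups' is the primary group followed by the supplementary groups; OpenSSH
    checks all of them, not only the primary group from /etc/passwd.
    """
    if match_any(acl["denyusers"], [user]):
        return False
    if acl["allowusers"] and not match_any(acl["allowusers"], [user]):
        return False
    if match_any(acl["denygroups"], groups):
        return False
    if acl["allowgroups"] and not match_any(acl["allowgroups"], groups):
        return False
    return True


# Constructed sshd_config fragment.  The appendix recommends a single ACL
# keyword; two are combined here only to show how the order above applies.
SAMPLE_CONFIG = """
# The deny list is consulted before the allow list, wherever it appears.
DenyUsers   guest test?
AllowGroups sysadmin s*
"""

# Constructed account table: user -> (primary group, supplementary groups...)
SAMPLE_USERS = {
    "suzie":   ("sysadmin",),
    "buster":  ("staff", "wheel"),
    "guest":   ("sysadmin",),        # denied by name even though the group is allowed
    "test1":   ("staff",),           # denied by the 'test?' pattern
    "mallory": ("users",),           # no group in the allow list
    "ops":     ("users", "staff"),   # allowed only through a supplementary group
}


def evaluate(config_text: str = SAMPLE_CONFIG, users=SAMPLE_USERS) -> dict:
    """Return {user: permitted?} for every account in the table."""
    acl = parse_acl(config_text)
    return {user: login_permitted(acl, user, groups) for user, groups in users.items()}


if __name__ == "__main__":
    for user, permitted in evaluate().items():
        print(f"{user:8s} {'allowed' if permitted else 'denied'}")
```

To test a real policy, feed the script your sshd_config and the output of id -Gn for the accounts in question. The ops entry shows why the "primary group only" description above is too narrow for OpenSSH: a supplementary group is enough to pass AllowGroups.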
DSAAuthentication yes | no
For Protocol 2 only, specifies whether or not DSA authentication is allowed.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
See also PubKeyAuthentication.
    DSAAuthentication yes
GatewayPorts yes | no
Specifies whether or not remote hosts may connect to ports that the server binds on behalf of a client's remote forwarding (RemoteForward, ssh -R). With no, such ports are bound to the loopback address and only processes on the server itself can reach them; with yes, they are bound to all interfaces, which can be used to form a limited VPN setup. Setting UseLogin to yes in OpenSSH disables this feature.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
Note
Users can chain together port forwarders (that is, create a bouncer) on the local machine to circumvent this restriction.
See also AllowTCPForwarding.
    GatewayPorts no
HostKey value
Specifies the private host key files. These keys are used to securely identify the server. ssh_host_key is needed for Protocol 1 support. ssh_host_rsa_key is needed for Protocol 2 RSA authentication. ssh_host_dsa_key is needed for Protocol 2 DSA authentication. The keys must be generated with ssh-keygen if they do not exist before first invocation of sshd(1M).
The Solaris Secure Shell software defaults to /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_rsa_key, and /etc/ssh/ssh_host_dsa_key. OpenSSH defaults to the same file names under its sysconfdir, typically /usr/local/etc. The private key files must be readable by root only; OpenSSH sshd refuses to use a host key file that is group- or world-accessible.
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes | no
Specifies whether or not a user's ~/.rhosts and ~/.shosts files are consulted during host-based authentication (RhostsAuthentication and RhostsRSAAuthentication in Protocol 1; HostbasedAuthentication in Protocol 2 of OpenSSH). With yes, only the system-wide /etc/hosts.equiv and /etc/shosts.equiv files are used, so individual users cannot extend trust to other hosts.
OpenSSH defaults to yes, as does the sshd_config shipped with the Solaris Secure Shell software; verify the value in your file.
Recommended value is yes.
See also RhostsAuthentication.
    IgnoreRhosts yes
IgnoreUserKnownHosts yes | no
Specifies whether or not the user's ~/.ssh/known_hosts file is ignored when verifying a client host's key during RhostsRSAAuthentication (Protocol 1) and, in OpenSSH, HostbasedAuthentication (Protocol 2). With yes, only the system-wide known hosts file can vouch for a client host.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is yes.
See also RhostsRSAAuthentication.
    IgnoreUserKnownHosts yes
KeepAlive yes | no
Specifies whether or not TCP keep-alives are sent. If they are sent, the death of a connection, crash of a machine, or downing of a route will be noticed, and the connection terminated. This prevents connections from hanging and consuming resources. Later OpenSSH releases call this keyword TCPKeepAlive. TCP keep-alives travel outside the encrypted channel and can be spoofed; OpenSSH's ClientAliveInterval and ClientAliveCountMax probe through the encrypted channel instead and are preferable where available.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    KeepAlive yes
KeyRegenerationInterval value
For Protocol 1 only, the ephemeral key (that is, the key to encrypt data, not the one to identify the server) is regenerated after the designated time in seconds, if it has been used.
The Solaris Secure Shell software and OpenSSH default to 3600 seconds.
Recommended value is 1800 seconds. Do not set this value too low, or the server will spend all of its time generating new keys.
    KeyRegenerationInterval 1800
ListenAddress value
Specifies the local address on which the server should listen. For multihomed machines, you can limit the server to listening on only one address. OpenSSH also accepts the form address:port. When no port is given with the address, the Port keyword must be placed before this keyword, because the port in effect at the moment ListenAddress is read is the one used.
The Solaris Secure Shell software and OpenSSH default to listen to all local addresses.
Recommended value is to limit to only administrative address interfaces, when possible.
    ListenAddress 192.168.0.5
LoginGraceTime value
Specifies the grace time during which a connection can exist without successful authentication.
The Solaris Secure Shell software defaults to 600 seconds.
OpenSSH defaults to 120 seconds.
Recommended value is 60 seconds.
See also MaxStartups.
    LoginGraceTime 60
LogLevel value
Specifies the verbosity of logging information. Information is logged by using syslog(3). Valid values are QUIET, FATAL, ERROR, INFO, VERBOSE, and DEBUG; OpenSSH also accepts DEBUG1, DEBUG2, and DEBUG3. Higher levels generate a larger volume of log data. The DEBUG levels record details of user sessions and violate user privacy, so use them only while troubleshooting and return to INFO or VERBOSE afterwards.
The Solaris Secure Shell software and OpenSSH default to INFO.
See also SyslogFacility.
See syslog(3), syslog.conf(4), and syslogd(1M) for information.
    # For troubleshooting only; return to INFO or VERBOSE afterwards
    LogLevel DEBUG
MACs list
For Protocol 2 only, specifies which message authentication code (MAC) algorithms the server offers. The MAC list is comma delimited with no spaces. As with Ciphers, the first entry in the client's preference list that the server also offers is used, unless overridden on the client command line.
The Solaris Secure Shell software defaults to hmac-sha1,hmac-md5. OpenSSH defaults to hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96.
    MACs hmac-sha1,hmac-md5
MaxAuthTries value
At the time of this appendix, for the Solaris Secure Shell software only; later OpenSSH releases added the same keyword with the same default. Specifies the maximum number of authentication attempts permitted per connection before the server drops it.
The default is 6. This value cannot be overridden by ConnectionAttempts or NumberOfPasswordPrompts in the client configuration file.
    MaxAuthTries 6
The following is an example of when MaxAuthTries is set to 2, and the user fails to log in successfully:
    hook /home/suzi $ ssh blackbeard
    suzi@blackbeard's password: password
    Permission denied, please try again.
    suzi@blackbeard's password: password
    Received disconnect: 2: too many failed userauth_requests
    hook /home/suzi $
MaxAuthTriesLog value
For the Solaris Secure Shell software only, specifies the number of retries for authentication before a warning message is logged.
The default is MaxAuthTries divided by two.
See also LogLevel and SyslogFacility.
    MaxAuthTriesLog 3
MaxStartups value
Specifies the maximum number of concurrent unauthenticated connections to the server. When the limit is reached, new connections are refused until the count drops, that is, until a pending authentication completes or its LoginGraceTime expires. OpenSSH also accepts the form start:rate:full, for example 10:30:60, which refuses a randomly chosen rate percent of new connections once start are pending, rising linearly to all new connections once full are pending.
The Solaris Secure Shell software and OpenSSH default to 10.
See also LoginGraceTime.
    MaxStartups 10
PAMAuthenticationViaKBDInt yes|no
Specifies whether or not to use pluggable authentication modules (PAM) through the keyboard-interactive method for authentication. Setting the value to yes allows the use of custom pluggable authentication modules. Later OpenSSH releases dropped this keyword in favour of UsePAM together with ChallengeResponseAuthentication.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    PAMAuthenticationViaKBDInt yes
PasswordAuthentication yes|no
Specifies whether or not passwords can be used for authentication. For systems with many users on internal corporate accounts, password authentication is sufficient. For remote users or automated execution, use key-based authentication.
The Solaris Secure Shell software and OpenSSH default to yes.
See also PermitEmptyPasswords, PermitRootLogin, and PubKeyAuthentication.
    # Internal mail server
    PasswordAuthentication yes

    # DMZ bastion host
    PasswordAuthentication no
PermitEmptyPasswords yes|no
Specifies whether or not accounts with empty passwords are allowed to log in.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also PasswordAuthentication.
    PermitEmptyPasswords no
PermitRootLogin yes|no|without-password|forced-commands-only
Specifies whether or not the superuser (root) account can log in over the network. without-password allows root logins by key-based (non-password) authentication only; OpenSSH 7.0 renamed this value prohibit-password (the old spelling is still accepted) and made it the default. For OpenSSH only, the additional value forced-commands-only can be used. This requires key-based authentication and a command to be associated with the particular key, so that root access is limited to that one command (for example, a backup job).
The Solaris Secure Shell software defaults to no. OpenSSH defaults to yes.
Recommended value is no.
See also PasswordAuthentication and PubKeyAuthentication.
    # Force the system admins to su
    PermitRootLogin no

    # Only a root account exists
    PermitRootLogin without-password
PermitUserEnvironment yes|no
For OpenSSH only, specifies whether or not the server processes environment settings from ~/.ssh/environment and the environment= options in ~/.ssh/authorized_keys. Leave it at no: as the OpenSSH documentation warns, environment processing may let users bypass access restrictions, for example on forced commands, through mechanisms such as LD_PRELOAD.
The default and recommended value is no.
    PermitUserEnvironment no
Port value
Specifies the port on which the server is to listen. The Internet Assigned Numbers Authority (IANA) assigned port for Secure Shell is 22. If your firewall blocks low-value ports (less than 1024), a higher value might be needed. You can have multiple listings of this keyword.
The Solaris Secure Shell software and OpenSSH default to 22.
    # For LAN access
    Port 22
    # For Internet access
    Port 2345
PrintMotd yes|no
Specifies whether or not the server should display the message-of-the-day (MOTD). In the Solaris OE, the login shell should display the MOTD at the beginning of interactive logins.
The Solaris Secure Shell software defaults to no. OpenSSH defaults to yes.
Recommended value is no.
See also CheckMail.
    PrintMotd no
Protocol list
Specifies the Secure Shell protocol versions the server offers. The first version of the protocol has been deprecated because flaws in the protocol allowed packet insertion and password length-determination attacks. The second version of the protocol was developed to address these problems. The client uses the first protocol in its own list that the server also offers. OpenSSH later changed its default to Protocol 2 only, and releases from 7.6 onwards no longer support Protocol 1 at all.
The Solaris Secure Shell software defaults to 2. OpenSSH at the time of this appendix defaulted to 2,1.
Recommended value is 2.
    # Protocol 2 only is recommended
    Protocol 2

    # Enable legacy support but default to Protocol 2
    Protocol 2,1
PubKeyAuthentication yes|no
Specifies whether or not public keys can be used for authentication.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
See also PasswordAuthentication.
    PubKeyAuthentication yes
RhostsAuthentication yes|no
For protocol 1 only, specifies whether or not rhosts(4) or hosts.equiv(4) authentication is sufficient.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also IgnoreRhosts.
    RhostsAuthentication no
RhostsRSAAuthentication yes|no
For Protocol 1 only, specifies whether or not rhosts(4) or hosts.equiv(4) authentication with RSA host authentication is allowed.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also IgnoreUserKnownHosts.
    RhostsRSAAuthentication no
RSAAuthentication yes|no
For Protocol 1 only, specifies whether or not RSA Protocol 1 user authentication is allowed.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    RSAAuthentication yes
ServerKeyBits value
For Protocol 1 only, this is the size in bits of the server key.
The Solaris Secure Shell software and OpenSSH default to 768.
Recommended value is 1024.
    ServerKeyBits 1024
StrictModes yes|no
If a user's home directory, ~/.ssh directory, or the files in it are group- or world-writable, or are owned by someone else, the server refuses the login before consulting authorized_keys or .rhosts. This prevents another user who can write to those files from planting keys and taking over the account.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    StrictModes yes
SyslogFacility value
Specifies the syslog(3) facility code under which sshd logs. Valid values are DAEMON, USER, AUTH, and LOCAL0 through LOCAL7. The severity level is controlled by LogLevel, not here; the combined AUTH.INFO form seen in some Solaris documentation is not valid in sshd_config, which takes the facility name alone.
The Solaris Secure Shell software and OpenSSH default to AUTH.
See also LogLevel.
Consult syslog(3), syslog.conf(4), and syslogd(1M) for more information.
    SyslogFacility AUTH
UseLogin yes|no
For OpenSSH only, specifies whether or not login(1) is called for interactive sessions. This feature is required for BSM auditing. Turning it on disables X11 and port forwarding, and cron(1M) will also partially break. See "Auditing" (page 81 of the original BluePrint) for details on the consequences of UseLogin and on getting BSM auditing to work successfully. This feature will not work if UsePrivilegeSeparation is set to yes. Later OpenSSH releases removed the UseLogin keyword entirely.
The default value is no.
Recommended value is no.
    UseLogin no
UsePrivilegeSeparation yes|no
For OpenSSH only, specifies whether or not the server separates privileges by having an unprivileged child process deal with incoming network traffic. After successful authentication, a separate process is created with the privileges of the user. This limits the damage from a flaw in the pre-authentication code (for example, a buffer overflow in a packet parser): an attacker who corrupts the unprivileged child does not obtain root. At the time of this appendix the feature did not work with pluggable authentication modules on the Solaris OE, which is the reason for the recommendation below; OpenSSH 7.5 and later make privilege separation mandatory and ignore this keyword.
Note
The compilation options presented in Chapter 2 disable this feature.
The default value is yes.
Recommended value is no.
    UsePrivilegeSeparation no
X11DisplayOffset value
Specifies the first display number available for the server's X11 forwarding. This option prevents interference with real X11 servers.
The Solaris Secure Shell software and OpenSSH default to 10. For Sun Ray™ appliance servers, if this value is too low, increase by the maximum number of clients, plus a margin for error.
    # For desktops or servers
    X11DisplayOffset 10

    # For Sun Ray appliance servers, may need to be more
    X11DisplayOffset 100
X11Forwarding yes|no
Specifies whether or not X11 forwarding is permitted. In OpenSSH, setting UseLogin to yes disables this feature. If you want users to protect their X11 traffic, enable this option.
The Solaris Secure Shell software and OpenSSH default to no.
Note
Users with shell access can install their own X11 forwarders. If this is an issue, consider RBAC to limit access. For Solaris 9 OE systems, consider using X with the -nolisten flag to limit exposure. This flag limits the X11 applications to running only on the server.
See also AllowTCPForwarding.
    # Protect user's X sessions
    X11Forwarding yes

    # Only allow restricted access for a remote job
    X11Forwarding no
XAuthLocation value
Specifies the location of the xauth(1) program. This option will not override the default that is used when the software is compiled.
The Solaris Secure Shell software defaults to /usr/X/bin/xauth. OpenSSH defaults to /usr/openwin/bin/xauth.
Recommended value is: /usr/X/bin/xauth
    XAuthLocation /usr/X/bin/xauth
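The server option list above is easiest to apply if the running sshd_config is checked against it mechanically. The following Python script is an added example, not code from the original appendix or from Sun or the OpenSSH project. It parses sshd_config using the keyword-value syntax described at the top of this page, reports where the file departs from the recommendations given above (the RECOMMENDED table is transcribed from those entries), flags the CBC, arcfour and MD5-based algorithms noted under Ciphers and MACs, and shows how a Protocol 2 cipher list is negotiated. The configuration text and the client preference list are constructed for the example:

```python
import re

# Added example (not code from the original appendix or from Sun/OpenSSH):
# reads an sshd_config using the keyword/value syntax described at the top of
# this page and reports where it departs from the recommendations made in the
# server option list above.  The configuration text, the client preference
# list and the RECOMMENDED table (transcribed from that list) are constructed.

RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "strictmodes": "yes",
    "gatewayports": "no",
    "permituserenvironment": "no",
    "logingracetime": "60",
    "keyregenerationinterval": "1800",
}

# Substrings of algorithm names that the appendix-era defaults include but
# that current OpenSSH releases no longer enable by default.
LEGACY_MARKERS = ("-cbc", "arcfour", "hmac-md5", "-96")

# sshd accepts 'Keyword value' and 'Keyword=value'; keywords are case insensitive.
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: [values in file order]}.

    Repeated keywords such as Port, ListenAddress and HostKey keep every
    occurrence; values keep their case because they are case sensitive.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if m:
            options.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return options


def audit(text: str) -> list:
    """Return (keyword, status, found, recommended) for each deviation.

    status is 'unset' when the file is silent (the vendor default then applies,
    and it differs between Solaris and OpenSSH for several keywords) and
    'mismatch' when the first occurrence differs from the recommendation;
    sshd honours the first occurrence of a single-valued keyword.
    """
    options = parse_sshd_config(text)
    findings = []
    for keyword, wanted in RECOMMENDED.items():
        if keyword not in options:
            findings.append((keyword, "unset", None, wanted))
        elif options[keyword][0] != wanted:
            findings.append((keyword, "mismatch", options[keyword][0], wanted))
    return findings


def legacy_algorithms(text: str) -> list:
    """Entries of the Ciphers and MACs lists that carry a legacy marker."""
    options = parse_sshd_config(text)
    offered = []
    for keyword in ("ciphers", "macs"):
        for value in options.get(keyword, []):
            offered.extend(value.split(","))
    return [alg for alg in offered if any(mark in alg for mark in LEGACY_MARKERS)]


def negotiate(client_prefs, server_list):
    """Protocol 2 algorithm choice (RFC 4253, section 7.1): the first entry of
    the client's list that the server also offers.  None means there is no
    common algorithm and the connection fails."""
    return next((alg for alg in client_prefs if alg in server_list), None)


# Constructed sshd_config for the audit, built from values shown on this page.
SAMPLE_SSHD_CONFIG = """
Port 22
ListenAddress 192.168.0.5
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords no
IgnoreRhosts yes
StrictModes yes
LoginGraceTime 600
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACs hmac-sha1,hmac-md5
Banner /etc/issue
"""

if __name__ == "__main__":
    for keyword, status, found, wanted in audit(SAMPLE_SSHD_CONFIG):
        print(f"{keyword:24s} {status:9s} found={found} recommended={wanted}")
    print("legacy algorithms offered:", legacy_algorithms(SAMPLE_SSHD_CONFIG))
    server_ciphers = parse_sshd_config(SAMPLE_SSHD_CONFIG)["ciphers"][0].split(",")
    print("client preferring aes256-cbc gets:",
          negotiate(["aes256-cbc", "aes128-cbc"], server_ciphers))
```

To check a real system, pass the contents of /etc/ssh/sshd_config to audit(). An "unset" finding is a prompt to look up the vendor default listed above rather than a fault in itself; a "mismatch" is a deviation from the recommendation. The negotiate() call demonstrates the point made under Ciphers: the client's preference order decides, and the server can only veto by leaving an algorithm out of its list.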
This appendix contains a list of the client configuration options supported by the Solaris Secure Shell software and OpenSSH. The list is formatted in the following manner:
Name of the option and the value or values it takes
Description
Default in the Solaris Secure Shell software and OpenSSH
Recommendation, as applicable
References, as applicable
Example, given in a code box
Note
Client options cannot override the server's configuration.
BatchMode yes|no
Specifies whether or not password and passphrase prompting is disabled. Use this option in scripts for automated logins, together with key-based authentication. It does not relax host key checking: an unknown or changed host key still makes the client fail instead of prompting, so the server's key must already be present in a known_hosts file.
The Solaris Secure Shell software and OpenSSH default to no.
    # For automated scripts
    BatchMode yes
CheckHostIP yes|no
Specifies whether or not to check the server IP address in the known_hosts file. This option detects DNS spoofing.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
See also StrictHostKeyChecking.
    CheckHostIP yes
Cipher 3des|blowfish|des
For Protocol 1 only, specifies the ciphers to use when encrypting the session, in order of preference. Multiple ciphers are comma delimited.
The Solaris Secure Shell software and OpenSSH default to 3des. des is supported only on OpenSSH.
Recommended value is 3des.
See also Ciphers.
    # For legacy Protocol 1 servers only
    Cipher 3des,blowfish
Ciphers list
For Protocol 2 only, specifies the ciphers to use when encrypting the session, in order of preference. Multiple ciphers are comma delimited.
The Solaris Secure Shell software defaults to 3des-cbc,blowfish-cbc,aes128-cbc. OpenSSH defaults to aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc. The first entry of this list that the server also offers is used, so put the strongest cipher first.
See also Cipher.
    Ciphers 3des-cbc,blowfish-cbc,aes128-cbc
Compression yes|no
Specifies whether or not to use compression. Compression can improve performance over low-bandwidth network connections. No performance will be gained in the transfer of minimally compressible data such as MPEG2 files or GZIP compressed files.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is yes, if transferring a large amount of text data (for example, logs).
See also CompressionLevel.
    Compression yes
CompressionLevel value
Specifies the compression level to use. Valid values are 1 (least compression, but fastest performance) through 9 (most compression, but slowest performance). This keyword requires Compression set to yes.
The Solaris Secure Shell software and OpenSSH default to 6.
See also Compression.
    CompressionLevel 9
ConnectionAttempts value
Specifies the number of attempts to make a connection before exiting or falling back to rsh(1).
The Solaris Secure Shell software and OpenSSH default to 3.
See also FallbackToRsh and NumberOfPasswordPrompts.
    ConnectionAttempts 3
DSAAuthentication yes|no
For Protocol 2 only, specifies whether or not to attempt DSA authentication. This option requires a DSA identity file.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
See also PasswordAuthentication and PubkeyAuthentication.
    DSAAuthentication yes
EscapeChar Value
Specifies the escape character. Valid values are a single character, a caret (^) followed by a character to symbolize a control character, or none to disable the escape character entirely (useful when binary data passes through the session).
The Solaris Secure Shell software and OpenSSH default to tilde (~).
    # Completely transparent connection
    EscapeChar none
FallBackToRsh yes|no
Specifies whether or not the client should use rsh(1) if it is unable to make a secure connection.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also ConnectionAttempts and UseRsh.
    FallBackToRsh no
ForwardAgent yes|no
Specifies whether or not the connection to the authentication agent is forwarded to the server. Anyone who can access the agent socket on the server, in particular root there, can use the forwarded agent to authenticate with the user's keys for as long as the session lasts, so enable it only towards servers you trust as much as your own workstation.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
    ForwardAgent no
ForwardX11 yes|no
Specifies whether or not to enable X11 connection forwarding. A forwarded X11 connection gives the remote side access to the local X display, including the ability to monitor keystrokes, so enable it only for trusted servers; later OpenSSH releases distinguish untrusted (ForwardX11) from trusted (ForwardX11Trusted) forwarding.
The Solaris Secure Shell software defaults to no. OpenSSH defaults to yes.
Recommended value is yes if users need to protect X connections.
    ForwardX11 yes
GatewayPorts yes|no
Specifies whether or not other hosts may use forwarded ports.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also LocalForward and RemoteForward.
    GatewayPorts no
GlobalKnownHostsFile value
Specifies global known host file, other than the default.
The Solaris Secure Shell software defaults to /etc/ssh_known_hosts. OpenSSH defaults to /usr/local/etc/ssh_known_hosts.
See also UserKnownHostsFile.
    GlobalKnownHostsFile /etc/ssh_known_hosts
Host value
Restricts the keyword settings that follow to hosts matching the given patterns, until the next Host keyword. Patterns are matched against the host name given on the command line, not against the value of HostName. Wildcards of asterisk (*), matching any number of characters, or question mark (?), matching a single character, can be used. An asterisk by itself is used to set global defaults. The client reads the file top to bottom and, for each keyword, uses the first value it obtains, so host-specific Host blocks must appear before the Host * block or their settings are silently ignored.
See also HostName.
    # Only for legacy host
    Host legacy
    Protocol 1

    # defaults
    Host *
    Protocol 2
    CheckHostIP yes
    ConnectionAttempts 3
HostName value
Specifies the real host name to which to connect. Allows abbreviations or nicknames to be specified on the command line. Numeric IP addresses are also allowed. Use with the Host keyword.
See also Host.
    Host legacy
    HostName legacy.extremefoosticks.com
    Protocol 1
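The Host and HostName keywords only behave as intended when the blocks in ssh_config are in the right order. The following Python script is an added example, not code from the original appendix or from Sun or the OpenSSH project; it resolves the effective client options for a host name using the first-value-wins rule and reports settings that are shadowed by an earlier block. Both configurations, and the host and user names in them, are constructed for illustration:

```python
import re

# Added example (not code from the original appendix or from Sun/OpenSSH):
# resolves the options a client would use for a host name from an
# ssh_config-style text.  It applies the rule the Host keyword depends on:
# the file is read top to bottom and, for each keyword, the first value
# obtained wins, so host-specific Host blocks must come before 'Host *'.
# Both configurations below are constructed for illustration.

# ssh accepts 'Keyword value' and 'Keyword=value'; keywords are case insensitive.
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def match_pattern(pattern: str, name: str) -> bool:
    """ssh-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, name) is not None


def _active_lines(config_text: str, host: str):
    """Yield (keyword, value) for every line that applies to 'host'.

    'host' is the name given on the ssh command line; Host patterns are
    matched against that name, not against a HostName set inside a block.
    Lines before the first Host keyword apply to every host.
    """
    active = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            active = any(match_pattern(p, host) for p in value.split())
        elif active:
            yield keyword, value


def resolve(config_text: str, host: str) -> dict:
    """Effective options for 'host': the first value seen for each keyword."""
    effective = {}
    for keyword, value in _active_lines(config_text, host):
        effective.setdefault(keyword, value)
    return effective


def shadowed(config_text: str, host: str) -> list:
    """Settings that match 'host' but are silently ignored because an earlier
    matching block already set the keyword (usually a 'Host *' placed too
    early).  Each entry is (keyword, ignored value)."""
    seen, ignored = set(), []
    for keyword, value in _active_lines(config_text, host):
        if keyword in seen:
            ignored.append((keyword, value))
        seen.add(keyword)
    return ignored


# Correct layout: specific hosts first, global defaults last.
SAMPLE_SSH_CONFIG = """
Host legacy
    HostName legacy.extremefoosticks.com
    Protocol 1
    User buster44

Host *.extremefoosticks.com
    User suzi

# Global defaults
Host *
    Protocol 2
    CheckHostIP yes
    StrictHostKeyChecking ask
    ConnectionAttempts 3
"""

# Wrong layout: the global block comes first, so the stricter setting for
# the bastion host is never used and host key changes go unchallenged.
MISORDERED_SSH_CONFIG = """
Host *
    StrictHostKeyChecking no

Host bastion
    StrictHostKeyChecking yes
"""

if __name__ == "__main__":
    print(resolve(SAMPLE_SSH_CONFIG, "legacy"))
    print(resolve(SAMPLE_SSH_CONFIG, "www.extremefoosticks.com"))
    print(shadowed(MISORDERED_SSH_CONFIG, "bastion"))
```

Running shadowed() over your own ~/.ssh/config for each host you use is a quick way to find a permissive Host * block that is quietly overriding a stricter per-host setting; the second configuration shows the case that matters most, StrictHostKeyChecking.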
IdentityFile value
Specifies the file from which to read identities. Multiple listings can be given that will be checked sequentially.
The Solaris Secure Shell software and OpenSSH default to ~/.ssh/identity for Protocol 1, ~/.ssh/id_rsa for RSA authentication in Protocol 2, and ~/.ssh/id_dsa for DSA authentication in Protocol 2.
    IdentityFile ~/.ssh/dsa_ident_2
KeepAlive yes | no
Specifies whether or not TCP keep-alives are sent. If they are sent, the death of a connection, crash of a machine, or downing of a route will be noticed, and the connection will be terminated. This option prevents connections from hanging and consuming resources. Later OpenSSH releases call this keyword TCPKeepAlive; ServerAliveInterval and ServerAliveCountMax probe through the encrypted channel instead and cannot be spoofed.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    KeepAlive yes
LocalForward localhost_port destination_host:port
Specifies that localhost_port be forwarded to the destination_host and port through the server. Only the superuser can forward privileged ports (numbered below1024).
The Solaris Secure Shell software and OpenSSH default to no forwardings.
See also GatewayPorts and RemoteForward.
    LocalForward 8080 intranet.extremefoosticks.com:80
LogLevel value
Specifies the level of logging from the client. Possible values are QUIET, FATAL, ERROR, INFO, VERBOSE, and DEBUG, in order of increasing verbosity. OpenSSH additionally has DEBUG1, DEBUG2, DEBUG3.
The Solaris Secure Shell software and OpenSSH default to INFO.
    LogLevel DEBUG
MACs list
For Protocol 2 only, specifies which message authentication code (MAC) algorithms to use, in order of preference. This is a comma-delimited list with no spaces; the first entry the server also offers is used.
The Solaris Secure Shell software defaults to hmac-sha1,hmac-md5. OpenSSH defaults to hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96.
    MACs hmac-sha1,hmac-md5
NumberOfPasswordPrompts value
Specifies the number of password prompts allowed before exiting.
The Solaris Secure Shell software and OpenSSH default to 3.
See also ConnectionAttempts.
    NumberOfPasswordPrompts 3
PasswordAuthentication yes | no
Specifies whether or not to attempt password authentication.
The Solaris Secure Shell software and OpenSSH default to yes.
See also PubkeyAuthentication.
    PasswordAuthentication yes
Port value
Specifies the port to connect to on the server. The port assigned to the Secure Shell by the Internet Assigned Numbers Authority (IANA) is 22.
The Solaris Secure Shell software and OpenSSH default to 22.
    Port 22
Protocol list
Specifies the Secure Shell protocol versions to use, in order of preference. The first version of the protocol has been deprecated because flaws in the protocol allowed packet insertion and password length-determination attacks. The second version of the protocol was developed to address these problems. This is a comma-delimited list. With 2,1 the client silently falls back to Protocol 1 when a server offers only that version, which is one more reason to list 2 alone.
The Solaris Secure Shell software and OpenSSH default to 2,1.
Recommended value is 2.
    # Protocol 2 only is recommended
    Protocol 2

    # Enable legacy support but default to Protocol 2
    Protocol 2,1
ProxyCommand
Specifies an external command through which to send the Secure Shell traffic. CheckHostIP is ignored with ProxyCommand. Use with the Host keyword. Line breaks are not permitted in this keyword.
The Solaris Secure Shell software provides two proxies in /usr/lib/ssh: ssh-socks5-proxy-connect and ssh-http-proxy-connect. Consult their respective man pages for more details.
    Host remote
    ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h socks.corp -p 1080 homebox.myhome.org 22
PubkeyAuthentication yes | no
For Protocol 2 only, specifies whether or not to attempt public key authentication.
The Solaris Secure Shell software and OpenSSH default to yes.
See also DSAAuthentication and PasswordAuthentication.
    PubkeyAuthentication yes
RemoteForward port destination_host:port
Specifies that the port on the server be forwarded to the destination_host and port through the client. Only the superuser can forward privileged ports (numbered below 1024).
The Solaris Secure Shell software and OpenSSH default to no forwardings.
See also LocalForward.
    RemoteForward 8080 www.sun.com:80
RhostsAuthentication yes|no
For Protocol 1 only, specifies whether or not to attempt rhosts(4) authentication. This option requires OpenSSH to be installed as setuid.
The Solaris Secure Shell software will not do this because it is not installed as setuid. OpenSSH defaults to no.
Recommended value is no.
See also UsePrivilegedPort.
    RhostsAuthentication no
RhostsRSAAuthentication yes|no
For Protocol 1 only, specifies whether or not to attempt rhosts authentication, based on RSA host keys. This option requires OpenSSH to be installed as setuid.
The Solaris Secure Shell software will not do this because it is not installed as setuid. OpenSSH defaults to no.
Recommended value is no.
See also UsePrivilegedPort.
    RhostsRSAAuthentication no
RSAAuthentication yes|no
For Protocol 1 only, specifies whether or not to attempt RSA authentication, provided an identity file exists.
The Solaris Secure Shell software and OpenSSH default to yes.
Recommended value is yes.
    RSAAuthentication yes
StrictHostKeyChecking yes|ask|no
Specifies how the client handles host keys that are not yet in a known_hosts file. With yes, new host keys are never added automatically and the client refuses to connect to a host whose key is unknown; with ask, the user is prompted before a new key is added; with no, new keys are added automatically. In the case of yes and ask, the client refuses to connect to a host whose key has changed. Because yes requires the server keys to be known in advance, distribute them beforehand, for example through the GlobalKnownHostsFile.
The Solaris Secure Shell software and OpenSSH default to ask.
Recommended value is yes or ask.
See also CheckHostIP.
    StrictHostKeyChecking yes
UsePrivilegedPort yes|no
Specifies whether or not to use a privileged port for outgoing connections. Setting to no disables RhostsAuthentication and RhostsRSAAuthentication authentication.
The Solaris Secure Shell software will not use a privileged port. OpenSSH must be installed as setuid to use a privileged port.
Recommended value is no.
See also RhostsAuthentication and RhostsRSAAuthentication.
|
UsePrivilegedPort no
|
User value
Specifies the user name to log in as on the remote host. Use with the Host keyword to set it per host.
The Solaris Secure Shell software and OpenSSH default to the user name that invoked the client.
See also Host.
|
Host legacy User buster44
|
UserKnownHostsFile value
Specifies the user known_hosts file, other than the default.
The Solaris Secure Shell software and OpenSSH default to $HOME/.ssh/known_hosts.
See also GlobalKnownHostsFile.
|
UserKnownHostsFile /home/suzi/.ssh/backup_known_hosts
|
UseRsh yes|no
Specifies whether or not to use rsh(1) instead of the Secure Shell protocol. This option requires having rsh(1) installed on the system.
The Solaris Secure Shell software and OpenSSH default to no.
Recommended value is no.
See also FallbackToRsh.
|
UseRsh no
|
XAuthLocation value
Specifies the location of the xauth(1) program. This option will not override the default value that was used when the software was compiled.
The Solaris Secure Shell software and OpenSSH default to: /usr/openwin/bin/xauth
Recommended value is: /usr/X/bin/xauth
|
XAuthLocation /usr/X/bin/xauth
|
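The Host, User, StrictHostKeyChecking and UserKnownHostsFile entries above depend on a rule of the client configuration file that is easy to get wrong: the first value obtained for a keyword wins, so a host-specific Host stanza must appear before a general Host * stanza or its settings are never used. The following added example (not part of the original page and not OpenSSH code) is a small POSIX shell resolver, ssh_config_lookup, that applies that rule to a constructed sample ~/.ssh/config. It understands Host patterns with * and ? and a leading ! for negation; Match blocks and %-tokens are not handled.

```shell
#!/bin/sh
# Added example, not from the page or from OpenSSH: resolve the effective value
# of an ssh_config keyword for a host using the "first obtained value wins" rule.

ssh_config_lookup() {
    cfgfile=$1; host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1                        # keywords before any Host line apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # strip comments
        set -f                      # keep * and ? literal while splitting the line
        set -- $line
        set +f
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        if [ "$key" = host ]; then
            active=0
            for pat in "$@"; do
                neg=${pat#!}
                if [ "$neg" != "$pat" ]; then
                    # a matching negated pattern disables the stanza outright
                    case $host in $neg) active=0; break ;; esac
                else
                    case $host in $pat) active=1 ;; esac
                fi
            done
            continue
        fi
        if [ $active -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"      # first match wins: print it and stop
            return 0
        fi
    done < "$cfgfile"
    return 1                        # not set for this host: built-in default applies
}

# Constructed sample client configuration (not from the page). Order matters:
# the "legacy" stanza must precede "Host *", or its User would never be seen.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Host legacy
    User buster44
    StrictHostKeyChecking ask
Host *.corp.example !build-*.corp.example
    User ops
Host *
    User suzi
    StrictHostKeyChecking yes
    UserKnownHostsFile /home/suzi/.ssh/backup_known_hosts
EOF

for h in legacy db.corp.example build-7.corp.example; do
    printf '%-22s User=%s StrictHostKeyChecking=%s\n' "$h" \
        "$(ssh_config_lookup "$SAMPLE_CFG" "$h" User)" \
        "$(ssh_config_lookup "$SAMPLE_CFG" "$h" StrictHostKeyChecking)"
done
ssh_config_lookup "$SAMPLE_CFG" legacy Port || echo "Port: not set, built-in default applies"
```

The build-7.corp.example host shows the negation rule: the second stanza matches its name but the ! pattern cancels the match, so the User value falls through to Host *. OpenSSH itself prints the resolved configuration with ssh -G host, which is the authoritative check on a real system.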
The OpenSSH tool provides strong authentication and privacy for network connections. The init script in this section provides a mechanism to start and stop the OpenSSH system daemon at system boot and shutdown. This script is written for the Solaris 2.6, 7, 8, and 9 OE releases. The latest version of this script is available from the Blueprints Online tools area at:
http://www.sun.com/blueprints/tools/
The init script is automatically configured by makeOpenSSHPackage.ksh. It is installed by the resulting package installation.
You can install the init script manually by using the following procedure.
|
1. Edit the init script, replacing the values denoted by %% (configDir, openSSHDir and includePRNGD).
2. Copy the script to /etc/init.d/openssh.server.
3. Change the permissions to 744.
4. Change the owner of the script to root and the group to sys.
5. Create the run-control links (the packaging script later in this chapter creates S25openssh.server in /etc/rc3.d, K30openssh.server in /etc/rc0.d, /etc/rc1.d and /etc/rcS.d, and K40openssh.server in /etc/rc2.d).
|
For inquiries or feedback, contact openssh_tools@sun.com.
|
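As an added example (not part of the page or of the Sun tools), the steps above as one shell function, install_openssh_init_script, that performs them against an install root and then verifies the result. The root is a scratch directory for a dry run, or / on the target system when run as root. The link names are the ones the packaging script later in this chapter creates; the template file used here is constructed for the demonstration and stands in for the real openssh.server script.

```shell
#!/bin/sh
# Added example, not from the page: install the OpenSSH init script manually,
# following the five steps above, into an install root, then verify the result.

install_openssh_init_script() {
    template=$1 root=$2 configDir=$3 openSSHDir=$4 includePRNGD=$5
    target=$root/etc/init.d/openssh.server
    mkdir -p "$root/etc/init.d" "$root/etc/rc0.d" "$root/etc/rc1.d" \
             "$root/etc/rc2.d" "$root/etc/rc3.d" "$root/etc/rcS.d"
    # steps 1 and 2: fill in the %%...%% values and place the script
    sed -e "s#%%configDir%%#$configDir#g" \
        -e "s#%%openSSHDir%%#$openSSHDir#g" \
        -e "s#%%includePRNGD%%#$includePRNGD#g" "$template" > "$target"
    # steps 3 and 4: mode 744, owner root, group sys (chown needs root)
    chmod 744 "$target"
    if [ "$(id -u)" -eq 0 ]; then chown root:sys "$target"; fi
    # step 5: start link for run level 3, kill links for the other levels
    for link in rc3.d/S25openssh.server rcS.d/K30openssh.server \
                rc0.d/K30openssh.server rc1.d/K30openssh.server \
                rc2.d/K40openssh.server; do
        ln -f "$target" "$root/etc/$link"
    done
    # check: a leftover placeholder would make the script look for sshd
    # under a literal "%%openSSHDir%%" at boot and fail silently
    if grep -q '%%' "$target"; then
        echo "unreplaced placeholder in $target" >&2
        return 1
    fi
    return 0
}

# Constructed template standing in for openssh.server (not the real script).
TEMPLATE=$(mktemp)
ROOT=$(mktemp -d)
trap 'rm -rf "$TEMPLATE" "$ROOT"' EXIT
cat > "$TEMPLATE" <<'EOF'
#!/sbin/sh
configDir=%%configDir%%
openSSHDir=%%openSSHDir%%
usePRNGD=%%includePRNGD%%
echo "sshd at $openSSHDir/sbin/sshd, config in $configDir, prngd=$usePRNGD"
EOF

install_openssh_init_script "$TEMPLATE" "$ROOT" /etc /opt/OBSDssh yes \
    && echo "installed under $ROOT"
ls "$ROOT"/etc/rc?.d
```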
#!/sbin/sh
#
#
umask 022
PATH=/usr/bin
configDir=%%configDir%%
openSSHDir=%%openSSHDir%%
usePRNGD=%%includePRNGD%%
PRNGDConfig=$configDir/prngd.conf
PRNGDEntropyDir=/var/run
PRNGDSeedFile=$PRNGDEntropyDir/prngd-seed
PRNGDEntropyPool=$PRNGDEntropyDir/egd-pool
PRNGDCmd=$openSSHDir/sbin/prngd
PRNGDCmdOptions="--cmdfile $PRNGDConfig --seedfile $PRNGDSeedFile $PRNGDEntropyPool"
DSAKeyFile=$configDir/ssh_host_dsa_key
RSA2KeyFile=$configDir/ssh_host_rsa_key
RSA1KeyFile=$configDir/ssh_host_key
keyGenerator=$openSSHDir/bin/ssh-keygen
sshdConfig=$configDir/sshd_config
sshdPIDFile=sshd.pid
sshdCmd=$openSSHDir/sbin/sshd
sshdCmdOptions=""
#
# Checks for the existence of the host DSA key (protocol version 2)
#
DSAKeyExists() {
    [ -f "$DSAKeyFile" ] && return 0
    return 1
}
#
# Checks for the existence of the host RSA key (protocol version 2)
#
RSA2KeyExists () {
    [ -f "$RSA2KeyFile" ] && return 0
    return 1
}
#
# Checks for the existence of the RSA host key (protocol version 1)
#
RSA1KeyExists () {
    [ -f "$RSA1KeyFile" ] && return 0
    return 1
}
#
# Checks for the existence of the PRNGD initial seed
#
PRNGDSeedExists () {
    [ -s "$PRNGDSeedFile" ] && return 0
    return 1
}
#
# Configures the appropriate PRNGD config file
#
setPRNGDConfigFile () {
    [ ! -f "$PRNGDConfig" ] && {
        OSrev=`uname -r`
        case "$OSrev" in
        "5.7"|"5.8"|"5.9")
            ln -s $PRNGDConfig-solaris-2.7 $PRNGDConfig
            ;;
        *)
            ln -s $PRNGDConfig-solaris-2.6 $PRNGDConfig
            ;;
        esac
    }
}
#
# Generates DSA (protocol version 2) key
#
generateDSAKey () {
    echo "Generating OpenSSH server DSA (protocol version 2) key...\c"
    if $keyGenerator -q -t dsa -f $DSAKeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}
#
# Generates RSA (protocol version 2) key
#
generateRSA2Key () {
    echo "Generating OpenSSH server RSA (protocol version 2) key...\c"
    if $keyGenerator -q -t rsa -f $RSA2KeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}
#
# Generates RSA (protocol version 1) key
#
generateRSA1Key () {
    echo "Generating OpenSSH server RSA (protocol version 1) key...\c"
    if $keyGenerator -q -t rsa1 -f $RSA1KeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}
#
# Checks for keys and generates them if necessary
#
generateKeys () {
    if DSAKeyExists; then
        echo "OpenSSH DSA key exists: $DSAKeyFile"
    else
        generateDSAKey
    fi
    if RSA2KeyExists; then
        echo "OpenSSH RSA2 key exists: $RSA2KeyFile"
    else
        generateRSA2Key
    fi
    if RSA1KeyExists; then
        echo "OpenSSH RSA1 key exists: $RSA1KeyFile"
    else
        generateRSA1Key
    fi
}
#
# Checks for the seed file and generates one if necessary
#
generateSeed () {
    if [ "$usePRNGD" = "yes" ]; then
        if PRNGDSeedExists; then
            echo "PRNGD seed exists: $PRNGDSeedFile"
        else
            echo "Generating PRNGD initial seed file...\c"
            touch $PRNGDSeedFile
            chmod 600 $PRNGDSeedFile
            # Newly installed system may not have log files
            [ -s /var/adm/messages ] && \
                cat /var/adm/messages >> $PRNGDSeedFile
            [ -s /var/log/syslog ] && \
                cat /var/log/syslog >> $PRNGDSeedFile
            [ -s /var/cron/log ] && \
                cat /var/cron/log >> $PRNGDSeedFile
            ls -alni /proc >> $PRNGDSeedFile
            ps -efly >> $PRNGDSeedFile
            chmod 400 $PRNGDSeedFile
            echo "done."
        fi
    fi
}
#
# Start the OpenSSH server process
#
startSSHD() {
    # check for configuration file
    if [ ! -f "$sshdConfig" ] ; then
        echo "OpenSSH is not configured. Missing file $sshdConfig."
        exit 1
    fi
    # check for all of the keys
    if DSAKeyExists && RSA2KeyExists && RSA1KeyExists; then
        :
    else
        generateKeys
    fi
    $sshdCmd $sshdCmdOptions
}
#
# Start the PRNGD process
#
startPRNGD() {
    if [ "$usePRNGD" = "yes" ] ; then
        if PRNGDSeedExists; then
            :
        else
            generateSeed
        fi
        setPRNGDConfigFile
        # check that the directory containing the entropy pool exists
        [ ! -d $PRNGDEntropyDir ] && mkdir -p $PRNGDEntropyDir
        $PRNGDCmd $PRNGDCmdOptions
    fi
}
#
# Stop the OpenSSH server process
#
stopSSHD() {
    realPIDFile=""
    if [ -r "/etc/$sshdPIDFile" ] ; then
        realPIDFile=/etc/$sshdPIDFile
    elif [ -r "/var/run/$sshdPIDFile" ] ; then
        realPIDFile=/var/run/$sshdPIDFile
    else
        echo "OpenSSH server process ID (PID) file cannot be located."
    fi
    [ -n "$realPIDFile" ] && kill -TERM `cat $realPIDFile`
}
#
# Stop the PRNGD process
#
stopPRNGD() {
    # PRNGD has its own built-in method to shut down and save its seed
    $PRNGDCmd --kill $PRNGDEntropyPool > /dev/null 2>&1
}
#
# Parse command argument
#
case "$1" in
'start')
    # start the PRNGD process first to gather entropy
    startPRNGD
    startSSHD
    ;;
'stop')
    stopSSHD
    stopPRNGD
    ;;
'restart')
    stopSSHD
    stopPRNGD
    startPRNGD
    startSSHD
    ;;
'keygen')
    # start PRNGD because key generation requires it
    stopSSHD
    startPRNGD
    generateKeys
    stopPRNGD
    ;;
'seedgen')
    generateSeed
    ;;
*)
    echo "Usage: $0 { start | stop | restart | keygen | seedgen }"
    ;;
esac
exit 0
|
The packaging script in this section creates an OpenSSH Solaris package. After OpenSSH is compiled, use this script to create a Solaris package stream. This script has been updated to support OpenSSH 3.5p1. For further information, refer to the Sun BluePrints OnLine articles titled "Building and Deploying OpenSSH on the Solaris Operating Environment" and "Building OpenSSH—Tools and Tradeoffs".
The latest version of this script is available at the Sun BluePrints OnLine tools area:
http://www.sun.com/blueprints/tools/
Execute this script in the top-level OpenSSH source directory. If needed, copy the script to the OpenSSH source directory. After OpenSSH has been compiled, check the script variables listed in the script to verify the configuration for the environment in which OpenSSH is to be installed. Note that the script stages its work under /tmp/OBSDssh, which it removes and recreates on every run; on a system shared with untrusted users, point buildDir and packageDir at a directory only root can write to before running it as root.
Note
This script borrows heavily from the Sun Enterprise™ Network Security Service (SENSS) makepackage script. This script uses the openssh.server init script, which is copied over and some of its contents are changed based on the variables set in this script.
For inquiries or feedback, contact openssh_tools@sun.com.
|
#!/usr/bin/ksh
#
# --------------------------------------------------------------------
# User configuration variables
# --------------------------------------------------------------------
#
# Installation directory.
#
# This should be a local directory on the systems that will install it.
# If /opt is specified, the package name will be appended to the
# install directory name (ie. /opt/OBSDssh).
#
# The default value, if no argument is supplied on the command line, is
# /opt. Otherwise, the argument specified will be used.
#
# The location for the config files ie sshd_config is pulled from
# OpenSSH's config.status.
installDir=${1:-/opt}
#installDir=/usr/local
#
# OpenSSH Solaris package name.
#
packageName=OBSDssh
# Check for OpenSSH's config.status as configuration is read from there.
if [[ ! -f config.status ]]; then
    print "Unable to read OpenSSH's config.status."
    exit 1
fi
#
# Include the PRNGD tool and associate files. (yes/no)
# Check OpenSSH's config.status for --with-prngd-socket
#
if grep "with-prngd-socket" config.status > /dev/null 2>&1; then
    includePRNGD=yes
else
    includePRNGD=no
fi
#
# PRNGD package location. (PRNGD must already be compiled.)
#
PRNGDDir=../prngd-0.9.26
#
# Solaris system init script location.
#
initScript=../openssh.server
#
# Install ssh set-user-ID (SUID). (yes/no)
#
if grep "disable-suid-ssh" config.status > /dev/null 2>&1; then
    installSSHSUID=no
else
    installSSHSUID=yes
fi
# --------------------------------------------------------------------
# No further user configuration should be required past this point.
# --------------------------------------------------------------------
PATH=/usr/bin:/usr/ccs/bin
# source/current directory
srcDir=$(pwd)
# build directory
buildDir=/tmp/$packageName/build
# package build directory
packageDir=/tmp/$packageName/package
# OpenSSH files final location
if [[ $installDir == "/opt" ]]; then
    openSSHDir=$installDir/$packageName
else
    openSSHDir=$installDir
fi
# Determine config file location based on config.status of OpenSSH.
# The returned value needs to be a path not a shell variable.
configDir=$(grep @sysconfdir@ config.status | cut -f3 -d,)
# determine which ssh permissions to use
if [[ $installSSHSUID == "yes" ]]; then
    sshMode=4755
else
    sshMode=0755
fi
# cleanup and process
print "Cleaning up any old build files..."
rm -rf $buildDir $packageDir
mkdir -p $buildDir $packageDir
# create build subdirectories
print "Creating build subdirectories..."
mkdir -p $buildDir/$openSSHDir/bin
mkdir -p $buildDir/$openSSHDir/docs/OpenSSH
mkdir -p $buildDir/$openSSHDir/libexec
mkdir -p $buildDir/$openSSHDir/man/cat1
mkdir -p $buildDir/$openSSHDir/man/cat8
mkdir -p $buildDir/$openSSHDir/sbin
mkdir -p $buildDir/$configDir
mkdir -p $buildDir/etc/init.d
mkdir -p $buildDir/etc/rc0.d
mkdir -p $buildDir/etc/rc1.d
mkdir -p $buildDir/etc/rc2.d
mkdir -p $buildDir/etc/rc3.d
mkdir -p $buildDir/etc/rcS.d
[[ $includePRNGD == "yes" ]] && {
    mkdir -p $buildDir/$openSSHDir/docs/PRNGD
    mkdir -p $buildDir/var/run
}
# copy OpenSSH executables
print "Copying OpenSSH client executables:\c"
dir=$buildDir/$openSSHDir/bin
for file in ssh scp sftp ssh-add ssh-agent ssh-keygen ssh-keyscan \
            ssh-keysign; do
    cp $file $dir
    strip $dir/$file
    chmod 755 $dir/$file
    print " $file\c"
done
print "."
# copy OpenSSH server executable
print "Copying OpenSSH server executable: \c"
file=sshd
dir=$buildDir/$openSSHDir/sbin
cp $file $dir
strip $dir/$file
chmod 755 $dir/$file
print " $file."
# copy OpenSSH sftp server executable
print "Copying OpenSSH libexec executables:\c"
dir=$buildDir/$openSSHDir/libexec
for file in ssh-rand-helper sftp-server; do
    cp $file $dir
    strip $dir/$file
    chmod 755 $dir/$file
    print " $file\c"
done
print "."
# install only the preformatted man pages since Solaris nroff does not
# understand the BSD formatted ones
print "Copying OpenSSH user preformatted man pages:\c"
dir=$buildDir/$openSSHDir/man/cat1
for file in ssh.0 scp.0 sftp.0 ssh-add.0 ssh-keygen.0 ssh-agent.0 \
            ssh-keyscan.0 ssh-rand-helper.0 ssh-keysign.0; do
    cp $file $dir
    chmod 644 $dir/$file
    print " $file\c"
done
print "."
print "Copying OpenSSH admin preformatted man pages:\c"
dir=$buildDir/$openSSHDir/man/cat8
for file in sftp-server.0 sshd.0; do
    cp $file $dir
    chmod 644 $dir/$file
    print " $file\c"
done
print "."
# create symbolic links to slogin and associated man page
print "Creating symbolic links to slogin and slogin.0..."
( cd $buildDir/$openSSHDir/bin; ln -s ./ssh slogin )
( cd $buildDir/$openSSHDir/man/cat1; ln -s ./ssh.0 slogin.0 )
# copy over auxilary config files
# (Note: The ssh_prng_cmds file is only necessary if PRNGD is not used
# but it is included anyways.)
print "Copying OpenSSH config files:\c"
dir=$buildDir/$configDir
for file in ssh_prng_cmds; do
    cp $file $dir
    chmod 644 $dir/$file
    print " $file\c"
done
cp ssh_config.out $dir/ssh_config
cp sshd_config.out $dir/sshd_config
chmod 644 $dir/ssh_config $dir/sshd_config
print " ssh_config sshd_config."
# copy over, fix permissions and ownerships, and link up the system
# init script
print "Copying and linking the OpenSSH system init script..."
cat $initScript | \
    sed -e "s#%%configDir%%#$configDir#g" \
        -e "s#%%openSSHDir%%#$openSSHDir#g" \
        -e "s#%%includePRNGD%%#$includePRNGD#g" \
    > $buildDir/etc/init.d/openssh.server
chmod 744 $buildDir/etc/init.d/openssh.server
ln $buildDir/etc/init.d/openssh.server \
   $buildDir/etc/rc3.d/S25openssh.server
ln $buildDir/etc/init.d/openssh.server \
   $buildDir/etc/rcS.d/K30openssh.server
ln $buildDir/etc/init.d/openssh.server \
   $buildDir/etc/rc0.d/K30openssh.server
ln $buildDir/etc/init.d/openssh.server \
   $buildDir/etc/rc1.d/K30openssh.server
ln $buildDir/etc/init.d/openssh.server \
   $buildDir/etc/rc2.d/K40openssh.server
# if PRNGD is used, copy over the executable and config files
[[ $includePRNGD == "yes" ]] && {
    print "Copying PRNGD Solaris specific config files..."
    cp $PRNGDDir/prngd $buildDir/$openSSHDir/sbin
    cp $PRNGDDir/contrib/Solaris-2.6/prngd.conf.solaris-26 \
       $buildDir/$configDir/prngd.conf-solaris-2.6
    cp $PRNGDDir/contrib/Solaris-7/prngd.conf.solaris-7 \
       $buildDir/$configDir/prngd.conf-solaris-2.7
}
# copy over documentation files for OpenSSH and PRNGD
print "Copying OpenSSH and PRNGD documentation files:\c"
dir=$buildDir/$openSSHDir/docs/OpenSSH
for file in CREDITS README LICENCE; do
    cp $file $dir
    chmod 644 $dir/$file
    print " $file\c"
done
[[ $includePRNGD == "yes" ]] && {
    cp $PRNGDDir/00README \
       $buildDir/$openSSHDir/docs/PRNGD/README
    chmod 644 $buildDir/$openSSHDir/docs/PRNGD/README
    print " README (PRNGD)\c"
}
print "."
# create a Solaris package prototype file
# (pkgproto lines are "ftype class path mode owner group"; "?" keeps the
# attributes already on the target system. The etc/... config file paths
# below assume sysconfdir is /etc.)
print "Creating the Solaris package prototype file..."
(
    cd $buildDir
    find . ! -name prototype | sort | pkgproto | awk '
        { $5 = "root"; $6 = "other"; }
        $3 == "etc"                         { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/rc0.d"                   { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/rc1.d"                   { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/rc2.d"                   { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/rc3.d"                   { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/rcS.d"                   { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/init.d"                  { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "etc/init.d/openssh.server"   { $6 = "sys"; }
        $3 == "etc/prngd.conf-solaris-2.6"  { $6 = "sys"; }
        $3 == "etc/prngd.conf-solaris-2.7"  { $6 = "sys"; }
        $3 == "etc/ssh_config"              { $6 = "sys"; }
        $3 == "etc/ssh_prng_cmds"           { $6 = "sys"; }
        $3 == "etc/sshd_config"             { $6 = "sys"; }
        $3 == "var"                         { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "var/run"                     { $4 = "?"; $5 = "?"; $6 = "?"; }
        $3 == "opt"                         { $4 = "?"; $5 = "?"; $6 = "?"; }
        { print; }
        END { print "i pkginfo=info" }' > prototype.temp
    sed -e "s/bin\/ssh 0755/bin\/ssh $sshMode/" < prototype.temp \
        | grep -v prototype.temp > prototype
    rm -f prototype.temp
)
# create an info file
print "Creating the Solaris package pkginfo file..."
cat > $buildDir/info << __EOF__
PKG=$packageName
NAME=OpenSSH for Solaris
ARCH=$(uname -p)
VERSION="$(grep SSH_VERSION $srcDir/version.h | sed -e 's/.*_\([0-9]\)/\1/' -e 's/"//g')"
CATEGORY=application
BASEDIR=/
CLASSES="none"
__EOF__
# make a package, using the prototype/info files, writing to the scratchdir
print "Creating the Solaris package directory..."
pkgmk -d $packageDir -f $buildDir/prototype -r $buildDir -o
# store it as Solaris package stream format
print "Creating the Solaris package stream."
pkgtrans -os $packageDir $srcDir/$packageName.pkg all
# messages
print
print "package stream file is: $srcDir/$packageName.pkg"
print "To install: pkgadd -d $packageName.pkg $packageName"
# done
exit 0
|
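The installSSHSUID test near the top of the packaging script is the only place that decides whether ssh ships set-user-ID, and the client options earlier in this chapter (RhostsAuthentication, RhostsRSAAuthentication, UsePrivilegedPort) are the only reason to want it, all of them recommended off. As an added example (not from the page and not part of the packaging script), a shell check to run on the generated prototype file before pkgmk: list_setid_entries lists every file entry whose mode sets the set-user-ID or set-group-ID bit, and check_setid_policy fails if any entry other than the one expected path is found. The prototype lines below are constructed for the demonstration, with an extra set-ID scp planted to show a violation.

```shell
#!/bin/sh
# Added example, not from the page: audit a pkgproto-format prototype file
# ("ftype class path mode owner group") for set-user-ID / set-group-ID entries.

list_setid_entries() {          # $1 prototype file -> "path mode owner" per set-ID file
    awk '$1 == "f" && NF >= 6 {
        mode = $4
        # a 4-digit mode whose leading digit has bit 4 (setuid) or 2 (setgid) set
        if (length(mode) == 4 && substr(mode, 1, 1) ~ /[2-7]/)
            print $3, mode, $5
    }' "$1"
}

check_setid_policy() {          # $1 prototype, $2 the one path allowed to be set-ID (may be empty)
    proto=$1 allowed=$2 rc=0
    list_setid_entries "$proto" | while read -r path mode owner; do
        if [ "$path" != "$allowed" ]; then
            echo "unexpected set-ID entry: $path $mode $owner" >&2
            exit 1              # leaves the subshell running the loop
        fi
    done || rc=1
    return $rc
}

# Constructed prototype excerpt (not generated by the packaging script).
PROTO=$(mktemp)
trap 'rm -f "$PROTO"' EXIT
cat > "$PROTO" <<'EOF'
i pkginfo=info
d none opt ? ? ?
d none opt/OBSDssh 0755 root other
d none opt/OBSDssh/bin 0755 root other
f none opt/OBSDssh/bin/ssh 4755 root other
f none opt/OBSDssh/bin/scp 4755 root other
f none opt/OBSDssh/bin/ssh-keygen 0755 root other
f none opt/OBSDssh/sbin/sshd 0755 root other
f none etc/init.d/openssh.server 0744 root sys
f none etc/sshd_config 0644 root sys
EOF

echo "set-ID entries in the constructed prototype:"
list_setid_entries "$PROTO"
if check_setid_policy "$PROTO" opt/OBSDssh/bin/ssh; then
    echo "policy ok"
else
    echo "policy violated: fix the prototype, or build with --disable-suid-ssh if ssh need not be set-ID"
fi
```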
|
# Example config file - two comments and one
# keyword-value pair
Port 22
|
During configuration, you will need to make trade-offs between security, ease-of-use, and legacy compatibility. A wide variety of options covering network and protocol support, authentication, and user environment, obscure the individual option's impact on the whole. This section includes some configuration recommendations and discusses the consequences of their usage.
Note
Only the Solaris Secure Shell software and OpenSSH versions that are current at the time of this writing are used. Not all of the options are covered. Consult the vendor documentation for information on the other options and on the options presented here.
Server configuration specifies how the daemon presents itself on the network, what protocols are offered, and what authentication methods are allowed. Specific recommendations are given for each topic. Recommendations specific to a particular Secure Shell implementation have also been noted.
Two major versions of the Secure Shell protocol exist. Protocol 1 has been deprecated because of vulnerabilities, such as packet insertion and password-length determination. Whenever possible, use Protocol 2. Unfortunately, many legacy clients support only Protocol 1. If this protocol must be enabled, consult the Legacy Support recommendations later in this chapter. Consider migrating to clients that support Protocol 2 as soon as reasonably possible.
By default, the sshd(1M) daemon listens on all network interfaces on its bound ports. For workstations or other systems on which accessibility is desired for all interfaces, this behavior is not a problem. For architectures such as the Service Delivery Network, in which management traffic is limited to a particular interface, this behavior is a problem. Limit network access with the ListenAddress keyword. Access is limited by a particular IP address, not by a network interface.
|
# Listen only to the management network.
ListenAddress 192.168.0.10
|
To further narrow down what the daemon will listen to, use either a host-based firewall, such as the SunScreen™ software, or TCP Wrappers.
For information about traffic-limited architectures, consult the Sun BluePrints OnLine article "Building Secure N-Tier Environments" (October 2000).
A connection can be left hanging when a route goes down, a machine crashes, or a session is otherwise cut off without a clean close. TCP keep-alives detect a peer that no longer answers: if they fail, the server drops the connection and returns its allocated resources. Keep-alives are plain TCP segments outside the Secure Shell protocol, so they do not by themselves detect a hijacked or man-in-the-middle connection, and on faulty networks the resulting regular disconnects can aggravate users.
|
KeepAlive yes
|
Optionally, compression can be used on the encrypted data streams. This use results in bandwidth savings for compressible data, such as interactive logins or log files, at the expense of more CPU resources. For uncompressible data such as encrypted or compressed files, the extra CPU time is wasted and decreases performance. For a single Secure Shell session, these losses are inconsequential. For a file server, the extra load could impact performance. In this case, turn compression off to prevent misconfigured clients from driving up the system load.
|
# Transferring ASCII data such as interactive logins or log files
Compression yes
|
# Transferring random data such as compressed or encrypted files
# Prevents performance issues and reduces CPU load
Compression no
|
Privilege separation is an OpenSSH-only feature. The sshd(1M) daemon is split into two parts: a privileged process to deal with authentication and process creation and an unprivileged process to deal with incoming network connections. After successful authentication, the privileged process spawns a new process with the privileges of the authenticated user. The goal is to prevent compromise from an error in the network facing process. Unfortunately, privilege separation is not really compatible with pluggable authentication modules or SunSHIELD Basic Security Module (BSM) auditing. Some OpenSSH features are also disabled. If privilege separation is desired, consult the vendor documentation.
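The server recommendations in this section (Protocol 2, ListenAddress on the management address, KeepAlive, and no rhosts-style authentication) are easy to check mechanically. The following added example (not part of the page and not OpenSSH code) is a small POSIX shell audit, audit_sshd_config, run over two constructed sshd_config files, one weak and one following the recommendations. Like sshd, it takes the first value given for a keyword; ListenAddress may legitimately be repeated, and only its presence is examined here. The Protocol check treats an unset keyword as a finding because OpenSSH releases before 5.4 defaulted to 2,1.

```shell
#!/bin/sh
# Added example, not from the page or from OpenSSH: audit an sshd_config
# against the recommendations in this section.

sshd_config_value() {           # $1 file, $2 keyword (case-insensitive) -> first value or ""
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

audit_sshd_config() {           # $1 file; prints one finding per line, returns their count
    f=$1 n=0
    v=$(sshd_config_value "$f" Protocol)
    if [ -z "$v" ]; then
        echo "Protocol: not set; OpenSSH releases before 5.4 default to 2,1, which offers Protocol 1. Set 'Protocol 2'."
        n=$((n + 1))
    else
        case ",$v," in
            *,1,*) echo "Protocol: version 1 is enabled ($v). Set 'Protocol 2'."; n=$((n + 1)) ;;
        esac
    fi
    if [ -z "$(sshd_config_value "$f" ListenAddress)" ]; then
        echo "ListenAddress: not set; sshd listens on every interface. Bind it to the management address on multi-homed hosts."
        n=$((n + 1))
    fi
    if [ "$(sshd_config_value "$f" KeepAlive)" = no ]; then
        echo "KeepAlive: no; dead connections hold resources until they time out. Set 'KeepAlive yes'."
        n=$((n + 1))
    fi
    for k in RhostsAuthentication RhostsRSAAuthentication; do
        if [ "$(sshd_config_value "$f" "$k")" = yes ]; then
            echo "$k: yes; rhosts-style authentication is Protocol 1 only. Set '$k no'."
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample server configurations (not from the page).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# weak: Protocol 1 offered, all interfaces, rhosts trust on
Protocol 2,1
KeepAlive no
RhostsAuthentication no
RhostsRSAAuthentication yes
Compression yes
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
ListenAddress 192.168.0.10
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
Compression no
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== auditing $cfg"
    if audit_sshd_config "$cfg"; then echo "(no findings)"; fi
done
```

The audit reads the file as text; on a live system sshd -t (with -f to name the file) is still the check that the configuration parses and that the keywords exist in the installed version.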