Configuration

OpenSSH is the encrypted network service everyone uses to do remote logins and network copying. We’ve already used it several times to do file transfer and the like. There is a lot more to OpenSSH than that though, and we want to now show you some of the advanced features of this wonderful tool.

Installing and Configuring SSH

On apt systems like Debian and Ubuntu do:

apt install openssh-server

On RedHat:

sudo dnf update
sudo dnf install openssh-server

Generating the System Host Keys

Each SSH server has a host key pair in addition to any user keys. The server's public host key is sent to the client and recorded in /home/joe/.ssh/known_hosts (older releases kept protocol 2 keys in a separate /home/joe/.ssh/known_hosts2 file). Host keys have no passphrase, because sshd must be able to read them unattended at start-up.

Each line of /home/joe/.ssh/known_hosts holds one entry with the following space-separated fields (this is the protocol 1 layout; a protocol 2 entry carries a key type and a base64-encoded key in place of the bits, exponent and modulus):

hostnames bits exponent modulus comment

If a host key is lost, damaged or believed compromised, you can create or re-create the keys as follows. Every client that has the old key will then see the changed-key warning shown below, so publish the new fingerprints (ssh-keygen -lf on each public key file) for users to verify against:

# protocol 2 host keys, written to the paths sshd reads by default
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Sometimes hosts get re-installed and the user will have the old copy of the host key and get this error message:

Possible SSH Man-In-The-Middle Attack.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@          WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!               @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Add correct host key in /home/joe/.ssh/known_hosts to get rid of
this message. Offending key in /home/joe/.ssh/known_hosts:4

If the host really was reinstalled, remove the stale entry for that server from /home/joe/.ssh/known_hosts (the message names the offending line; ssh-keygen -R hostname removes it for you) and retry the connection. Before doing so, confirm with the host's administrator that the key did change and that the new fingerprint matches, since an unexpected key change is exactly what a man-in-the-middle attack looks like.
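Before removing the line the warning points at, it helps to see which stored key it is and to compare its fingerprint with one obtained from the host's administrator. The following Python helper is an added example, not part of this page or of OpenSSH: it parses known_hosts entries in the protocol 2 form, matches plain and hashed (HashKnownHosts) hostname fields, reports the SHA256 fingerprint in the form ssh-keygen -l prints, and drops a host's entries the way ssh-keygen -R does. The hostnames, salt and all-zero key are constructed sample values.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a known_hosts key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(hostname: str, salt: bytes) -> str:
    """Hostname field in the '|1|salt|hmac-sha1' form that HashKnownHosts writes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field: str, hostname: str) -> bool:
    """True if a hostname field (comma-separated names or hashed) covers hostname.
    Wildcard patterns and [host]:port forms are deliberately not handled here."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host(hostname, salt), field)
    return hostname in field.split(",")

def parse_known_hosts(text: str):
    """Yield (line_no, hosts, keytype, key_b64) for each entry, skipping comments."""
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield line_no, parts[0], parts[1], parts[2]

def keys_for_host(text: str, hostname: str) -> list:
    """[(line_no, keytype, fingerprint)] for every entry covering hostname."""
    return [(n, t, fingerprint(k)) for n, h, t, k in parse_known_hosts(text)
            if host_matches(h, hostname)]

def remove_host(text: str, hostname: str) -> str:
    """Drop every entry covering hostname (what ssh-keygen -R does); keep the rest."""
    drop = {n for n, h, _, _ in parse_known_hosts(text) if host_matches(h, hostname)}
    return "".join(l + "\n" for n, l in enumerate(text.splitlines(), 1) if n not in drop)

# Constructed sample data, not a real host key: a well-formed ssh-ed25519 blob whose
# 32 key bytes are all zero, used by a plain entry, a hashed entry and another host.
SAMPLE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "web01.example.com,10.0.0.5 ssh-ed25519 " + SAMPLE_KEY + " web01",
    hashed_host("db01.example.com", b"0123456789abcdefghij") + " ssh-ed25519 " + SAMPLE_KEY,
    "other.example.com ssh-ed25519 " + SAMPLE_KEY,
]) + "\n"
```

Run keys_for_host on the contents of your own known_hosts with the hostname from the warning to get the line number and fingerprint of the stored key before deciding to remove it.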

Server Configuration

The server configuration that we will strive for in this section is the least permissive possible while still allowing connections we need. With this in mind, we want other hosts to connect to us, use X11 forwarding, and use only SSH protocol 2 (the most secure). Below is a sample of the most relevant server configuration entries in /etc/ssh/sshd_config:

# An Abbreviated SSH Server Configuration File
# sshd does not accept a trailing comment after a value (it rejects the line as
# garbage at end of line), so every explanation below sits on its own line.
Port 22
Protocol 2
PermitRootLogin no
# StrictModes checks ownership and permissions of the user's files (~/.ssh etc.)
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
# protocol 2 public-key authentication (DSAAuthentication is the old alias)
PubkeyAuthentication yes
# protocol 1 only, so disabled
RSAAuthentication no
RhostsAuthentication no
# ignore users' ~/.rhosts and ~/.shosts
IgnoreRhosts yes

Finally, start your server in the traditional way for your distro, e.g.

/etc/init.d/sshd start

Client Configuration

SSH client configuration is controlled by /etc/ssh/ssh_config and should likewise permit only protocol version 2 and allow X11 forwarding. The entries to change are shown below; note that the lines giving default values are commented out:

# An Abbreviated SSH Client Configuration File
Protocol 2
ForwardX11 yes
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
RSAAuthentication no
#   PasswordAuthentication yes
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_ed25519