Configuration

OpenSSH provides encrypted remote logins and file transfer (scp, sftp) over untrusted networks. It is used for remote administration, copying files between hosts, and as the transport underneath tools such as rsync and git, and it is the de facto standard for remote work on Unix-like systems.

Installing and Configuring SSH

On apt systems like Debian and Ubuntu do:

sudo apt install openssh-server

On RedHat:

sudo dnf update
sudo dnf install openssh-server

Generating the System Host Keys

Each SSH server has its own host key pair (one per key algorithm), separate from any user keys. The public half is sent to the client on the first connection and recorded in the user's ~/.ssh/known_hosts; on later connections the client compares the key the server presents with that record, which is what lets it detect an impersonated or changed host. Host keys have no passphrase, because sshd must load them unattended at boot.

If for some reason a host key becomes damaged or compromised, re-create it. Current OpenSSH keeps one key pair per algorithm under /etc/ssh/ssh_host_<type>_key, so the files are ssh_host_rsa_key and ssh_host_ed25519_key (the single ssh_host_key belonged to protocol 1). Remove the old files first, since ssh-keygen prompts before overwriting, then generate replacements without a passphrase:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Restart sshd afterwards, and publish the new fingerprints (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) through a channel users already trust; otherwise every client will see the warning below with no way to tell a reinstall from an attack. ssh-keygen -A generates any missing default host keys in one step.

Sometimes hosts get re-installed and the user will have the old copy of the host key and get this error message:

Possible SSH Man-In-The-Middle Attack.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@          WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!               @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
Add correct host key in /home/joe/.ssh/known_hosts to get rid of
this message. Offending key in /home/joe/.ssh/known_hosts:4

Before touching anything, confirm out of band that the host really was reinstalled, and compare the fingerprint ssh prints (the full message includes it) with the one the administrator published. If they differ, stop: this warning is exactly what an interception looks like. Only then remove the stale entry, either with ssh-keygen -R server.example.com or by deleting the offending line (here line 4) from ~/.ssh/known_hosts, retry the connection, and accept the new host key.
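As an added example (not code from the original page), the following Python shows what ssh-keygen -F and ssh-keygen -R do to a known_hosts file, including entries with hashed hostnames, and the fingerprint comparison that should happen before a changed host key is accepted. The hostnames, the salt and the key bytes are constructed placeholders, not real keys.

```python
# Added example, not from the original page: known_hosts lookup and pruning
# (what ssh-keygen -F / -R do) plus the out-of-band fingerprint check.
# All hostnames, salts and key bytes below are constructed placeholders.
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public key blob as it appears (base64) in known_hosts and *.pub files."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """Same format as 'ssh-keygen -lf': SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(host: str, field: str) -> bool:
    """Does the first column of a known_hosts line name this host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(host, salt), field)
    return host in field.split(",")   # plain entries may list several names/addresses


def find_host(text: str, host: str):
    """Like 'ssh-keygen -F host': (line number, key type, key blob) per matching entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts, keytype, key_b64 = fields[:3]
        if host_field_matches(host, hosts):
            hits.append((lineno, keytype, base64.b64decode(key_b64)))
    return hits


def remove_host(text: str, host: str) -> str:
    """Like 'ssh-keygen -R host': drop every line naming the host, keep the rest verbatim."""
    drop = {lineno for lineno, _, _ in find_host(text, host)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), start=1) if i not in drop)


def new_key_is_expected(new_blob: bytes, expected_fp: str) -> bool:
    """Accept a changed key only if its fingerprint equals the one obtained out of
    band (e.g. 'ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub' on the console)."""
    return hmac.compare_digest(fingerprint_sha256(new_blob), expected_fp)


# constructed sample data: placeholder bytes, not real keys
OLD_KEY = bytes(range(32))                  # key the client still has on record
NEW_KEY = bytes(range(32, 64))              # key the reinstalled host now presents
OTHER_KEY = bytes(32)
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "git.example.com ssh-ed25519 " + base64.b64encode(ed25519_blob(OTHER_KEY)).decode(),
    hash_hostname("bastion.example.com", SALT) + " ssh-ed25519 "
    + base64.b64encode(ed25519_blob(OTHER_KEY)).decode(),
    "server.example.com,10.0.0.5 ssh-ed25519 " + base64.b64encode(ed25519_blob(OLD_KEY)).decode(),
])

if __name__ == "__main__":
    for lineno, keytype, blob in find_host(SAMPLE_KNOWN_HOSTS, "server.example.com"):
        print("known_hosts:%d %s %s" % (lineno, keytype, fingerprint_sha256(blob)))
    # stand-in for the fingerprint the admin read off the rebuilt server's console
    console_fp = fingerprint_sha256(ed25519_blob(NEW_KEY))
    if new_key_is_expected(ed25519_blob(NEW_KEY), console_fp):
        pruned = remove_host(SAMPLE_KNOWN_HOSTS, "server.example.com")
        print("stale entry removed; %d lines remain" % len(pruned.splitlines()))
```

The hashed-hostname branch matters because HashKnownHosts yes (the Debian default) means you cannot find the offending line by searching for the hostname; matching has to recompute the HMAC with the salt stored in the entry, which is what ssh-keygen -F and -R do for you.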

Server Configuration

The server configuration we aim for in this section is the least permissive one that still allows the connections we need: other hosts may connect to us, X11 forwarding is available, and only SSH protocol 2 is spoken. Protocol 1 support was removed from OpenSSH in version 7.6, so on current releases the Protocol keyword is simply ignored and the protocol-1 options (RSAAuthentication, RhostsRSAAuthentication, RhostsAuthentication) no longer exist; the sample below uses current keywords, with PubkeyAuthentication and HostbasedAuthentication taking the place of the old DSAAuthentication and rhosts settings. X11Forwarding stays on because this section asks for it, but it exposes the connecting user's X display to every process in their session on the server, so set it to no on servers where nobody runs graphical programs. Below is a sample of the most relevant server configuration entries in /etc/ssh/sshd_config (comments on their own lines):

# An Abbreviated SSH Server Configuration File
Port 22
# Protocol 1 was removed in OpenSSH 7.6; current sshd ignores this keyword
Protocol 2
PermitRootLogin no
# refuse key files and directories with unsafe ownership or permissions
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
# public-key authentication (the old DSAAuthentication keyword is an alias)
PubkeyAuthentication yes
# no rhosts-style trust: protocol-2 host-based authentication off,
# and ignore users' ~/.rhosts and ~/.shosts
HostbasedAuthentication no
IgnoreRhosts yes

Finally, check the file for syntax errors with sshd -t (a bad file would otherwise stop the daemon and can lock you out of a remote machine), keep your current session open, and restart the service in the usual way for your distro, e.g.

systemctl restart sshd

On Debian and Ubuntu the unit is called ssh rather than sshd.
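As an added example (not code from the original page or from OpenSSH), here is a small Python audit that checks an sshd_config text for the settings above and flags the two mistakes that most often silently undo a hardening: protocol-1-era keywords that current sshd ignores, and duplicate keywords, where sshd keeps the first value it sees and discards the later one. LEGACY_CONFIG is the protocol-1-era spelling of this section's sample; the other two configurations are constructed. The keyword and alias lists follow current OpenSSH.

```python
# Added example, not from the original page: audit an sshd_config text against
# the settings this section asks for. Two sshd rules it mirrors: keywords are
# case-insensitive, and for each keyword the FIRST value in the file wins.
# Sample configurations are constructed; keyword names follow current OpenSSH.

# protocol-1-era keywords; current sshd ignores them (warning for some)
DEPRECATED = {"protocol", "rsaauthentication", "rhostsauthentication",
              "rhostsrsaauthentication"}
# old spellings that sshd still maps onto a current keyword
ALIASES = {"dsaauthentication": "pubkeyauthentication"}
# what the "least permissive" server in this section wants
SERVER_WANTED = {
    "permitrootlogin": "no",
    "strictmodes": "yes",
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
}


def parse_config(text):
    """Return (effective settings, deprecated keywords seen, ignored duplicates).

    Stops at the first Match block: everything below it is conditional and this
    global audit does not model it. '#' always starts a comment here, so values
    containing '#' are not supported.
    """
    effective, deprecated, ignored = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split(None, 1)
        name = tokens[0]
        value = tokens[1].strip() if len(tokens) > 1 else ""
        if "=" in name:                      # "Keyword=value" spelling
            name, rhs = name.split("=", 1)
            value = (rhs + " " + value).strip()
        elif value.startswith("="):          # "Keyword = value" spelling
            value = value[1:].strip()
        key = ALIASES.get(name.lower(), name.lower())
        if key == "match":
            break
        if key in DEPRECATED:
            deprecated.append(name)
            continue
        if key in effective:                 # first value wins, as in sshd
            ignored.append((name, value))
            continue
        effective[key] = value.lower()
    return effective, deprecated, ignored


def audit(text, wanted=SERVER_WANTED):
    """Human-readable findings; an empty list means the file meets 'wanted'."""
    effective, deprecated, ignored = parse_config(text)
    findings = []
    for key, expected in wanted.items():
        got = effective.get(key)
        if got is None:
            findings.append("%s not set; relying on the compiled-in default" % key)
        elif got != expected:
            findings.append("%s is %s, expected %s" % (key, got, expected))
    for name in deprecated:
        findings.append("%s is a protocol-1-era keyword; current sshd ignores it" % name)
    for name, value in ignored:
        findings.append("later '%s %s' is ignored; sshd keeps the first value" % (name, value))
    return findings


# the protocol-1-era spelling of this section's sample
LEGACY_CONFIG = """\
# An Abbreviated SSH Server Configuration File
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes         # StrictMode checks for file permissions etc.
X11Forwarding yes
X11DisplayOffset 10
DSAAuthentication yes
RSAAuthentication no    # since it only works for PV 1.
RhostsAuthentication no
IgnoreRhosts yes        # ignor user's ~/.rhosts and ~/.shosts
"""
# constructed: the hardening line does nothing because an earlier line won
DUPLICATE_CONFIG = "PermitRootLogin yes\nPermitRootLogin no\n"
# constructed: the same intent with current keywords; passes the audit
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding yes
X11DisplayOffset 10
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("duplicate", DUPLICATE_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(label + ": " + "; ".join(audit(cfg) or ["ok"]))
```

The duplicate case is the one to remember: appending PermitRootLogin no to the bottom of a file that already says PermitRootLogin yes changes nothing, and neither sshd -t nor a restart will tell you. Check the effective value with sshd -T instead of trusting the last line you wrote.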

Client Configuration

The client side is controlled by /etc/ssh/ssh_config system-wide and by ~/.ssh/config per user. Adjust it to speak only protocol 2 and to allow X11 forwarding, as this section requires, by setting the Protocol and ForwardX11 entries. Two caveats: a global ForwardX11 yes lets any server you log in to interact with your X display, so the safer habit is ForwardX11 no here and ssh -X only for the hosts that need it; and leave StrictHostKeyChecking at ask, because that setting is what produces the host-key warning shown above (never set it to no on a machine you care about). The commented entries below show the defaults:

# An Abbreviated SSH Client Configuration File
# Protocol 1 is gone since OpenSSH 7.6; the keyword is ignored now
Protocol 2
ForwardX11 yes
#   HostbasedAuthentication no
#   PubkeyAuthentication yes
#   PasswordAuthentication yes
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_ed25519