This tutorial shows you how to modify the sshd_config file in order to configure your SSH server on the Ubuntu Server operating system.
Code used during this tutorial:
# CLI: man page
man sshd_config

# Be advised, however, if your only method of access to a server is ssh, and you make a mistake in configuring sshd via the /etc/ssh/sshd_config file, you may find you are locked out of the server upon restarting it.
# Whatever security precautions you've taken, you might want to set the logging level to VERBOSE for a week, and see how much spurious traffic you get.
# Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the default in sshd

# CLI: edit SSH config file
sudo vi /etc/ssh/sshd_config

# Specifies the port number that sshd listens on
Port 22022
# Specifies the local addresses sshd should listen on
ListenAddress 192.168.56.101

# CLI: restart SSH
sudo service ssh restart
# CLI: connect using 22022 port
ssh -p 22022 liviu@http.liviubalan.com

# CLI: host keys
ls -al /etc/ssh/ssh_host_rsa_key
sudo vi /etc/ssh/ssh_host_rsa_key
sudo vi /etc/ssh/ssh_host_dsa_key
sudo vi /etc/ssh/ssh_host_ecdsa_key
sudo vi /etc/ssh/ssh_host_ed25519_key

# Gives the facility code that is used when logging messages from sshd
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from sshd
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3
LogLevel INFO
# CLI: see SSH log
tail -f /var/log/auth.log

# Change. The server disconnects after this time (seconds) if the user has not successfully logged in
# If you set a very small value the user will not be able to log in even if he types the correct password
LoginGraceTime 60

# Change. Specifies whether root can log in using ssh
PermitRootLogin without-password
PermitRootLogin yes
PermitRootLogin no
# CLI: connect as root. Not recommended
ssh root@http.liviubalan.com

# Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login
StrictModes yes
# Specifies whether pure RSA authentication is allowed. The default is “yes”. This option applies to protocol version 1 only.
RSAAuthentication yes
# Specifies whether public key authentication is allowed. The default is “yes”. Note that this option applies to protocol version 2 only.
PubkeyAuthentication yes
# When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
PermitEmptyPasswords no
# Change. Specifies whether password authentication is allowed.
# Once this is "no", a client without a matching key is refused with: Permission denied (publickey).
PasswordAuthentication no

# CLI: login to SSH using specific key
mkdir ~/.ssh/ubuntu-vm
# -f sets the output file for the new key pair
ssh-keygen -f /home/liviu.balan/.ssh/ubuntu-vm/id_rsa
ssh-copy-id -i ~/.ssh/ubuntu-vm/id_rsa liviu@http.liviubalan.com
ssh -i ~/.ssh/ubuntu-vm/id_rsa liviu@http.liviubalan.com
ssh liviu@http.liviubalan.com

# Specifies whether X11 forwarding is permitted
X11Forwarding yes
# CLI: enables X11 forwarding
ssh -X liviu@http.liviubalan.com
# Specifies the first display number available for sshd(8)'s X11 forwarding. This prevents sshd from interfering with real X11 servers
X11DisplayOffset 10
# CLI: value of DISPLAY variable. Useful for debugging
echo $DISPLAY

# Specifies whether sshd should print /etc/motd when a user logs in interactively
PrintMotd no
# CLI: system info
landscape-sysinfo
sudo vi /etc/pam.d/sshd
# line in /etc/pam.d/sshd, commented out to disable the dynamic motd
#session optional pam_motd.so motd=/run/motd.dynamic noupdate
# Specifies whether sshd should print the date and time of the last user login when a user logs in interactively
PrintLastLog yes
# Specifies whether the system should send TCP keepalive messages to the other side
TCPKeepAlive yes
# The contents of the specified file are sent to the remote user before authentication is allowed
Banner /etc/issue.net
# Specifies what environment variables sent by the client will be copied into the session's environ
AcceptEnv LANG LC_*
# CLI: send env variable (LC_A matches LC_* in AcceptEnv)
LC_A=1 ssh liviu@http.liviubalan.com
# on the server:
echo $LC_A
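The listing above changes PermitRootLogin, PasswordAuthentication and LogLevel by hand, and warns that a mistake can lock you out. The following script is an added example (not from the original post) that reads an sshd_config file the way sshd does, taking the first occurrence of each keyword, and reports the weak settings discussed above before you restart the service. The sample config it writes is constructed; the function names (effective_value, audit_sshd_config, finding_count) are this example's own. It only handles the "Keyword value" form and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file for the
# settings discussed in the tutorial. sshd uses the FIRST occurrence of each
# keyword, so "PermitRootLogin yes" followed by "PermitRootLogin no" still
# permits root; effective_value mirrors that rule. Match blocks are ignored.

# Constructed sample config standing in for /etc/ssh/sshd_config.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample, not a real server config
Port 22022
ListenAddress 192.168.56.101
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
LogLevel INFO
EOF

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# Keywords are case-insensitive; comments and blank lines are skipped;
# nothing is printed when the keyword is not set at all.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak or missing setting.
audit_sshd_config() {
    cfg=$1

    v=$(effective_value "$cfg" PermitRootLogin)
    if [ "$v" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in directly, including with a password"
    elif [ -z "$v" ]; then
        echo "PermitRootLogin not set: the release default applies, set it explicitly"
    fi

    # PasswordAuthentication defaults to yes when it is absent.
    v=$(effective_value "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication ${v:-not set (defaults to yes)}: password logins are accepted"
    fi

    v=$(effective_value "$cfg" PermitEmptyPasswords)
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"
    fi

    v=$(effective_value "$cfg" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication no: key-based login is disabled"
    fi

    # Accepted/Failed login messages are logged at INFO; anything lower hides them.
    v=$(effective_value "$cfg" LogLevel)
    case "$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')" in
        QUIET|FATAL|ERROR)
            echo "LogLevel $v is below INFO: login successes and failures are not logged" ;;
    esac
    return 0
}

# finding_count FILE: number of findings as a single integer.
finding_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

audit_sshd_config "$SAMPLE_CONFIG"
echo "findings: $(finding_count "$SAMPLE_CONFIG")"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` from a second, already open SSH session, and only then `sudo service ssh restart`; the sample above reports two findings because the first PermitRootLogin line wins and password logins are still on.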
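The tutorial suggests raising LogLevel and watching /var/log/auth.log to see how much spurious traffic arrives. The script below is an added example (not from the original post) that summarises what that log shows: failed password attempts per source address, the addresses above a threshold, and the successful logins with their method. The log lines follow OpenSSH's own message wording, but the host, users, addresses and timestamps are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd entries in
# auth.log after LogLevel INFO or VERBOSE has been running for a while.
# The messages use OpenSSH's wording ("Failed password for ...",
# "Accepted publickey for ..."); all values in the sample are constructed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 vm sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:12:03 vm sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:12:05 vm sshd[1240]: Accepted publickey for liviu from 192.168.56.1 port 40000 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:12:07 vm sshd[1241]: Failed password for liviu from 198.51.100.7 port 40001 ssh2
Mar  3 10:12:09 vm sshd[1242]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:12:11 vm CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# failed_by_source FILE: "ADDRESS COUNT" per source of failed password
# attempts, most attempts first. Only sshd lines are considered.
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) print a, n[a] }
    ' "$1" | sort -k2,2nr -k1,1
}

# sources_over_threshold FILE N: addresses with at least N failed attempts,
# one per line, the list you would review before adding firewall rules.
sources_over_threshold() {
    failed_by_source "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

# accepted_logins FILE: "USER METHOD ADDRESS" for every successful login,
# so password logins stand out once PasswordAuthentication should be off.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") { method = $(i+1); user = $(i+3) }
            for (i = 1; i <= NF; i++) if ($i == "from") { print user, method, $(i+1); break }
        }
    ' "$1"
}

echo "failed password attempts by source:"
failed_by_source "$SAMPLE_LOG"
echo "sources with 3 or more failures:"
sources_over_threshold "$SAMPLE_LOG" 3
echo "accepted logins:"
accepted_logins "$SAMPLE_LOG"
```

On a real server replace the sample path with /var/log/auth.log (the file needs sudo to read on Ubuntu); after PasswordAuthentication is set to no, any `password` method in the accepted_logins output means the change did not take effect.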
Useful links:
http://www.thegeekstuff.com/2011/05/openssh-options/
http://ubuntuforums.org/showthread.php?t=831372
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap15sec122.html