Openssh daemon config

From wikinotes

Locations

/etc/ssh

General

sshd_config

Common Options

Port 22

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no

# IgnoreUserKnownHosts only matters for HostbasedAuthentication: with 'yes',
# sshd does not consult the user's ~/.ssh/known_hosts when deciding whether
# to trust the connecting client host, only the system-wide known_hosts.
IgnoreUserKnownHosts yes

Restricting Users

# /etc/ssh/sshd_config

# members of unix group 'sftpusers'
# are restricted to dir '/var/sftpdata/{username}'
# and are only allowed to run the 'internal-sftp' command.
# sshd requires every component of the ChrootDirectory path to be owned by
# root and not writable by any other user or group, otherwise the login fails;
# give users a writable subdirectory (e.g. /var/sftpdata/%u/upload) instead.
# A Match block extends to the next Match line or the end of the file, so
# keep global options above it.
Match Group sftpusers
    ChrootDirectory /var/sftpdata/%u
    ForceCommand internal-sftp
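An added example, not part of the original notes: a small auditor for the sshd_config format used in the Common Options and Restricting Users snippets above. It parses the global section plus Match blocks, applies sshd's "first obtained value wins" rule, and reports any option whose effective value differs from the hardened settings the notes recommend. Which Match blocks apply to a connection is supplied by the caller here (real sshd evaluates User/Group/Address criteria itself; compare with `sshd -T -C user=NAME,addr=IP` on a live server); the sample config is constructed.

```python
import re
# Hardened values recommended in the notes above (keyword -> expected value).
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "permitemptypasswords": "no"}

# Constructed sample sshd_config for this demonstration, not a real server's file.
SAMPLE_CONFIG = """\
PermitRootLogin yes            # weak
PermitRootLogin no             # ignored by sshd: first obtained value wins
PasswordAuthentication no
PermitEmptyPasswords no
Match Group sftpusers
    ChrootDirectory /var/sftpdata/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes # weakens members of sftpusers only
"""

def parse_sshd_config(text):
    """Return {scope: {keyword: first value}}; scope is 'global' before the first
    Match line, afterwards the Match criteria. Keywords are case-insensitive."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scope = value
            scopes.setdefault(scope, {})
        else:
            scopes[scope].setdefault(key, value)  # first obtained value wins
    return scopes

def effective_options(scopes, matched=()):
    """Options a connection sees when the Match blocks named in `matched` apply:
    Match values override global ones; the first applicable block wins per keyword."""
    effective, seen = dict(scopes["global"]), set()
    for scope, opts in scopes.items():  # dict preserves file order
        if scope != "global" and scope in matched:
            for key, value in opts.items():
                if key not in seen:
                    effective[key] = value
                    seen.add(key)
    return effective

def audit(text, matched=()):
    """List options whose effective value differs from EXPECTED."""
    eff = effective_options(parse_sshd_config(text), matched)
    return [f"{key}: got {eff.get(key, '<unset>')!r}, expected {want!r}"
            for key, want in EXPECTED.items()
            if eff.get(key, "").lower() != want]
```

Running `audit(SAMPLE_CONFIG, matched=("Group sftpusers",))` reports both the global PermitRootLogin and the Match-scoped PasswordAuthentication override; without `matched`, only the former.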

host keys

Generated when SSH is installed; its public key is sent to the client, which uses it to verify the host's identity and set up the encrypted session with it.
A unique host key should be used for every server install, so that no two servers present the same identity.

Cygwin

Autostarting openssh in cygwin on windows:

# Pre Setup Tasks
chmod +r /etc/passwd
chmod +r /etc/group
chmod 555 /var
# From an ADMINISTRATOR cmd, start cygwin
ssh-host-config                   # deal with warnings (you do NOT want privilege separation; see troubleshooting below)
ssh-user-config                   # generate all user keys
chmod +rx /bin/bash               # bash must be executable
cygrunsrv -S sshd                 # start the sshd service to test openssh
# Troubleshooting
# ===============

# if cygwin is not starting, or crashing, you can check the logs in
# /var/log/sshd.log

# make sure your user has a password (in cygwin):
#    passwd <username>    # eg. passwd will

# if your user doesn't have a passwd entry, make one with
#    mkpasswd -l >> /etc/passwd

# cygwin's openSSH requires that the account is an administrator
# and that the windows user has a password in order for a user to login.
# (at least this is what is documented, I have reasons to doubt this)

# **NOTE**
# DESPITE THE FACT THAT WINDOWS DOESN'T DISTINGUISH BETWEEN UPPER AND LOWER CASE
# CYGWIN DOES. IF YOUR WINDOWS USER ACCOUNT HAS CAPITAL LETTERS, THE ENTRY IN
# /etc/passwd WILL ALSO HAVE CAPITALS. THIS WILL DENY YOUR LOGIN ATTEMPTS.
# ALSO, DESPITE WHAT IS SAID ON THE INTERNET/DOCUMENTATION, CYGWIN DOES NOT USE
# YOUR WINDOWS USER CREDENTIALS, AND INSTEAD USES THE CYGWIN PASSWD ENTRIES.

# make sure that bash is executable
# test if you can login as cyg_server@localhost. If that's working, then
# perhaps you should run ssh-host-config again without the privileged user
# separation. It's only windows after all... if someone really wants in...

# openSSH will start automatically on the next windows boot (using windows services).