Openssh daemon config: Difference between revisions
From wikinotes
No edit summary |
No edit summary |
||
| Line 8: | Line 8: | ||
</blockquote><!-- Locations --> | </blockquote><!-- Locations --> | ||
= | = General = | ||
<blockquote> | <blockquote> | ||
== Common Options == | == sshd_config == | ||
<blockquote> | |||
=== Common Options === | |||
<blockquote> | <blockquote> | ||
<source lang="bash"> | <source lang="bash"> | ||
| Line 25: | Line 27: | ||
</blockquote><!-- common options --> | </blockquote><!-- common options --> | ||
== Restricting Users == | === Restricting Users === | ||
<blockquote> | <blockquote> | ||
<source lang="bash"> | <source lang="bash"> | ||
| Line 40: | Line 42: | ||
</blockquote><!-- sshd_config --> | </blockquote><!-- sshd_config --> | ||
= host keys = | == host keys == | ||
<blockquote> | <blockquote> | ||
Generated on SSH install, it's pubkey sent to client so it can encrypt data for host.<br> | Generated on SSH install, it's pubkey sent to client so it can encrypt data for host.<br> | ||
A unique host key should be used for every server install. | A unique host key should be used for every server install. | ||
</blockquote><!-- host keys --> | </blockquote><!-- host keys --> | ||
</blockquote><!-- General --> | |||
= Cygwin = | |||
<blockquote> | |||
Autostarting openssh in cygwin on windows: | |||
<syntaxhighlight lang="bash"> | |||
# Pre Setup Tasks | |||
chmod +r /etc/passwd | |||
chmod +r /etc/groups | |||
chmod 555 /var | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# From an ADMINISTRATOR cmd, start cygwin | |||
ssh-host-config # deal with warnings (YOU DO NOT WANT SEPARATED AUTHENTICATION) | |||
ssh-user-config # generate all user keys | |||
chmod +rx /bin/bash # bash must be executable | |||
cygrunsrv -S sshd # test openssh | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# Troubleshooting | |||
# =============== | |||
# if cygwin is not starting, or crashing, you can check the logs in | |||
# /var/log/sshd.log | |||
# make sure your user has a password (in cygwin): | |||
# passwd will | |||
# if your user doesn't have a passwd entry, make one with | |||
# mkpasswd -l >> /etc/passwd | |||
# cygwin's openSSH requires that the account is an administrator | |||
# and that the windows user has a password in order for a user to login. | |||
# (at least this is what is documented, I have reasons to doubt this) | |||
# **NOTE** | |||
# DESPITE THE FACT THAT WINDOWS DOESN'T DISTINGUISH BETWEEN UPPER AND LOWER CASE | |||
# CYGWIN DOES. IF YOUR WINDOWS USER ACCOUNT HAS CAPITAL LETTERS, THE ENTRY IN | |||
# /etc/passwd WILL ALSO HAVE CAPITALS. THIS WILL DENY YOUR LOGIN ATTEMPTS. | |||
# ALSO, DESPITE WHAT IS SAID ON THE INTERNET/DOCUMENTATION, CYGWIN DOES NOT USE | |||
# YOUR WINDOWS USER CREDENTIALS, AND INSTEAD USES THE CYGWIN PASSWD ENTRIES. | |||
# make sure that bash is executable | |||
# test if you can login as cyg_server@localhost. If that's working, then | |||
# perhaps you should run ssh-host-config again without the privileged user | |||
# separation. It's only windows after all... if someone really wants in... | |||
##openSSH will start automatically on the next windows boot. (using windows services) | |||
</syntaxhighlight> | |||
</blockquote><!-- Cygwin --> | |||
Latest revision as of 01:50, 2 July 2022
Locations
/etc/ssh
General
sshd_config
Common Options
Port 22 PermitRootLogin no PasswordAuthentication no PermitEmptyPasswords no # if user is authenticated, do not prevent them from accessing # if their ip addr has changed since last time. IgnoreUserKnownHosts yesRestricting Users
# /etc/ssh/sshd_config # members of unix group 'sftpusers' # are restricted to dir '/var/sftpdata/{username}' # and are only allowed to run 'internal-sftp' command Match Group sftpusers ChrootDirectory /var/sftpdata/%u ForceCommand internal-sftphost keys
Generated on SSH install, it's pubkey sent to client so it can encrypt data for host.
A unique host key should be used for every server install.
Cygwin
Autostarting openssh in cygwin on windows:
# Pre Setup Tasks chmod +r /etc/passwd chmod +r /etc/groups chmod 555 /var# From an ADMINISTRATOR cmd, start cygwin ssh-host-config # deal with warnings (YOU DO NOT WANT SEPARATED AUTHENTICATION) ssh-user-config # generate all user keys chmod +rx /bin/bash # bash must be executable cygrunsrv -S sshd # test openssh# Troubleshooting # =============== # if cygwin is not starting, or crashing, you can check the logs in # /var/log/sshd.log # make sure your user has a password (in cygwin): # passwd will # if your user doesn't have a passwd entry, make one with # mkpasswd -l >> /etc/passwd # cygwin's openSSH requires that the account is an administrator # and that the windows user has a password in order for a user to login. # (at least this is what is documented, I have reasons to doubt this) # **NOTE** # DESPITE THE FACT THAT WINDOWS DOESN'T DISTINGUISH BETWEEN UPPER AND LOWER CASE # CYGWIN DOES. IF YOUR WINDOWS USER ACCOUNT HAS CAPITAL LETTERS, THE ENTRY IN # /etc/passwd WILL ALSO HAVE CAPITALS. THIS WILL DENY YOUR LOGIN ATTEMPTS. # ALSO, DESPITE WHAT IS SAID ON THE INTERNET/DOCUMENTATION, CYGWIN DOES NOT USE # YOUR WINDOWS USER CREDENTIALS, AND INSTEAD USES THE CYGWIN PASSWD ENTRIES. # make sure that bash is executable # test if you can login as cyg_server@localhost. If that's working, then # perhaps you should run ssh-host-config again without the privileged user # separation. It's only windows after all... if someone really wants in... ##openSSH will start automatically on the next windows boot. (using windows services)
