an introduction to openssh part 5 — config files

Well, the ultimate way to tweak a program (besides modifying the source)
is to edit its configuration file. That is what we are going to talk about
in this part.

There are two kinds of config file for OpenSSH: one for the server side
and one for the client side.

- For the server side

The server side configuration file is usually /etc/ssh/sshd_config, no
matter whether you are using SSH1 or SSH2, or running a server that
supports both.

“PermitRootLogin” specifies whether root can log in through SSH. Many
Linux distros set this to “yes” by default, and this is really not a
good idea from a security point of view. Imagine root logging in with
a password while someone is listening…. It is more secure to set this
to “no” and ask users with enough privilege to “su” to root. Another
choice is to use “without-password” for this option, so root can only
log in remotely through key based SSH.

“PasswordAuthentication” is the option to set if you want everyone to
use key based authentication. Set this to “no” if you really care
about security. If you have been a system administrator for some time,
you may already have seen logs like this:

Jun  4 03:21:11 readonline sshd[59427]: Invalid user admin from 201.6.xx.xx
Jun  4 03:21:19 readonline sshd[59429]: Invalid user test from 201.6.xx.xx
Jun  4 10:08:07 readonline sshd[8791]: Invalid user andrew from 210.53.xx.xx

This is someone trying to find a user on your system with a weak
password. If you allow password based authentication, then there is a
chance they find one and break into your system. Also note that many
of the machines running this scan are not owned by the crackers
themselves; they are just machines with weak points that were cracked
by the crackers.
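Log lines like the ones above are the thing to watch for in the first place. The following script is an added example (not part of the original post): it parses sshd “Invalid user” messages and groups them per source address, flagging any source that tries several different usernames. The sample log is the three lines from the post, with their masked addresses kept as-is; the threshold of two distinct usernames is an assumption for the demo.

```python
import re
from collections import defaultdict

# Sample syslog lines copied from the post above. The source addresses are
# masked with "xx" there, and stay masked here (constructed sample input).
SAMPLE_LOG = """\
Jun  4 03:21:11 readonline sshd[59427]: Invalid user admin from 201.6.xx.xx
Jun  4 03:21:19 readonline sshd[59429]: Invalid user test from 201.6.xx.xx
Jun  4 10:08:07 readonline sshd[8791]: Invalid user andrew from 210.53.xx.xx
"""

# Matches the "Invalid user <name> from <source>" message sshd logs when a
# login is attempted for an account that does not exist on the system.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)


def parse_invalid_users(log_text):
    """Return a list of (timestamp, user, source) for each 'Invalid user' line."""
    hits = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user"), m.group("src")))
    return hits


def summarize_by_source(hits):
    """Group attempts per source address: attempt count and distinct usernames tried."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": []})
    for _ts, user, src in hits:
        per_src[src]["attempts"] += 1
        if user not in per_src[src]["users"]:
            per_src[src]["users"].append(user)
    return dict(per_src)


def flag_scanners(summary, threshold=2):
    """Sources that tried at least `threshold` distinct usernames (assumed cut-off)."""
    return sorted(src for src, info in summary.items()
                  if len(info["users"]) >= threshold)


if __name__ == "__main__":
    summary = summarize_by_source(parse_invalid_users(SAMPLE_LOG))
    for src, info in summary.items():
        print(f"{src}: {info['attempts']} attempts, users tried: "
              f"{', '.join(info['users'])}")
    print("probable username scanners:", flag_scanners(summary))
```

On a real system you would feed it /var/log/auth.log (or wherever syslog puts sshd messages) instead of the embedded sample; with PasswordAuthentication set to “no”, these guesses cannot succeed, but the log still tells you who is knocking.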

Usually setting the above two options is good enough. If you really
care about security, you can set “AllowUsers”, “DenyUsers”,
“AllowGroups”, and “DenyGroups” to say which users/groups are
allowed/not allowed to log in remotely via ssh. The directives are
checked in the order DenyUsers, AllowUsers, DenyGroups, and
AllowGroups. The first rule matched will be effective. As you can
see, the order is carefully chosen to get the most security.
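To make the server side rules concrete, here is an added example (my own code, not from the post or from OpenSSH): a small checker that reads an sshd_config fragment the way sshd does (the first value given for a keyword wins, later duplicates are ignored), reports the two weak settings discussed above, and applies DenyUsers, AllowUsers, DenyGroups and AllowGroups in the stated order. Two things the example makes explicit: the Allow lists act as whitelists (not matching them is a denial) while the Deny lists are blacklists, so a user must pass all four tests; and sshd patterns may also take the form USER@HOST, which this simplified matcher does not handle. Both config fragments are constructed for the demo. In current OpenSSH releases “without-password” is accepted as an alias for the newer spelling “prohibit-password”.

```python
import fnmatch
import re

# Constructed sshd_config fragment (not from any real host). The duplicated
# PasswordAuthentication line shows that sshd keeps the FIRST value it reads.
WEAK_SSHD_CONFIG = """\
# constructed example: the weak defaults discussed in the post
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# this later line is ignored by sshd, the first value above already won
PasswordAuthentication no
"""

# Constructed hardened fragment: root only with keys, no passwords, and the
# four Allow/Deny lists (user and group names are made up for the demo).
HARDENED_SSHD_CONFIG = """\
PermitRootLogin without-password
PasswordAuthentication no
DenyUsers guest
AllowUsers dryice admin
DenyGroups contractors
AllowGroups sshusers wheel
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values; first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        values = parts[1].split() if len(parts) > 1 else []
        settings.setdefault(key, values)                 # keep the first value only
    return settings


def audit(settings):
    """Findings for the two options the post singles out."""
    findings = []
    for key, label in (("permitrootlogin", "PermitRootLogin"),
                       ("passwordauthentication", "PasswordAuthentication")):
        if key not in settings:
            findings.append(f"{label} not set: effective value is the compiled-in "
                            f"default of your OpenSSH version, set it explicitly")
        elif settings[key][0].lower() == "yes":
            findings.append(f"{label} yes: password logins are possible")
    return findings


def _matches(patterns, name):
    """Plain glob match (USER@HOST patterns are not supported in this demo)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def login_allowed(settings, user, groups):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in sshd's order.

    Returns (allowed, reason). Deny lists reject on match; Allow lists, when
    present, reject on NO match, so a user has to pass all four checks.
    """
    if _matches(settings.get("denyusers", []), user):
        return False, "matched DenyUsers"
    allow_users = settings.get("allowusers", [])
    if allow_users and not _matches(allow_users, user):
        return False, "not listed in AllowUsers"
    if any(_matches(settings.get("denygroups", []), g) for g in groups):
        return False, "a group matched DenyGroups"
    allow_groups = settings.get("allowgroups", [])
    if allow_groups and not any(_matches(allow_groups, g) for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "passed all four checks"


if __name__ == "__main__":
    print("weak config:", audit(parse_sshd_config(WEAK_SSHD_CONFIG)))
    hard = parse_sshd_config(HARDENED_SSHD_CONFIG)
    print("hardened config:", audit(hard))
    for user, groups in (("dryice", ["sshusers"]), ("guest", ["sshusers"]),
                         ("admin", ["contractors", "sshusers"]), ("bob", ["wheel"])):
        print(user, groups, "->", login_allowed(hard, user, groups))
```

The real check is of course `sshd -T`, which prints the effective value of every option after sshd has parsed the file; the script above is only there to show the parsing and ordering rules in isolation.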

- The client side

As with most Unix command line programs, there are two client side
configuration files: /etc/ssh/ssh_config as the system wide file, and
~/.ssh/config as the personal file; the latter takes precedence if the
same setting is in both files. And of course, the command line
arguments take the highest precedence.

“Host” marks the start of a section. All the settings after a “Host”
line apply to that host only, until the next “Host” option. If you
want some global settings, you can put them before the first “Host”
option or after a “Host *” statement.

“HostName” specifies the real host name, and “User” specifies the
user name on the remote machine.

Using the three options above can save a lot of typing. Say my user
name is “ddliu” on my desktop, and on some servers my user name is
“dryice”. Normally I would do

ssh the-long-remote-machine-name.com -l dryice

to log on to that machine. Note the “-l” option is used to specify a
user name other than the one on my local machine. It is boring to
type that long line every time.

If I have

Host lrm
HostName the-long-remote-machine-name.com
User dryice

in my ~/.ssh/config file, I can just use

ssh lrm

to get there. Much simpler :)

Sometimes the network connection is not stable. Like me using ADSL at
home, the connection goes up and down sometimes, and whenever this
happens my ssh session goes down. Besides having to re-connect to the
remote machine, if I am not using screen my work will be lost.

The two options “ServerAliveInterval” and “ServerAliveCountMax” are
for this condition. The former specifies a time interval, in seconds.
If the ssh client has not got data from the server for this long, it
will send a message to the server to request a response. The second
one, “ServerAliveCountMax”, is a threshold: if the client sends this
many requests to the server and does not get a single reply, it will
end the session. The default is 3.

So having something like

ServerAliveInterval 5
ServerAliveCountMax 1000

will keep me online all day.

Please note the following when using these options:

  1. They are for SSH2 only, so they have no effect if you are using
    SSH1.
  2. The default value of “ServerAliveInterval” is 0, which means no
    message will be sent. So you can’t use “ServerAliveCountMax” by
    itself.
  3. The ssh server side could terminate the session too if it doesn’t
    get any data from the client for a long time. So you may want to
    set “ServerAliveInterval” small enough, but not too small to bother
    the server and waste bandwidth. Normally 5 seconds is a good
    choice.
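The following is an added example covering both the “Host lrm” alias above and the keepalive notes just listed (my own code, not from the post or from OpenSSH). It parses a constructed ~/.ssh/config into Host sections, resolves the settings for a given host the way ssh does (the first value obtained for a keyword wins, so a “Host *” section has to come after the host-specific ones or it overrides them), and then works out how long the client will wait on a silent server: ServerAliveInterval times ServerAliveCountMax, or no timeout at all while the interval is still at its default of 0. Host patterns are matched as globs with a leading “!” negating a pattern; the host names other than the post’s lrm alias are made up.

```python
import fnmatch
import re

# Constructed ~/.ssh/config (not from any real machine): the "lrm" alias from
# the post, a second host that turns keepalives off for itself, and a trailing
# "Host *" section carrying the global keepalive settings.
SAMPLE_SSH_CONFIG = """\
Host lrm
    HostName the-long-remote-machine-name.com
    User dryice

Host build
    HostName build.example.com
    ServerAliveInterval 0

Host *
    ServerAliveInterval 5
    ServerAliveCountMax 1000
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Settings before the first Host line land in a section with pattern '*'.
    """
    sections = []
    patterns, settings = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            sections.append((patterns, settings))
            patterns, settings = value.split(), {}
        else:
            settings.setdefault(key, value)              # first value within a section wins
    sections.append((patterns, settings))
    return sections


def _host_matches(patterns, host):
    """Glob match; a matching negated ('!') pattern makes the whole Host line skip."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(host, p[1:]):
                return False
        elif fnmatch.fnmatchcase(host, p):
            matched = True
    return matched


def resolve(sections, host):
    """Settings ssh would use for `host`: first obtained value per keyword wins."""
    resolved = {"host": host}
    for patterns, settings in sections:
        if _host_matches(patterns, host):
            for key, value in settings.items():
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", host)   # no HostName given: the alias is the host
    return resolved


def keepalive_timeout(resolved):
    """Seconds of server silence before ssh drops the session, or None if probes are off.

    ServerAliveInterval defaults to 0 (no probes, so CountMax alone does nothing);
    ServerAliveCountMax defaults to 3.
    """
    interval = int(resolved.get("serveraliveinterval", 0))
    count = int(resolved.get("serveralivecountmax", 3))
    return None if interval == 0 else interval * count


if __name__ == "__main__":
    sections = parse_ssh_config(SAMPLE_SSH_CONFIG)
    for host in ("lrm", "build", "unlisted.example.org"):
        r = resolve(sections, host)
        print(f"ssh {host} -> {r.get('user', '<local user>')}@{r['hostname']}, "
              f"gives up after {keepalive_timeout(r)} s of silence")
```

With the sample file, “ssh lrm” resolves to dryice@the-long-remote-machine-name.com with a 5000 second tolerance for a silent server (5 × 1000, the values from the post), while “build” keeps its own ServerAliveInterval 0 because its section comes before “Host *”. Move the “Host *” section to the top and “build” would silently pick up the global interval instead.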

Well, we have just talked about the most commonly used options here. The
most accurate documentation is of course the sshd_config(5) and
ssh_config(5) man pages. So go ahead and dive into the documentation if
you want to really master OpenSSH. It will be worth it.
