LinuxQuestions.org
Forum: Linux - General
#1  04-24-2002, 06:48 PM  glock19 (Member; Distribution: Debian Etch)

sshd configuration

Can anyone give a quick step-by-step review on how to setup ssh on my network?

I have a server running the sshd (Red Hat 7.2), but I'm not sure what commands to execute to generate keys.

Also, what commands need to be executed on the client side in order to communicate with the sshd server?

#2  04-24-2002, 06:57 PM  finegan (LQ Guru; Dublin, Ireland; Distribution: Slackware)

If you have the ssh server running on the RH7.2 machine, it generated the keys the first time you booted it. To log into it from one of the clients, assuming the others are *Nix machines and have the client on them:

ssh username@192.168.0.1 (this is assuming that the ssh machine doesn't have a real domain name... sub in whatever IP you gave it. If you give the machine an entry in /etc/hosts, you can use that instead.)

If the clients are winboxen, and you don't have an ssh client, plug "putty" into google and take the first hit.

Cheers,

Finegan

#3  04-24-2002, 07:12 PM  glock19 (Original Poster)

This is what I get:

Code:
[jwp@space jwp]$ ssh root@192.168.168.251
The authenticity of host '192.168.168.251 (192.168.168.251)' can't be established.
RSA key fingerprint is fa:69:cd:82:7d:93:c6:56:4d:b9:fc:9d:8a:e6:05:eb.
Are you sure you want to continue connecting (yes/no)?

What does that mean? Should I continue?

#4  04-24-2002, 07:17 PM  finegan

Yes, that's the key exchange. It'll be stored in a file called .ssh/known_hosts or known_hosts2 and compared every time you make the connection. Therefore if the key ever changes suddenly, you would know that you are not actually connecting to the machine you want to.

That would make more sense if you imagine that the ssh server is a machine out there in the world.

Yes, it will only ask that one time.

Cheers,

Finegan

#5  04-24-2002, 07:31 PM  glock19 (Original Poster)

Ok that worked. But, how does that make things secure?

Now anyone can just ssh onto my server willy nilly?

#6  04-24-2002, 08:14 PM  Dave_bsr (LQ Newbie; Michigan (msu); Distribution: mandrake)

SSH and anyone logging in

SSH checks user name and password, so if you don't have a password on a certain account and someone tries to connect on that account, yes, of course they can log in. Otherwise you are secure. The reason for SSH is that it encrypts data being sent, so that no one can read it. Telnet, as I understand it, was the precursor to this sort of thing, and it sent passwords as plain text so that just about anyone could get the passwords, which was unfortunate. SSH is not vulnerable to this.
Essentially, now you are as secure as your system's passwords and accounts are. Don't have dictionary passwords (normal words like car and sandwich; use snDwch8X as it is harder to guess), and change them every so often, and you will be fine.

#7  04-24-2002, 08:18 PM  finegan

The keys are more for the client's protection; if they don't match, the client will refuse to finish the connection. For instance, if someone hijacks the domain you're ssh'ing into, but doesn't have the key... you get a warning about that and the ssh client spams your screen about a "man in the middle attack". Also once you have that key on your side, no information travelling between the client and the server is ever un-encrypted. That's really the whole point. Of course anyone can ssh to your machine willy-nilly, but without a password what can they do?

Cheers,

Finegan
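The known_hosts behaviour described in posts #4 and #7, as an added example that is not part of the thread and not OpenSSH's own code: a small model of the client-side host key check. An unknown host prompts and is recorded once; a known host presenting the same key is accepted silently; a known host presenting a different key is refused (the "man in the middle" warning). It also prints fingerprints in the legacy MD5 colon-hex form seen in post #3 and in the modern SHA256 form, and it understands HashKnownHosts-style hashed entries as well as plain ones. All keys, host names and known_hosts lines below are constructed for the example; the RSA blobs carry toy moduli, not real keys.

```python
"""Added example, not code from the thread: what the client does with
~/.ssh/known_hosts on every connection (posts #4 and #7).

Unknown host -> show fingerprint and ask (trust on first use, recorded once);
known host with the same key -> silent accept; known host with a different
key -> refuse (the "man in the middle" warning). Fingerprints are shown in the
legacy MD5 colon-hex form seen in post #3 and the modern SHA256 form.
All keys, hosts and known_hosts lines here are constructed for the example.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def fake_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob. Toy modulus, constructed, not a real key."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as colon-separated hex."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_matches(field: str, host: str) -> bool:
    """Match the known_hosts host field (comma list, or a HashKnownHosts '|1|salt|mac' entry)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def lookup(known_hosts: str, host: str, keytype: str) -> Optional[bytes]:
    """Return the stored key blob for (host, keytype), or None when there is no entry."""
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments; @cert-authority/@revoked markers are not modelled here
        hosts, ktype, key_b64 = line.split()[:3]
        if ktype == keytype and host_matches(hosts, host):
            return base64.b64decode(key_b64)
    return None


def check_host_key(known_hosts: str, host: str, keytype: str, presented: bytes) -> str:
    """Client-side verdict on the key the server presented: 'new', 'match' or 'MISMATCH'."""
    stored = lookup(known_hosts, host, keytype)
    if stored is None:
        return "new"       # prompt "Are you sure you want to continue connecting?" and record it
    if hmac.compare_digest(stored, presented):
        return "match"     # silent; this is why it only asks the one time
    return "MISMATCH"      # "REMOTE HOST IDENTIFICATION HAS CHANGED!": do not continue


def hashed_entry(host: str, keytype: str, blob: bytes, salt: bytes) -> str:
    """Build a HashKnownHosts-style line: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s %s" % (base64.b64encode(salt).decode(),
                               base64.b64encode(mac).decode(),
                               keytype, base64.b64encode(blob).decode())


# Constructed data: the server's real key and a key an impostor might present.
SERVER_KEY = fake_rsa_blob(65537, 0xC0FFEE1234567891)
IMPOSTOR_KEY = fake_rsa_blob(65537, 0xBADC0DEBADC0DE11)

KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "192.168.168.251 ssh-rsa " + base64.b64encode(SERVER_KEY).decode(),
    hashed_entry("space.example", "ssh-rsa", SERVER_KEY, b"\x01" * 20),
])

if __name__ == "__main__":
    print("MD5    ", fingerprint_md5(SERVER_KEY))
    print("SHA256 ", fingerprint_sha256(SERVER_KEY))
    for host, key in [("192.168.168.250", SERVER_KEY), ("192.168.168.251", SERVER_KEY),
                      ("space.example", SERVER_KEY), ("192.168.168.251", IMPOSTOR_KEY)]:
        print(f"{host:<16} -> {check_host_key(KNOWN_HOSTS, host, 'ssh-rsa', key)}")
```

The practical point for the OP's situation: the fingerprint printed at the "Are you sure" prompt is the one moment to compare against what the server itself reports (run `ssh-keygen -lf` on the server's host public key in /etc/ssh), because after "yes" the client will never ask again for that host unless the key changes. The MISMATCH branch is the case to take seriously: a reinstalled server regenerates its host key, but so does an impostor on the same address, and the client cannot tell the two apart.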

#8  04-24-2002, 08:21 PM  glock19 (Original Poster)

So, in this case, I am relying on the strength of my server's user accounts and passwords.

But, I don't want to allow anyone from the Internet even the ability to reach a login prompt on my server.

The last time I did ssh, I had to copy the server's public key to each client that I wanted to grant access to. And for all the clients that I didn't copy the public key to, they simply could not even reach a login prompt.

How do I make it like this?

#9  04-24-2002, 08:26 PM  finegan

A better way may be to bind the ssh server to your Class C 192 address, so unless you are port forwarding 22 somewhere from the NAT box (which I highly doubt), then 22 is never exposed to the outside world. In RedHat the init script is probably (I run Slack mostly), /etc/init.d/sshd and should bind by default to 0.0.0.0 or 127.0.0.1.

Cheers,

Finegan

#10  04-25-2002, 11:41 AM  glock19 (Original Poster)

Does anyone know how to bind my ssh server to my private internal 192.168.168.0 network?

#11  04-25-2002, 03:09 PM  finegan

Locate a file called sshd_config, probably in /etc/sshd. It's read every time the daemon starts. One of the first lines in it is ListenAddress, and by default it's commented out. Try binding it to the class C, and then try to ssh into the machine from the outside world through its public IP. Also, if you don't know about this toy already, you may want to try nmap to check your network to see if it's running anything it shouldn't be.

Sorry, I didn't have access to a Linux box yesterday to poke around.

Cheers,

Finegan

#12  04-25-2002, 03:14 PM  glock19 (Original Poster)

Ok, I uncommented that line. Now it looks like this:

Code:
ListenAddress 192.168.168.0

But when I try to connect from any machine on my private internal network, it says "Secure connection refused".

#13  04-25-2002, 03:26 PM  finegan

That's the broadcast address, you need to bind it to the exact specific address. I think you were using 192.168.168.251?

Cheers,

Finegan

#14  04-25-2002, 03:31 PM  glock19 (Original Poster)

Well actually the broadcast address for my network is 192.168.168.255.

192.168.168.0 is the network, since the netmask is 255.255.255.0.

But if I put in 192.168.168.251 into the sshd config file, how does it know what network I am on? For example, my netmask could be anything like 255.255.255.192. It seems to be assuming that my netmask is 255.255.255.0 (correctly in this case).

Anyhow, it worked. Thanks.
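The ListenAddress question in posts #12 to #14, as an added example that is not part of the thread and not OpenSSH's own code. The answer to "how does it know what network I am on?" is that sshd does not know and does not need to: ListenAddress is handed to bind(2), which succeeds only for an address the kernel has already assigned to a local interface. The netmask lives on the interface, not in sshd_config. The network address (192.168.168.0 under /24) and the broadcast address (192.168.168.255) are never assigned to an interface, so the bind fails, nothing listens, and clients see "connection refused"; 192.168.168.251 works because eth0 owns it, and 0.0.0.0 means every interface. The interface table below is constructed for the example to match the thread's addresses; `try_bind` performs a real bind on the local machine and is only exercised on loopback.

```python
"""Added example, not from the thread: why "ListenAddress 192.168.168.0" fails
while "ListenAddress 192.168.168.251" works (posts #12 to #14).

sshd passes ListenAddress to bind(2). bind() needs an address the kernel has
assigned to an interface; the netmask is the interface's business, not sshd's.
The interface table is constructed for the example.
"""
import errno
import ipaddress
import socket
from typing import Dict, Optional, Tuple

# Constructed: what `ip addr` would show on the OP's server.
LOCAL_INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "lo": ipaddress.ip_interface("127.0.0.1/8"),
    "eth0": ipaddress.ip_interface("192.168.168.251/24"),
}


def classify(addr: str, iface: ipaddress.IPv4Interface) -> str:
    """Describe addr relative to one interface and say whether bind() can succeed on it."""
    ip = ipaddress.ip_address(addr)
    net = iface.network
    if ip == iface.ip:
        return "host address of this interface (bindable)"
    if ip == net.network_address:
        return "network address (never assigned to an interface; bind fails)"
    if ip == net.broadcast_address:
        return "broadcast address (never assigned to an interface; bind fails)"
    if ip in net:
        return "on this subnet but belongs to another host (bind fails here)"
    return "not on this subnet"


def listen_address_is_bindable(addr: str,
                               interfaces: Dict[str, ipaddress.IPv4Interface] = LOCAL_INTERFACES) -> bool:
    """Mirror the bind() rule: 0.0.0.0 (all interfaces) or an address some interface owns."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return True
    return any(ip == iface.ip for iface in interfaces.values())


def parse_listen_address(value: str, default_port: int = 22) -> Tuple[str, int]:
    """Parse the sshd_config forms: 'host', 'host:port' and '[host]:port'."""
    value = value.strip()
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
        return host, int(port) if port else default_port
    if value.count(":") == 1:          # IPv4 host:port; a bare IPv6 address has more colons
        host, port = value.split(":")
        return host, int(port)
    return value, default_port


def try_bind(addr: str, port: int = 0) -> Optional[str]:
    """Really call bind(); None on success, otherwise the errno name (e.g. EADDRNOTAVAIL)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    eth0 = LOCAL_INTERFACES["eth0"]
    for candidate in ["192.168.168.0", "192.168.168.251", "192.168.168.255",
                      "192.168.168.250", "0.0.0.0", "[192.168.168.251]:2222"]:
        host, port = parse_listen_address(candidate)
        print(f"ListenAddress {candidate:<24} port {port:<5} "
              f"{classify(host, eth0)}; bindable={listen_address_is_bindable(host)}")
    # Live check on an address this machine certainly owns.
    print("bind 127.0.0.1 ->", try_bind("127.0.0.1") or "ok")
```

After editing sshd_config and restarting the daemon, confirm what it actually bound with `ss -ltn` (or `netstat -ltn` on a 2002-era box): a line ending in `0.0.0.0:22` means every interface, `192.168.168.251:22` means only the internal address, and no `:22` line at all means the bind failed and the log will say why. Binding to the internal address keeps port 22 off the public interface, but it is not a substitute for host-based restrictions on who may log in.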