Old 06-07-2011, 10:31 PM   #1
tallship
Short tut on ssh keys and sshd config - checks for accuracy?


Hey I just finished my third edit of an article/tutorial I wrote on setting up RSA keys in OpenSSH and configuring SSHD to be a bit more secure than a fresh out of the box install.

I also removed any derogatories about sudu Linux that might have been there

Anyway, since it's kind of a big deal for anyone who uses it, and could potentially lock them out of their boxes I'd appreciate any comments related to the accuracy of the instructions, if you don't mind

http://bit.ly/setup_ssh

Kindest regards,
 
Old 06-08-2011, 06:05 AM   #2
audriusk
Nice tutorial, found some useful bits. Thanks for sharing.

One thing I'd warn about is to be careful when changing the sshd port in case there's a firewall enabled which blocks non-default ports. It's very easy to lock yourself out of the machine.
 
Old 06-08-2011, 07:17 AM   #3
tallship

Quote:
Originally Posted by audriusk
One thing I'd warn about...
Hey thanks for bringing that up!

I added:

Quote:
With consideration to any rules you may need to adjust on firewalls between your workstation and the remote host, you can generally choose...
 
1 members found this post helpful.
Old 06-08-2011, 08:07 AM   #4
tronayne
Nice job.

Not a biggie, but you may want to look at
Code:
First, joeuser logs on to localbox, and then he creates the RSA key/pair:

joeuser@localbox:~$ ssh-keygen -b 2048 -t rsa

Remember to create your passphrase. If you insist on having an empty passphrase, then use the following when creating your keys or just hit enter when asked to provide one using the command above:

ssh-keygen -b 1024 -t dsa -f id_dsa -P ''

Note that in the second example, we chose to create DSA keys, while in the first example, we created RSA keys for SSH protocol version 2.

Let's get a rundown on what's occurred so far.

The -b flag sets the length of the keys to 1,024-bits.
-t indicates to use the DSA hashing algorithm.
-f sets the file name as id_dsa.
-P '' sets the private key password to be null.
Perhaps,
Code:
The -b flag in the first example sets the length of the keys to 2048 bits and in the second to 1024 bits.
Maybe a little confusing if somebody doesn't read it closely (or maybe does, eh?).

A Trick Learned During a Wasted Youth -- you can, on a user-by-user basis, use a ~/.ssh/config file to set options: on the host named fubar
Code:
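# Per-host settings; ssh uses the first value it obtains for each option
Host pita
    #ForwardAgent yes
    ForwardX11 yes
    Compression yes
    # "2,1" permits fallback to SSH protocol 1, which is obsolete and
    # no longer supported by current OpenSSH releases
    Protocol 2,1
    User <username>

Host snafu
    #ForwardAgent yes
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User <username>

# Defaults for every other host
Host *
    ForwardX11 no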
Doing this, you don't need to fiddle around with system-wide configuration and you can sort-of customize for individual users; I should note that all my systems are fixed-IP and their names and addresses are in /etc/hosts (just as easy to use the actual IP address too).

Anyway, nice, nice job.

Hope this helps some.
 
1 members found this post helpful.
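As an added example (not code from the thread or from OpenSSH), this sketch mimics how ssh resolves a per-user config laid out like the one in the post above: for each option the first obtained value wins, which is why the `Host *` block sits last. The function name `effective_opt`, the user `alice` and the temporary files are constructed for illustration, and only plain `Host` glob patterns are handled.

```shell
#!/bin/sh
# Added example (not from the thread): resolve an ssh_config option the way
# ssh does, where the first obtained value wins. Simplified: plain "Host"
# glob patterns only; no Match, "!" negation, Include or "Key=value" lines.

effective_opt() {  # usage: effective_opt CONFIG_FILE HOSTNAME OPTION
    cfg=$1 host=$2 want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1  # options before the first Host line apply to every host
    while read -r key rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = host ]; then
            active=0
            set -f  # split the pattern list without expanding it against files
            for pat in $rest; do
                case $host in $pat) active=1 ;; esac  # $pat is used as a glob
            done
            set +f
        elif [ "$active" = 1 ] && [ "$lkey" = "$want" ]; then
            printf '%s\n' "$rest"  # first obtained value: stop looking
            return 0
        fi
    done < "$cfg"
    return 1  # option not set for this host
}

demo_dir=$(mktemp -d)
# Constructed copy of the post's layout; "alice" stands in for <username>
cat > "$demo_dir/good" <<'EOF'
Host pita
#ForwardAgent yes
ForwardX11 yes
Compression yes
User alice

Host *
ForwardX11 no
EOF
# Constructed counter-example: the catch-all block moved to the top
cat > "$demo_dir/bad" <<'EOF'
Host *
ForwardX11 no

Host pita
ForwardX11 yes
EOF

echo "Host * last:  pita ForwardX11=$(effective_opt "$demo_dir/good" pita ForwardX11)"
echo "Host * first: pita ForwardX11=$(effective_opt "$demo_dir/bad" pita ForwardX11)"
```

On a system with a recent OpenSSH client, `ssh -G <host>` prints the values ssh itself resolves for that host.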
Old 06-09-2011, 02:25 AM   #5
tallship

Hey thanks for the feedback! I went ahead and effected changes to the part about the options used, and opted to explain each one individually to alleviate most confusion that might have occurred.

Also, when doing that, I realized that if I were following along, I would ask the question as to whether RSA or DSA was *better*

So I addressed that point by dodging the bullet. Really, people need to make an informed decision on that matter, and considering the work involved to switch, I figure that it's best to send them on their merry way to determine that for themselves.

We all have our own take on it and also why, so I felt the reader should too.

And the ~/.ssh/config file. Thanks for that too. I've never done that, and it's good to know. I've always had root and done it that way, but this is much better and I'll be sure to implement it myself here and there in the future.

For the article though, I think it's long enough and I don't want people to think they're reading War and Peace - but it's really good info and there is a comment/talkback link and if you're so inclined...

Thanks again for helping me to improve and clarify the tut

Kindest regards,
 
Old 06-09-2011, 04:04 AM   #6
mRgOBLIN
Might be prudent to mention how to use ssh-agent too.

If memory serves me correctly xfce is the only desktop that starts ssh-agent by default.

You'll need at least one key loaded before you can use ssh-copy-id too.
 
Old 06-09-2011, 07:10 AM   #7
tallship
Quote:
Originally Posted by mRgOBLIN
Might be prudent to mention how to use ssh-agent too.
Well I was going to skip that but yes, I think you're right that I need to.

I'll get to that tomorrow, I can hardly keep my eyes open now and the sun's going to come up within an hour or so here LOL.

Thanks
 
Old 06-09-2011, 08:21 AM   #8
tronayne
I just remembered... the August 2003 issue of Linux Journal had an article by Dennis Allen titled Eleven SSH Tricks; here's a link to it http://www.linuxjournal.com/article/6602.

Might not be useful for purposes of your article but he does discuss some pretty useful means and methods (and I think that's where I got on to ~/.ssh/config).

Hope this helps some.
 
Old 06-09-2011, 05:55 PM   #9
mRgOBLIN
I also wrote a bit of a mini-howto here.

http://www.linuxquestions.org/questi...7/#post3762345

Might help a little.
 
Old 06-09-2011, 07:15 PM   #10
jschiwal
Here is an odd ssh trick. Using ControlMaster Auto will reuse the socket if you are ssh'ing to the same host, speeding up new connections to the same host.

Simply create a file $HOME/.ssh/config with these contents:
Code:
Host *
        ControlMaster auto
        ControlPath ~/.ssh/control-master/%r@%h:%p
This will work for openSSH version 4.2.
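
As an added example (not from the thread or from OpenSSH): the `ControlPath` in the config above points into `~/.ssh/control-master/`, a directory that ssh does not create itself. The function names, the throwaway home directory and the user `alice` are assumptions, and only the `%r`, `%h` and `%p` tokens used in the post are expanded.

```shell
#!/bin/sh
# Added example (not from the thread): show the socket path the post's
# ControlPath template produces and prepare its parent directory.

control_socket_path() {  # usage: control_socket_path TEMPLATE REMOTE_USER HOST PORT
    # Expand only the tokens used in the post: %r (remote user), %h (host), %p (port)
    printf '%s\n' "$1" | sed -e "s|%r|$2|g" -e "s|%h|$3|g" -e "s|%p|$4|g"
}

prepare_control_dir() {  # usage: prepare_control_dir SOCKET_PATH
    dir=$(dirname "$1")
    # ssh does not create this directory; without it the master socket
    # cannot be bound and connections are not shared
    mkdir -p "$dir" || return 1
    # The socket gives access to an already-authenticated session,
    # so keep the directory closed to group and other
    chmod 700 "$dir" || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

# Constructed demo: a throwaway home so the real ~/.ssh is not touched
demo_home=$(mktemp -d)
sock=$(control_socket_path "$demo_home/.ssh/control-master/%r@%h:%p" alice pita 22)
prepare_control_dir "$sock" && echo "master socket path: $sock"
```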
 
Old 07-02-2011, 01:40 PM   #11
hpfeil
=-=-=-
"... Let's restart sshd:

root@remotebox:~# vim /etc/rc.d/rc.sshd restart
-=-=-=-=-=-==-
You probably want to omit the 'vim' command. As written, one will open rc.sshd in a vim session, then a new file titled 'restart'.

I make a lot of similar copy/paste mistakes. I'll look at the same mistake all day and not notice it. I think it's a good idea to ask the Slackware forum to help out with proofreading. Perhaps we could start a sub-forum dedicated to proofreading? Then we can train ourselves to get the LQ stamp of approval before release.
Good thread!
 
  

