Short tut on ssh keys and sshd config - checks for accuracy?
Slackware: This forum is for the discussion of Slackware Linux.
Hey, I just finished my third edit of an article/tutorial I wrote on setting up RSA keys in OpenSSH and configuring SSHD to be a bit more secure than a fresh out of the box install.
I also removed any derogatories about sudu Linux that might have been there.
Anyway, since it's kind of a big deal for anyone who uses it, and could potentially lock them out of their boxes, I'd appreciate any comments related to the accuracy of the instructions, if you don't mind.
Nice tutorial, found some useful bits. Thanks for sharing.
One thing I'd warn about is to be careful when changing the sshd port in case there's a firewall enabled which blocks non-default ports. Very easy to lock yourself out of the machine.
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Nice job.
Not a biggie, but you may want to look at
Code:
First, joeuser logs on to localbox, and then he creates the RSA key/pair:
joeuser@localbox:~$ ssh-keygen -b 2048 -t rsa
Remember to create your passphrase. If you insist on having an empty passphrase, then use the following when creating your keys or just hit enter when asked to provide one using the command above:
ssh-keygen -b 1024 -t dsa -f id_dsa -P ''
Note that in the second example, we chose to create DSA keys, while in the first example, we created RSA keys for SSH protocol version 2.
Let's get a rundown on what's occurred so far.
The -b flag sets the length of the keys to 1,024-bits.
-t indicates to use the DSA hashing algorithm.
-f sets the file name as id_dsa.
-P '' sets the private key password to be null.
Perhaps,
Code:
The -b flag in the first example sets the length of the keys to 2048 bits and in the second to 1024 bits.
Maybe a little confusing if somebody doesn't read it closely (or maybe does, eh?).
A Trick Learned During a Wasted Youth -- you can, on a user-by-user basis, use a ~/.ssh/config file to set options: on the host named fubar
Code:
Host pita
    #ForwardAgent yes
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User <username>
Host snafu
    #ForwardAgent yes
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User <username>
Host *
    ForwardX11 no
Doing this, you don't need to fiddle around with system-wide configuration and you can sort-of customize for individual users; I should note that all my systems are fixed-IP and their names and addresses are in /etc/hosts (just as easy to use the actual IP address too).
Hey, thanks for the feedback! I went ahead and effected changes to the part about the options used, and opted to explain each one individually to alleviate most confusion that might have occurred.
Also, when doing that, I realized that if I were following along, I would ask the question as to whether RSA or DSA was *better*
So I addressed that point by dodging the bullet. Really, people need to make an informed decision on that matter, and considering the work involved to switch, I figure that it's best to send them on their merry way to determine that for themselves.
We all have our own take on it and also why, so I felt the reader should too.
And the ~/.ssh/config file. Thanks for that too. I've never done that, and it's good to know. I've always had root and done it that way, but this is much better and I'll be sure to implement it myself here and there in the future.
For the article though, I think it's long enough and I don't want people to think they're reading War and Peace - but it's really good info and there is a comment/talkback link and if you're so inclined...
Thanks again for helping me to improve and clarify the tut
I just remembered... the August 2003 issue of Linux Journal had an article by Dennis Allen titled Eleven SSH Tricks; here's a link to it http://www.linuxjournal.com/article/6602.
Might not be useful for purposes of your article but he does discuss some pretty useful means and methods (and I think that's where I got on to ~/.ssh/config).
Here is an odd ssh trick. Using ControlMaster Auto will reuse the socket if you are ssh'ing to the same host, speeding up new connections to the same host.
Simply create a file $HOME/.ssh/config with these contents:
Code:
Host *
    ControlMaster auto
    ControlPath ~/.ssh/control-master/%r@%h:%p
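As an added example that is not from either post above, this script combines the per-host blocks from the earlier ~/.ssh/config post with the ControlMaster setup here and checks the two things that silently break them: ssh refuses a config file that is group- or world-writable, and it will not create the ControlPath directory for you. The host names pita and snafu and the user joeuser are taken from the thread; the HOME argument is an assumption so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): build a per-user ~/.ssh/config with
# per-host options plus ControlMaster socket reuse, with the permissions
# OpenSSH insists on. Optional first argument overrides HOME for testing.

write_ssh_config() {
    home="${1:-$HOME}"
    sshdir="$home/.ssh"
    # ssh does not create the ControlPath directory; make it, and keep it private
    mkdir -p "$sshdir/control-master"
    chmod 700 "$sshdir" "$sshdir/control-master"
    cat > "$sshdir/config" <<EOF
# Per-host blocks come first: ssh keeps the first value it finds for an option,
# so "Host *" at the bottom supplies defaults without overriding the named hosts.
Host pita
    ForwardX11 yes
    Compression yes
    User joeuser
Host snafu
    ForwardX11 yes
    Compression yes
    User joeuser
Host *
    ForwardX11 no
    ControlMaster auto
    ControlPath ~/.ssh/control-master/%r@%h:%p
EOF
    # ssh aborts with "Bad owner or permissions" if this file is writable by others
    chmod 600 "$sshdir/config"
}

# Returns 0 when the directory modes, config mode and stanza order are as expected
check_ssh_config() {
    home="${1:-$HOME}"
    sshdir="$home/.ssh"
    [ -n "$(find "$sshdir" -maxdepth 0 -perm 0700)" ] || return 1
    [ -n "$(find "$sshdir/control-master" -maxdepth 0 -perm 0700)" ] || return 1
    [ -n "$(find "$sshdir/config" -maxdepth 0 -perm 0600)" ] || return 1
    # "Host *" must be the last Host stanza or it would shadow the named hosts
    [ "$(awk '/^Host /{last=$2} END{print last}' "$sshdir/config")" = "*" ]
}
```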
root@remotebox:~# vim /etc/rc.d/rc.sshd restart
-=-=-=-=-=-==-
You probably want to omit the 'vim' command. As written, one will open rc.sshd in a vim session, then a new file titled 'restart'.
I make a lot of similar copy/paste mistakes. I'll look at the same mistake all day and not notice it. I think it's a good idea to ask the Slackware forum to help out with proofreading. Perhaps we could start a sub-forum dedicated to proofreading? Then we can train ourselves to get the LQ stamp of approval before release.
Good thread!