Short tut on ssh keys and sshd config

tallship · 06-07-2011, 09:31 PM

Hey I just finished my third edit of an article/tutorial I wrote on setting up RSA keys in OpenSSH and configuring SSHD to be a bit more secure than a fresh out of the box install.

I also removed any derogatories about sudu Linux that might have been there

Anyway, since it's kind of a big deal for anyone who uses it, and could potentially lock them out of their boxes I'd appreciate any comments related to the accuracy of the instructions, if you don't mind

http://bit.ly/setup_ssh

Kindest regards,

audriusk · 06-08-2011, 05:05 AM

Nice tutorial, found some useful bits. Thanks for sharing.

One thing I'd warn about is to be careful when changing sshd port in case there's a firewall enabled which blocks non-default ports. Very easy to get machine locked from yourself.

tallship · 06-08-2011, 06:17 AM

Quote:

Originally Posted by audriusk

One thing I'd warn about...

Hey thanks for bringing that up!

I added:

Quote:

With consideration to any rules you may need to adjust on firewalls between your workstation and the remote host, you can generally choose...

tronayne · 06-08-2011, 07:07 AM

Nice job.

Not a biggie, but you may want to look at

Code:

First, joeuser logs on to localbox, and then he creates the RSA key/pair:

joeuser@localbox:~$ ssh-keygen -b 2048 -t rsa

Remember to create your passphrase. If you insist on having an empty passphrase, then use the following when creating your keys or just hit enter when asked to provide one using the command above:

ssh-keygen -b 1024 -t dsa -f id_dsa -P ''

Note that in the second example, we chose to create DSA keys, while in the first example, we created RSA keys for SSH protocol version 2.

Let's get a rundown on what's occured so far.

The -b flag sets the length of the keys to 1,024-bits.
-t indicates to use the DSA hashing algorithm.
-f sets the file name as id_dsa.
-P '' sets the private key password to be null.

Perhaps,

Code:

The -b flag in the first example sets the length of the keys to 2048 bits and in the second to 1024 bits.

Maybe a little confusing if somebody doesn't read it closely (or maybe does, eh?).

A Trick Learned During a Wasted Youth -- you can, on a user-by-user basis, use a ~/.ssh/config file to set options: on the host named fubar

Code:

Host pita
#ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User <username>

Host snafu
#ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User <username>

Host *
ForwardX11 no

Doing this, you don't need to fiddle around with system-wide configuration and you can sort-of customize for individual users; I should note that all my systems are fixed-IP and their names and addresses are in /etc/hosts (just as easy to use the actual IP address too).

Anyway, nice, nice job.

Hope this helps some.

tallship · 06-09-2011, 01:25 AM

Hey thanks for the feedback! I went ahead and affected changes to the part about the options used, and opted to explain each one individually to alleviate most confusion that might have occured.

Also, when doing that, I realized that if I were following along, I would ask the question as to whether RSA or DSA was *better*

So I addressed that point by dodging the bullet. Really, people need to make an informed decision on that matter, and considering the work involved to switch, I figure that it's best to send them on their merry way to determine that for themselves.

We all have our own take on it and also why, so I felt the reader should too.

And the ~/.ssh/config file. Thanks for that too. I've never done that, and it's good to know. I've always had root and done it that way, but this is much better since and I'll be sure to implement it myself here and there in the future.

For the article though, I think it's long enough and I don't want people to think they're reading War and Peace - but it's really good info and there is a comment/talkback link and if you're so inclined...

Thanks again for helping me to improve and clarify the tut

Kindest regards,

mRgOBLIN · 06-09-2011, 03:04 AM

Might be prudent to mention how to use ssh-agent too.

If memory serves me correctly xfce is the only desktop that starts ssh-agent by default.

You'll need at least one key loaded before you can use ssh-copy-id too.

tallship · 06-09-2011, 06:10 AM

Quote:

Originally Posted by mRgOBLIN

Might be prudent to mention how to use ssh-agent too.

Well I was going to skip that but yes, I think you're right that I need to.

I'll get to that tomorrow, I can hardly keep my eyes open now and the sun's going to come up within an hour or so here LOL.

Thanks

tronayne · 06-09-2011, 07:21 AM

I just remembered... the August 2003 issue of Linux Journal had an article by Dennis Allen titled Eleven SSH Tricks; here's a link to it http://www.linuxjournal.com/article/6602.

Might not be useful for purposes of your article but he does discuss some pretty useful means and methods (and I think that's where I got on to ~/.ssh/config).

Hope this helps some.

mRgOBLIN · 06-09-2011, 04:55 PM

I also wrote a bit of a mini-howto here.

http://www.linuxquestions.org/questi...7/#post3762345

Might help a little.

jschiwal · 06-09-2011, 06:15 PM

Here is an odd ssh trick. Using ControlMaster Auto will reuse the socket if you are ssh'ing to the same host, speeding up new connections to the same host.

Simply create a file $HOME/.ssh/config with these contents:

Code:

Host *
        ControlMaster auto
        ControlPath ~/.ssh/control-master/%r@%h:%p

This will work for openSSH version 4.2.

hpfeil · 07-02-2011, 12:40 PM

=-=-=-
"... Let's restart sshd:

root@remotebox:~# vim /etc/rc.d/rc.sshd restart
-=-=-=-=-=-==-
You probably want to omit the 'vim' command. As written, one will open rc.sshd in a vim session, then a new file titled 'restart'.

I make a lot of similar copy/paste mistakes. I'll look at the same mistake all day and not notice it. I think it's a good idea to ask the Slackware forum to help out with proofreading. Perhaps we could start a sub-forum dedicated to proofreading? Then we can train ourselves to get the LQ stamp of approval before release.
Good thread!