Securing a LAMP server [1] SSHD

Wim Sturkenboom · 05-31-2006, 04:04 AM

I'm currently trying to secure a LAMP server (Slackware 10.1) and have plenty of questions.

This thread has some questions about SSHD.

Q1)
What SSHD can do for me? One of the things as I understand it, is providing a secure 'kind of telnet' where the communication is encrypted (so it can not be snooped).

I have the feeling that it can do other things (reading between the lines of man pages etc). If so, what?

Q2)
If it does encrypted communication, how does it work? I understand that there are some negotiations before a session_key is generated and used by the two parties?

What prevents an attacker from snooping (and understanding) those negotiations? And as a result getting the session_key and be able to decrypt the communication?

A newbie friendly link is fine (I could not find one

).

Q3)
Everywhere I fall over the term fingerprint. E.g. when I connect the first time to the SSHD, PuTTY (a Windows SSH client) tells me something in the line of "it can't verify the fingerprint and if it can trust it". Where can I find the fingerprint of my SSHD (or how can I calculate it)? I've looked in the files in /etc/ssh, but don't seem to be able to find it. As I could not find it, I assume it's a checksum/hash type of value which one might be able to calculate.

Q4)
Is there a difference between 'PermitRootLogin no' and 'DenyUsers root' in the sshd_config?

PS I modified sshd_config to only allow protocol 2

imagineers7 · 05-31-2006, 06:19 AM

Hi wim,

Quote:

Originally Posted by Wim

Q4)
Is there a difference between 'PermitRootLogin no' and 'DenyUsers root' in the sshd_config?

I thought there is a difference :- First asks for password and another does not.

But I tried this on my machine and both asked for the password!!

Then what it is?

Wim Sturkenboom · 05-31-2006, 07:49 AM

Hi imagineers7, please note that I want to deny the access for root user.

unSpawn · 06-01-2006, 07:56 AM

I don't know the difference exactly, but my guess would be DenyUsers is a "general" ACL. If you "man sshd_config" for PermitRootLogin you see it makes provisions for circumstances where you would actually more finegrained control over a root account login, like if you need to make backups (forced command only). The default should be to use "PermitRootLogin no" unless you have specific requirements. While on the topic of ACL's also note PAM can be used easily to allow or deny users access using the pam_listfile module. Comes in handy when you have different requirements for different services and want a centralised solution instead of having to tweak various confs.

Wim Sturkenboom · 06-07-2006, 06:57 AM

Q1) Yes, it can use authentication based on keys. And SFTP.

Q2 and Q3 still open. Specially Q3 is quite important as I must be able to give users this information.