



Tips And Tricks For SSH And SSHFS, Part 2: Configuration

By: Joe Purcell
Expert Author
2011-07-22

Last time we discussed general setup and install for SSH and SSHFS. Having set up our SSH keys, we will now look at some configuration tips for both security and ease of use.

ssh_config OR sshd_config?



First, there are two config files when dealing with SSH and it's not obvious to those new to Linux or SSH what the difference is. Suffice it to say that ssh_config is for the SSH client (outgoing connections) and sshd_config is for the SSH server (incoming connections). The SSH client (your computer) is what allows you to connect to SSH servers (computers you're connecting to). Here we will only be dealing with the sshd_config.

Allow Only Public Key Access



A great security measure is to allow only public key authentication in the SSH config file. All the SSH server configuration is located in '/etc/ssh/sshd_config' (on most Linux distros). Here you will see a long list of options that may not make a lot of sense; hopefully, this article will help clarify a few things. Use the following settings to allow only public key authentication, along with some additional security measures, but first make sure that you have copied the public key from the SSH client to the SSH server.

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes


Note that the above configuration should not be appended to the file. Search for the existing options and set them to the correct values, uncommenting each line if necessary (remove the '#' character).
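Appending does not work because sshd uses the first value it reads for each keyword, so a later duplicate line is ignored. The following is an added example, not code from the original article, that reports which of the article's settings are actually in effect in a config file; the sample file is constructed, the function names are hypothetical, and Match blocks and Include files are not evaluated.

```python
import re

# Values recommended in the article, keyed by lower-cased keyword.
EXPECTED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "challengeresponseauthentication": "no", "usepam": "no",
    "permitemptypasswords": "no", "rsaauthentication": "yes",
    "pubkeyauthentication": "yes", "hostbasedauthentication": "no",
}

# Constructed sample file: PermitRootLogin is still commented out, and the
# desired PasswordAuthentication value was appended below an existing line.
SAMPLE = """\
Port 22
#PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication no
"""


def effective_global_settings(config_text):
    """Map each keyword to the value sshd would use: the first one read."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: not an active setting
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are outside this example's scope
        settings.setdefault(keyword, parts[1] if len(parts) > 1 else "")
    return settings


def audit(config_text, expected=EXPECTED):
    """Return (keyword, wanted, found) per mismatch; found is None if unset."""
    found = effective_global_settings(config_text)
    return [(k, want, found.get(k)) for k, want in expected.items()
            if found.get(k) != want]


if __name__ == "__main__":
    for keyword, want, got in audit(SAMPLE):
        print(f"{keyword}: want {want!r}, effective value is {got!r}")
```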

Disable Host Based Authentication



This option is typically only useful if you are on a home network and know the IP address of your server. However, it can be useful on the public internet as well. This configuration option essentially requires SSH users to know the server's IP address. Instead of being able to connect as 'joe@mywebsite.com', I have to connect as 'joe@11.222.33.4' (or whatever the server's IP address is; it would be something like 192.168.1.10 on a home network). The configuration option is:

HostbasedAuthentication no


There is one trick to make this very handy. Requiring the knowledge of your server's IP address does add a good level of security, and is worth doing if possible. If you don't want to type in the server's IP address all the time, you can add the IP address to your computer's hosts file in '/etc/hosts' as follows:

192.168.1.10    srv


Then, you can connect as 'joe@srv' and it will resolve the IP address. As always, be sure to restart SSH when the configuration has changed:

sudo /etc/init.d/ssh restart


The SSH config file is the bread and butter of tips and tricks when it comes to SSH. Because of this, we will continue next with some more configuration options like these. In the meantime, try out these configuration options and be sure to post a comment if you need any help.


About the Author:
Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.

LinuxDeveloperNews is an iEntry, Inc.® publication.