SSH configuration

Last update: 2001/5/15
Since 1999/3/23
Shigeo.Yashiro @kek.jp


  1. Installation
    Refer to http://www.hal.t.u-tokyo.ac.jp/~kunito/install/ssh/index.shtml.

  3. Access control
    1. By sshd_config
      The following entries in /etc/sshd_config. (SSH1 only; SSH2 does not seem to support them.)
        AllowHosts, DenyHosts
        AllowUsers, DenyUsers
        AllowGroups, DenyGroups
    2. Using the TCP Wrappers library
      If sshd is compiled with the --with-libwrap option, TCP Wrappers' access control is used.
      This option is valid in both SSH1 and SSH2.

  4. Selection of cryptography
    1. Authentication method
        Host key: Can be changed by creating a new key with ssh-keygen.
        User key (SSH2): $HOME/.ssh2/identification
        User key (SSH1): RSA only
    2. Cipher
        The Ciphers entry in a configuration file. Ciphers that the server allows are listed in /etc/sshd_config; ciphers that a user prefers are listed in $HOME/.ssh/config.

  5. Using Public key Authentication
    1. Supported in SSH1 and SSH2.
    2. Setup
      The sample is written in SSH2 style. For SSH1 style, see the next section, "Using rhost with RSA Authentication".
      • First, at the local host (SSH client), create a key pair with one of the following helpers.
          UNIX: ssh-keygen
          Windows: F-Secure SSH Wizard
        The files of the key pair are:
          $HOME/.ssh2/identification
            IdKey filename
          $HOME/.ssh2/id_dsa_1024_a
        The private key should be kept under tight security.
      • Next, send the public key from the local host to the remote host (SSH server), and add it to the authorized key list.
          $HOME/.ssh2/authorization
            Key filename.pub
          $HOME/.ssh2/id_dsa_1024_a.pub (etc.)
    3. Comment
      In a DCE environment, dce_login must be executed to obtain DCE authentication.
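The SSH2-style file layout described in the setup above, as an added example that is not from the original page: three POSIX sh functions that list a private key in $HOME/.ssh2/identification on the client, list the matching public key in $HOME/.ssh2/authorization on the server, and audit that no listed private key is readable by group or others. It assumes the key pair (e.g. id_dsa_1024_a and id_dsa_1024_a.pub) has already been created with ssh-keygen; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the key pair, e.g.
# id_dsa_1024_a / id_dsa_1024_a.pub, was already created with ssh-keygen.
# "IdKey" and "Key" are the identification/authorization file entries
# described above; the function names are this example's own.

# Client side: list <keyfile> in <ssh2_dir>/identification (once) and
# tighten permissions so only the owner can read the private key.
ssh2_register_private_key() {
    dir=$1; key=$2
    [ -f "$dir/$key" ] || { echo "private key $dir/$key not found" >&2; return 1; }
    touch "$dir/identification"
    grep -qx "IdKey $key" "$dir/identification" ||
        echo "IdKey $key" >> "$dir/identification"
    chmod 700 "$dir"
    chmod 600 "$dir/$key" "$dir/identification"
}

# Server side: list <pubfile> in <ssh2_dir>/authorization (once).
# Only a *.pub file is accepted, so a private key can never be
# copied into the authorized list by mistake.
ssh2_authorize_public_key() {
    dir=$1; pub=$2
    case "$pub" in
        *.pub) ;;
        *) echo "$pub: only a .pub file may be authorized" >&2; return 1 ;;
    esac
    [ -f "$dir/$pub" ] || { echo "public key $dir/$pub not found" >&2; return 1; }
    touch "$dir/authorization"
    grep -qx "Key $pub" "$dir/authorization" ||
        echo "Key $pub" >> "$dir/authorization"
    chmod 600 "$dir/authorization"
}

# Audit: every IdKey listed in identification must not be readable by
# group or others. Returns non-zero if any listed key is exposed.
ssh2_check_private_keys() {
    dir=$1; bad=0
    for k in $(awk '$1 == "IdKey" { print $2 }' "$dir/identification"); do
        if [ -n "$(find "$dir/$k" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "WARNING: $dir/$k is readable by group or others" >&2
            bad=1
        fi
    done
    return $bad
}
```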

  6. Using rhost with RSA Authentication
    1. Supported only in SSH1.
    2. Setup
      • First, at the local host (SSH client), create a key pair with one of the following helpers.
          UNIX: ssh-keygen
          Windows: F-Secure SSH Wizard
        The files of the key pair are:
          $HOME/.ssh/identity
          $HOME/.ssh/identity.pub
        The private key should be kept under tight security.
      • Next, send the public key from the local host to the remote host (SSH server), and add it to the authorized key list.
          $HOME/.ssh/authorized_keys
      • Add a client host entry, "hostname username", to the $HOME/.rhosts file on the remote host.

  7. Host Authentication
    Key files are created by "make install". At the local host, a file is required which is a collection of the server hosts' public keys. Helper for host-key collection. Supported only in SSH1(?).

  9. SSH log
    SSH1: "SyslogFacility" in /etc/sshd_config.
    SSH1 & SSH2: sshd can be configured to use tcp_wrappers using the --with-libwrap compile-time configuration option.

  11. Check sheet for SSH Connectivity
    Table 1. SSH Connectivity Test.

      Client    | SSH2 server   | SSH1 server   | DCE-SSH1 server | non-SSH server
      ----------+---------------+---------------+-----------------+---------------
      ssh       | password      | password      | password        | password *1
      RSA-ssh   | passphrase    | passphrase    | passphrase *4   | N.A.
      ssh2      | password      | password *2   | password *2     | *3
      RSA-ssh2  | passphrase    | passphrase *2 | passphrase *2   | N.A.
      sftp      | password? *5  | N.A.?         | N.A.?           | N.A.?
      RSA-sftp  | passphrase?   | N.A.?         | N.A.?           | N.A.?

    Test environment

  13. X forwarding
  14. Port forwarding
    a) telnet

    b) ftp

  16. Security level of server host
    1. telnet, ftp, xdm
      The password flows over an insecure network.
    2. rlogin, rsh, rcp, rdist
      Are trusted hosts secure?
    3. pop
      The password flows over an insecure network.

  17. Problems
    1. X terminal
      The connection from an X terminal to the host is insecure, unless the X terminal supports ssh.
    2. PasswordAuthentication
      A user can add a host key. If a user's password is stolen, ......
      That is, client authentication by the server is skipped.