
Thread: Recommendations for /etc/ssh/sshd_config ?

  1. #1

    Recommendations for /etc/ssh/sshd_config ?

    I have a server that I wish to log into without being prompted for a password.

    So I've set this up using ssh keys.

    On the server I made the following changes to /etc/ssh/sshd_config (from the stock file that ships with 12.04):

    Code:
    $ diff /etc/ssh/sshd_config /etc/ssh/sshd_config.original
    27c27
    < PermitRootLogin no
    ---
    > PermitRootLogin yes
    51c51
    < PasswordAuthentication no
    ---
    > #PasswordAuthentication yes
    My goal is, of course, to minimize any security risks under this scheme.

    Any other recommendations?

  2. #2

    Re: Recommendations for /etc/ssh/sshd_config ?

    PermitRootLogin yes is always risky. Particularly with unprotected keys. Leaked key = someone can get full control. Passwords are OK but if your server is open to the Internet you want strong passwords.

  3. #3

    Re: Recommendations for /etc/ssh/sshd_config ?

    Quote: Originally Posted by prodigy_
    PermitRootLogin yes is always risky. Particularly with unprotected keys. Leaked key = someone can get full control. Passwords are OK but if your server is open to the Internet you want strong passwords.
    Both are disabled, per above (current config shown first, followed by stock config for 12.04).

  4. #4

    Re: Recommendations for /etc/ssh/sshd_config ?

    :) That's why I hate diff.

  5. #5

    Re: Recommendations for /etc/ssh/sshd_config ?

    Quote: Originally Posted by nadamsieee
    I have a server that I wish to log into without being prompted for a password.
    Then combine an unprivileged account with using ssh-agent.


    Quote: Originally Posted by nadamsieee
    Any other recommendations?
    Other than adding fail2ban (which IMHO is always good), it kind of depends on what the purpose is. In ~/.ssh/authorized_keys you can limit key access by subnet range ("from=") and allow it to only perform a specific command ("command=").

  6. #6

    Re: Recommendations for /etc/ssh/sshd_config ?

    Allow only specified users to connect:

    Code:
    AllowUsers username
    Users listed are separated by a space. You can specify as user or user@host or mix and match.

    ex.

    Code:
    AllowUsers phil root@192.168.1.1 greg@192.168.1.1 craig
    Please mark completed threads as [SOLVED], which lets us find solutions faster!
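
The diff in post #1 was misread in the thread, so one way to confirm what the daemon will actually enforce is to check the effective settings rather than the diff. This is an added example, not code from any poster: the function name `audit_sshd` and both sample inputs are constructed for illustration, and the input format assumed is the lowercase `keyword value` lines that `sshd -T` prints.

```shell
#!/bin/sh
# Audit effective sshd settings, in the format printed by `sshd -T`
# (one lowercase "keyword value..." pair per line), against the settings
# recommended in the thread: PermitRootLogin no, PasswordAuthentication no,
# and an AllowUsers restriction.
# Prints one line per finding; returns 1 if there is any finding, else 0.
audit_sshd() {
    awk '
        { seen[$1] = 1 }
        $1 == "permitrootlogin" && $2 != "no" {
            print "FAIL permitrootlogin is " $2 " (want no)"; bad++
        }
        $1 == "passwordauthentication" && $2 != "no" {
            print "FAIL passwordauthentication is " $2 " (want no)"; bad++
        }
        END {
            # sshd -T always prints these two; absence means wrong input.
            n = split("permitrootlogin passwordauthentication", req, " ")
            for (i = 1; i <= n; i++)
                if (!seen[req[i]]) {
                    print "FAIL " req[i] " not present in input"; bad++
                }
            if (!seen["allowusers"]) {
                print "WARN no allowusers restriction set"; bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: effective values for the stock 12.04 file in post #1
# (the commented-out "#PasswordAuthentication yes" means the default, yes).
STOCK='permitrootlogin yes
passwordauthentication yes'

# Constructed sample: the poster's two changes plus an AllowUsers line.
HARDENED='permitrootlogin no
passwordauthentication no
allowusers phil craig'

printf '%s\n' "$STOCK"    | audit_sshd || echo "stock settings: findings above"
printf '%s\n' "$HARDENED" | audit_sshd && echo "hardened settings: no findings"
```

On the server, run `sshd -T | audit_sshd` as root after editing /etc/ssh/sshd_config and before reloading the daemon.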
