Mateen Ahmed


Monday, 10 December 2012

Configuring ssh Server

Posted on 00:53 by Unknown
SSH SERVER CONFIGURATIONS

The ssh command is a client program for logging in to a remote system and executing commands on it. It provides secure, encrypted communication over an insecure network. By default you can use ssh to log in to a remote system as any user with a valid password.
If your DNS server is configured you can use the host name to log in; otherwise you need to use the IP address of the remote system.

Get the pid of the sshd daemon

The pgrep command can be used to find the pid of the sshd daemon:
pgrep sshd

Configuring /etc/ssh/sshd_config

Location: /etc/ssh/sshd_config
Permission: 0600 (rw-------)
Ownership: root:root

Version

The ssh server runs as Version 2 by default, but can also run as Version 1, which is not recommended. The version can be changed by changing the Protocol parameter in /etc/ssh/sshd_config from Protocol 2 to Protocol 1.

Changing the default port on which the sshd daemon listens

The port on which the sshd daemon listens can be changed by editing the value of the Port variable in /etc/ssh/sshd_config to the required port number, say:
Port 123
Before choosing the port, check that the port you chose is not being used by any other service:
netstat -an | grep <portnumber to search>
After you have made changes to sshd_config, you need to restart the sshd daemon with service sshd restart. Now, to connect to this machine remotely, you need to connect as:
ssh -p 123 192.168.1.25

If you also want to specify the user, you can do so as:
ssh -p 123 sunil@192.168.1.25

Configuring ssh to listen on specific IP address(es)

By default the sshd daemon listens on all the IPs of all the network cards. The default entry for this in /etc/ssh/sshd_config is:
#ListenAddress 0.0.0.0
#ListenAddress ::
Note that these entries are marked with #, meaning they are commented out; they are written only to show what the default value of ListenAddress is.
You can configure your sshd daemon to listen on a specific IP address by changing the value of ListenAddress to:
ListenAddress 192.168.1.26
If you want your sshd daemon to listen on more than one IP address, you need a ListenAddress <ip-address> entry for each IP address, one per line:
ListenAddress 192.168.1.26
ListenAddress 192.168.1.24

Configuring ssh to listen on a specific port of specific IP address(es)

You can also configure your sshd daemon to communicate on a specific port for a specific IP address. This is done by changing the value of ListenAddress in /etc/ssh/sshd_config as:
ListenAddress 192.168.1.26:123
ListenAddress 192.168.1.24:456

So now the sshd daemon will listen on port 123 for IP address 192.168.1.26, and on port 456 for IP address 192.168.1.24.
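As an added example (not part of the original post), the following Python works out which address:port pairs sshd will actually bind from the Protocol, Port and ListenAddress lines discussed above, and flags a Protocol line that still allows version 1. The sample sshd_config is constructed from this page's fragments; the expansion rules (every Port line counts, a ListenAddress without a port is expanded over all Port values, no ListenAddress means every address) follow OpenSSH's documented behaviour.

```python
# Constructed sshd_config built from the fragments used on this page.
SAMPLE_SSHD_CONFIG = """
Protocol 2
Port 123
Port 456
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.26:123
ListenAddress 192.168.1.24
"""

def directives(text):
    """(keyword, value) pairs in file order, skipping blank and '#' lines.
    Keywords are case-insensitive; the 'Keyword=value' spelling is not handled."""
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def split_host_port(value):
    """Accept host, host:port and [ipv6]:port; a bare IPv6 literal like '::' has no port."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if value.count(":") == 1:
        host, port = value.split(":")
        return host, int(port)
    return value, None

def effective_listeners(text):
    """(address, port) pairs sshd will bind: every Port line counts, a ListenAddress
    without a port is expanded over all Port values, and with no ListenAddress the
    defaults 0.0.0.0 and :: are bound on every port."""
    ports = [int(v) for k, v in directives(text) if k == "port"] or [22]
    listeners = []
    for key, value in directives(text):
        if key == "listenaddress":
            host, port = split_host_port(value)
            listeners.extend((host, p) for p in ([port] if port else ports))
    return listeners or [(a, p) for a in ("0.0.0.0", "::") for p in ports]

def protocol_allows_v1(text):
    """True if the first Protocol line (sshd keeps the first value it sees) lists
    version 1, e.g. 'Protocol 1' or 'Protocol 2,1'. No Protocol line: default is 2."""
    for key, value in directives(text):
        if key == "protocol":
            return "1" in [v.strip() for v in value.split(",")]
    return False
```

Run it against a real /etc/ssh/sshd_config and compare the result with what netstat or ss shows after a restart; a listener you did not expect usually means a ListenAddress without a port picked up an extra Port line.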

Displaying a Banner when an ssh session starts

In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed.

Edit /etc/ssh/sshd_config, look for Banner and set it to the path of the banner file. Create a file named /etc/ssh/hackers.banner with the contents you want to display, then restart the sshd daemon:
Banner /etc/ssh/hackers.banner
service sshd restart

Permitting ssh to specific users

To permit specific user(s), the AllowUsers keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ‘*’ and ‘?’ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. More than one user can be specified by separating them with white space.

Example 1:

Add the following on the ssh server (192.168.1.250) in /etc/ssh/sshd_config and restart the sshd daemon:
AllowUsers s*a

This will allow all users whose username starts with "s" and ends with "a". No other user is allowed to ssh to 192.168.1.250.

Example 2:

Add the following on the ssh server (192.168.1.250) in /etc/ssh/sshd_config and restart the sshd daemon:
AllowUsers s?????

This will allow all users whose username starts with "s" followed by exactly five characters of any kind. No other user is allowed to ssh to 192.168.1.250.

Example 3:

Add the following on the ssh server (192.168.1.250) in /etc/ssh/sshd_config and restart the sshd daemon:
AllowUsers shreya@192.168.1.249
AllowUsers visesh@192.168.1.2

Now user shreya can ssh only from 192.168.1.249 and user visesh only from 192.168.1.2. No other user is allowed to ssh to 192.168.1.250.

Permitting ssh to specific groups

The AllowGroups keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. ‘*’ and ‘?’ can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. More than one group can be specified by separating them with white space.

Example 1:

Add the following on the ssh server (192.168.1.250) in /etc/ssh/sshd_config and restart the sshd daemon:
AllowGroups ad*

This will allow all users whose primary or supplementary group name begins with "ad". No other user is allowed to ssh to 192.168.1.250.

Example 2:

Add the following on the ssh server (192.168.1.250) in /etc/ssh/sshd_config and restart the sshd daemon:
AllowGroups dba?????

This will allow all users whose primary or supplementary group name begins with "dba" followed by exactly five characters of any kind. No other user is allowed to ssh to 192.168.1.250.
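As an added example covering both the AllowUsers and AllowGroups sections above (this is not code from the original post), the following Python evaluates a login attempt against those two keywords the way sshd does: patterns accumulate across repeated lines, only '*' and '?' are wildcards, a USER@HOST pattern checks user and host separately, and an attempt must pass both lists. The sample config is constructed from Example 3 (users) and Example 1 (groups); the host is assumed to be the client's IP address as a string.

```python
import re

# Constructed from the page's Example 3 (AllowUsers) and Example 1 (AllowGroups).
SAMPLE_ACCESS_CONFIG = """
AllowUsers shreya@192.168.1.249
AllowUsers visesh@192.168.1.2
AllowGroups ad*
"""

def patterns(text, keyword):
    """Every whitespace-separated pattern from all lines of `keyword`; unlike most
    sshd_config keywords, AllowUsers/AllowGroups accumulate across repeated lines."""
    found = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts and parts[0].lower() == keyword.lower():
            found.extend(parts[1:])
    return found

def glob_match(pattern, value):
    """sshd patterns know only '*' (any run) and '?' (one char); all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def user_allowed(text, user, host):
    """No AllowUsers lines: everyone passes. Otherwise the user (and, for a USER@HOST
    pattern, the client host as well) must match at least one pattern."""
    pats = patterns(text, "AllowUsers")
    if not pats:
        return True
    for pat in pats:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if glob_match(upat, user) and glob_match(hpat, host):
                return True
        elif glob_match(pat, user):
            return True
    return False

def group_allowed(text, groups):
    """No AllowGroups lines: everyone passes. Otherwise any of the user's primary or
    supplementary groups must match one pattern."""
    pats = patterns(text, "AllowGroups")
    return not pats or any(glob_match(p, g) for p in pats for g in groups)

def login_allowed(text, user, host, groups):
    """A login must survive both Allow lists; DenyUsers/DenyGroups are not modelled."""
    return user_allowed(text, user, host) and group_allowed(text, groups)
```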

ssh to a specific remote user

If you want to ssh as a specific user, you can do so as:
ssh sunil@192.168.1.25

where sunil is the user on 192.168.1.25 you want to log in as.

Executing command remotely using ssh

You can execute almost any command on the remote system as:
ssh 192.168.1.24 "df -h"

Sending a message using ssh

You can use the ssh command to send a message to another user on a specific console of the remote system, as:
ssh 172.24.0.15 'echo "hello users" > /dev/pts/0'