
An SSH daemon on your system

Installation

OpenSolaris

The SSH daemon (or server) is installed by default in OpenSolaris 2009.06. To make sure it is activated, go to System > Administration > Services and make sure SSH server (network/ssh) is activated.

Mac OS X

The SSH daemon is installed by default on Mac OS X Leopard or later (10.5+) and OS X Lion or later (10.7+). To activate it, open System Preferences, click on Sharing, then select and activate Remote login.

Linux / Gnome

On Ubuntu, the SSH daemon is not installed by default. You first have to install the openssh-server package, either with the Software Centre or from the command line:

$ sudo apt-get install openssh-server

Once installed, the SSH daemon should be active. To verify this, check in System > Administration > Services that Remote shell server (ssh) is activated, or run the following command and check that at least one line is reported as "LISTEN":

$ netstat -ltn | grep ":22 "

OpenSSH Server Configuration and Hardening

OpenSSH Server Host Keys

An SSH server can be authenticated with a mechanism similar to the one used to authenticate users with the public/private key scheme (asymmetric cryptography). These keys (also called host keys) are generated when SSH is installed. If SSH is installed during the system installation, the entropy pool may still be rather low, meaning that the quality of the (pseudo-)random number generator output can be weak.

Depending on your SSH server version and on the configuration, you might have a different set of keys. Usually you have host key pairs for SSH v1 and for SSH v2 RSA and DSA, and with more recent versions of OpenSSH you might also have SSH v2 ECDSA and ED25519.

I don't like the DSA and ECDSA host keys ;-) (will give some links as why later), so I deactivate them like this:

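# Run as root in bash (brace expansion). The empty alternative in the braces
# also matches the SSH v1 key files (ssh_host_key*).
for key in /etc/ssh/ssh_host_{dsa_,ecdsa_,}key*
do
  [ -e "$key" ] || continue   # pattern matched no file: do not create one
  echo -n "$key: "
  # Empty the key file, then make it immutable so that it stays empty
  cat /dev/null > "$key" && chattr +i "$key" && echo "disabled" || echo "failed"
done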

And I want to regenerate my own RSA key.

ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key
chmod 0640 /etc/ssh/ssh_host_rsa_key
chmod 0644 /etc/ssh/ssh_host_rsa_key.pub

On an SELinux-protected system, you will need to restore the SELinux security context of those files (by design this is not necessary with AppArmor, as the file name has not changed):

restorecon /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
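
To check the result of the steps above, the following added example (not part of the original page) classifies `ssh-keygen -l` fingerprint lines against the preferences stated here. The function names, the verdict words, the acceptance of ED25519, the 4096-bit RSA floor and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify `ssh-keygen -l` output by the host key policy above.
# Assumptions: DSA, ECDSA and SSH v1 (RSA1) keys are rejected, ED25519 is
# accepted, and RSA must be at least MIN_RSA_BITS (4096, as generated above).
MIN_RSA_BITS=${MIN_RSA_BITS:-4096}

# classify_key_line "<bits> <fingerprint> <comment ...> (<TYPE>)"
# Prints "<verdict> <TYPE> <bits>"; runs in a subshell so variables stay local.
classify_key_line() (
  line=$1
  bits=${line%% *}        # first field: key length in bits
  type=${line##*"("}      # text after the last "(" ...
  type=${type%")"*}       # ... up to the closing ")"
  case $bits in
    (''|*[!0-9]*) echo "unparsed"; exit 0 ;;   # empty or non-fingerprint line
  esac
  case $type in
    (DSA|ECDSA|RSA1) echo "reject $type $bits" ;;
    (ED25519)        echo "ok $type $bits" ;;
    (RSA)
      if [ "$bits" -ge "$MIN_RSA_BITS" ]; then echo "ok $type $bits"
      else echo "weak $type $bits"; fi ;;
    (*) echo "unknown $type $bits" ;;
  esac
)

# audit_host_keys [DIR]: fingerprint every non-empty public host key in DIR.
# Key files emptied by the loop above have size 0 and are skipped.
audit_host_keys() {
  for pub in "${1:-/etc/ssh}"/ssh_host_*key.pub; do
    [ -s "$pub" ] || continue
    printf '%s: ' "$pub"
    classify_key_line "$(ssh-keygen -l -f "$pub")"
  done
}

# Constructed sample lines (not real fingerprints) in `ssh-keygen -l` format.
while IFS= read -r sample; do
  classify_key_line "$sample"
done <<'EOF'
4096 SHA256:CONSTRUCTED-FINGERPRINT-1 root@example (RSA)
2048 SHA256:CONSTRUCTED-FINGERPRINT-2 root@example (RSA)
1024 SHA256:CONSTRUCTED-FINGERPRINT-3 root@example (DSA)
256 SHA256:CONSTRUCTED-FINGERPRINT-4 root@example (ECDSA)
EOF
```

On a real server, run `audit_host_keys /etc/ssh` as root after sourcing the functions; any line starting with "reject" or "weak" points at a key file the steps above did not cover.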

TO BE IMPROVED AND CONTINUED

foss/wikishelf/ssh/ssh_server.txt · Last modified: 2015/05/01 23:32 (external edit)