Setting up SSHD

Authorized Keys

Put your SSH public key in place so you can connect as a wheel-group user, and possibly as root,

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys

Setup

grep ^wheel /etc/group
mv -i /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
sed -r '/^[[:space:]]*(#|$)/d' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config <<-EOF

AddressFamily inet
#ListenAddress x.x.x.x
#AllowUsers root@CLIENT-IP gollum@CLIENT2
Protocol 2
Port XXX
AllowGroups wheel
#AllowGroups root
#AllowGroups sshusers
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
ChallengeResponseAuthentication no
UsePam no
UseDNS no
HostKey /etc/ssh/ssh_host_ed25519_key
RSAAuthentication no
UsePrivilegeSeparation yes
EOF
vi /etc/ssh/sshd_config

Check the configuration syntax (a non-zero exit status means sshd would refuse to start),

sshd -t
echo $?

Not on Slackware,

#UsePam no

Deprecated on NetBSD (and Ubuntu?),

RSAAuthentication
UsePrivilegeSeparation

Deprecated on Ubuntu (?),

ChallengeResponseAuthentication
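An added check, not part of this page's procedure, that audits a resulting sshd_config the way sshd actually reads it: the first occurrence of a keyword wins, keywords are case-insensitive, commented lines are ignored, and anything after a Match line is conditional rather than global. It runs against two constructed sample configs; the names REQUIRED, sshd_effective and sshd_audit are chosen here.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening keywords used above. sshd rules
# that matter: keywords are case-insensitive, comments are ignored, the FIRST
# occurrence of a keyword wins, and lines after "Match" are conditional.
sshd_effective() {  # sshd_effective FILE KEYWORD -> global value or nothing
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }' "$1"
}
# keyword=accepted|values; prohibit-password is the current spelling of
# without-password. Unset counts as a deviation: defaults vary per version.
REQUIRED="protocol=2 allowgroups=wheel permitrootlogin=without-password|prohibit-password
passwordauthentication=no permitemptypasswords=no x11forwarding=no
challengeresponseauthentication=no"
sshd_audit() {  # sshd_audit FILE -> one line per deviation, returns their count
    fails=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        case "|$want|" in
            *"|$got|"*) ;;   # an empty $got never matches, so unset fails too
            *) echo "FAIL $key: want '$want', got '${got:-<unset>}'"; fails=$((fails+1)) ;;
        esac
    done
    return $fails
}
# Constructed sample inputs (not from the page): a stock-looking config, and the
# hardened one plus a Match block that must not change the global verdict.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PasswordAuthentication no
Protocol 2
EOF
cat > "$HARD_CFG" <<'EOF'
Protocol 2
AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
sshd_audit "$HARD_CFG" && echo "hardened config: OK"
sshd_audit "$WEAK_CFG" || echo "stock config: $? deviation(s)"
```

Run it against /etc/ssh/sshd_config after `sshd -t` passes; a syntactically valid file can still silently keep a weaker earlier setting.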

Operations

NetBSD

tail -F /var/log/authlog
vi /etc/rc.conf

sshd=yes

service sshd restart
netstat -an -f inet,inet6

Debian / Ubuntu Server

tail -n0 -F /var/log/*
systemctl status ssh
#systemctl enable ssh
systemctl restart ssh
netstat -lntupe

Fail-Over

Create a failover config with a different port and PID file,

cp -pi sshd_config sshd_config.failover
vi sshd_config.failover

Port ALT_PORT
PidFile /var/run/sshd.failover.pid

Start the daemon,

ls -lhF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover
ps aux | grep failover
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS 7),

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover && echo done

#no need to make it executable

Miscellaneous

Open ALT_PORT in the host firewall (CentOS 7+ example; a --permanent rule only takes effect once the firewall is reloaded),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent
firewall-cmd --reload

Resources

Using Ed25519 for OpenSSH keys (instead of DSA/RSA/ECDSA) https://linux-audit.com/using-ed25519-openssh-keys-instead-of-dsa-rsa-ecdsa/

sshd_config - SSH Server Configuration https://www.ssh.com/ssh/sshd_config/

Limit SSH access to specific clients by IP address https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address
