floss uk devops spring 2015 enhancing ssh config
![Page 1: FLOSS UK DEVOPS Spring 2015 Enhancing ssh config](https://reader030.vdocuments.us/reader030/viewer/2022020110/55a93ab41a28ab34648b45a5/html5/thumbnails/1.jpg)
Enhancing ssh Configuration
David Proffitt, Janet NOC
FLOSS Spring 2015, York
(More fun with ssh config)

~/.ssh/config
~/.ssh/authorized_keys
/etc/ssh/sshd_config

Examples are Debian specific; they should work with RH, FreeBSD, Solaris, MacOS ...
Client options

ssh -X -v -l bill -i ~/.ssh/yorkkey -4 york.domain.net

~/.ssh/config
doesn't exist by default
overrides defaults from /etc/ssh/ssh_config

Order of precedence (for each option the first value obtained wins):
1. command line options
2. user-specific file
3. system-wide file
Host Aliases

Convenient text labels

Host york

Host york
    HostName york.domain.net

Host york
    HostName 123.45.67.89

ssh york.domain.net   (assumes current user name)

ssh -l bill york.domain.net

Host york
    User bill

ssh york

Multiple aliases are possible

host york,web

Host york
    User ben

Host brighton
    User bill

Host newcastle
    Port 1234

Host york
    User ben
    IdentityFile /home/bill/.ssh/yorkkey

ForwardAgent yes   (Use with Caution)

Protocol 2

AddressFamily inet

PubkeyAuthentication no

ForwardX11 yes   (assuming allowed on server)

ServerAliveInterval 120
Wildcards

Host *

Host *
    user bill

"Any configuration value is only changed the first time it is set."
    (man ssh)

"Thus, host-specific definitions should be at the beginning of the configuration file, and defaults at the end."

ssh -v york
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/bill/.ssh/config
debug1: /home/bill/.ssh/config line 19: Applying options for *
debug1: /home/bill/.ssh/config line 363: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.ja.net [123.45.67.89] port 22.
debug1: Connection established.
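The first-value-wins rule is easy to get wrong in a long config. The following Python model, added here and not part of the talk, resolves a name typed on the command line against a constructed ~/.ssh/config the way ssh does (command line first, then the file top to bottom, keeping the first value per keyword) and shows the same two blocks giving a different User depending on their order. The config text, host names and the `resolve`/`host_matches` helpers are this example's own, and only the Host/glob subset of the file format is modelled.

```python
"""Model of how the OpenSSH client resolves ~/.ssh/config.

For every keyword the first value obtained wins (command line, then the
user file top to bottom, then the system file), so a `Host *` block placed
before a specific block silently overrides it.  Added example, not OpenSSH
code: it implements only the subset needed here (Host blocks, `*`/`?` globs,
`!` negation, patterns separated by whitespace or commas).  Real ssh also
accumulates a few keywords such as IdentityFile instead of keeping only the
first; that is not modelled.
"""
import fnmatch
import re


def host_matches(host, patterns):
    """OpenSSH-style pattern list: a matching `!` pattern rejects at once,
    otherwise the host is accepted if any positive pattern matches."""
    got_positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(host, pat[1:] if negated else pat):
            if negated:
                return False
            got_positive = True
    return got_positive


def parse_ssh_config(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.
    Keywords are case-insensitive; lines before the first Host apply to all."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append(([p for p in re.split(r"[\s,]+", value) if p], []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def resolve(text, host, cmdline=None):
    """Effective options for the name typed on the command line (`ssh host`):
    command-line options first, then the file, keeping the first value seen."""
    effective = {k.lower(): v for k, v in (cmdline or {}).items()}
    for patterns, opts in parse_ssh_config(text):
        if host_matches(host, patterns):
            for key, value in opts:
                effective.setdefault(key, value)
    return effective


# Constructed configs: the same two blocks in both orders.
WRONG_ORDER = """\
Host *
    User bill
    ServerAliveInterval 120

Host york,web
    HostName york.domain.net
    User ben
    IdentityFile /home/bill/.ssh/yorkkey
"""

RIGHT_ORDER = """\
Host york,web
    HostName york.domain.net
    User ben
    IdentityFile /home/bill/.ssh/yorkkey

Host *
    User bill
    ServerAliveInterval 120
"""

if __name__ == "__main__":
    for name, cfg in (("defaults first", WRONG_ORDER), ("specific first", RIGHT_ORDER)):
        print(name, "->", resolve(cfg, "york"))
```

With a real client the equivalent check is `ssh -G york` (OpenSSH 6.8 and later), which prints the options ssh would use for that destination without connecting.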
Controlling Key Access

~/.ssh/authorized_keys

ssh-keygen -f ~/.ssh/yorkkey

ssh-keygen -f yorkkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in yorkkey.
Your public key has been saved in yorkkey.pub.
The key fingerprint is:
d6:63:83:d3:c1:ba:cc:17:9a:e6:04:cf:1f:c1:30:cf bill@brighton
The key's randomart image is:
[RSA 2048 randomart image]

yorkkey
yorkkey.pub

-rw------- 1 bill bill 1.8K Mar 23 16:22 yorkkey

cat yorkkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHNuFYp0kKYtxmmKs20bgBhMdj24U7KuWz6KbuMaIrgCib69z3uoYuD3WYiYoUvoB00M5zqZgC3M0f3+4Y5iXJpKnmaHFf4fpFz2Zru6WQmOyhnhvWMDQJm9nty9w6JoP2GM5bqZKGNzOLtkfPf3e26QliCKdrQzgFmlviFultSQU8/kPxxhFlu4JjwyRzlqCpMX/Ltr8w/fgmBd15NZqYRfJnU/tCjlLim9X+0FND/hKz6zabmNUcJe3gkyPb7noadevnKJtS3K+RPCivgT51lf77TBb398H4xNcoVTCRXBthC1PBmoCt1stwfYcM4JTXoe3henWT5ViGAyFyV bill@brighton

default comment: user@host
ssh-copy-id -i ~/.ssh/yorkkey york

~/.ssh/authorized_keys

You can add key-specific options to the beginning of each line (options separated by commas)

from=
from="123.45.67.89"
from="123.45.67.89/24"
from="1234:560:0:70::89"
from="123.45.67.89,1234:560:0:70::89"
from="brighton.domain.net"
from="*.domain.net"
from="!*.brighton.domain.net,*.domain.net"
no-agent-forwarding
no-port-forwarding
no-pty
no-X11-forwarding
permitopen="localhost:1234"
command="command"
environment="PATH=/bin:/usr/bin/"

A mistyped option name makes the whole line unusable; the server reports it to a client running ssh -v:
debug1: Remote: Bad options in /home/bill/.ssh/authorized_keys file, line 2: fron="123.45.67.89,1234:567:8:90::12" ssh-rsa AAAA
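As an added example (not code from the talk), here is a small Python parser for authorized_keys lines that handles quoted option values with embedded commas, reports unknown option names in the same spirit as the "Bad options" debug message above, and evaluates `from=` against a client address and hostname with the negation rule shown on the `!*.brighton.domain.net,*.domain.net` slide. The sample lines, the option-name subset and the `from_allows` helper are this example's own.

```python
"""Parse ~/.ssh/authorized_keys lines and evaluate a key's `from=` restriction.

Added example, not OpenSSH code.  It follows the layout sshd(8) documents:
optional comma-separated options (values may be double-quoted and contain
commas), then key type, base64 blob and comment.  `from=` takes a
comma-separated list of addresses, CIDR blocks and hostname globs; a
pattern starting with `!` denies even when a later pattern matches.  Only a
subset of option names is known to this parser; anything else is reported
the way sshd's "Bad options" message does.
"""
import fnmatch
import ipaddress

FLAG_OPTIONS = {
    "no-agent-forwarding", "no-port-forwarding", "no-pty", "no-x11-forwarding",
    "no-user-rc", "restrict", "cert-authority",
}
VALUE_OPTIONS = {"from", "command", "environment", "permitopen", "permitlisten", "principals"}
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def split_options(text):
    """Split the options field on commas that are outside double quotes."""
    items, current, quoted, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and text[i + 1:i + 2] == '"':
            current += '"'          # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append(current)
            current = ""
        else:
            current += c
        i += 1
    if current:
        items.append(current)
    return items


def parse_line(line):
    """Return {"options", "bad_options", "keytype", "blob", "comment"}, or None
    for blank and comment lines.  Raises ValueError for a malformed line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, bad = {}, []
    if not line.startswith(KEY_TYPE_PREFIXES):
        # the options field ends at the first whitespace outside quotes
        quoted = False
        for i, c in enumerate(line):
            if c == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            elif c.isspace() and not quoted:
                break
        else:
            raise ValueError("options but no key: %r" % line)
        for item in split_options(line[:i]):
            name, _, value = item.partition("=")
            name = name.lower()           # sshd compares option names case-insensitively
            if name in FLAG_OPTIONS:
                options[name] = True
            elif name in VALUE_OPTIONS:
                options[name] = value
            else:
                bad.append(name)
        line = line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed key line: %r" % line)
    return {"options": options, "bad_options": bad, "keytype": parts[0],
            "blob": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def from_allows(from_value, client_ip, client_host):
    """Model of sshd's from= check.  Each pattern is tried as an address or
    CIDR block against the client IP, else as a glob against the client's
    hostname and address text.  sshd only knows the hostname when UseDNS is
    enabled; otherwise pass the IP string as client_host too."""
    addr = ipaddress.ip_address(client_ip)
    got_positive = False
    for pat in from_value.split(","):
        negated = pat.startswith("!")
        pat = pat[1:] if negated else pat
        try:
            matched = addr in ipaddress.ip_network(pat, strict=False)
        except ValueError:          # not an address: treat as a hostname glob
            matched = fnmatch.fnmatchcase(client_host, pat) or fnmatch.fnmatchcase(client_ip, pat)
        if matched:
            if negated:
                return False
            got_positive = True
    return got_positive


def check_file(text):
    """Parse every line; return (entries, [(line_no, bad_option_names), ...])."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        entries.append(entry)
        if entry["bad_options"]:
            problems.append((n, entry["bad_options"]))
    return entries, problems


# Constructed sample file; the key blobs are truncated placeholders.
SAMPLE_KEYS = """\
from="!*.brighton.domain.net,*.domain.net",no-pty,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHN bill@brighton
fron="123.45.67.89,1234:567:8:90::12" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9pNHN bill@brighton
from="123.45.67.89/24,1234:560:0:70::89" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ben@brighton
"""

if __name__ == "__main__":
    for line_no, names in check_file(SAMPLE_KEYS)[1]:
        print("line %d: unknown option(s) %s" % (line_no, ", ".join(names)))
```

The UseDNS point matters in practice: hostname patterns such as `*.domain.net` only match when sshd resolves client names (UseDNS yes; the default has been no since OpenSSH 6.8), otherwise the key is silently unusable from every host, which is exactly the kind of lockout the `ssh -v` output helps diagnose.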
Server options

sshd_config
/etc/ssh/sshd_config

Requires restart of sshd
/etc/init.d/ssh
try-restart
sshd -t   (test the configuration before restarting)
Do you have OOB access (ILOM etc.) if the restart goes wrong?
Defaults included as comments

PermitRootLogin no
StrictModes
X11Forwarding
AllowAgentForwarding
PasswordAuthentication
UsePAM yes
Only allow specific users

AllowUsers / DenyUsers

AllowUsers

AllowUsers bill
(exclusive)

AllowUsers bill ben

AllowUsers [email protected] bill@1234:567:0:80::11

AllowUsers [email protected]
AllowUsers bill@1234:567:0:80::11
(may also be split over several AllowUsers lines)

AllowGroups

AllowGroups sshusers

Standard unix groups: /etc/group

Standard admin tools for managing group membership
no need to keep restarting sshd

Combining rules

Deny then allow

DenyUsers
AllowUsers
DenyGroups
AllowGroups
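To make the "deny then allow" order concrete, this Python model (added here; not OpenSSH code) evaluates a constructed configuration in the sequence the slide lists and returns the same reason text sshd writes to auth.log. The config, users and hosts are invented; the host part of USER@HOST patterns is a plain glob here, while real sshd also accepts CIDR blocks and `!` there.

```python
"""Model of the order in which sshd evaluates DenyUsers, AllowUsers,
DenyGroups and AllowGroups (sshd_config(5): deny lists first, then allow
lists; an allow list that is configured but unmatched rejects).

Added example, not OpenSSH code.  Patterns may be plain names, `*`/`?`
globs, or USER@HOST where HOST is matched against the client's hostname or
address; in this model the host part is a plain glob, whereas real sshd also
accepts CIDR blocks and `!` negation there.  Group patterns support `!`.
"""
import fnmatch


def match_pattern_list(value, patterns):
    """First matching `!` pattern rejects; otherwise any positive match accepts."""
    got_positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return False
            got_positive = True
    return got_positive


def match_user(user, host, patterns):
    """USER@HOST patterns constrain both parts; a plain pattern only the user."""
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat):
                return True
        elif fnmatch.fnmatchcase(user, pat):
            return True
    return False


def allowed_user(user, host, groups, cfg):
    """Return (allowed, reason).  `cfg` maps directive name -> list of patterns;
    several AllowUsers lines in sshd_config simply extend the same list."""
    if match_user(user, host, cfg.get("DenyUsers", [])):
        return False, "listed in DenyUsers"
    if cfg.get("AllowUsers") and not match_user(user, host, cfg["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if any(match_pattern_list(g, cfg.get("DenyGroups", [])) for g in groups):
        return False, "a group is listed in DenyGroups"
    if cfg.get("AllowGroups") and not any(match_pattern_list(g, cfg["AllowGroups"]) for g in groups):
        return False, "none of user's groups are listed in AllowGroups"
    return True, "allowed"


def log_line(user, host, reason):
    """Wording of the auth.log message sshd writes on rejection."""
    return "User %s from %s not allowed because %s" % (user, host, reason)


# Constructed sshd_config fragment, already split into per-directive lists.
CONFIG = {
    "DenyUsers": ["ben@*.brighton.domain.net"],
    "AllowUsers": ["bill@*.domain.net", "ben"],
    "AllowGroups": ["sshusers"],
}

if __name__ == "__main__":
    for user, host, groups in (("bill", "brighton.domain.net", ["bill", "sshusers"]),
                               ("bill", "203.0.113.7", ["bill", "sshusers"]),
                               ("ben", "pc.brighton.domain.net", ["ben", "sshusers"]),
                               ("ben", "york.domain.net", ["ben"])):
        ok, reason = allowed_user(user, host, groups, CONFIG)
        print("OK" if ok else log_line(user, host, reason))
```

Note that the DenyUsers entry wins for ben even though AllowUsers names him, and that bill is rejected from an address outside `*.domain.net` because the USER@HOST pattern is the only AllowUsers entry that covers him.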
Specific Overrides

Match Operator

Must be at the end of the file: everything after a Match line belongs to that block until the next Match or the end of the file, so global settings go first.

PasswordAuthentication no
...
Match User bill
    PasswordAuthentication yes

Match Group
Match !Group
Match Address

Match Address 123.456.789.10
    PasswordAuthentication yes

Match Host brighton.example.net

Match User trusty Address 123.45.67.*
    X11Forwarding yes

Match User nagios
    PasswordAuthentication no
    RSAAuthentication yes
    PubkeyAuthentication yes
    Banner none
(Banner may break some automated logins) ... is your shell clean?
(RSAAuthentication only ever applied to protocol 1; PubkeyAuthentication is the protocol 2 option.)

related options

chroot sftp
(similar to proftpd)

Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp

Match group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -u 0002
    ChrootDirectory %h

Also possible to jail shell accounts, but this needs a static shell
Rate Limiting

MaxStartups 10

MaxStartups 10:30:60
(start:rate:full: begin refusing 30% of new unauthenticated connections once there are 10, refuse all at 60)

Troubleshooting

SyslogFacility AUTH
LogLevel INFO

LogLevel DEBUG

ssh -vvv

ben@brighton:~$ ssh -v york
OpenSSH_6.xxx Debian-4+deb7u2, OpenSSL 1.2.3 12 Feb 1804
debug1: Reading configuration data /home/ben/.ssh/config
debug1: /home/ben/.ssh/config line 12: Applying options for *
debug1: /home/ben/.ssh/config line 456: Applying options for york
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to york.domain.net [123.456.78.9] port 22.
debug1: Connection established.
debug1: identity file /home/ben/.ssh/yorkkey type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/ben/.ssh/yorkkey-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 12:34:56:78:12:34:56:78:90:12:34:56:78:90
debug1: Host 'york.domain.net' is known and matches the RSA host key.
debug1: Found key in /home/ben/.ssh/known_hosts:123
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
====================================
This is a private system
Unauthorised access is prohibited!
All access attempts are logged
====================================
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ben/.ssh/yorkkey
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to york.domain.net ([123.456.78.9]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Linux york 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
Welcome to york.domain.net
You have mail.
Last login: Fri Feb 6 14:24:43 2015 from brighton.domain.net
ben@york:~$

/var/log/auth.log
or check syslog config

Feb 6 15:47:18 york sshd[12345]: User bill from brighton.domain.net not allowed because not listed in AllowUsers

Feb 6 15:47:29 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2
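As an added example for the log lines above (not from the talk), the following Python script parses those two sshd message forms plus the "Accepted" success line from a constructed auth.log excerpt and counts failures per source, which is the first step in spotting a brute-force attempt or a misconfigured AllowUsers list. The sample log, the regexes and the threshold are this example's own.

```python
"""Triage of sshd entries in /var/log/auth.log.

Added example, not from the talk: it parses the two message forms shown in
the slides (an AllowUsers rejection and a failed password) plus the
"Accepted <method>" success line, and counts failures per source so that a
source at or above a threshold can be flagged.  The sample log below is
constructed.  Note that sshd logs the AllowUsers rejection with the client
hostname but password failures with the IP, so one client can appear under
two keys unless names are resolved first.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

MESSAGE_RES = (
    ("allowusers_denied", re.compile(
        r"^User (?P<user>\S+) from (?P<src>\S+) not allowed because not listed in AllowUsers$")),
    ("failed_password", re.compile(
        r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$")),
    ("accepted", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2")),
)


def parse_auth_log(lines):
    """Return a list of event dicts for the sshd lines this script recognises."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an sshd line
        for kind, msg_re in MESSAGE_RES:
            e = msg_re.match(m.group("msg"))
            if e:
                fields = e.groupdict()
                fields["invalid_user"] = bool(fields.pop("invalid", None))
                events.append({"kind": kind, "ts": m.group("ts"),
                               "pid": int(m.group("pid")), **fields})
                break
    return events


def summarise(events, threshold=3):
    """Failures per source and the sources at or above the threshold."""
    failures = Counter(e["src"] for e in events
                       if e["kind"] in ("failed_password", "allowusers_denied"))
    flagged = sorted(src for src, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "flagged": flagged}


# Constructed auth.log excerpt (the first two lines mirror the slides).
SAMPLE_LOG = """\
Feb  6 15:47:18 york sshd[12345]: User bill from brighton.domain.net not allowed because not listed in AllowUsers
Feb  6 15:47:29 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2
Feb  6 15:47:33 york sshd[12345]: Failed password for invalid user bill from 123.45.67.89 port 45678 ssh2
Feb  6 15:48:01 york sshd[12350]: Accepted publickey for ben from 123.45.67.89 port 45690 ssh2: RSA d6:63:83:d3:c1:ba:cc:17:9a:e6:04:cf:1f:c1:30:cf
Feb  6 15:49:10 york sshd[12360]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb  6 15:49:11 york cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    summary = summarise(parse_auth_log(SAMPLE_LOG.splitlines()), threshold=2)
    for src, n in sorted(summary["failures"].items()):
        print("%-25s %d failure(s)%s" % (src, n, "  <-- flagged" if src in summary["flagged"] else ""))
```

The "invalid user" marker on the password failure is what an AllowUsers rejection looks like from the password path: sshd treats a user it will not allow as non-existent, which is why the two slide lines appear together for the same login attempt.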
Questions?

David Proffitt, FLOSS Spring 2015, York