Configuring OpenSSH

Configuring SSH

The SSH server (sshd) is configured via the /etc/ssh/sshd_config file. The file as installed by the OpenSSH package looks something like the following:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

This default setup is good to go for most users.
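The defaults above are what sshd will actually run with only once you read them the way sshd does: comment lines are ignored (so a commented-out directive such as #PasswordAuthentication yes means the built-in default applies, which for that directive is yes), keywords are case-insensitive, and when a keyword appears more than once the first value wins. The script below is an added example, not part of the page or of the OpenSSH project; it assumes a plain "keyword value" layout with no Match blocks, the built-in defaults it passes are assumptions (OpenSSH 7.0 or later), and the sample config it audits is constructed from a trimmed copy of the defaults shown above.

```shell
#!/bin/sh
# Added example: resolve the effective value of sshd_config directives the way
# sshd does (skip comments/blank lines, case-insensitive keyword, first value
# wins) and flag the settings in the default file that matter on an
# internet-facing host. Assumption: no Match blocks (those are not handled here).

# Constructed sample, trimmed from the default sshd_config shown above.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
UsePAM yes
# A second occurrence is ignored by sshd: the FIRST value above stays in force.
PermitRootLogin no
EOF

# sshd_effective FILE KEYWORD [DEFAULT]
# Prints the first uncommented value for KEYWORD; when the directive is absent
# (or commented out) prints DEFAULT, i.e. sshd's built-in default.
sshd_effective() {
    file=$1; key=$2; default=${3:-}
    value=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            print; exit                                          # first match wins
        }' "$file")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# audit_sshd_config FILE: one "FINDING:" line per setting worth reviewing.
# Built-in defaults passed as third arguments are assumptions for OpenSSH >= 7.0.
audit_sshd_config() {
    file=$1
    if [ "$(sshd_effective "$file" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes lets root log in directly over SSH"
    fi
    if [ "$(sshd_effective "$file" PasswordAuthentication yes)" = "yes" ]; then
        echo "FINDING: password authentication is enabled (explicitly or by default)"
    fi
    case "$(sshd_effective "$file" Protocol 2)" in
        *1*) echo "FINDING: SSH protocol version 1 is enabled" ;;
    esac
    if [ "$(sshd_effective "$file" PermitEmptyPasswords no)" = "yes" ]; then
        echo "FINDING: empty passwords are permitted"
    fi
}

# Usage: audit the constructed sample (two findings: root login and passwords).
audit_sshd_config "$SAMPLE_CONFIG"
```

Run it against /etc/ssh/sshd_config instead of the sample to see what the installed file resolves to; the two findings on the sample come from PermitRootLogin yes and from PasswordAuthentication being left at its default.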

By default, OpenSSH is configured to listen on the standard SSH port, 22. If you want to make it harder for people or scripts to guess which port to connect to, you can change this (by altering the Port line shown above) to a different port that is not already in use. Moving the port mainly cuts down on automated scanning noise; it does not replace the authentication settings above.

You can find out which ports are already assigned to well-known services by looking (or using grep) through the /etc/services file (note that this lists registered assignments, not what is currently bound on your host):

$ grep "22/tcp" /etc/services
ssh		22/tcp				# SSH Remote Login Protocol
xmpp-client	5222/tcp	        jabber-client	              # Jabber Client Connection
bpjava-msvc	13722/tcp			# BP Java MSVC Protocol
$
$ grep "501/tcp" /etc/services
$

If you do change the SSH port, you'll need to remember to specify the new port (using the -p option) when you try to connect to your server. For example, if you configure your SSH daemon to listen on port 501, any client connecting would need to use the following syntax:

$ ssh localhost -p 501

If you have problems connecting after changing the port, check that the port used by SSH is not blocked by your firewall rules.
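The port-change procedure above, as an added example that is not part of the original page or of OpenSSH: check the candidate port against the services file, check that nothing on the host is already bound to it, rewrite the active Port directive, and let sshd itself validate the result. Note the grep: a bare "22/tcp" also matches 5222/tcp and 13722/tcp (exactly as in the output above), so the match is anchored on a field boundary. The services excerpt and the minimal sshd_config are constructed; ss, netstat and sshd are only used when they are installed, and sshd -t needs to be able to read the host keys, so it is normally run as root on the real file.

```shell
#!/bin/sh
# Added example: the "change the SSH port" procedure with the checks a
# practitioner wants before restarting sshd. Assumes a "keyword value" style
# config; the live checks (ss/netstat, sshd -t) are skipped when unavailable.

# Constructed excerpt of /etc/services (the lines the grep above matched).
SERVICES_SAMPLE="$(mktemp)"
cat > "$SERVICES_SAMPLE" <<'EOF'
ssh             22/tcp                          # SSH Remote Login Protocol
xmpp-client     5222/tcp        jabber-client   # Jabber Client Connection
bpjava-msvc     13722/tcp                       # BP Java MSVC Protocol
EOF

# Constructed minimal sshd_config carrying the default Port line.
SSHD_SAMPLE="$(mktemp)"
cat > "$SSHD_SAMPLE" <<'EOF'
# Package generated configuration file
Port 22
#ListenAddress 0.0.0.0
Protocol 2
EOF

# port_registered PORT FILE: succeeds and prints the entry if PORT/tcp is
# assigned in FILE. Anchored so that 22 does not match 5222 or 13722.
port_registered() {
    port=$1; file=$2
    grep -E "(^|[[:space:]])${port}/tcp([[:space:]]|$)" "$file"
}

# port_listening PORT: succeeds if a listener is currently bound to PORT.
# Returns 2 (treated as "unknown") when neither ss nor netstat is installed.
port_listening() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -tln 2>/dev/null | grep -Eq "[:.]${port}[[:space:]]"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tln 2>/dev/null | grep -Eq "[:.]${port}[[:space:]]"
    else
        return 2
    fi
}

# set_sshd_port CONFIG PORT: rewrite the active Port directive (commented
# example lines are left alone), add one if none exists, then verify that
# exactly one active Port line remains. Edits via a temp file for portability.
set_sshd_port() {
    cfg=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    pattern='^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]'
    sed "s/${pattern}.*/Port ${port}/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    if [ "$(grep -Ec "$pattern" "$cfg")" -eq 0 ]; then
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    [ "$(grep -Ec "$pattern" "$cfg")" -eq 1 ]
}

# validate_sshd_config CONFIG: sshd parses the file in test mode (-t) without
# listening; skipped when sshd is not installed here.
validate_sshd_config() {
    cfg=$1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg"
    else
        echo "sshd not found; skipping syntax check" >&2
    fi
}

# change_port CONFIG SERVICES PORT: the whole procedure. Refuses ports that are
# registered in SERVICES or already bound on this host.
change_port() {
    cfg=$1; services=$2; port=$3
    if port_registered "$port" "$services" >/dev/null; then
        echo "port $port is assigned in $services; pick another" >&2; return 1
    fi
    if port_listening "$port"; then
        echo "port $port is already bound on this host; pick another" >&2; return 1
    fi
    set_sshd_port "$cfg" "$port" || return 1
    echo "Port set to $port; after restarting sshd connect with: ssh -p $port <host>"
}

# Usage on the constructed files: 501 is free, 22 is refused.
change_port "$SSHD_SAMPLE" "$SERVICES_SAMPLE" 501
```

On a real host run change_port against a copy of /etc/ssh/sshd_config, then validate_sshd_config on that copy before moving it into place and restarting sshd; if the new port is refused by the firewall you will see the connection fail even though sshd -t passed, which is the check the paragraph above describes.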
