10. A Recommended Setup
by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
- SSH, the Secure Shell, 2nd Edition
- Preface
- 1. Introduction to SSH
- Overview of SSH Features
- History of SSH
- Related Technologies
- Summary
- 2. Basic Client Use
- Authentication by Cryptographic Key
- The SSH Agent
- Connecting Without a Password or Passphrase
- Miscellaneous Clients
- Summary
- 3. Inside SSH
- Overview of Features
- A Cryptography Primer
- Inside SSH-2
- Inside SSH-1
- Implementation Issues
- SSH and File Transfers (scp and sftp)
- Algorithms Used by SSH
- Threats SSH Can Counter
- Threats SSH Doesn’t Prevent
- Threats Caused by SSH
- Summary
- 4. Installation and Compile-Time Configuration
- 5. Serverwide Configuration
- Running the Server
- Server Configuration: An Overview
- Getting Ready: Initial Setup
- 5.3.1 File Locations
- 5.3.2 File Permissions
- 5.3.3 TCP/IP Settings
- 5.3.3.1 Port number and network interface
- 5.3.3.2 Invocation by inetd or xinetd
- 5.3.3.3 Restarting the SSH server for each connection
- 5.3.3.4 Keepalive messages
- 5.3.3.5 Idle connections
- 5.3.3.6 Failed logins
- 5.3.3.7 Limiting simultaneous connections
- 5.3.3.8 Reverse IP mappings
- 5.3.3.9 Controlling the Nagle Algorithm
- 5.3.3.10 Discovering other servers
- 5.3.4 Key Regeneration
- 5.3.5 Encryption Algorithms
- 5.3.6 Integrity-Checking (MAC) Algorithms
- 5.3.7 SSH Protocol Settings
- 5.3.8 Compression
- Authentication: Verifying Identities
- 5.4.1 Authentication Syntax
- 5.4.2 Password Authentication
- 5.4.3 Public-Key Authentication
- 5.4.4 Hostbased Authentication
- 5.4.5 Keyboard-Interactive Authentication
- 5.4.6 PGP Authentication
- 5.4.7 Kerberos Authentication
- 5.4.8 PAM Authentication
- 5.4.9 Privilege Separation
- 5.4.10 Selecting a Login Program
- Access Control: Letting People In
- User Logins and Accounts
- Forwarding
- Subsystems
- Logging and Debugging
- Compatibility Between SSH-1 and SSH-2 Servers
- Summary
- 6. Key Management and Agents
- What Is an Identity?
- Creating an Identity
- SSH Agents
- Multiple Identities
- PGP Authentication in Tectia
- Tectia External Keys
- Summary
- 7. Advanced Client Use
- How to Configure Clients
- Precedence
- Introduction to Verbose Mode
- Client Configuration in Depth
- 7.4.1 Remote Account Name
- 7.4.2 User Identity
- 7.4.3 Host Keys and Known-Hosts Databases
- 7.4.4 SSH Protocol Settings
- 7.4.5 TCP/IP Settings
- 7.4.6 Making Connections
- 7.4.6.1 Number of connection attempts
- 7.4.6.2 Password prompting in OpenSSH
- 7.4.6.3 Password prompting in Tectia
- 7.4.6.4 Batch mode: suppressing prompts
- 7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
- 7.4.6.6 Backgrounding a remote command
- 7.4.6.7 Backgrounding a remote command, take two
- 7.4.6.8 Escaping
- 7.4.7 Proxies and SOCKS
- 7.4.8 Forwarding
- 7.4.9 Encryption Algorithms
- 7.4.10 Integrity-Checking (MAC) Algorithms
- 7.4.11 Host Key Types
- 7.4.12 Session Rekeying
- 7.4.13 Authentication
- 7.4.14 Data Compression
- 7.4.15 Program Locations
- 7.4.16 Subsystems
- 7.4.17 Logging and Debugging
- 7.4.18 Random Seeds
- Secure Copy with scp
- 7.5.1 Full Syntax of scp
- 7.5.2 Handling of Wildcards
- 7.5.3 Recursive Copy of Directories
- 7.5.4 Preserving Permissions
- 7.5.5 Automatic Removal of Original File
- 7.5.6 Safety Features
- 7.5.7 Batch Mode
- 7.5.8 User Identity
- 7.5.9 SSH Protocol Settings
- 7.5.10 TCP/IP Settings
- 7.5.11 Encryption Algorithms
- 7.5.12 Controlling Bandwidth
- 7.5.13 Data Compression
- 7.5.14 File Conversion
- 7.5.15 Optimizations
- 7.5.16 Statistics Display
- 7.5.17 Locating the ssh Executable
- 7.5.18 Getting Help
- 7.5.19 For Internal Use Only
- 7.5.20 Further Configuration
- Summary
- 8. Per-Account Server Configuration
- Limits of This Technique
- Public-Key-Based Configuration
- Hostbased Access Control
- The User rc File
- Summary
- 9. Port Forwarding and X Forwarding
- Port Forwarding
- 9.2.1 Local Forwarding
- 9.2.2 Trouble with Multiple Connections
- 9.2.3 Comparing Local and Remote Port Forwarding
- 9.2.4 Forwarding Off-Host
- 9.2.5 Bypassing a Firewall
- 9.2.6 Port Forwarding Without a Remote Login
- 9.2.7 The Listening Port Number
- 9.2.8 Choosing the Target Forwarding Address
- 9.2.9 Termination
- 9.2.10 Configuring Port Forwarding in the Server
- 9.2.11 Protocol-Specific Forwarding: FTP
- Dynamic Port Forwarding
- X Forwarding
- Forwarding Security: TCP-Wrappers and libwrap
- Summary
- Port Forwarding
- 10. A Recommended Setup
- 11. Case Studies
- Unattended SSH: Batch or cron Jobs
- FTP and SSH
- 11.2.1 FTP-Specific Tools for SSH
- 11.2.2 Static Port Forwarding and FTP: A Study in Pain
- 11.2.3 The FTP Protocol
- 11.2.4 Forwarding the Control Connection
- 11.2.5 FTP, Firewalls, and Passive Mode
- 11.2.6 FTP and Network Address Translation (NAT)
- 11.2.7 All About Data Connections
- 11.2.8 Forwarding the Data Connection
- Pine, IMAP, and SSH
- Connecting Through a Gateway Host
- Scalable Authentication for SSH
- 11.5.1 Tectia with X.509 Certificates
- 11.5.1.1 What’s a PKI?
- 11.5.1.2 Using certificates with Tectia host keys
- 11.5.1.3 A simple configuration
- 11.5.1.4 Getting a certificate
- 11.5.1.5 Hostkey verification: configuring the server
- 11.5.1.6 Hostkey verification: configuring the Client
- 11.5.1.7 User authentication: configuring the client
- 11.5.1.8 User authentication: configuring the server
- 11.5.2 OpenSSH and Tectia with Kerberos
- 11.5.1 Tectia with X.509 Certificates
- Tectia Extensions to Server Configuration Files
- Tectia Plugins
- 12. Troubleshooting and FAQ
- 13. Overview of Other Implementations
- 14. OpenSSH for Windows
- 15. OpenSSH for Macintosh
- 16. Tectia for Windows
- 17. SecureCRT and SecureFX for Windows
- 18. PuTTY for Windows
- File Transfer
- Key Management
- Advanced Client Use
- Forwarding
- Summary
- A. OpenSSH 4.0 New Features
- B. Tectia Manpage for sshregex
- C. Tectia Module Names for Debugging
- D. SSH-1 Features of OpenSSH and Tectia
- E. SSH Quick Reference
- Index
- About the Authors
- Colophon
- Copyright
We’ve just covered a pile of chapters on SSH configuration: is your head spinning yet? With so many choices, you might be wondering which options you should use. How can system administrators secure their systems most effectively with SSH?
When set up properly, SSH works well and invisibly, but sometimes a good setup takes a few tries. In addition, there are some ways to configure the software that are simply wrong. If you’re not careful, you can introduce security holes into your system.
In this chapter we present a recommended set of options for compilation, server configuration, key management, and client configuration. We assume:
You’re running SSH on a Unix machine.
You want a secure system, sometimes at the expense of flexibility. For instance, rather than tell you to maintain your .rhosts files carefully, we recommend disabling Rhosts authentication altogether.
Of course, no single configuration covers all the possibilities; that is, after all, the point of configuration. This is just a sample setup, more on the secure side, to give you a starting point and cover some of the issues involved.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.