Per-Account Configuration
by Robert G. Byrnes, Richard E. Silverman, Daniel J. Barrett
SSH, The Secure Shell: The Definitive Guide, 2nd Edition
- SSH, the Secure Shell, 2nd Edition
- Preface
- 1. Introduction to SSH
- Overview of SSH Features
- History of SSH
- Related Technologies
- Summary
- 2. Basic Client Use
- Authentication by Cryptographic Key
- The SSH Agent
- Connecting Without a Password or Passphrase
- Miscellaneous Clients
- Summary
- 3. Inside SSH
- Overview of Features
- A Cryptography Primer
- Inside SSH-2
- Inside SSH-1
- Implementation Issues
- SSH and File Transfers (scp and sftp)
- Algorithms Used by SSH
- Threats SSH Can Counter
- Threats SSH Doesn’t Prevent
- Threats Caused by SSH
- Summary
- 4. Installation and Compile-Time Configuration
- 5. Serverwide Configuration
- Running the Server
- Server Configuration: An Overview
- Getting Ready: Initial Setup
- 5.3.1 File Locations
- 5.3.2 File Permissions
- 5.3.3 TCP/IP Settings
- 5.3.3.1 Port number and network interface
- 5.3.3.2 Invocation by inetd or xinetd
- 5.3.3.3 Restarting the SSH server for each connection
- 5.3.3.4 Keepalive messages
- 5.3.3.5 Idle connections
- 5.3.3.6 Failed logins
- 5.3.3.7 Limiting simultaneous connections
- 5.3.3.8 Reverse IP mappings
- 5.3.3.9 Controlling the Nagle Algorithm
- 5.3.3.10 Discovering other servers
- 5.3.4 Key Regeneration
- 5.3.5 Encryption Algorithms
- 5.3.6 Integrity-Checking (MAC) Algorithms
- 5.3.7 SSH Protocol Settings
- 5.3.8 Compression
- Authentication: Verifying Identities
- 5.4.1 Authentication Syntax
- 5.4.2 Password Authentication
- 5.4.3 Public-Key Authentication
- 5.4.4 Hostbased Authentication
- 5.4.5 Keyboard-Interactive Authentication
- 5.4.6 PGP Authentication
- 5.4.7 Kerberos Authentication
- 5.4.8 PAM Authentication
- 5.4.9 Privilege Separation
- 5.4.10 Selecting a Login Program
- Access Control: Letting People In
- User Logins and Accounts
- Forwarding
- Subsystems
- Logging and Debugging
- Compatibility Between SSH-1 and SSH-2 Servers
- Summary
- 6. Key Management and Agents
- What Is an Identity?
- Creating an Identity
- SSH Agents
- Multiple Identities
- PGP Authentication in Tectia
- Tectia External Keys
- Summary
- 7. Advanced Client Use
- How to Configure Clients
- Precedence
- Introduction to Verbose Mode
- Client Configuration in Depth
- 7.4.1 Remote Account Name
- 7.4.2 User Identity
- 7.4.3 Host Keys and Known-Hosts Databases
- 7.4.4 SSH Protocol Settings
- 7.4.5 TCP/IP Settings
- 7.4.6 Making Connections
- 7.4.6.1 Number of connection attempts
- 7.4.6.2 Password prompting in OpenSSH
- 7.4.6.3 Password prompting in Tectia
- 7.4.6.4 Batch mode: suppressing prompts
- 7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
- 7.4.6.6 Backgrounding a remote command
- 7.4.6.7 Backgrounding a remote command, take two
- 7.4.6.8 Escaping
- 7.4.7 Proxies and SOCKS
- 7.4.8 Forwarding
- 7.4.9 Encryption Algorithms
- 7.4.10 Integrity-Checking (MAC) Algorithms
- 7.4.11 Host Key Types
- 7.4.12 Session Rekeying
- 7.4.13 Authentication
- 7.4.14 Data Compression
- 7.4.15 Program Locations
- 7.4.16 Subsystems
- 7.4.17 Logging and Debugging
- 7.4.18 Random Seeds
- Secure Copy with scp
- 7.5.1 Full Syntax of scp
- 7.5.2 Handling of Wildcards
- 7.5.3 Recursive Copy of Directories
- 7.5.4 Preserving Permissions
- 7.5.5 Automatic Removal of Original File
- 7.5.6 Safety Features
- 7.5.7 Batch Mode
- 7.5.8 User Identity
- 7.5.9 SSH Protocol Settings
- 7.5.10 TCP/IP Settings
- 7.5.11 Encryption Algorithms
- 7.5.12 Controlling Bandwidth
- 7.5.13 Data Compression
- 7.5.14 File Conversion
- 7.5.15 Optimizations
- 7.5.16 Statistics Display
- 7.5.17 Locating the ssh Executable
- 7.5.18 Getting Help
- 7.5.19 For Internal Use Only
- 7.5.20 Further Configuration
- Summary
- 8. Per-Account Server Configuration
- Limits of This Technique
- Public-Key-Based Configuration
- Hostbased Access Control
- The User rc File
- Summary
- 9. Port Forwarding and X Forwarding
- Port Forwarding
- 9.2.1 Local Forwarding
- 9.2.2 Trouble with Multiple Connections
- 9.2.3 Comparing Local and Remote Port Forwarding
- 9.2.4 Forwarding Off-Host
- 9.2.5 Bypassing a Firewall
- 9.2.6 Port Forwarding Without a Remote Login
- 9.2.7 The Listening Port Number
- 9.2.8 Choosing the Target Forwarding Address
- 9.2.9 Termination
- 9.2.10 Configuring Port Forwarding in the Server
- 9.2.11 Protocol-Specific Forwarding: FTP
- Dynamic Port Forwarding
- X Forwarding
- Forwarding Security: TCP-Wrappers and libwrap
- Summary
- Port Forwarding
- 10. A Recommended Setup
- 11. Case Studies
- Unattended SSH: Batch or cron Jobs
- FTP and SSH
- 11.2.1 FTP-Specific Tools for SSH
- 11.2.2 Static Port Forwarding and FTP: A Study in Pain
- 11.2.3 The FTP Protocol
- 11.2.4 Forwarding the Control Connection
- 11.2.5 FTP, Firewalls, and Passive Mode
- 11.2.6 FTP and Network Address Translation (NAT)
- 11.2.7 All About Data Connections
- 11.2.8 Forwarding the Data Connection
- Pine, IMAP, and SSH
- Connecting Through a Gateway Host
- Scalable Authentication for SSH
- 11.5.1 Tectia with X.509 Certificates
- 11.5.1.1 What’s a PKI?
- 11.5.1.2 Using certificates with Tectia host keys
- 11.5.1.3 A simple configuration
- 11.5.1.4 Getting a certificate
- 11.5.1.5 Hostkey verification: configuring the server
- 11.5.1.6 Hostkey verification: configuring the Client
- 11.5.1.7 User authentication: configuring the client
- 11.5.1.8 User authentication: configuring the server
- 11.5.2 OpenSSH and Tectia with Kerberos
- 11.5.1 Tectia with X.509 Certificates
- Tectia Extensions to Server Configuration Files
- Tectia Plugins
- 12. Troubleshooting and FAQ
- 13. Overview of Other Implementations
- 14. OpenSSH for Windows
- 15. OpenSSH for Macintosh
- 16. Tectia for Windows
- 17. SecureCRT and SecureFX for Windows
- 18. PuTTY for Windows
- File Transfer
- Key Management
- Advanced Client Use
- Forwarding
- Summary
- A. OpenSSH 4.0 New Features
- B. Tectia Manpage for sshregex
- C. Tectia Module Names for Debugging
- D. SSH-1 Features of OpenSSH and Tectia
- E. SSH Quick Reference
- Index
- About the Authors
- Colophon
- Copyright
Users should be instructed not to create .rhosts files. If hostbased authentication is enabled in the local SSH server, advise users to create .shosts files instead of .rhosts files.
For OpenSSH, each key in ~/.ssh/authorized_keys should be restricted
by appropriate options. First, use the from option to restrict access to particular
keys by particular hosts when appropriate. For example, suppose your
authorized_keys file contains a
public key for your home PC, myhome.isp.net. No
other machine will ever authenticate using this key, so make the
relationship explicit:
from="myhome.isp.net" ...key...Also set idle timeouts for appropriate keys:
from="myhome.isp.net",idle-timeout=5m ...key...Finally, for each key, consider whether port forwarding, agent
forwarding, and tty allocation are ever necessary for incoming
connections. If not, disable these features with no-port-forwarding, no-agent-forwarding, and no-pty, respectively:
from="myhome.isp.net",idle-timeout=5m,no-agent-forwarding ...key...-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.