How to configure SSH server

From PeerFreedom Wiki

Installation

Install the necessary package:

# apt-get install openssh-server

Configuration

The SSH server configuration is in /etc/ssh/sshd_config.

Here is an example configuration. Understand what each directive does before applying it:

#User whitelist
AllowUsers ssh_example_user
AllowUsers tunnel_user
#AllowUsers some_other_user1
#AllowUsers some_other_user2

#Disable older host key types; only the ed25519 host key is offered
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

#Don't allow root login
PermitRootLogin no

#Don't allow login via password
PasswordAuthentication no
ChallengeResponseAuthentication no

UsePAM yes

#Allow TCP and X11 (graphics) forwarding
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

#Try to keep the connection alive: probe every 5 s, give up after 300 unanswered probes
TCPKeepAlive yes
ClientAliveInterval 5
ClientAliveCountMax 300

PrintMotd no

AcceptEnv LANG LC_*

Subsystem       sftp    /usr/lib/openssh/sftp-server
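
As an added example (not code from the original page), here is a small Python audit that checks an sshd_config for the hardening directives above. It applies sshd's own rules: the first occurrence of a directive wins and later duplicates are ignored, list directives such as AllowUsers and HostKey accumulate, and every line after a Match line is conditional. The sample configuration, the EXPECTED table and the function names are constructed for this example.

```python
"""Audit an sshd_config against the hardening settings on this page. sshd uses
the FIRST occurrence of a directive (later duplicates are ignored), except list
directives (AllowUsers, HostKey, AcceptEnv, ...) which accumulate; lines after
a 'Match' line are conditional. A plain grep misses these rules."""
LIST_DIRECTIVES = {"allowusers", "denyusers", "allowgroups", "denygroups",
                   "hostkey", "acceptenv"}
# Global-section values the example configuration on this page sets (constructed table).
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "challengeresponseauthentication": "no"}
def parse_sshd_config(text):
    """Return (effective global settings, True if a Match block was seen)."""
    settings, seen_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)       # "Keyword argument(s)" form
        key, args = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":                # later lines apply only to matching clients
            seen_match = True
            break
        if key in LIST_DIRECTIVES:
            settings.setdefault(key, []).extend(args.split())
        elif key not in settings:         # first value wins, later lines are ignored
            settings[key] = args
    return settings, seen_match
def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    settings, seen_match = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: effective value '{got}', expected '{want}'")
    if not settings.get("allowusers"):
        findings.append("allowusers: no whitelist, any local account may log in")
    if seen_match:
        findings.append("match: conditional block present, review it separately")
    return findings
# Constructed sample: the page's values, but a stray 'yes' comes first and wins.
SAMPLE_SHADOWED = """AllowUsers ssh_example_user
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no"""
if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE_SHADOWED)) or "all checks passed")
```

Run it against a copy of your real /etc/ssh/sshd_config (open(...).read()) to confirm the values that sshd will actually use.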

Create the file /etc/systemd/system/ssh@.service with the following content (this is the per-connection template that ssh.socket starts for each incoming connection):

[Unit]
Description=OpenBSD Secure Shell server per-connection daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=auditd.service

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
KillMode=process

Enable and start the server:

# systemctl daemon-reload
# systemctl enable --now ssh.socket

Remember to open TCP port 22 in your firewall!

Add client public keys

For the user ssh_example_user, add the client's public key to $HOME/.ssh/authorized_keys:

# example ed25519 pubkey (lines starting with # are ignored by sshd; paste your own key on an uncommented line)
#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEPXWrPPtAosOsv3MuJ1xBUwPbfn6BXY5tI9tvF0Y+NB tx@txdesktop

Creating a user dedicated to SSH tunnels

If you want to allow only SSH tunnels (port forwarding) rather than full shell access, create a new user with /bin/false as its shell. Such a user can still open forwarding-only sessions (for example with ssh -N) but cannot get an interactive shell or run commands:

# useradd -m -s /bin/false tunnel_user
# mkdir -p /home/tunnel_user/.ssh
# chown tunnel_user:tunnel_user /home/tunnel_user/.ssh

Then:

  • add this user to /etc/ssh/sshd_config as a new AllowUsers line
  • add the clients' public keys to a new file /home/tunnel_user/.ssh/authorized_keys
  • change the ownership of that new file: chown tunnel_user:tunnel_user /home/tunnel_user/.ssh/authorized_keys

More resources