Assistance on securing an OpenSSH server
From: Brad Chapman (kakadu_croc_at_yahoo.com)
Date: 08/23/03
- Previous message: Armin M. Safarians: "ssh-add and passphrase"
- Next in thread: Rajeev Kumar: "Re: Assistance on securing an OpenSSH server"
- Reply: Rajeev Kumar: "Re: Assistance on securing an OpenSSH server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 23 Aug 2003 13:06:48 -0700 (PDT)
To: secureshell@securityfocus.com
I have OpenSSH 3.5p1-1 and OpenSSL 0.9.6b-31 installed on a gateway
machine on my LAN that connects it to the Internet via DSL. My firewall
is set up to block pings, ICMP redirects, some TCP port scans, and all
ports except 22, since I would like to be able to ssh into the box
remotely to do maintenance.
Attached to this message are my configuration files for ssh and sshd on this
machine. I am using 1024bit SSH2 RSA PKI (and am also trying to set up
account password auth.) with the Blowfish cipher preferred for encryption. Is
there anything else I need to do (upgrades, reconfigs, etc) to make this as
secure as possible?
TIA
Brad
ssh_config:
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Host *
ForwardX11 yes
ForwardAgent yes
CheckHostIP yes
Protocol 2,1
Cipher blowfish
Ciphers blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,cast128-cbc,arcfour,3des-cbc
PasswordAuthentication yes
HostbasedAuthentication no
sshd_config:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
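Added example, not part of Brad's message and not OpenSSH code: a small audit script that reads an OpenSSH 3.x sshd_config the way sshd does (keywords are case-insensitive, `Keyword value` and `Keyword=value` are both accepted, and the first occurrence of a keyword wins, so a commented line leaves the compiled-in default in force) and then reports the settings an Internet-facing gateway would want to revisit. The defaults table is taken from the commented-out lines of the posted sshd_config; the 120-second LoginGraceTime threshold and the set of checks are the editor's choices, not anything the list or OpenSSH prescribes. The sample input is an excerpt of the sshd_config posted above.

```python
import re

# OpenSSH 3.5 defaults, as documented by the commented-out lines of the posted
# sshd_config (an uncommented line overrides the default).
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "logingracetime": "600",
    "useprivilegeseparation": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are alphanumeric and case-insensitive.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Map lowercase keyword -> value. Like sshd, the FIRST occurrence of a keyword
    wins, so a hardening line appended at the end of the file has no effect if the
    same keyword is already set above it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m or not m.group(2):
            continue  # sshd rejects a keyword with no argument; skip it here
        settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def effective(settings, keyword):
    """Value sshd will actually use: the file's first value, else the 3.5 default."""
    return settings.get(keyword, DEFAULTS.get(keyword))


def _seconds(value):
    """LoginGraceTime as seconds; accepts a bare number or an s/m/h suffix."""
    unit = {"s": 1, "m": 60, "h": 3600}
    if value[-1].lower() in unit:
        return int(value[:-1]) * unit[value[-1].lower()]
    return int(value)


def audit(settings):
    """Return (keyword, effective value, finding) triples for an Internet-facing sshd.
    Thresholds and the list of checks are the editor's assumptions."""
    findings = []
    protocol = effective(settings, "protocol")
    if "1" in {p.strip() for p in protocol.split(",")}:
        findings.append(("Protocol", protocol,
                         "SSH protocol 1 is still offered; set 'Protocol 2'"))
    if effective(settings, "permitrootlogin") != "no":
        findings.append(("PermitRootLogin", effective(settings, "permitrootlogin"),
                         "log in as an unprivileged user and su/sudo instead"))
    if (effective(settings, "passwordauthentication") == "yes"
            and effective(settings, "pubkeyauthentication") == "yes"):
        findings.append(("PasswordAuthentication", "yes",
                         "public-key auth already works; passwords expose port 22 to guessing"))
    if effective(settings, "permitemptypasswords") != "no":
        findings.append(("PermitEmptyPasswords", effective(settings, "permitemptypasswords"),
                         "must be 'no' on any reachable host"))
    if effective(settings, "x11forwarding") == "yes":
        findings.append(("X11Forwarding", "yes",
                         "enable only if X clients really run over this link"))
    grace = effective(settings, "logingracetime")
    if _seconds(grace) > 120:  # 120 s threshold is an assumption
        findings.append(("LoginGraceTime", grace,
                         "unauthenticated connections stay open this long; 30-120 s is typical"))
    if effective(settings, "useprivilegeseparation") != "yes":
        findings.append(("UsePrivilegeSeparation", effective(settings, "useprivilegeseparation"),
                         "keep privilege separation on"))
    return findings


# Excerpt of the sshd_config posted in the message above (commented lines are defaults).
POSTED_SSHD_CONFIG = """\
#Protocol 2,1
SyslogFacility AUTHPRIV
#LoginGraceTime 600
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
KeepAlive yes
#UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for keyword, value, finding in audit(parse_sshd_config(POSTED_SSHD_CONFIG)):
        print(f"{keyword:<24} {value:<8} {finding}")
```

Run against the posted excerpt it reports four items: the commented `#Protocol 2,1` still leaves protocol 1 enabled, password authentication is on alongside working public keys, X11Forwarding is on, and the default 600-second LoginGraceTime is in force. The first-occurrence rule is the one worth remembering when editing the file: put hardening lines above, not below, any existing setting of the same keyword.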