
Re: need an efficient and secure sshd_config



2009/7/14 J. Bakshi <bakshi12@xxxxxxxxx>:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@xxxxxxxxx> wrote:
>
>> 2009/7/12 J. Bakshi <bakshi12@xxxxxxxxx>:
>> > Dear list,
>> >
>> > I am running openssh-server __1:5.1p1-5+b1 on a remote debian box.
>> > There are a no. of online docs on sshd configuration. I am afraid to
>> > say that even after reading a no. of such tutorials I am still confused. I
>> > am looking for a sshd_config file which is both strict about
>> > security as well as efficient to control its client. Like it should
>> > force the client to have compression, it should survive with poor
>> > internet, and other good features which can make it a good ssh
>> > server.
>> >
>> > Could anyone please suggest such an sshd_config?
>> >
>> > Here is mine
>> >
>> > ```````````````
>> > Port 47015
>> > Protocol 2
>> > PermitRootLogin no
>> > PasswordAuthentication no
>> > UsePAM yes
>> > X11Forwarding no
>> > ``````````
>> >
>> > thanks
>> >
>>
>> Hi,
>>
>> maybe you can read this discussion
>>
>> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
>>
>> and for sure take a look at the official documentation
>>
>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>
>> Bye
>>
>
> Thanks for your response, but I have not yet found what I'm looking for. I need the configuration which actually suppresses the hostname and the domain/IP on the client side. The client will only be prompted for a password. The second thing: the sshd should allow the client to stay connected even for half an hour without executing any command. Is there any such configuration in openssh?
>
> Thanks
>

Hi,

if you read this
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

you will find some options like

 Banner  The contents of the specified file are sent to the remote user
             before authentication is allowed.  If the argument is ``none''
             then no banner is displayed.  This option is only available for
             protocol version 2.  By default, no banner is displayed.

TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  However,
             this means that connections will die if the route is down tem-
             porarily, and some people find it annoying.  On the other hand,
             if TCP keepalives are not sent, sessions may hang indefinitely on
             the server, leaving ``ghost'' users and consuming server re-
             sources.

             The default is ``yes'' (to send TCP keepalive messages), and the
             server will notice if the network goes down or the client host
             crashes.  This avoids infinitely hanging sessions.

             To disable TCP keepalive messages, the value should be set to
             ``no''.


and for client (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5)

 ServerAliveCountMax
             Sets the number of server alive messages (see below) which may be
             sent without ssh(1) receiving any messages back from the server.
             If this threshold is reached while server alive messages are be-
             ing sent, ssh will disconnect from the server, terminating the
             session.  It is important to note that the use of server alive
             messages is very different from TCPKeepAlive (below).  The server
             alive messages are sent through the encrypted channel and there-
             fore will not be spoofable.  The TCP keepalive option enabled by
             TCPKeepAlive is spoofable.  The server alive mechanism is valu-
             able when the client or server depend on knowing when a connec-
             tion has become inactive.

             The default value is 3.  If, for example, ServerAliveInterval
             (see below) is set to 15 and ServerAliveCountMax is left at the
             default, if the server becomes unresponsive, ssh will disconnect
             after approximately 45 seconds.  This option applies to protocol
             version 2 only.

 ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the server, ssh(1) will send a message through
             the encrypted channel to request a response from the server.  The
             default is 0, indicating that these messages will not be sent to
             the server.  This option applies to protocol version 2 only.

TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  However,
             this means that connections will die if the route is down tem-
             porarily, and some people find it annoying.

             The default is ``yes'' (to send TCP keepalive messages), and the
             client will notice if the network goes down or the remote host
             dies.  This is important in scripts, and many users want it too.

             To disable TCP keepalive messages, the value should be set to
             ``no''.


Bye
-- 
Matteo Filippetto
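
An added example, not part of the original message and not OpenSSH code: a small Python check that reads the global section of an sshd_config or ssh_config and works out how long an unresponsive peer survives, reproducing the 15 x 3 = 45 seconds from the ServerAliveCountMax excerpt above. The client sample is constructed, and the server-side ClientAliveInterval/ClientAliveCountMax options (real sshd_config keywords that are not quoted in the thread) are assumed to use the same defaults of 0 and 3.

```python
import re

# Options as posted in the thread; no keepalive-related keyword is set.
POSTED_SSHD = """\
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
"""
# Constructed client config (assumption); "Host example" is a hypothetical block.
CLIENT = """\
ServerAliveInterval 15
serveraliveinterval 300
TCPKeepAlive=no
Host example
    ServerAliveCountMax 10
"""

def parse_global(text):
    """Map lowercased keyword -> value for the global section; first value wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key in ("host", "match"):        # per-host/conditional blocks start here
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def dead_peer_timeout(opts, side):
    """Seconds before in-channel alive messages drop a silent peer, or None if off."""
    prefix = "serveralive" if side == "client" else "clientalive"
    interval = int(opts.get(prefix + "interval", 0))   # default 0: not sent
    count = int(opts.get(prefix + "countmax", 3))      # default 3
    return interval * count if interval > 0 else None

def liveness_findings(opts, side):
    """Flag configs whose only (or no) liveness check is the TCP keepalive."""
    tcp = opts.get("tcpkeepalive", "yes").lower() == "yes"   # default is yes
    if dead_peer_timeout(opts, side) is not None:
        return []
    if tcp:
        return ["only TCP keepalives: spoofable, unlike in-channel alive messages"]
    return ["no liveness check: dead sessions can hang indefinitely"]
```
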

