HOWTO setup a small server

OpenSSH (Secure Shell)

Client Installation

You can install only the OpenSSH client under Debian using:

# apt-get install openssh-client

Typically, though, you will (also) want to install the server.

Server Installation

Similarly, you can install the OpenSSH server:

# apt-get install openssh-server

Basic Configuration

In the following I want to give some notes on the server's configuration. To restrict OpenSSH to listening on IPv4 only, add or change the following option:

Excerpt: /etc/ssh/sshd_config

ListenAddress 0.0.0.0

For security reasons it is also a good idea to disable root logins with simple password authentication (root can then still log in, but only with a key or another non-password method):

Excerpt: /etc/ssh/sshd_config

PermitRootLogin without-password
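Both settings above are "add or change" edits, and a second pass over the file should not leave duplicate or conflicting lines behind. The following shell functions are an added example, not part of the original HOWTO: they set an sshd_config keyword idempotently and read the effective value back. The helper names and the sample configuration are assumptions made for this illustration; on a real server the file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: set an sshd_config option
# idempotently. The helper names and the sample config below are assumptions
# made for this illustration.

set_sshd_option() {
    # $1 = config file, $2 = keyword, $3 = value
    # Replaces the first existing "Keyword value" or "#Keyword value" line
    # (keywords are case-insensitive in sshd_config), drops any further
    # duplicates, and appends the line if the keyword is not present at all.
    # Note: a keyword inside a "Match" block would be rewritten as well.
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[# \t]*" tolower(k) "[ \t]" }
        tolower($0) ~ pat { if (!done) print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

get_sshd_option() {
    # $1 = keyword, $2 = config file; prints the first active (uncommented) value
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

demo_sshd_config() {
    # Constructed sample standing in for /etc/ssh/sshd_config
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
#ListenAddress ::
#PermitRootLogin yes
PubkeyAuthentication yes
EOF
    set_sshd_option "$cfg" ListenAddress 0.0.0.0
    set_sshd_option "$cfg" PermitRootLogin without-password
    set_sshd_option "$cfg" PermitRootLogin without-password   # rerun: no duplicate
    echo "--- resulting file ---"
    cat "$cfg"
    echo "--- effective values ---"
    echo "ListenAddress:   $(get_sshd_option ListenAddress "$cfg")"
    echo "PermitRootLogin: $(get_sshd_option PermitRootLogin "$cfg")"
    rm -f "$cfg"
}

demo_sshd_config
```

Run it against a copy of the real file first; sshd uses the first matching keyword, so a stray earlier line (for example inside a Match block) would otherwise win over the value you just set.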

Public Key Authentication

Public key authentication requires the following keyword to be set on the server(s). This is usually the case for standard SSH server configurations.

Excerpt: /etc/ssh/sshd_config

PubkeyAuthentication yes

On the client you will have to generate a key pair for your user. It can be either a DSA or RSA key pair (or both):

$ ssh-keygen -t dsa
$ ssh-keygen -t rsa -b 4096

If you do not change the default file names of the keys, they will be located in the .ssh directory in the home directory. The files id_dsa and id_rsa, respectively, contain the private keys and must be readable only by the user. The files id_dsa.pub and id_rsa.pub, respectively, contain the public keys, e.g.:

File: /home/testuser/.ssh/id_dsa.pub

ssh-dss AAAAB3Nz..nIwO4v0= testuser@example

To be able to login with that key on the server, you will have to append the content of your public key file to .ssh/authorized_keys in your home directory on the server (as one line, make sure your editor does not wrap long lines!).
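Appending the key by hand is where most "my key is ignored" problems come from: a wrapped line, a missing .ssh directory, or file permissions that sshd rejects. The following shell function is an added example, not part of the original HOWTO; it performs the append described above with the checks a careful administrator would do. The helper names, the sample key and the throw-away home directory are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: append a user's public key
# to ~/.ssh/authorized_keys on the server the way sshd expects it. The helper
# names, the sample key and the temporary "home" directory are assumptions
# made for this illustration.

install_authorized_key() {
    # $1 = home directory of the user on the server
    # $2 = file holding the single public key line copied from the client
    home=$1 pubfile=$2
    dir="$home/.ssh" keys="$dir/authorized_keys"

    if [ ! -r "$pubfile" ]; then
        echo "error: cannot read $pubfile" >&2
        return 1
    fi
    # A wrapped key is the classic failure: sshd silently ignores the lines.
    if [ "$(awk 'END { print NR }' "$pubfile")" -ne 1 ]; then
        echo "error: $pubfile must contain exactly one line" >&2
        return 1
    fi
    # The line must start with a key type and a base64 blob
    # (ssh-ed25519 is accepted by newer OpenSSH versions than the one
    # this HOWTO describes).
    if ! grep -Eq '^ssh-(rsa|dss|ed25519) [A-Za-z0-9+/=]+' "$pubfile"; then
        echo "error: $pubfile does not look like an OpenSSH public key" >&2
        return 1
    fi

    # Permissions matter: with the default StrictModes sshd refuses keys from
    # a group- or world-writable directory or file.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$keys" && chmod 600 "$keys"

    key=$(cat "$pubfile")
    if grep -qxF "$key" "$keys"; then
        echo "key already present in $keys"
    else
        printf '%s\n' "$key" >> "$keys"
        echo "key appended to $keys"
    fi
}

demo_authorized_key() {
    # Constructed sample: a throw-away home directory and a fake public key
    home=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexamplekey== testuser@example\n' > "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub"      # rerun: no duplicate
    ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
    cat "$home/.ssh/authorized_keys"
    rm -rf "$home"
}

demo_authorized_key
```

The home directory itself must also not be group- or world-writable for StrictModes to accept the key; the function leaves it alone because changing it is a decision for the administrator.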

If you protect the private key(s) with a password and do not want to enter it before each login to a server, you can add the key to an SSH agent when required for the first time. Under Debian Lenny an SSH agent is running by default when logged in under (some) graphical desktops. If none is running, start one with:

$ eval `ssh-agent`

Then you can add your key to the agent:

$ ssh-add

Note: The agent is running in the background. The environment variables SSH_AUTH_SOCK and SSH_AGENT_PID are set when starting the agent as shown above. They must be available in all shells where you want to make use of the agent when running ssh.

Host Authentication

To make sure that a user is not attacked by a man-in-the-middle attack, he is asked to check the fingerprint of the host key of the server when logging in the first time. As users typically do not check the fingerprints and just type in yes, it may also be a good idea to distribute the host public keys from the server to the clients. This is done in a similar manner as for public keys of the user in the previous section.

The host public keys are stored in /etc/ssh/ssh_host_dsa_key.pub and /etc/ssh/ssh_host_rsa_key.pub on the server. Each one contains a line beginning with the type (ssh-dss or ssh-rsa), followed by the key (long ASCII string) and followed by the user who created the key (root@example or something else), e.g., for the DSA key:

File: /etc/ssh/ssh_host_dsa_key.pub

ssh-dss AAAAB3Nz..nIwO4v0= root@example

To make the host known to the client, append its public key to /etc/ssh/ssh_known_hosts on the clients. The lines in that file have the following format consisting of a comma-separated list of hostname and IP of the server, the key type and the public key (again only one line!):

Excerpt: /etc/ssh/ssh_known_hosts

example,223.1.2.1 ssh-dss AAAAB3Nz..nIwO4v0=
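The conversion from the server's host key file to a ssh_known_hosts line is mechanical (prepend the host list, drop the trailing comment), and once the line is in place the client can detect exactly the situation the section is about: a host that is known but presents a different key. The following shell functions are an added example, not part of the original HOWTO; the helper names and the constructed key files are assumptions made for this illustration. The hostname and IP are the ones used in the excerpt above.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: build a ssh_known_hosts line
# from a server's host key file and check a presented key against the file.
# Helper names and the constructed key files are assumptions for this example.

make_known_hosts_line() {
    # $1 = host public key file from the server (e.g. ssh_host_rsa_key.pub)
    # $2 = hostname, $3 = IP address
    # Prints "hostname,ip keytype key": the "root@example" comment from the
    # host key file carries no meaning in ssh_known_hosts and is dropped.
    awk -v hosts="$2,$3" 'NR == 1 { print hosts " " $1 " " $2 }' "$1"
}

known_hosts_check() {
    # $1 = known_hosts file, $2 = hostname or IP as the client would use it,
    # $3 = host key file presented by the server (type and key in fields 1, 2)
    # Prints "unknown" (host not listed for that key type), "match", or
    # "MISMATCH" (listed with a different key: either the host was re-keyed
    # or someone is sitting between client and server).
    # Caveat: entries hashed by HashKnownHosts cannot be compared this way.
    type=$(awk 'NR == 1 { print $1 }' "$3")
    key=$(awk 'NR == 1 { print $2 }' "$3")
    awk -v h="$2" -v t="$type" -v k="$key" '
        $2 == t {
            n = split($1, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == h) { r = ($3 == k) ? "match" : "MISMATCH"; exit }
        }
        END { if (r == "") r = "unknown"; print r }
    ' "$1"
}

demo_known_hosts() {
    d=$(mktemp -d)
    # constructed host key file standing in for /etc/ssh/ssh_host_rsa_key.pub
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexamplehostkey== root@example\n' > "$d/ssh_host_rsa_key.pub"
    make_known_hosts_line "$d/ssh_host_rsa_key.pub" example 223.1.2.1 >> "$d/ssh_known_hosts"
    echo "--- ssh_known_hosts ---"
    cat "$d/ssh_known_hosts"
    echo "--- checks ---"
    echo "example, real key:        $(known_hosts_check "$d/ssh_known_hosts" example "$d/ssh_host_rsa_key.pub")"
    echo "223.1.2.1, real key:      $(known_hosts_check "$d/ssh_known_hosts" 223.1.2.1 "$d/ssh_host_rsa_key.pub")"
    echo "other.example, real key:  $(known_hosts_check "$d/ssh_known_hosts" other.example "$d/ssh_host_rsa_key.pub")"
    # constructed second key: what a re-keyed or impersonated host would present
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdifferentkey== root@other\n' > "$d/other_key.pub"
    echo "example, different key:   $(known_hosts_check "$d/ssh_known_hosts" example "$d/other_key.pub")"
    rm -rf "$d"
}

demo_known_hosts
```

A "MISMATCH" is what ssh itself reports as a changed host key; the right response is to verify the new key out of band with the server's administrator, not to delete the line and connect anyway.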

Kerberos Authentication

Prerequisite: Heimdal

If you want to permit users to authenticate with their Kerberos password or Kerberos tickets, you will on the one hand have to set these server configuration variables

Excerpt: /etc/ssh/sshd_config

# Authentication with Kerberos password
KerberosAuthentication yes
KerberosOrLocalPasswd yes

# Authentication with Kerberos ticket
GSSAPIAuthentication yes

and, on the other hand have to create a host principal and a keytab readable by the OpenSSH server. With Heimdal Kerberos this is done like this:

# kadmin -l
> add --random-key host/server.example.com
> ext_keytab -k /etc/krb5.keytab host/server.example.com
> q

Finally, do not forget to restart the OpenSSH server:

# /etc/init.d/ssh restart

Networking Requirements

Prerequisite: Shorewall

If you use Shorewall (or another packet filter), you will have to permit remote access to the SSH server. For Shorewall:

Excerpt: /etc/shorewall/rules

# SSH
#
ACCEPT		net		$FW		tcp	22
#

and restart the packet filter:

# shorewall restart
