HOWTO setup a small server

OpenSSH (Secure Shell)

Client Installation

You can install only the OpenSSH client under Debian using:

# apt-get install openssh-client

Typically, though, you will (also) want to intall the server:

Server Installation

Similarly, you can install the OpenSSH server:

# apt-get install openssh-server

Basic Configuration

In the following I want to give some notes on the server's configuration. To restrict OpenSSH to listen to only IPv4 packets, add/change the following option:

Excerpt: /etc/ssh/sshd_config


For security reasons it is also a good idea to disable root logins with simple password authentication:

Excerpt: /etc/ssh/sshd_config

PermitRootLogin without-password

Public Key Authentication

Public key authentication requires the following keyword to be set on the server(s). This is usually the case for standard SSH server configurations.

Excerpt: /etc/ssh/sshd_config

PubkeyAuthentication yes

On the client you will have to generate a key pair for your user. It can be either a DSA or RSA key pair (or both):

$ ssh-keygen -t dsa
$ ssh-keygen -t rsa -b 4096

If you not change the default file names of the keys, they will be located in the .ssh directory in the home directory. The files id_dsa and id_rsa, respectively, contain the private keys and must be readable only to the user. The files and, respectively, contain the public keys, e.g.:

File: /home/testuser/.ssh/

ssh-dss AAAAB3Nz..nIwO4v0= testuser@example

To be able to login with that key on the server, you will have to append the content of your public key file to .ssh/authorized_keys in your home directory on the server (as one line, make sure your editor does not wrap long lines!).

If you protect the private key(s) with a password and do not want to enter it before each login to a server, you can add the key to an SSH agent when required for the first time. Under Debian Lenny an SSH agent is running by default when logged in under (some) graphical desktops. If none is running, start one with:

$ eval `ssh-agent`

Then you can add your key to the agent:

$ ssh-add

Note: The agent is running in the background. The environment variables SSH_AUTH_SOCK and SSH_AGENT_PID are set when starting the agent as shown above. They must be available under all shells where you want make use of the agent when running ssh.

Host Authentication

To make sure that a user is not attacked by a man-in-the-middle attack, he is asked to check the fingerprint of the host key of the server when logging in the first time. As users typically do not check the fingerprints and just type in yes, it may also be a good idea to distribute the host public keys from the server to the clients. This is done in a similar manner as for public keys of the user in the previous section.

The host public keys are stored in /etc/ssh/ and /etc/ssh/ on the server. Each one contains a line begining with the type (ssh-dss or ssh-rsa), followed by the key (long ASCII string) and followed by the user who created the key (root@example or something else), e.g., for the DSA key:

File: /etc/ssh/

ssh-dss AAAAB3Nz..nIwO4v0= root@example

To make the host known to the client, append its public key to /etc/ssh/ssh_known_hosts on the clients. The lines in that file have the following format consisting of a comma-separated list of hostname and IP of the server, the key type and the public key (again only one line!):

Excerpt: /etc/ssh/ssh_known_hosts

example, ssh-dss AAAAB3Nz..nIwO4v0=

Kerberos Authentication

Prerequisite: Heimdal If you want to permit users to authenticate with their Kerberos password or Kerberos tickets, you will on the one hand have to set these server configuration variables

Excerpt: /etc/ssh/sshd_config

# Authentication with Kerberos password
KerberosAuthentication yes
KerberosOrLocalPasswd yes

# Authentication with Kerberos ticket
GSSAPIAuthentication yes

and, on the other hand have to create a host principal and a keytab readable by the OpenSSH server. With Heimdal Kerberos this is done like this:

# kadmin -l
> add --random-key host/
> ext_keytab -k /etc/krb5.keytab host/
> q

Finally, do not forget to restart the OpenSSH server:

# /etc/init.d/ssh restart

Networking Requirements

Prerequisite: Shorewall If you use Shorewall (or another packet filter), you will have to permit remote access to the SSH server. For Shorewall:

Excerpt: /etc/shorewall/rules

ACCEPT		net		$FW		tcp	22

and restart the packet filter:

# shorewall restart

Back to index.