Tips and advice to configure OpenSSH


Key strength

The advice from the French security agency is to use keys of at least 2048 bits. So with ssh-keygen you have to use an RSA key, as DSA keys are limited to 1024 bits.

Here is the way to generate a key with 2048 bits:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
2d:f7:13:c2:8a:eb:6e:bb:98:0d:c3:f3:cd:a0:81:90 user@computer
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
| .       o       |
|E       S = .    |
| . o   . + o .   |
|  . * o .   o    |
|     @.=     .   |
|    ++Ooo        |

Don’t forget to put a passphrase on your key to raise the security level.

To allow your newly created key to be used for passwordless authentication, you need to upload the public part of your key to the remote server with the ssh-copy-id command:

$ ssh-copy-id user@remote

The command will ask for your password one last time; subsequent ssh commands will not need it.
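As an added example (not part of the original post), here is a Python audit that applies the key-strength advice above to the authorized_keys file that ssh-copy-id fills on the server: it parses the OpenSSH public key wire format to read the RSA modulus or DSA prime size and flags any key below 2048 bits or of DSA type. The sample keys are constructed with dummy numbers of the right size and are not real keys.

```python
import base64
import struct
MIN_RSA_BITS = 2048  # the page's minimum; DSA keys are capped at 1024 bits

def _string(data):  # SSH wire string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data
def _mpint(value):  # SSH mpint: big-endian, leading 0x00 when the top bit is set
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))
def _read_string(blob, offset):  # inverse of _string: (bytes, next offset)
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def key_strength(pubkey_line):
    """(key_type, bits) for an authorized_keys line, None if not RSA/DSA; bits of RSA n or DSA p."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):  # the type field precedes the base64 blob
        if field in ("ssh-rsa", "ssh-dss"):
            key_type, blob = field, base64.b64decode(fields[i + 1])
            break
    else:
        return None
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside the blob does not match the text field")
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)  # public exponent e precedes n
    n_or_p, _ = _read_string(blob, offset)       # RSA modulus n / DSA prime p
    return key_type, int.from_bytes(n_or_p, "big").bit_length()

def weak_keys(authorized_keys_text):
    """(line_no, key_type, bits) for every key short of the 2048-bit RSA advice."""
    findings = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        result = key_strength(line)
        if result and (result[0] == "ssh-dss" or result[1] < MIN_RSA_BITS):
            findings.append((no, result[0], result[1]))
    return findings

def make_pubkey_line(key_type, bits, comment):
    """Constructed line whose modulus/prime has `bits` bits (dummy numbers, NOT a usable key)."""
    big = (1 << (bits - 1)) | 1  # top bit set so that bit_length() == bits
    params = _mpint(65537) + _mpint(big) if key_type == "ssh-rsa" else (
        _mpint(big) + _mpint(3) + _mpint(2) + _mpint(5))  # RSA: e, n  /  DSA: p, q, g, y
    return f"{key_type} {base64.b64encode(_string(key_type.encode()) + params).decode()} {comment}"

SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed: one compliant key, two the page warns against
    make_pubkey_line("ssh-rsa", 2048, "alice@laptop"),
    make_pubkey_line("ssh-rsa", 1024, "legacy@old-box"),
    make_pubkey_line("ssh-dss", 1024, "bob@desktop"),
])
```

Running weak_keys over a real ~/.ssh/authorized_keys reports the line numbers of the keys that should be regenerated.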


Having a passphrase on your key can be a pain because ssh will ask for it every time you connect. The solution is to start an ssh-agent from your login shell, like this (for Bourne-type shells):

$ eval `ssh-agent -s`
Agent pid 19583
$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa: 
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

And then, the next ssh commands will not ask for your passphrase anymore.

ssh-agent under X11

Another trick, if you want to put this sequence in your X11 login setup, is to run ssh-add with its input closed, which forces it to ask for the passphrase in a graphical window:

eval `ssh-agent -s`
ssh-add < /dev/null

The file to put these commands in depends on your display manager (gdm, kdm...).

Enhancing authentication

Here are some configuration options to add to your /etc/ssh/sshd_config file to enhance authentication:

  1. Do not authorize empty passwords:
    PermitEmptyPasswords no
  2. Add a timeout to avoid users with "never closed shells" on systems:
    ClientAliveInterval 300
    ClientAliveCountMax 0
    Since OpenSSH 8.2, ClientAliveCountMax 0 disables the disconnection entirely, so use 1 there to keep this behaviour.
  3. Do not allow password authentication:
    PasswordAuthentication no

Two-factor authentication

To raise the security level of the authentication, you can use a two-factor scheme such as a password or public key combined with an OTP (One-Time Password).

On a Debian system, you can do it like this:

# apt-get install libpam-opie opie-server

Then edit /etc/pam.d/ssh to add an entry for pam_opie:

auth required pam_env.so envfile=/etc/default/locale
auth required pam_opie.so

Your /etc/ssh/sshd_config must have the following options enabled:
ChallengeResponseAuthentication yes
PasswordAuthentication no

You then need to initialize the OTP server:

# opiepasswd -c

Enter the passphrase, deploy the OTP client on the client systems (opie-client package), and you will then be asked something like this:

$ ssh login@device
otp-md5 492 ne9401 ext, Response:
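To show why the challenge above resists replay, here is an added Python implementation of the RFC 2289 otp-md5 computation that OPIE uses (example code, not from the post or the opie packages). The seed ne9401 is the one in the page's challenge; the passphrase and the starting sequence number 493 are assumptions.

```python
import hashlib

def _fold_md5(data):
    """One RFC 2289 otp-md5 step: MD5 the input, then fold 16 bytes to 8 by XORing the halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase, seed, sequence):
    """One-time password for the challenge `otp-md5 <sequence> <seed>`, as 16 hex digits
    (opie accepts hex in place of the six-word form): the lowercased seed is prepended
    to the passphrase, then the folded hash is re-applied `sequence` times."""
    value = _fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        value = _fold_md5(value)
    return value.hex()

def server_verify(stored_hex, response_hex):
    """Server side: hashing the response once must give the stored value, i.e. the password
    of the next higher sequence number. The stored value never reveals an earlier one."""
    return _fold_md5(bytes.fromhex(response_hex)).hex() == stored_hex

def walkthrough(passphrase, seed="ne9401"):
    """Simulate `opiepasswd -c` initialising the chain at sequence 493 (an assumed number),
    then the page's challenge `otp-md5 492 ne9401`; returns (accepted, replay_accepted)."""
    stored = otp_md5(passphrase, seed, 493)    # what the server keeps after opiepasswd -c
    response = otp_md5(passphrase, seed, 492)  # what the client computes for the challenge
    accepted = server_verify(stored, response)
    stored = response                          # the server now stores 492 and will ask for 491
    replay_accepted = server_verify(stored, response)  # the same response sent again
    return accepted, replay_accepted
```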

Restricting access

Here are some configuration options to add to your /etc/ssh/sshd_config file to restrict access:

  1. No direct root login if you use sudo or an equivalent command to gain super-user access:
    PermitRootLogin no
    This gives better traceability of who is doing what.
  2. List the users authorized to connect explicitly:
    AllowUsers john
  3. The other way to do it is to list the users that are not authorized to connect and let all the others in:
    DenyUsers bob
  4. Restrict access to one network interface if you have several on your server:
    ListenAddress <ip of the interface>
  5. Change the default port to avoid some port scanners:
    Port 222

If you use a tool like Wallix AdminBastion, which gives you fine-grained control over your ssh/scp/sftp connections and records what is done at the same time, you can allow direct root access only from this designated device with a Match block placed at the end of sshd_config (every option that follows a Match line belongs to that block):
Match Address <ip of your WAB>
PermitRootLogin yes
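The following Python checker, added here and not part of the original post, verifies that a sshd_config contains the authentication and access-restriction settings listed in the two sections above, treating Match blocks the way sshd does (first value wins, everything after Match belongs to the block). The sample configs are constructed, with 192.0.2.10 standing in for the bastion address.

```python
REQUIRED = {"permitemptypasswords": "no", "passwordauthentication": "no",
            "permitrootlogin": "no"}  # the page's global settings; sshd keywords are case-insensitive
def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]). Every directive after a
    `Match` line belongs to that block, and as in sshd the first value seen for a keyword wins."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and '#' lines are comments
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        else:
            (global_cfg if current is None else current).setdefault(keyword, value)
    return global_cfg, blocks

def audit_sshd_config(text):
    """Findings for the hardening options listed on the page; an empty list means compliant."""
    global_cfg, blocks = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        if global_cfg.get(key) != wanted:
            findings.append(f"{key} must be '{wanted}' globally (found {global_cfg.get(key)!r})")
    if int(global_cfg.get("clientaliveinterval", "0")) == 0:
        findings.append("clientaliveinterval unset or 0: idle sessions are never timed out")
    for criteria, settings in blocks:
        # Relaxing a rule is only acceptable in a block pinned to a source address (the bastion case)
        relaxed = [k for k, v in REQUIRED.items() if settings.get(k) not in (None, v)]
        if relaxed and not criteria.startswith("address "):
            findings.append(f"match {criteria} relaxes {relaxed} without an address restriction")
    return findings

# Constructed configs: a permissive one and the page's hardened settings (192.0.2.10 is the bastion)
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PermitEmptyPasswords yes
"""
HARDENED_CONFIG = """\
PermitEmptyPasswords no
PasswordAuthentication no
PermitRootLogin no
ClientAliveInterval 300
ClientAliveCountMax 0
Match Address 192.0.2.10
    PermitRootLogin yes
"""
```

Feeding it the contents of /etc/ssh/sshd_config after editing is a quick sanity check before restarting sshd; a global directive accidentally placed below the Match block shows up as a missing global setting.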

Fighting brute force attacks

You can improve your ability to react to brute-force attacks with tools like fail2ban, which adds temporary firewall rules when someone repeatedly fails to log in. On a Debian system, you just have to install the fail2ban package.

You can also use a port-knocking system to make your ssh server visible only after special network packets have been received. On a Debian system, you can use the knockd package on both the server and the client.

This entry was posted in ssh.