public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ssh configuration guide
From: David Rioja @ 2008-10-09  8:06 UTC
  To: gentoo-user

This is my very first post to the list, so hello you all :)

I've been editing /etc/ssh/sshd_config in order to configure SSH as told 
in the guide at gentoo.org. The options you have to set for a quick 
start configuration are:

Port 22
Protocol 2
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKbdInt no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4


I have encountered two issues in that:

1.- When restarting the sshd service you are told
PAMAuthenticationViaKbdInt is deprecated.

2.- KeepAlive is not commented in the default configuration file, there
is TCPKeepAlive instead. I suppose the options are the same. Could
anyone confirm that?

Thanks!




* Re: [gentoo-user] ssh configuration guide
From: Andrey Falko @ 2008-10-09 16:38 UTC
  To: gentoo-user

On Thu, Oct 9, 2008 at 1:06 AM, David Rioja <rams@englobe-tec.com> wrote:
> This is my very first post to the list, so hello you all :)
>
> I've been editing /etc/ssh/sshd_config in order to configure SSH as told in
> the guide at gentoo.org. The options you have to set for a quick start
> configuration are:
>
> Port 22
> Protocol 2
> ServerKeyBits 2048
> SyslogFacility AUTH
> LogLevel INFO
> LoginGraceTime 60
> PermitRootLogin no
> RSAAuthentication no
> PubkeyAuthentication yes
> PasswordAuthentication no
> PermitEmptyPasswords no
> PAMAuthenticationViaKbdInt no
> Compression yes
> KeepAlive yes
> ClientAliveInterval 30
> ClientAliveCountMax 4
>
>
> I have encountered two issues in that:
>
> 1.- When restarting the sshd service you are told PAMAuthenticationViaKbdInt
> is deprecated.
>
> 2.- KeepAlive is not commented in the default configuration file, there is
> TCPKeepAlive instead. I suppose the options are the same. Could anyone
> confirm that?
>
> Thanks!
>
>

If you want a truly quick start configuration, you should use the
defaults that get installed after you install ssh. Basically, those
defaults will give you a working ssh that is secure and that is more
than likely to work out of the box.

I'm not sure which Gentoo quickstart guide you are following, but it
is an out of date guide. I recommend emerge -1 openssh, then running
etc-update and applying the default configuration. Your goal is to get
a basic working ssh daemon, right?




* Re: [gentoo-user] ssh configuration guide
From: Stroller @ 2008-10-10  6:09 UTC
  To: gentoo-user



On 9 Oct 2008, at 09:06, David Rioja wrote:
> ...
> I've been editing /etc/ssh/sshd_config in order to configure SSH as  
> told in the guide at gentoo.org.

Hi there,

Curiosity caused me to Google the configuration you gave & led me to
<http://www.gentoo.org/proj/en/infrastructure/config-ssh.xml>. This is
not a guide for end-users - this configuration is mandatory ONLY if the
machine you're configuring is to be globally addressable as
hostname.gentoo.org

I might also add that the "ServerKeyBits 2048" line of this
configuration appears to be rendered redundant by the "Protocol 2"
line - unless you're an expert I would just stick with the default
/etc/ssh/sshd_config and only change the parts that you think
appropriate. (I personally deny root logon & enable X11 forwarding on
my machines.)

Stroller.
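
A small audit for the three directives questioned in the messages above, added here as an example and not written by any poster or taken from Gentoo's documentation. The function names and the sample file are constructed, and flagging ServerKeyBits only when Protocol is set and excludes 1 is this example's reading of the "Protocol 2" remark.

```shell
# Added example, not from the thread. Function names are hypothetical.
# audit_sshd_config FILE: print one finding per line, return 1 if any.
audit_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
    {
        key = tolower($1)          # sshd keywords are case-insensitive
        if (key == "protocol") proto = $2
        else if (key == "pamauthenticationviakbdint")
            note[NR] = $1 ": deprecated, sshd warns about it on restart"
        else if (key == "keepalive")
            note[NR] = $1 ": old name, the default config has TCPKeepAlive"
        else if (key == "serverkeybits") skb[NR] = $1
    }
    END {
        # Assumption: ServerKeyBits is flagged only when Protocol is set
        # and its list does not include 1.
        if (proto != "" && proto !~ /(^|,)1(,|$)/)
            for (n in skb)
                note[n] = skb[n] ": redundant with Protocol " proto
        for (n = 1; n <= NR; n++)
            if (n in note) { print "line " n ": " note[n]; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: an excerpt of the option list posted in the thread.
write_thread_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
ServerKeyBits 2048
PermitRootLogin no
PubkeyAuthentication yes
PAMAuthenticationViaKbdInt no
KeepAlive yes
ClientAliveInterval 30
EOF
}

cfg=$(mktemp)
write_thread_config "$cfg"
audit_sshd_config "$cfg" || echo "legacy directives present"
rm -f "$cfg"
```

On a real host, `sshd -t` remains the authoritative check of what the installed version accepts.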


* Re: [gentoo-user] ssh configuration guide
From: David Rioja @ 2008-10-10  7:35 UTC
  To: gentoo-user

Andrey Falko wrote:
> On Thu, Oct 9, 2008 at 1:06 AM, David Rioja <rams@englobe-tec.com> wrote:
>   
>> This is my very first post to the list, so hello you all :)
>>
>> I've been editing /etc/ssh/sshd_config in order to configure SSH as told in
>> the guide at gentoo.org. The options you have to set for a quick start
>> configuration are:
>>
>> Port 22
>> Protocol 2
>> ServerKeyBits 2048
>> SyslogFacility AUTH
>> LogLevel INFO
>> LoginGraceTime 60
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> PasswordAuthentication no
>> PermitEmptyPasswords no
>> PAMAuthenticationViaKbdInt no
>> Compression yes
>> KeepAlive yes
>> ClientAliveInterval 30
>> ClientAliveCountMax 4
>>
>>
>> I have encountered two issues in that:
>>
>> 1.- When restarting the sshd service you are told PAMAuthenticationViaKbdInt
>> is deprecated.
>>
>> 2.- KeepAlive is not commented in the default configuration file, there is
>> TCPKeepAlive instead. I suppose the options are the same. Could anyone
>> confirm that?
>>
>> Thanks!
>>
>>
>>     
>
> If you want a truly quick start configuration, you should use the
> defaults that get installed after you install ssh. Basically, those
> defaults will give you a working ssh that is secure and that is more
> than likely to work out of the box.
>
> I'm not sure which Gentoo quickstart guide you are following, but it
> is an out of date guide. I recommend emerge -1 openssh, then running
> etc-update and applying the default configuration. Your goal is to get
> a basic working ssh daemon, right?
>
>
>
>   
Yes, I only wanted to make it work over the LAN. Default options seemed not
to work when I tried, perhaps I forgot to start the service... who
knows? :-/

By the way, besides disabling ssh access for root, is it not a good idea
to enable KeepAlive? So there won't be great problems if anyone goes away
leaving his session active. Am I mistaken?




* Re: [gentoo-user] ssh configuration guide
From: Eric Martin @ 2008-10-11  0:08 UTC
  To: gentoo-user

Ssh disconnects of its own accord even with keepalive. I disable all
methods of authentication except for public keys. You'll have to
create a pub/private pair and copy the public key to
$HOME/.ssh/authorized_keys. I'm on my BlackBerry so I can't type out
full directions but Gentoo has docs.
