A few configuration tips for OpenSSH

There are a few interesting settings worth checking in this program, even though it may be tempting to skip them because, after all, it just works out of the box. The configuration file is (at least in Ubuntu and Debian) located in /etc/ssh/sshd_config.

Port 22: the default port the daemon listens to. You might want to change it to make it a bit safer: an attacker will first have to find the right port before proceeding.

KeyRegenerationInterval 3600
ServerKeyBits 768
: if I understood well, the key for the communication between your SSH client (probably PuTTY) and the SSH daemon is regularly renewed (every KeyRegenerationInterval seconds). Nonetheless, I see no reason to have a key as ridiculously small as 768 bits. Assuming this uses RSA, anything below 1024 bits should be considered breakable. For my OpenPGP key I use 10240 bits (not 1024, note the extra 0 at the end), but this is a bit slow for live use. 4096 bits (the maximum allowed by GnuPG for key creation) sounds like a sensible value.

LoginGraceTime 120: that should be more than enough, but it’s interesting to know about this one. I wondered for a while why my connection would quickly time out when I start a PuTTY console in the background and forget to enter credentials. Well, this is why 🙂 (if there is no authentication within LoginGraceTime seconds, the session is closed).

PermitRootLogin yes: usually it is advised to disable this, and instead log in as a normal user and then use sudo to do stuff. If your root password is unbreakable (or if your root RSA key is properly guarded), I believe there is no use in such paranoia. But the choice is yours to make for your servers.

PasswordAuthentication yes: you can set it to no to force connecting via RSA keys only. If you use PuTTY, you’ll then need Pageant to handle the keys. There’s a long overdue tutorial about auto-restoring symmetric SSH tunnel that I still have to write which should deal with Pageant and plink. My bad.
Still I believe using a password is safe enough (if said password is good enough), but maybe then it would be worth generating stronger HostKeys (still haven’t figured how to do so).

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
: overall, this enables authentication by RSA keys. %h/.ssh/authorized_keys is the name of a file containing a list of public keys allowed to connect as user %h. Note that although the line is commented out, this is the default value, so if you do have such authorized_keys files, the public keys in them are allowed to connect. You should know it already if you’re messing with such settings, but .ssh, starting with a dot, is a hidden folder.

# For symmetrical tunnel
GatewayPorts clientspecified
: as mentioned in the (already 2 years old :/) tutorial about symmetrical SSH tunnels, this is what allows PuTTY to ask the SSH daemon to forward specific ports back to you through the SSH tunnel.
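To tie the settings above together, here is a small audit script. It is an added example, not code from the original post or from OpenSSH: it reads an sshd_config text, looks up each keyword the post discusses and prints a finding for the weak or noteworthy values. Both configurations embedded in it are constructed samples (the first mirrors the settings quoted above, the second is a key-only, no-root counterpart), and it parses only the "Keyword value" form with no Match-block handling. Two facts from sshd_config(5) that the script relies on: the first uncommented occurrence of a keyword wins, and in AuthorizedKeysFile the token %h expands to the home directory of the user being authenticated (so the default file is ~/.ssh/authorized_keys of whoever is logging in). A caveat on ServerKeyBits and KeyRegenerationInterval: they only ever governed the SSH protocol 1 server key, and current OpenSSH releases have dropped protocol 1, so these keywords are deprecated there.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: audit the
# sshd_config keywords discussed above. Both configs are constructed samples;
# only the "Keyword value" form is parsed (no Match blocks, no Keyword=value).

# Constructed sample mirroring the settings quoted in the post.
SAMPLE_SSHD_CONFIG='Port 22
KeyRegenerationInterval 3600
ServerKeyBits 768
LoginGraceTime 120
PermitRootLogin yes
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# For symmetrical tunnel
GatewayPorts clientspecified'

# Constructed hardened counterpart: key-only logins, no direct root login.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
GatewayPorts no'

# sshd_get CONFIG KEYWORD DEFAULT
# Print the value of the first uncommented occurrence of KEYWORD, or DEFAULT
# when it is absent. Keywords are matched case-insensitively (sshd -T prints
# them in lowercase) and, as in sshd itself, the first occurrence wins.
# Commented-out lines such as "#AuthorizedKeysFile ..." are skipped, which is
# exactly why they fall back to the default the post describes.
sshd_get() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$3"
    fi
}

# sshd_audit CONFIG
# Print one finding per line: WARN for values that weaken authentication,
# INFO for values worth knowing about. Covers the keywords from the post.
sshd_audit() {
    _cfg=$1

    if [ "$(sshd_get "$_cfg" Port 22)" = 22 ]; then
        echo "INFO Port 22: default port; another port only cuts scanner noise, it is not access control"
    fi

    # Protocol 1 server key (ServerKeyBits / KeyRegenerationInterval): short
    # keys were weak, and protocol 1 itself is gone from current OpenSSH.
    _bits=$(sshd_get "$_cfg" ServerKeyBits "")
    if [ -n "$_bits" ] && [ "$_bits" -lt 1024 ]; then
        echo "WARN ServerKeyBits $_bits: below 1024 bits (SSH-1 only keyword, deprecated)"
    fi

    # Only flag an explicit yes; the default has changed across releases.
    if [ "$(sshd_get "$_cfg" PermitRootLogin "")" = yes ]; then
        echo "WARN PermitRootLogin yes: shared account with no per-user audit trail; prefer a user plus sudo"
    fi

    # PasswordAuthentication defaults to yes when the keyword is absent.
    if [ "$(sshd_get "$_cfg" PasswordAuthentication yes)" = yes ]; then
        echo "WARN PasswordAuthentication yes: online password guessing stays possible; keys alone remove it"
    fi

    if [ "$(sshd_get "$_cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "WARN PubkeyAuthentication off: key-based login is disabled"
    fi

    _gw=$(sshd_get "$_cfg" GatewayPorts no)
    if [ "$_gw" != no ]; then
        echo "INFO GatewayPorts $_gw: remote forwards may bind to non-loopback addresses"
    fi
}

echo "== sample config =="
sshd_audit "$SAMPLE_SSHD_CONFIG"
echo "== hardened config =="
sshd_audit "$HARDENED_SSHD_CONFIG"
```

On a real server, feed the script the effective configuration rather than the file, with sshd_audit "$(sshd -T)", since -T resolves defaults and Match blocks. For the stronger host keys mentioned above, ssh-keygen generates them directly, for example ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' followed by a restart of sshd; every client that already knows the old key will then see a host-key-changed warning, so plan for that before swapping keys.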

Well, that’s about it. There are probably more interesting settings to discover, but those are the ones you should really know about.

Posted in Linux, servers.
