Setup SSHD

Casual

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
sed -r '/^[[:space:]]*(#|$)/d' /etc/ssh/sshd_config.dist > /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config <<-EOF

AddressFamily inet
#ListenAddress x.x.x.x
Protocol 2
Port XXX
#AllowGroups sshusers
#AllowGroups root
AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
ChallengeResponseAuthentication no
UsePam no
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
vi /etc/ssh/sshd_config
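The block is appended with cat >>, and sshd keeps the first value it reads for each keyword, so any directive that survived the sed pass uncommented in sshd_config.dist silently wins over the appended one. The checker below is an added example, not part of these notes; its helper names and the sample config are made up here, and sshd -T remains the authoritative way to print the effective configuration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). sshd keeps the FIRST value it
# reads for a keyword, so a leftover "PasswordAuthentication yes" earlier in
# the file silently beats the "no" appended with cat >>. Keywords are
# case-insensitive, and directives after a Match block are conditional.

# effective_value FILE KEYWORD: print the value sshd would take globally.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }            # comment or blank line
        tolower($1) == "match" { exit }            # rest is conditional
        tolower($1) == key     { print $2; exit }  # first match wins
    ' "$1"
}

# check_hardening FILE: one line per directive, returns 1 on any mismatch.
check_hardening() {
    file=$1 rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=without-password \
                PermitEmptyPasswords=no X11Forwarding=no UsePAM=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key effective='$got' expected='$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an uncommented line survived in sshd_config.dist,
# followed by the block appended in the Casual section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
UsePam no
EOF
if check_hardening "$sample"; then
    echo "all hardening directives are effective"
else
    echo "fix the file, then confirm with: sshd -T"  # prints the effective config
fi
rm -f "$sample"
```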

deprecated

#RSAAuthentication no
#ChallengeResponseAuthentication no
#UsePrivilegeSeparation yes

debian/ubuntu

For other users to reach the service, create the sshusers group (the commented AllowGroups sshusers line above) and add them to it:

useradd -m -g users -s /bin/bash USERNAME
groupadd sshusers
usermod -aG sshusers USERNAME

and don't forget to add any other users who need SSH access.

Keys

Put your SSH public keys in place so you can connect as a user in the wheel group and possibly as root,

mkdir ~/.ssh/
chmod 700 ~/.ssh/
vi ~/.ssh/authorized_keys

(paste your pub key)

chmod 600 ~/.ssh/authorized_keys

Operations

NetBSD

tail -F /var/log/authlog
vi /etc/rc.conf

sshd=yes

service sshd restart
netstat -an -f inet,inet6

Debian / Ubuntu Server

tail -n0 -F /var/log/*
systemctl status ssh
#systemctl enable ssh
systemctl restart ssh
netstat -lntupe

Fail-Over

Create a failover config with a different port and PID file,

cp -pi sshd_config sshd_config.failover
vi sshd_config.failover

Port ALT_PORT
PidFile /var/run/sshd.failover.pid

Start the daemon,

ls -lhF /var/run/sshd*
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover
ps aux | grep failover
netstat -antupe --inet --inet6 | grep ALT_PORT

and enable it at startup (rc.local still works on CentOS7),

cd /etc/
cp -pi rc.local rc.local.dist
vi rc.local

echo -n starting a failover ssh daemon...
/usr/sbin/sshd -f /etc/ssh/sshd_config.failover && echo done

#no need to make it executable

Miscellaneous

Open ALT_PORT in the host firewall so the failover daemon is reachable (CentOS 7+ firewalld example),

firewall-cmd --zone=public --add-port=ALT_PORT/tcp --permanent
#--permanent only writes the saved rules; reload to apply them to the running firewall
firewall-cmd --reload
