SSH: Configuration and Troubleshooting in Debian

SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.

Basics of SSH

First install the OpenSSH server and client:

# apt-get update
# apt-get install ssh

/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.
SSH has two authentication protocols:

- SSH protocol version 1:
  - The Potato version only supports this protocol.
  - Available authentication methods:
    - RSAAuthentication: RSA identity key based user authentication
    - RhostsAuthentication: .rhosts based host authentication (insecure, disabled)
    - RhostsRSAAuthentication: .rhosts authentication combined with RSA host key (disabled)
    - ChallengeResponseAuthentication: RSA challenge-response authentication
    - PasswordAuthentication: password based authentication
- SSH protocol version 2:
  - Post-Woody versions use this as the primary protocol.
  - Available authentication methods:
    - PubkeyAuthentication: public key based user authentication
    - HostbasedAuthentication: .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
    - ChallengeResponseAuthentication: challenge-response authentication
    - PasswordAuthentication: password based authentication

Be careful about these differences if you are migrating to Woody or using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz and the ssh, sshd, ssh-agent, and ssh-keygen manual pages for details.
Following are the key configuration files:

/etc/ssh/ssh_config: SSH client defaults. See the ssh manual page. Notable entries are:
- Host: Restricts the following declarations (up to the next Host keyword) to only those hosts that match one of the patterns given after the keyword.
- Protocol: Specifies the SSH protocol versions. The default is "2,1".
- PreferredAuthentications: Specifies the SSH2 client authentication methods, in order of preference. The default is "hostbased,publickey,keyboard-interactive,password".
- PasswordAuthentication: If you want to log in with a password, you have to make sure this is not set to "no".
- ForwardX11: The default is disabled. This can be overridden by the command-line option "-X".

/etc/ssh/sshd_config: SSH server defaults. See the sshd manual page. Notable entries are:
- ListenAddress: Specifies the local addresses sshd should listen on. Multiple options are permitted.
- AllowTcpForwarding: The default is disabled.
- X11Forwarding: The default is disabled.

$HOME/.ssh/authorized_keys: the list of public keys that clients may use to connect to this account on this host. See the ssh-keygen manual page.

$HOME/.ssh/identity: the user's private identity key (protocol 1). See the ssh-add and ssh-agent manual pages.
The following will start an ssh connection from a client:

$ ssh username@hostname.domain.ext
$ ssh -1 username@hostname.domain.ext                              # force SSH version 1
$ ssh -1 -o RSAAuthentication=no -l username test.host             # force password on SSH1
$ ssh -o PreferredAuthentications=password -l username test.host   # force password on SSH2

For the user, ssh functions as a smarter and more secure telnet (it will not bomb with ^]).
SSH clients

There are a few free SSH clients available for non-Unix-like platforms:

- Windows: puTTY (GPL)
- Windows (cygwin): SSH in cygwin (GPL)
- Macintosh Classic: macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]
Troubleshooting SSH

If you have problems, check the permissions of the configuration files and run ssh with the "-v" option.

Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in host_key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host_key entry from $HOME/.ssh/known_hosts on the local machine.
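As an added example (not part of the Debian Reference), here is a small sh/awk helper for that last step: it first lists the known_hosts entry currently trusted for a host, so the old key can be compared out of band with what the sysadmin reports, and only then removes it, keeping a backup. It assumes a plain, unhashed known_hosts file, and the hostname argument must be written exactly as it appears in the file, e.g. "[test.host]:2222" for a non-default port.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: inspect and then drop a
# changed host_key entry from a known_hosts file, as the troubleshooting
# text describes. Pure sh + awk, so it runs without ssh installed; in
# practice "ssh-keygen -R host" makes the same edit. Assumptions: entries
# are not hashed (HashKnownHosts no) and carry no @cert-authority/@revoked
# marker, since those lines cannot be matched by hostname here.

# _kh_filter HOST MODE FILE: MODE "match" prints the entries whose hostname
# field contains HOST; MODE "drop" prints everything else (comments included).
_kh_filter() {
    awk -v host="$1" -v mode="$2" '
        /^[ \t]*(#|$)/ { if (mode == "drop") print; next }
        {
            hit = 0
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) hit = 1
            if ((mode == "match" && hit) || (mode == "drop" && !hit)) print
        }' "$3"
}

# kh_entries HOST FILE: show the key(s) currently trusted for HOST, to be
# compared (out of band) with the key the remote sysadmin says is now in use.
kh_entries() { _kh_filter "$1" match "$2"; }

# kh_forget HOST FILE: remove HOST's entries, keeping FILE.old as a backup.
# Returns 1 and changes nothing when there is no entry for HOST.
kh_forget() {
    removed=$(kh_entries "$1" "$2")
    if [ -z "$removed" ]; then
        echo "no entry for $1 in $2" >&2
        return 1
    fi
    echo "removing from $2 (backup in $2.old):"
    printf '%s\n' "$removed"
    cp "$2" "$2.old" && _kh_filter "$1" drop "$2.old" > "$2"
}

# Demo on a constructed known_hosts (the key blobs are placeholders, not real keys).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample known_hosts
test.host,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-constructed-old-key
[test.host]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed-key-two
other.host ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-constructed-key-three
EOF
kh_forget test.host "$demo"
rm -f "$demo" "$demo.old"
```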