SSH Configuration and Troubleshooting in Debian
SSH
SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.
Basics of SSH
First install the OpenSSH server and client.
# apt-get update
# apt-get install ssh
/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.
SSH has two authentication protocols:
- SSH protocol version 1:
  - Potato version only supports this protocol.
  - available authentication methods:
    - RSAAuthentication: RSA identity key based user authentication
    - RhostsAuthentication: .rhosts based host authentication (insecure, disabled)
    - RhostsRSAAuthentication: .rhosts authentication combined with RSA host key (disabled)
    - ChallengeResponseAuthentication: RSA challenge-response authentication
    - PasswordAuthentication: password based authentication
- SSH protocol version 2:
  - post-Woody versions use this as the primary protocol.
  - available authentication methods:
    - PubkeyAuthentication: public key based user authentication
    - HostbasedAuthentication: .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
    - ChallengeResponseAuthentication: challenge-response authentication
    - PasswordAuthentication: password based authentication
Be careful about these differences if you are migrating to Woody or using a non-Debian system. See /usr/share/doc/ssh/README.Debian.gz and the ssh, sshd, ssh-agent, and ssh-keygen manual pages for details.
Following are the key configuration files:
- /etc/ssh/ssh_config: SSH client defaults. See ssh. Notable entries are:
  - Host: Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
  - Protocol: Specifies the SSH protocol versions. The default is "2,1".
  - PreferredAuthentications: Specifies the SSH2 client authentication method. The default is "hostbased,publickey,keyboard-interactive,password".
  - PasswordAuthentication: If you want to log in with a password, you have to make sure this is not set to "no".
  - ForwardX11: The default is disabled. This can be overridden by the command-line option "-X".
- /etc/ssh/sshd_config: SSH server defaults. See sshd. Notable entries are:
  - ListenAddress: Specifies the local addresses sshd should listen on. Multiple options are permitted.
  - AllowTcpForwarding: The default is disabled.
  - X11Forwarding: The default is disabled.
- $HOME/.ssh/authorized_keys: the list of public keys that clients use to connect to this account on this host. See ssh-keygen.
- $HOME/.ssh/identity: See ssh-add and ssh-agent.
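The entries above are plain "Keyword value" lines, with a Host keyword in ssh_config scoping everything that follows it. The following is an added example (not code from the Debian reference or from OpenSSH) that parses that syntax and reports on the options named above: protocol 1 still enabled, password login turned off, forwarding switched on, and multiple ListenAddress lines. Both configuration fragments are constructed for the example and deliberately contain settings the audit will flag; the function names parse_ssh_config and audit are this example's own.

```python
"""Audit an OpenSSH configuration file for the settings discussed above.

Added example, not Debian's or OpenSSH's own code. Assumes the documented
file syntax: one "Keyword value" (or "Keyword = value") per line, keywords
case-insensitive, '#' comments, and in ssh_config a "Host" keyword that
scopes the lines that follow it.
"""
import re
from typing import Dict, List, Tuple

# Constructed sshd_config fragment: deliberately keeps protocol 1 enabled
# and opens X11/TCP forwarding, so the audit has something to report.
SAMPLE_SSHD_CONFIG = """\
# server config (constructed sample)
Protocol 2,1
ListenAddress 192.0.2.10
ListenAddress 192.0.2.11
PasswordAuthentication yes
X11Forwarding yes
AllowTcpForwarding yes
"""

# Constructed ssh_config fragment with a per-host block that weakens the
# global setting for one host only.
SAMPLE_SSH_CONFIG = """\
Protocol 2
PreferredAuthentications publickey,password
Host test.host
    Protocol 2,1
    ForwardX11 yes
"""


def parse_ssh_config(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {host_pattern: [(keyword, value), ...]}.

    Lines before the first "Host" line are filed under "*". Keywords are
    lowercased because ssh/sshd treat them case-insensitively; repeated
    keywords (e.g. ListenAddress) are kept in order rather than collapsed.
    A '#' anywhere starts a comment, so values containing '#' are not handled.
    """
    scoped: Dict[str, List[Tuple[str, str]]] = {"*": []}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = value
            scoped.setdefault(current, [])
            continue
        scoped[current].append((key, value))
    return scoped


def audit(text: str) -> List[str]:
    """Report findings for the options the reference describes, per scope."""
    findings = []
    for scope, entries in parse_ssh_config(text).items():
        where = "global" if scope == "*" else "Host " + scope
        values: Dict[str, List[str]] = {}
        for key, value in entries:
            values.setdefault(key, []).append(value)
        # Protocol "2,1" means the client/server will still fall back to SSH1.
        protos = values.get("protocol", [])
        if any("1" in v.replace(" ", "").split(",") for v in protos):
            findings.append("%s: protocol 1 enabled (%s)" % (where, protos[-1]))
        # The reference notes password login silently fails when this is "no".
        if values.get("passwordauthentication", [""])[-1].lower() == "no":
            findings.append("%s: password login disabled" % where)
        # All three forwarding options default to disabled per the reference.
        for key in ("x11forwarding", "forwardx11", "allowtcpforwarding"):
            if values.get(key, [""])[-1].lower() == "yes":
                findings.append("%s: %s enabled" % (where, key))
        addrs = values.get("listenaddress", [])
        if len(addrs) > 1:
            findings.append("%s: sshd listens on %d addresses" % (where, len(addrs)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sshd_config", SAMPLE_SSHD_CONFIG), ("ssh_config", SAMPLE_SSH_CONFIG)):
        print(name)
        for finding in audit(cfg):
            print("  " + finding)
```

Run it as-is to see the constructed fragments audited, or call audit() on the text of a real /etc/ssh/sshd_config. The per-Host scoping matters: a tightened global Protocol line is undone by a weaker one inside a Host block, which a flat grep for "Protocol" would miss.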
The following will start an ssh connection from a client.
$ ssh username@test.host
$ ssh -1 username@test.host # Force SSH version 1
$ ssh -1 -o RSAAuthentication=no -l username test.host # force password on SSH1
$ ssh -o PreferredAuthentications=password -l username test.host # force password on SSH2
For the user, ssh functions as a smarter and more secure telnet (will not bomb with ^]).
SSH clients
There are a few free SSH clients available for non-Unix-like platforms.
- Windows: puTTY (GPL)
- Windows (cygwin): SSH in cygwin (GPL)
- Macintosh Classic: macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]
Troubleshooting SSH
If you have problems, check the permissions of configuration files and run ssh with the "-v" option.
Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.
If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in the host key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host key entry from $HOME/.ssh/known_hosts on the local machine.
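The step "making sure this is the case" is the one that matters: the entry should only be dropped once the fingerprint of the key the server now offers has been confirmed with the remote sysadmin over a channel other than SSH. The following is an added example (not part of the Debian reference or of OpenSSH) that does the bookkeeping: it locates a host's known_hosts entry by name, including the hashed |1|salt|hash form that later OpenSSH writes when HashKnownHosts is on, computes the SHA256 fingerprint of a key blob the way ssh-keygen -l displays it, and removes the stale entry only when the offered key matches the confirmed fingerprint. The known_hosts contents and key blobs are constructed for the example and are not real host keys; the function names are this example's own.

```python
"""Verify a changed host key out of band before dropping a known_hosts entry.

Added example, not part of the reference or of OpenSSH. It assumes the
known_hosts line format "hostnames keytype base64-key", the HashKnownHosts
form "|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))", and the OpenSSH
fingerprint convention SHA256 over the raw key blob, base64 without padding.
@cert-authority / @revoked marker lines are not handled.
"""
import base64
import hashlib
import hmac
import struct
from typing import List, Optional


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed ed25519-shaped key blobs: name string followed by 32 filler
# bytes. They are NOT real keys; they only exercise the parsing and hashing.
FAKE_OLD_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)).decode()
FAKE_NEW_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)).decode()


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """Build the |1|salt|hash form written when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed known_hosts: a plain entry with two names, a hashed entry, and
# an unrelated host that must survive any edit.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "test.host,192.0.2.10 ssh-ed25519 " + FAKE_OLD_KEY,
    hashed_hostname("other.host", b"\x00" * 20) + " ssh-ed25519 " + FAKE_OLD_KEY,
    "third.host ssh-ed25519 " + FAKE_NEW_KEY,
]) + "\n"


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entry_matches_host(fields: List[str], hostname: str) -> bool:
    """True if the first known_hosts field names hostname, plain or hashed."""
    names = fields[0]
    if names.startswith("|1|"):
        _, _, salt_b64, _ = names.split("|")
        return hashed_hostname(hostname, base64.b64decode(salt_b64)) == names
    return hostname in names.split(",")


def find_entry(known_hosts: str, hostname: str) -> Optional[str]:
    """Return the known_hosts line for hostname, or None."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and entry_matches_host(fields, hostname):
            return line
    return None


def retire_stale_entry(known_hosts: str, hostname: str,
                       confirmed_fp: str, offered_key: str) -> str:
    """Drop hostname's entry only if the key the server now offers matches
    the fingerprint confirmed with the remote sysadmin out of band."""
    if fingerprint(offered_key) != confirmed_fp:
        raise ValueError("offered key does not match the confirmed fingerprint; keep the old entry")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and entry_matches_host(fields, hostname):
            continue  # this is the stale entry for hostname
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("old:", fingerprint(FAKE_OLD_KEY))
    print("new:", fingerprint(FAKE_NEW_KEY))
    updated = retire_stale_entry(SAMPLE_KNOWN_HOSTS, "test.host",
                                 fingerprint(FAKE_NEW_KEY), FAKE_NEW_KEY)
    print(updated, end="")
```

In practice the offered key comes from the server (for example the line ssh prints with -v, or the output of ssh-keyscan), and the confirmed fingerprint comes from the sysadmin by phone, ticket or signed mail. If the two disagree, the function refuses and the old entry stays, which is exactly the state in which ssh keeps refusing to connect.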