with RSA host authentication?
RhostsRSAAuthentication no
# Should we ignore ~/.rhosts files?
IgnoreRhosts yes
# Should we allow logins to accounts with empty passwords?
PermitEmptyPasswords no
It's important to make sure the permissions of the configuration files are correct to ensure that system security is maintained. Use the following commands:
# chown -R root:root /etc/ssh
# chmod 755 /etc/ssh
# chmod 600 /etc/ssh/ssh_host_key
# chmod 644 /etc/ssh/ssh_host_key.pub
# chmod 644 /etc/ssh/sshd_config
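One way to verify the result of the commands above, together with the three server options shown in the configuration file. This is an added example, not part of the original text: the function names are hypothetical, and it assumes GNU stat and OpenSSH-style keyword parsing in which the first value wins.

```shell
#!/bin/sh
# Added example: compare an sshd directory with the modes and settings in the text.
# Assumes GNU stat (-c). Owner is numeric uid:gid; 0:0 is root:root.

# check_mode PATH MODE OWNER: report a wrong mode or owner; return 1 on any finding
check_mode() {
    path=$1; want_mode=$2; want_owner=$3; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"; return 1
    fi
    got_mode=$(stat -c '%a' "$path")
    got_owner=$(stat -c '%u:%g' "$path")
    [ "$got_mode" = "$want_mode" ] ||
        { echo "MODE    $path is $got_mode, expected $want_mode"; rc=1; }
    [ "$got_owner" = "$want_owner" ] ||
        { echo "OWNER   $path is $got_owner, expected $want_owner"; rc=1; }
    return $rc
}

# check_option CONFIG KEYWORD VALUE: the first uncommented occurrence must match
# (assumption: first value wins and keywords are case-insensitive, as in OpenSSH;
# an option that is not set at all is reported rather than trusted to a default)
check_option() {
    conf=$1; key=$2; want=$3
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 1; }
    got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$conf")
    [ "$got" = "$want" ] && return 0
    echo "OPTION  $key is '${got:-unset}', expected '$want'"
    return 1
}

# audit_ssh_dir [DIR] [OWNER]: run every check; the count is left in $failures
audit_ssh_dir() {
    dir=${1:-/etc/ssh}; owner=${2:-0:0}; failures=0
    check_mode "$dir" 755 "$owner"                  || failures=$((failures + 1))
    check_mode "$dir/ssh_host_key" 600 "$owner"     || failures=$((failures + 1))
    check_mode "$dir/ssh_host_key.pub" 644 "$owner" || failures=$((failures + 1))
    check_mode "$dir/sshd_config" 644 "$owner"      || failures=$((failures + 1))
    check_option "$dir/sshd_config" RhostsRSAAuthentication no || failures=$((failures + 1))
    check_option "$dir/sshd_config" IgnoreRhosts yes           || failures=$((failures + 1))
    check_option "$dir/sshd_config" PermitEmptyPasswords no    || failures=$((failures + 1))
    echo "$failures finding(s) in $dir"
    [ "$failures" -eq 0 ]
}
```

Calling audit_ssh_dir with no arguments checks /etc/ssh against root ownership; a non-zero return status means at least one finding was printed.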
The final stage of sshd daemon administration is to run it. Normally you'd create an rc file for it or add it to an existing one, so that it is automatically executed at boot time. The daemon runs standalone and doesn't require any entry in the /etc/inetd.conf file. The daemon must be run as the root user. The syntax is very simple:
/usr/sbin/sshd
The sshd daemon will automatically place itself into the background when run. You are now ready to accept ssh connections.
12.5.2.2. The ssh client
There are a number of ssh client programs: slogin, scp and ssh. They each read the same configuration file, usually called /etc/ssh/ssh_config. They each also read configuration files from the .ssh directory in the home directory of the user executing them. The most important of these files are the .ssh/config file, which may contain options that override those specified in the /etc/ssh/ssh_config file; the .ssh/identity file, which contains the user's own private key; and the corresponding .ssh/identity.pub file, containing the user's public key. Other important files are .ssh/known_hosts and .ssh/authorized_keys; we'll talk about those later in Section 12.5.2.3. First, let's create the global configuration file and the user key file.
/etc/ssh/ssh_config is very similar to the server configuration file. Again, there are lots of features you can configure, but a minimal configuration looks like that presented in Example 12-5. The rest of the configuration options are detailed in the sshd(8) manpage. You can add sections that match specific hosts or groups of hosts. The parameter to the "Host" statement may be either the full name of a host or a wildcard specification, as we've used in our example, to match all hosts. We could create an entry that used, for example, Host *.vbrew.com to match any host in the vbrew.com domain.
Example 12-5. Example ssh Client Configuration File
# /etc/ssh/ssh_config
# Default options to use when connecting to a remote host
Host *
# Compress the session data?
Compression yes
# .. using which compression level? (1 - fast/poor, 9 - slow/good)
CompressionLevel 6
# Fall back to rsh if the secure connection fails?
FallBackToRsh no
# Should we send keep-alive messages? Useful if you use IP masquerade
KeepAlive yes
# Try RSA authentication?
RSAAuthentication yes
# Try RSA authentication in combination with .rhosts authentication?
RhostsRSAAuthentication yes
We mentioned in the server configuration section that every host and user has a key. The user's key is stored in his or her ~/.ssh/identity file. To generate the key, use the same ssh-keygen command as we used to generate the host key, except this time you do not need to specify the name of the file in which you save the key. The ssh-keygen command defaults to the correct location, but it prompts you to enter a filename in case you'd like to save it elsewhere. It is sometimes useful to have multiple identity files, so ssh allows this. Just as before, ssh-keygen will prompt you to enter a passphrase.

