sshd_config

Author: Mike
Date:  
To: plug-discuss
Subject: sshd_config
I'm not sure what happened. I was mucking around with sshd_config -2- and now
when I try to load a root konqueror it tells me 'file not supported'. I set
everything back as it was originally but it still does it. Please look at my
sshd_config and see if anything is wrong.

I was looking through the config file and see:

    RhostsAuthentication no
    #
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no


Would it mess things up or be useless to set this to on and put 'cox.com/net'
into known hosts?

On another matter: to get around the sshd_config problem I attempted to save a
file (that needed superuser privileges) manually (using mount and cp and
those kinds of things).... never mind. Figured out what the problem was with
that.


-2-
#       $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $


# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 1076
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
AllowUsers bmike1 bmike101
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'

#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
# NB: Debian's ssh ships without Kerberos Support
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem       sftp    /usr/lib/sftp-server

Anything you do to ssh will have no effect on sudo. They are separate
things that have no relation to each other. Secure Shell in its common
use is basically a secure form of a telnet session. It uses encryption
to secure the transmission of data. To see if it is running look in the
ps output for sshd. I would recommend setting permit root login to no.
All that means is that root can not login through ssh. You can login as
yourself and still use sudo. I would also recommend looking at
AllowUsers, which can restrict what usernames can login via ssh. You
might even research ssh more and look at turning off password
authentication, and using key authentication.

On Sat, 2006-02-18 at 00:21 -0500, Mike wrote:
> My password is more complex than a name. (it isn't even a word). But please do
> share with me how to check if ssh is open, what port it is on, and how to
> change it..... HEY look at that! sshd must be where to do that. Is all I have
> to do is change the number by the word 'Port'? (it has a 22 next to it now)
>
> Then there is the line that says: 'permit root login yes' Should I change that
> one to no? If I do that what will happen to sudo and when I need to log roots
> account into a terminal?
>
> On Friday 17 February 2006 11:48 pm, Craig White wrote:
> > you've only been on the hsi for about a week and it's not likely your
> > box was cracked already but if you are using something really simple for
> > a password like mike or password and you have ssh open and on standard
> > port 22, it's not going to take all that long for someone to hack their
> > way in.
> >
> > Also, you probably want to make certain that root can't log in via
> > password in sshd_config and all the rage now on Fedora/RHEL is denyhosts
> > package which automatically adds entries for ip addresses with 5 (or
> > configurable) consecutive failed login attempts in ... hosts.deny (duh)
> > Also, I've found it more peaceful to change the ssh port to something
> > above 1024.
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
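
An added example, not part of the original thread: a small Python check of the directives discussed above (PermitRootLogin, PasswordAuthentication, AllowUsers, the rhosts/host-based options), run over an excerpt of the posted config. The function names and the trailing "Port 22" line are constructed for illustration; the duplicate shows that sshd uses the first value it reads for a keyword.

```python
"""Audit the sshd_config settings this thread discusses (added example)."""

# Excerpt of the config posted in the thread, plus one constructed duplicate
# Port line at the end to show first-value-wins parsing.
SAMPLE = """\
Port 1076
AllowUsers bmike1 bmike101
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
Port 22
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: value}. First occurrence wins; no Match blocks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(settings):
    """Return (keyword, message) findings for the directives in the thread."""
    findings = []
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append(("permitrootlogin", "not set to 'no': root may log in over ssh"))
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("passwordauthentication", "passwords accepted; keys not required"))
    if settings.get("permitemptypasswords", "no").lower() == "yes":
        findings.append(("permitemptypasswords", "accounts with empty passwords can log in"))
    if "allowusers" not in settings:
        findings.append(("allowusers", "no AllowUsers list restricts who can log in"))
    # Only an explicit 'yes' is flagged here; absent keys are left alone.
    for key in ("rhostsauthentication", "rhostsrsaauthentication", "hostbasedauthentication"):
        if settings.get(key, "").lower() == "yes":
            findings.append((key, "trusts the connecting host instead of the user"))
    return findings
```

For the posted config the only finding is PasswordAuthentication, which matches the reply's suggestion to look at key authentication.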