sshd_config

Michael Sammartano volinaz at cox.net
Sat Feb 18 08:27:37 MST 2006


This is what my file looks like. Hope this helps.

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

Mike wrote:

>I'm not sure what happened. I was mucking around with sshd_config -2- and now 
>when i try to load a root konqueror it tells me 'file not supported'. I set 
>everything back as it was originally but it still does it. Please look at my 
>sshd_config and see if anything is wrong.
>
>I was looking through the config file and see:
>
>	RhostsAuthentication no
>	#
>	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>	RhostsRSAAuthentication no
>
>Would it mess things up or be useless to set this to on and put 'cox.com/net 
>into known hosts?
>
>On another matter: to get around the sshd_config problem I attempted to save a 
>file (that needed superuser privileges) manually (using mount and cp and 
>those kinds of things).... never mind. Figured out what the problem was with 
>that.
>
>
>-2-
>#       $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
>
># This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>
># This is the sshd server system-wide configuration file.  See sshd(8)
># for more information.
>
>Port 1076
>#Protocol 2,1
>#ListenAddress 0.0.0.0
>#ListenAddress ::
>AllowUsers bmike1 bmike101
>HostKey /etc/ssh/ssh_host_key
>HostKey /etc/ssh/ssh_host_rsa_key
>HostKey /etc/ssh/ssh_host_dsa_key
>ServerKeyBits 768
>LoginGraceTime 600
>KeyRegenerationInterval 3600
>PermitRootLogin no
>#
># Don't read ~/.rhosts and ~/.shosts files
>IgnoreRhosts yes
># Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
>#IgnoreUserKnownHosts yes
>StrictModes yes
>X11Forwarding yes
>X11DisplayOffset 10
>PrintMotd no
>PrintLastLog no
>KeepAlive yes
>
># Logging
>SyslogFacility AUTH
>LogLevel INFO
>#obsoletes QuietMode and FascistLogging
>
>RhostsAuthentication no
>#
># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>RhostsRSAAuthentication no
># similar for protocol version 2
>HostbasedAuthentication no
>#
>RSAAuthentication yes
>
># To disable tunneled clear text passwords, change to no here!
>PasswordAuthentication yes
>PermitEmptyPasswords no
>
># Uncomment to disable s/key passwords
>#ChallengeResponseAuthentication no
>
># Uncomment to enable PAM keyboard-interactive authentication
># Warning: enabling this may bypass the setting of 'PasswordAuthentication'
>
>#PAMAuthenticationViaKbdInt yes
>
># To change Kerberos options
># NB: Debian's ssh ships without Kerberos Support
>#KerberosAuthentication no
>#KerberosOrLocalPasswd yes
>#AFSTokenPassing no
>#KerberosTicketCleanup no
>
># Kerberos TGT Passing does only work with the AFS kaserver
>#KerberosTgtPassing yes
>
>#CheckMail yes
>#UseLogin no
>
>#MaxStartups 10:30:60
>#Banner /etc/issue.net
>#ReverseMappingCheck yes
>
>Subsystem       sftp    /usr/lib/sftp-server
>  
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: how to tell when you have a hacker?
> From:
> Gerard Snitselaar <snits at snitselaar.org>
> Date:
> Fri, 17 Feb 2006 23:05:24 -0700
> To:
> Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
>
>
>
>Anything you do to ssh will have no effect on sudo. They are separate
>things that have no relation to each other. Secure Shell in its common
>use is basically a secure form of a telnet session. It uses encryption
>to secure the transmission of data. To see if it is running look in the
>ps output for sshd. I would recommend setting permit root login to no.
>All that means is that root can not login through ssh. You can login as
>yourself and still use sudo. I would also recommend looking at
>AllowUsers, which can restrict what usernames can login via ssh. You
>might even research ssh more and look at turning off password
>authentication, and using key authentication.
>
>On Sat, 2006-02-18 at 00:21 -0500, Mike wrote:
>  
>
>>My password is more complex than a name. (it isn't even a word). But please do 
>>share with me how to check if ssh is open, what port it is on, and how to 
>>change it..... HEY look at that! sshd must be where to do that. Is all I have 
>>to do is change the number by the word 'Port'? (it has a 22 next to it now)
>>
>>Then there is the line that says: 'permit root login yes' Should I change that 
>>one to no? If I do that what will happen to sudo and when I need to log roots 
>>account into a terminal?
>>
>>On Friday 17 February 2006 11:48 pm, Craig White wrote:
>>    
>>
>>>you've only been on the hsi for about a week and it's not likely your
>>>box was cracked already but if you are using something really simple for
>>>a password like mike or password and you have ssh open and on standard
>>>port 22, it's not going to take all that long for someone to hack their
>>>way in.
>>>
>>>Also, you probably want to make certain that root can't log in via
>>>password in sshd_config and all the rage now on Fedora/RHEL is denyhosts
>>>package which automatically adds entries for ip addresses with 5 (or
>>>configurable) consecutive failed login attempts in ... hosts.deny (duh)
>>>Also, I've found it more peaceful to change the ssh port to something
>>>above 1024.
>>>      
>>>
>>---------------------------------------------------
>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>To subscribe, unsubscribe, or to change your mail settings:
>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>>    
>>
>

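The replies above recommend three concrete sshd_config changes: PermitRootLogin no, an AllowUsers list, and key authentication instead of passwords. The following POSIX shell script is an added example written for this archive page; it is not the poster's configuration and not an OpenSSH tool. It audits an sshd_config for those settings and honours two parsing rules from sshd_config(5) that matter when checking a file by hand: sshd uses the first uncommented value of each keyword (a later duplicate is silently ignored), and anything after a `Match` line is conditional rather than global. The sample config, the function names, and the assumed compiled-in defaults noted in the comments (PermitRootLogin defaulting to yes on OpenSSH releases of this era, PubkeyAuthentication yes, PermitEmptyPasswords no) are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not the poster's config or any OpenSSH tool):
# audit an sshd_config against the advice given in the replies.
# Rules followed from sshd_config(5): keywords are case-insensitive, arguments
# are case-sensitive, the FIRST uncommented value of a keyword wins, and
# directives after a "Match" line are conditional, not global.

# write_sample_config FILE: constructed sample modelled on the quoted config.
write_sample_config() {
    cat > "$1" <<'EOF'
#       sample sshd_config (constructed for this example)
Port 1076
#Protocol 2,1
AllowUsers bmike1 bmike101
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
# sshd ignores this second value: the first one above is what takes effect
PasswordAuthentication no
Match User bmike1
    PasswordAuthentication no
EOF
}

# sshd_get FILE KEYWORD: print the effective global value of KEYWORD (first
# uncommented match, stopping at the first Match block); print nothing if unset.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # end of the global section
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                              # and trailing blanks
            print
            exit
        }
    ' "$1"
}

AUDIT_FILE=
AUDIT_FAILS=0

# check_setting KEYWORD EXPECTED DEFAULT: compare the effective value (or the
# assumed compiled-in DEFAULT when the keyword is absent) with EXPECTED.
check_setting() {
    actual=$(sshd_get "$AUDIT_FILE" "$1")
    origin=
    [ -n "$actual" ] || { actual=$3; origin=" (assumed default, not set explicitly)"; }
    if [ "$actual" = "$2" ]; then
        echo "OK    $1 $actual$origin"
    else
        echo "FAIL  $1 is '$actual'$origin, want '$2'"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
}

# audit_sshd_config FILE: print one line per check; return the number of failures.
audit_sshd_config() {
    AUDIT_FILE=$1
    AUDIT_FAILS=0
    check_setting PermitRootLogin        no  yes   # log in as a user, then sudo
    check_setting PasswordAuthentication no  yes   # keys instead of guessable passwords
    check_setting PermitEmptyPasswords   no  no
    check_setting PubkeyAuthentication   yes yes
    users=$(sshd_get "$AUDIT_FILE" AllowUsers)
    if [ -n "$users" ]; then
        echo "OK    AllowUsers $users"
    else
        echo "FAIL  AllowUsers not set; every account may attempt to log in"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
    port=$(sshd_get "$AUDIT_FILE" Port)
    echo "INFO  Port ${port:-22 (default)}; a non-default port cuts log noise, not risk"
    return "$AUDIT_FAILS"
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
write_sample_config "$tmp"
audit_sshd_config "$tmp" || echo "$? check(s) failed"
rm -f "$tmp"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; the exit status is the number of failing checks, so it drops into a cron job or a configuration-management check without further parsing. On the sample, the first-match rule is what produces the single FAIL: the second `PasswordAuthentication no` looks like it fixes the problem but sshd never reads it, which is exactly the kind of edit that leaves an administrator believing passwords are off when they are not.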