Differences between revisions 2 and 19 (spanning 17 versions)
Revision 2 as of 2020-01-20 17:09:25
Size: 941
Revision 19 as of 2023-04-06 16:23:08
Size: 2251
Line 1: Line 1:
= SSH = = OpenSSH =
Line 3: Line 3:
'''Secure Shell''' ('''SSH''') is a protocol that enables remote access to a server. It encompasses both the client-side application (`ssh`) and the server-side daemon (`sshd`). The most common implementation for Linux and BSD is '''OpenSSH'''. '''OpenSSH''' is a [[Encryption/SSH|SSH]] client (`ssh(1)`) and server (`sshd(8)`).

<<TableOfContents>>

----



== Installation ==

Most [[Linux]] and [[BSD]] distributions will have `ssh(1)` and `sshd(8)` installed. Otherwise, they will be available in an `openssl` package.

Furthermore, many Linux distributions have `sshd(8)` running by default.

For `systemd(1)`-capable systems, [[Linux/Systemd|start and enable]] `sshd.service`.

For OpenRC-based systems, [[Linux/OpenRC|start and add]] the `sshd` service.

For BSDs, [[BSD/Init|start]] the `sshd` service. To have it automatically start on boot, try editing `/etc/rc.conf` like:

{{{
sshd_enable="YES"
}}}

[[Windows]] systems preferring access by [[Protocols/RDP|RDP]].
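Review bot: The Installation paragraph names an `openssl` package as the fallback source for `ssh(1)` and `sshd(8)`; OpenSSL is the TLS library, so this should read `openssh`. The last added line, "[[Windows]] systems preferring access by [[Protocols/RDP|RDP]].", is also a fragment with no main verb and could read "[[Windows]] systems prefer access by [[Protocols/RDP|RDP]]."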
Line 11: Line 35:
On Linux, `sshd` runs by default. On BSDs, you will need to enable it. In `/etc/rc.conf`:

=== Require Authentication by Key ===

To require that all client logins use keys, use:
Line 14: Line 42:
sshd_enable="YES" PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
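Review bot: `PasswordAuthentication no` on its own may not remove every password prompt: on hosts where `sshd` uses PAM, keyboard-interactive authentication can still ask for a password. Consider adding `KbdInteractiveAuthentication no` next to it, and naming the file these three lines go in (`sshd_config`), since the section introduces them with "use:" and never says where.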
Line 16: Line 46:

To make an exception for a user, add '''''at the bottom of the file''''':

{{{
Match User git
  PasswordAuthentication yes
Match all
}}}

To make an exception for the local network, add ('''''also'' at the bottom of the file'''):

{{{
Match Address 192.168.*.*
  PasswordAuthentication yes
Match all
}}}



=== Login Messages ===

Usually any messages printed on login are actually handled by PAM. This can be tricky to configure, so instead disable the default login messages and configure the shell profile to print the desired messages.

To disable all PAM login messages for a user, try:

{{{
touch ~/.hushlogin
}}}

Note that default PAM configurations print `/etc/motd` and the output of `/usr/bin/lastlog --user USERNAME` on login.
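Review bot: Both exceptions say to add the `Match` block at the bottom of the file but do not say why, and a reader who pastes one higher up gets a different policy. A `Match` block runs until the next `Match` line or the end of the file, so any global keyword that follows it is absorbed into the block; one sentence stating that would help. For the network exception, `Match Address` also accepts CIDR notation, and `192.168.0.0/16` states the range more explicitly than `192.168.*.*`.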
Line 21: Line 81:
== Require Authentication by Key == == Usage ==

The primary use of `ssh(1)` is to access a remote host:

{{{
ssh [email protected]
}}}

See [[Encryption/OpenSSH/Tunnels|here]] for details on creating and using SSH tunnels.
Line 27: Line 95:
== Login Messages == == See also ==
Line 29: Line 97:
Usually any messages printed on login are actually handled by PAM. This can be tricky to configure, so instead disable all login messages and recreate any desired messages. [[https://man.archlinux.org/man/core/openssh/ssh.1.en|ssh(1)]]
Line 31: Line 99:
To disable all PAM login messages for a user, just: [[https://man.archlinux.org/man/core/openssh/sshd.8.en|sshd(8)]]
Line 33: Line 101:
{{{
touch ~/.hushlogin
}}}
[[Encryption/SSHKeyGen|SSHKeyGen]]
Line 37: Line 103:
Default PAM configurations print `/etc/motd` and the output of `/usr/bin/lastlog --user USERNAME`. These can just as easily be added to `~/.bashrc`. [[Encryption/SSH|SSH]]

OpenSSH

OpenSSH is an SSH client (ssh(1)) and server (sshd(8)).


Installation

Most Linux and BSD distributions will have ssh(1) and sshd(8) installed. Otherwise, they will be available in an openssh package.

Furthermore, many Linux distributions have sshd(8) running by default.

For systemd(1)-capable systems, start and enable sshd.service.

For OpenRC-based systems, start and add the sshd service.

For BSDs, start the sshd service. To have it automatically start on boot, try editing /etc/rc.conf like:

sshd_enable="YES"

Windows systems prefer access by RDP.


Setup

Require Authentication by Key

To require that all client logins use keys, use:

PubkeyAuthentication   yes
AuthorizedKeysFile     .ssh/authorized_keys
PasswordAuthentication no

To make an exception for a user, add at the bottom of the file:

Match User git
  PasswordAuthentication yes
Match all

To make an exception for the local network, add (also at the bottom of the file):

Match Address 192.168.*.*
  PasswordAuthentication yes
Match all
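
The following added example (not part of the original page) models how sshd resolves a keyword across Match blocks, to show why the exceptions above belong at the bottom of the file. It is a simplified model that handles only the User and Address criteria without negated patterns; the function names and both sample configurations are constructed for illustration, and PasswordAuthentication is taken to default to yes when unset.

```python
import fnmatch
import ipaddress

def _addr_ok(pat, addr):  # wildcard pattern or CIDR address/masklen
    if "/" in pat:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat)
    return fnmatch.fnmatchcase(addr, pat)

def _applies(args, user, addr):
    """True when every criterion on a Match line holds (or it is 'Match all')."""
    if [a.lower() for a in args] == ["all"]:
        return True
    tests = {"user": lambda p: fnmatch.fnmatchcase(user, p),
             "address": lambda p: _addr_ok(p, addr)}
    # KeyError on criteria this sketch does not model (Group, Host, ...).
    return all(any(tests[name.lower()](p) for p in pats.split(","))
               for name, pats in zip(args[0::2], args[1::2]))

def effective(config, keyword, user, addr, default="yes"):
    """Value sshd would use for keyword on this connection (simplified model)."""
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":            # everything below belongs to this block
            in_match, applies = True, _applies(args, user, addr)
        elif key == keyword and not in_match and global_val is None:
            global_val = args[0]      # first global value wins
        elif key == keyword and in_match and applies and match_val is None:
            match_val = args[0]       # first value from a matching block wins
    return match_val or global_val or default

# Constructed inputs: the page's layout, and the same exception placed too early.
PAGE_LAYOUT = """PasswordAuthentication no
Match User git
  PasswordAuthentication yes
Match all
Match Address 192.168.*.*
  PasswordAuthentication yes
Match all
"""
MISPLACED = """Match User git
  PasswordAuthentication yes
PasswordAuthentication no
"""
```

With MISPLACED, effective(MISPLACED, "PasswordAuthentication", "alice", "203.0.113.7") returns "yes": the intended global "no" was absorbed into the git block, so every other user falls back to the default.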

Login Messages

Usually any messages printed on login are actually handled by PAM. This can be tricky to configure, so instead disable the default login messages and configure the shell profile to print the desired messages.

To disable all PAM login messages for a user, try:

touch ~/.hushlogin

Note that default PAM configurations print /etc/motd and the output of /usr/bin/lastlog --user USERNAME on login.


Usage

The primary use of ssh(1) is to access a remote host:

ssh USERNAME@HOSTNAME

See here for details on creating and using SSH tunnels.


See also

ssh(1)

sshd(8)

SSHKeyGen

SSH



Encryption/OpenSSH (last edited 2023-04-06 16:23:08 by DominicRicottone)