17.4. Configuring an OpenSSH Server
To run an OpenSSH server, you must first make sure that you have
the proper RPM packages installed. The openssh-server package is required
and depends on the openssh package.
The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. The default
configuration file should be sufficient for most purposes. If
you want to configure the daemon in ways not provided by the
default sshd_config, read the sshd_config(5) man page for a list
of the keywords that can be defined in the configuration file.
After editing the file, run /usr/sbin/sshd -t to check it for
errors before restarting the daemon; on a remote machine, a
configuration that sshd refuses to load can lock you out.
To start the OpenSSH service, use the command /sbin/service sshd start. To stop the
OpenSSH server, use the command /sbin/service sshd stop. If you want
the daemon to start automatically at boot time, refer to Chapter 15, Controlling Access to Services for information on how to manage
services.
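The man page lists the keywords, but two parsing rules matter when you check what a given sshd_config actually does: for each keyword the first occurrence wins (later duplicates are silently ignored), and anything after a Match line applies only to the connections that block matches. The following script is an added example, not part of the Red Hat guide; it reads the effective global value of a keyword from a constructed sample file and flags a few settings worth tightening. The defaults it assumes when a keyword is absent (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2) differ between OpenSSH versions, so confirm them against sshd_config(5) for your build.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): report the effective value of
# sshd_config keywords. sshd uses the FIRST occurrence of a keyword, keywords
# are case-insensitive, and a "Match" line ends the global section.
set -eu

# Constructed sample config (not a real system file); removed on exit.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# sample sshd_config
#Port 22
Protocol 2
permitrootlogin no
# the next line is ignored by sshd: first occurrence wins
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF

# sshd_effective_value FILE KEYWORD DEFAULT
# Prints the value of KEYWORD from the global section of FILE, or DEFAULT
# when the keyword is not set there. Accepts "Keyword value" and "Keyword=value".
sshd_effective_value() {
    file=$1; default=$3
    lkey=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$lkey" '
        /^[ \t]*#/ { next }                          # comment line
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim whitespace
        $0 == "" { next }
        tolower($1) == "match" { exit }              # global section ends here
        tolower($1) == key { sub(/^[^ \t=]+[ \t=]+/, ""); print; exit }
    ' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# sshd_config_warnings FILE
# Prints one WARN line per weak setting. The defaults passed below are
# assumptions for older OpenSSH builds; check sshd_config(5) for yours.
sshd_config_warnings() {
    file=$1
    [ "$(sshd_effective_value "$file" PermitRootLogin yes)" = no ] ||
        echo "WARN: PermitRootLogin is not 'no'"
    [ "$(sshd_effective_value "$file" PasswordAuthentication yes)" = no ] ||
        echo "WARN: PasswordAuthentication is enabled (prefer key-based logins)"
    case "$(sshd_effective_value "$file" Protocol 2)" in
        *1*) echo "WARN: SSH protocol 1 is enabled" ;;
    esac
}

# Run the checks against the sample file.
sshd_config_warnings "$CONF"
```

On a live system point the functions at /etc/ssh/sshd_config, and remember that this only reads the file: sshd -t is still the authoritative syntax check, and the daemon must be restarted before an edited file takes effect.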
If you reinstall the system, the installer generates a new set of
host keys. Any clients that had connected to the system
with any of the OpenSSH tools before the reinstall will see the
following message the next time they connect:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
If you want to keep the host keys generated for the system,
back up the /etc/ssh/ssh_host*key* files and
restore them after the reinstall, then restart sshd. This process retains the
system's identity, and when clients try to connect to the
system after the reinstall, they will not receive the warning
message. Treat the backup with the same care as the keys themselves:
anyone holding the private host key files can impersonate the
server, and sshd expects them to remain owned by root with
permissions that allow no access to other users.
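The backup-and-restore procedure above, as an added example that is not part of the Red Hat guide. It runs in a scratch directory with constructed stand-in key files so it can be executed anywhere; on a real system set SSH_DIR=/etc/ssh, run it as root, and compare the public key's fingerprint with what clients already have in their known_hosts (ssh-keygen -lf on the .pub file prints the fingerprint clients see).

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): back up the OpenSSH host keys
# before a reinstall, restore them afterwards, and verify that the restored
# public key is byte-for-byte the one clients already trust.
set -eu

# Constructed stand-in for /etc/ssh so the script runs unprivileged in a
# scratch directory; removed on exit. On a real system: SSH_DIR=/etc/ssh.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSH_DIR=${SSH_DIR:-$WORK/etc/ssh}
BACKUP=$WORK/ssh_host_keys.tar

mkdir -p "$SSH_DIR"
printf 'FAKE PRIVATE KEY (constructed)\n' > "$SSH_DIR/ssh_host_rsa_key"
printf 'ssh-rsa FAKEPUBKEY (constructed)\n' > "$SSH_DIR/ssh_host_rsa_key.pub"
chmod 600 "$SSH_DIR/ssh_host_rsa_key"
chmod 644 "$SSH_DIR/ssh_host_rsa_key.pub"

# backup_host_keys: archive every ssh_host*key* file (the files the guide
# says to keep) together with their modes. Store the archive somewhere the
# reinstall will not wipe, and protect it like the private keys.
backup_host_keys() {
    ( cd "$SSH_DIR" && tar cf "$BACKUP" ssh_host*key* )
}

# restore_host_keys: overwrite the freshly generated keys with the saved ones
# (tar -p keeps modes), then set modes explicitly as a belt-and-braces step.
restore_host_keys() {
    ( cd "$SSH_DIR" && tar xpf "$BACKUP" )
    for f in "$SSH_DIR"/ssh_host*key*; do
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# host_key_digest FILE: SHA-256 of a key file, used here only to compare the
# before/after state. For the fingerprint clients display, use ssh-keygen -lf.
host_key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# private_key_modes_ok: every private host key must be mode 0600 (sshd refuses
# keys readable by others). ls output is used so the check is portable.
private_key_modes_ok() {
    for f in "$SSH_DIR"/ssh_host*key; do
        [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}

BEFORE=$(host_key_digest "$SSH_DIR/ssh_host_rsa_key.pub")
backup_host_keys

# Stand-in for the reinstall: the new system generates different host keys.
printf 'NEW PRIVATE KEY (constructed)\n' > "$SSH_DIR/ssh_host_rsa_key"
printf 'ssh-rsa NEWPUBKEY (constructed)\n' > "$SSH_DIR/ssh_host_rsa_key.pub"
chmod 600 "$SSH_DIR/ssh_host_rsa_key"
AFTER_REINSTALL=$(host_key_digest "$SSH_DIR/ssh_host_rsa_key.pub")

restore_host_keys
AFTER_RESTORE=$(host_key_digest "$SSH_DIR/ssh_host_rsa_key.pub")
echo "identity preserved: $([ "$BEFORE" = "$AFTER_RESTORE" ] && echo yes || echo no)"
```

After restoring on a real system, run /sbin/service sshd restart so the daemon loads the old keys; until then it is still presenting the newly generated ones and clients will keep seeing the warning.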
17.4.1. Requiring SSH for Remote Connections
For SSH to be truly effective, insecure connection
protocols, such as Telnet and FTP, should be
prohibited. Otherwise, a user's password may be protected
using SSH for one session, only to be captured later in
cleartext while logging in using Telnet.
Services to disable include the Telnet and FTP servers.
To disable insecure connection methods to the system, use the
command line program chkconfig, the ncurses-based
program /usr/sbin/ntsysv, or the
Services Configuration Tool
(system-config-services)
graphical application. All of these tools require root level
access.
For more information on runlevels and configuring services
with chkconfig,
/usr/sbin/ntsysv,
and the Services Configuration Tool, refer to
Chapter 15, Controlling Access to Services.