need an efficient and secure sshd_config
by J. Bakshi-3
Dear list,

I am running openssh-server 1:5.1p1-5+b1 on a remote debian box. There are a number of online docs on sshd configuration. I am afraid to say that even after reading a number of such tutorials I am still confused. I am looking for an sshd_config file which is both strict about security as well as efficient in controlling its clients. Like it should force the client to have compression, it should survive with poor internet, and other good features which can make it a good ssh server. Could anyone please suggest such an sshd_config?

Here is mine

```
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
```

thanks
Re: need an efficient and secure sshd_config
by matteo.filippetto
2009/7/12 J. Bakshi <bakshi12@...>:
> Dear list,
>
> I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
> There are a number of online docs on sshd configuration. I am afraid to
> say that even after reading a number of such tutorials I am still confused. I am
> looking for an sshd_config file which is both strict about security as
> well as efficient in controlling its clients. Like it should force the client
> to have compression, it should survive with poor internet, and other good
> features which can make it a good ssh server.
>
> Could anyone please suggest such an sshd_config?
>
> Here is mine
>
> ```
> Port 47015
> Protocol 2
> PermitRootLogin no
> PasswordAuthentication no
> UsePAM yes
> X11Forwarding no
> ```
>
> thanks

Hi,

maybe you can read this discussion

http://www.governmentsecurity.org/forum/index.php?showtopic=6051

and for sure take a look at the official documentation

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Bye
--
Matteo Filippetto
Re: need an efficient and secure sshd_config
by J. Bakshi-3
On Mon, 13 Jul 2009 10:00:52 +0200
matteo filippetto <matteo.filippetto@...> wrote:
> 2009/7/12 J. Bakshi <bakshi12@...>:
> [...]
>
> Hi,
>
> maybe you can read this discussion
>
> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
>
> and for sure take a look at the official documentation
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>
> Bye

Thanks for your response but I have not yet found what I'm looking for. I need the configuration which actually suppresses the hostname and the domain/IP on the client side: the client will only be prompted for a password. The second thing: the sshd should allow the client to stay connected even half an hour without executing any command. Is there any such configuration in openssh?

Thanks
Re: need an efficient and secure sshd_config
by Remo Mattei
```
ClientAliveInterval <time interval in seconds>
ClientAliveCountMax 0
```

That should do for the time settings :)

Remo

On 7/14/09 9:55 AM, "J. Bakshi" <bakshi12@...> wrote:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@...> wrote:
> [...]
>
> Thanks for your response but I have not found yet what I'm looking for. I need
> the configuration which actually suppress the hostname and the domain/IP on
> client side. client will only be prompted for password. The second thing the
> sshd should allow the client to be connected even half an hour without
> executing any command. Any such configuration in openssh ?
>
> Thanks
Re: need an efficient and secure sshd_config
by J. Bakshi-3
On Tue, 14 Jul 2009 11:05:20 -0600
Remo Mattei <remo-dated-1248023133.666171@...> wrote:
> ClientAliveInterval <time interval in seconds>
> ClientAliveCountMax 0
>
> That should do for the time settings :)
>
> Remo

Thanks a lot Remo. Hope you don't mind if I insist on you also showing how to set the sshd daemon so that

1> it forces the client to follow compression
2> it suppresses the host and IP information on the client side

Is there any such time setting possible on the host side (in ssh_config?)

Wish you a nice time.

> On 7/14/09 9:55 AM, "J. Bakshi" <bakshi12@...> wrote:
> [...]
Re: need an efficient and secure sshd_config
by Robert Hajime Lanning
On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@...> wrote:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@...> wrote:
> Thanks for your response but I have not found yet what I'm looking for.
> I need the configuration which actually suppress the hostname and the
> domain/IP on client side. client will only be prompted for password.
> The second thing the sshd should allow the client to be connected even
> half an hour without executing any command. Any such configuration
> in openssh ?

The idle logout isn't sshd. It is the shell. Look into the "autologout" environment variable for bash.

As for the client password prompt, that is not controllable from the server side, without dropping everything and going for "keyboard interactive" authentication. For that, you will have to code your own authentication method.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
Re: need an efficient and secure sshd_config
by matteo.filippetto
2009/7/14 J. Bakshi <bakshi12@...>:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@...> wrote:
> [...]
>
> Thanks for your response but I have not found yet what I'm looking for. I need the configuration which actually suppress the hostname and the domain/IP on client side. client will only be prompted for password. The second thing the sshd should allow the client to be connected even half an hour without executing any command. Any such configuration in openssh ?
>
> Thanks

Hi,

if you read this http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5 you will find some options like

    Banner
        The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is ``none'' then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed.

    TCPKeepAlive
        Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.

        The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions.

        To disable TCP keepalive messages, the value should be set to ``no''.

and for the client (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5)

    ServerAliveCountMax
        Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

        The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only.

    ServerAliveInterval
        Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to protocol version 2 only.

    TCPKeepAlive
        Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying.

        The default is ``yes'' (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too.

        To disable TCP keepalive messages, the value should be set to ``no''.

Bye
--
Matteo Filippetto
Re: need an efficient and secure sshd_config
by Remo Mattei
I would suggest you provide them a public key. So here is what I would do:

1) create user/s
2) generate a public key for each user
3) use the public key for login
4) disable access unless used with public keys

Just my 2 cents.

Remo

On 7/14/09 12:04 PM, "Robert Hajime Lanning" <robert.lanning@...> wrote:
> On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@...> wrote:
> [...]
>
> The idle logout, isn't sshd. It is the shell. Look into the "autologout"
> environment variable for bash.
>
> As for the client password prompt, that is not controllable from the
> server side, without dropping everything and going for
> "keyboard interactive" authentication. For that, you will have to
> code your own authentication method.
Re: need an efficient and secure sshd_config
by Greg Wooledge
On Tue, Jul 14, 2009 at 11:04:45AM -0700, Robert Hajime Lanning wrote:
> The idle logout, isn't sshd. It is the shell. Look into the "autologout"
> environment variable for bash.

Many NAT firewalls also have a connection timeout that affects ssh users. Setting ServerAliveInterval (or the corresponding server configuration option) allows persistent ssh connections through such firewalls, which would otherwise expire idle connections.

> > matteo filippetto <matteo.filippetto@...> wrote:
> > I need the configuration which actually suppress the hostname and the
> > domain/IP on client side. client will only be prompted for password.

If I'm reading this right, you want the client to be able to reach only one server. E.g., user types "go" and the "go" script runs ssh someuser@... (which is a trivial script to write).

No server configuration option would be necessary or useful in that case.

If you mean something else by "suppress the hostname and the domain/IP on client side", then I don't understand the question.
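The configuration advice in the thread so far (the poster's six-line sshd_config, Remo's ClientAliveInterval/ClientAliveCountMax pair and public-key-only login, Greg's point about NAT state timeouts) can be checked mechanically. The script below is an added example written for this page, not code from any of the posters. It parses sshd_config the way sshd(8) reads it (case-insensitive keywords, optional "=" separator, "#" comment lines, first value of a repeated keyword wins, Match blocks kept apart) and audits the global section against a small policy. Two caveats a practitioner would want are built in. First, with UsePAM yes, PAM can still collect a password over the keyboard-interactive method unless ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7, old name kept as an alias) is also set to no, so the poster's file as pasted does not by itself stop password logins. Second, ClientAliveCountMax 0 is version-dependent: before OpenSSH 8.2 it drops the session after a single silent ClientAliveInterval without even sending a probe, and from 8.2 on it disables the disconnect entirely, so a count of 1 or more is what the poster's half-hour idle requirement needs. Both sample configs, the policy, the severities and the names audit() and parse_sshd_config() are this example's own; the defaults it assumes are those of the poster's OpenSSH 5.x.

```python
"""Audit an sshd_config against a small hardening policy. Added example for this
thread, not the posters' code; parsing follows sshd(8) keyword conventions."""
from __future__ import annotations

import re

# Constructed input: the poster's file plus the ClientAlive pair from the thread.
POSTED_CONFIG = """\
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
ClientAliveInterval 60
ClientAliveCountMax 0
"""

# Constructed input: the same file with the findings below addressed.
HARDENED_CONFIG = """\
Port 47015
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
Compression delayed
ClientAliveInterval 300
ClientAliveCountMax 3
TCPKeepAlive yes
"""

_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text: str):
    """Return (global_opts, match_blocks) with lower-cased keywords."""
    global_opts: dict[str, str] = {}
    match_blocks: list[tuple[str, dict[str, str]]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            raise ValueError(f"cannot parse sshd_config line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_opts, match_blocks


def audit(text: str, openssh_version: tuple[int, int] = (5, 1)):
    """Return (severity, keyword, message) findings; defaults are OpenSSH 5.x's.
    openssh_version only changes how ClientAliveCountMax 0 is read (flipped in 8.2)."""
    opts, _ = parse_sshd_config(text)
    get = lambda key, default: opts.get(key.lower(), default)
    f: list[tuple[str, str, str]] = []
    if "1" in get("Protocol", "2,1").split(","):  # default was 2,1 before 5.4
        f.append(("HIGH", "Protocol", "SSH protocol 1 is enabled; set 'Protocol 2'"))
    if get("PermitRootLogin", "yes") != "no":  # default was yes before 7.0
        f.append(("HIGH", "PermitRootLogin", "root may log in directly"))
    if get("PubkeyAuthentication", "yes") != "yes":
        f.append(("HIGH", "PubkeyAuthentication", "public-key login is disabled"))
    if get("PasswordAuthentication", "yes") != "no":
        f.append(("HIGH", "PasswordAuthentication", "password login is enabled"))
    # KbdInteractiveAuthentication is the 8.7+ name; the old keyword is an alias.
    kbd = opts.get("kbdinteractiveauthentication", get("ChallengeResponseAuthentication", "yes"))
    if get("UsePAM", "no") == "yes" and kbd != "no":
        f.append(("HIGH", "ChallengeResponseAuthentication", "UsePAM yes plus keyboard-interactive "
                  "still lets PAM collect a password despite PasswordAuthentication no; set it to 'no'"))
    if get("X11Forwarding", "no") == "yes":
        f.append(("LOW", "X11Forwarding", "exposes the client's display to the server"))
    interval, count = int(get("ClientAliveInterval", "0")), int(get("ClientAliveCountMax", "3"))
    if interval == 0:
        f.append(("INFO", "ClientAliveInterval", "no encrypted liveness probes; NAT state may expire idle sessions"))
    elif count == 0 and openssh_version < (8, 2):
        f.append(("MEDIUM", "ClientAliveCountMax",
                  f"0 drops the session after {interval}s of silence without probing; use 1 or more"))
    elif count == 0:
        f.append(("INFO", "ClientAliveCountMax", "0 disables disconnection of silent clients since 8.2"))
    if "compression" in opts:
        f.append(("INFO", "Compression", "sshd can only permit compression; the client decides (ssh -C)"))
    if get("Port", "22") != "22":
        f.append(("INFO", "Port", "a non-default port is not an access control"))
    return f


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, key, msg in audit(cfg):
            print(f"{sev:7}{key}: {msg}")
```

Run the file directly to print both reports: the posted file yields one HIGH (keyboard-interactive still open under PAM), one MEDIUM (ClientAliveCountMax 0 on a 5.1 server kills the session after 60 silent seconds) and an informational note on the port; the hardened file yields only the two informational notes. The Compression note is the answer to the "force the client to compress" wish: sshd's Compression keyword permits or forbids compression, and the client decides whether to ask for it.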
Re: need an efficient and secure sshd_config
by Kosala Atapattu-2
http://www.cyberciti.biz/faq/linux-unix-login-bash-shell-force-time-outs/

Bash and Csh environments work very differently when it comes to environment variables. The above has some guides.

Kosala

On Tue, Jul 14, 2009 at 9:04 PM, Robert Hajime Lanning<robert.lanning@...> wrote:
> On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@...> wrote:
> [...]
>
> The idle logout, isn't sshd. It is the shell. Look into the "autologout"
> environment variable for bash.
>
> As for the client password prompt, that is not controllable from the
> server side, without dropping everything and going for
> "keyboard interactive" authentication. For that, you will have to
> code your own authentication method.
>
> --
> And, did Galoka think the Ulus were too ugly to save?
> -Centauri

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
Re: need an efficient and secure sshd_config
by J. Bakshi-3
On Wed, 15 Jul 2009 13:01:15 -0400
Greg Wooledge <wooledg@...> wrote:
> On Tue, Jul 14, 2009 at 11:04:45AM -0700, Robert Hajime Lanning wrote:
> > The idle logout, isn't sshd. It is the shell. Look into the
> > "autologout" environment variable for bash.
>
> Many NAT firewalls also have a connection timeout that affects ssh
> users. Setting ServerAliveInterval (or the corresponding server
> configuration option) allows persistent ssh connections through such
> firewalls, which would otherwise expire idle connections.
>
> > > matteo filippetto <matteo.filippetto@...> wrote:
> > > I need the configuration which actually suppress the hostname and
> > > the domain/IP on client side. client will only be prompted for
> > > password.
>
> If I'm reading this right, you want the client to be able to reach
> only one server. E.g., user types "go" and the "go" script runs
> ssh someuser@... (which is a trivial script to write).
>
> No server configuration option would be necessary or useful in that
> case.
>
> If you mean something else by "suppress the hostname and the domain/IP
> on client side", then I don't understand the question.

Ok, here is an example. Say there is a Host configuration named myserver in my .ssh/config file. Now if I do

```
# ssh myserver

username@...'s password:
```

I would like to suppress the information username@... and it should prompt only for the password. I would like to know the configuration for both the server side and the client side to suppress the information, if any.

thanks
Re: need an efficient and secure sshd_config
by Akash-6
That prompt is being shown by the SSH client. You could write a script to accept the password. Or implement a client yourself.

On Thursday, July 16, 2009, J. Bakshi <bakshi12@...> wrote:
> On Wed, 15 Jul 2009 13:01:15 -0400
> Greg Wooledge <wooledg@...> wrote:
> [...]
>
> Ok here is an example. Say there is a Host configuration as myserver in my .ssh/config file. Now if I do
>
> ```
> # ssh myserver
>
> username@...'s password:
> ```
>
> I like to suppress the information username@... and it should prompt only the password:
> I like to know the configuration for both server side and client side to suppress the information; if any.
>
> thanks

--
warm regards,
Akash Mahajan
----------------------------------------------------------
Security Consultant, (Web / Networks / Servers / IT/ Virtualization)
Founder Headstart Network Foundation
----------------------------------------------------------
http://www.linkedin.com/in/akashm
http://network.headstart.in
----------------------------------------------------------