Debianhelp.co.uk

             SSH Configuration and Troubleshooting in Debian

      SSH

SSH (Secure SHell) is the standard way to log in to a remote host over an untrusted network: it encrypts the session and authenticates both the server and the user. A free implementation, OpenSSH, is available as the ssh package in Debian.

 Basics of SSH

First install the OpenSSH server and client.

 

     # apt-get update 
     # apt-get install ssh

 

/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.

SSH has two protocol versions, each with its own set of authentication methods:

  • SSH protocol version 1:
    • the Potato (Debian 2.2) package supports only this version.
    • available authentication methods:
      • RSAAuthentication: RSA identity key based user authentication
      • RhostsAuthentication: .rhosts based host authentication (insecure, disabled)
      • RhostsRSAAuthentication: .rhosts authentication combined with RSA host key (disabled)
      • ChallengeResponseAuthentication: challenge-response authentication (e.g. S/Key or PAM)
      • PasswordAuthentication: password based authentication
  • SSH protocol version 2:
    • post-Woody versions use this as the primary protocol.
    • available authentication methods:
      • PubkeyAuthentication: public key based user authentication
      • HostbasedAuthentication: .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
      • ChallengeResponseAuthentication: challenge-response authentication
      • PasswordAuthentication: password based authentication

Protocol version 1 is cryptographically weak (its CRC-32 integrity check permits insertion attacks) and has since been removed from OpenSSH altogether (release 7.6). Set "Protocol 2" on any system that still offers version 1, and fall back to version 1 only for a one-off connection to a legacy host that cannot be upgraded.

 

Be careful about these differences if you are migrating to Woody or using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz and the ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) manual pages for details.

Following are the key configuration files:

  • /etc/ssh/ssh_config: SSH client defaults. See ssh. Notable entries are:
    • Host: Restricts the following declarations (up to the next Host keyword) to hosts that match one of the patterns given after the keyword.
    • Protocol: Specifies the SSH protocol versions to try, in order. The default is "2,1"; set it to "2" unless you must talk to a server that offers only version 1.
    • PreferredAuthentications: Specifies the order in which the SSH2 client tries authentication methods. The default is "hostbased,publickey,keyboard-interactive,password".
    • PasswordAuthentication: If you want to log in with a password, make sure this is not set to "no".
    • ForwardX11: The default is disabled. This can be overridden by the command-line option "-X".
  • /etc/ssh/sshd_config: SSH server defaults. See sshd. Notable entries are:
    • ListenAddress: Specifies the local addresses sshd should listen on. Multiple options are permitted; binding only the interface that needs SSH is simpler than firewalling the others.
    • AllowTcpForwarding: Upstream OpenSSH enables this by default (check the shipped /etc/ssh/sshd_config). Disable it unless users need port forwarding, because it turns any shell account into a relay into the network behind the server.
    • X11Forwarding: Upstream OpenSSH disables this by default, but the Debian-shipped sshd_config turns it on. Leave it off unless it is actually needed.
  • $HOME/.ssh/authorized_keys: the list of public keys permitted to log in to this account on this host. Neither this file nor $HOME/.ssh may be group- or world-writable, or sshd ignores it (StrictModes). See ssh-keygen.
  • $HOME/.ssh/identity: the user's protocol 1 RSA private key. Protocol 2 keys live in $HOME/.ssh/id_rsa, id_dsa or (on current releases) id_ed25519; keep them mode 0600. See ssh-add and ssh-agent.
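The server-side settings listed above are the ones that most often decide whether a host is exposed. The script below is an added example, not code from the original page or from the OpenSSH project: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, "#" starts a comment), flags protocol 1, password logins and the forwarding options, and runs itself over two constructed configs, one weak and one corrected. The sample files and the IP address 192.0.2.10 are made up; on a real host run audit_sshd_config against /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# weak settings discussed above, weak file beside hardened file.
# Both configs are CONSTRUCTED for the demonstration; on a real host run
#   audit_sshd_config /etc/ssh/sshd_config

# Constructed: a legacy server that still offers protocol 1 and passwords.
SAMPLE_WEAK='# sshd_config (constructed sample)
Protocol 2,1
ListenAddress 0.0.0.0
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
AllowTcpForwarding yes
'

# Constructed: the same host with the settings corrected.
SAMPLE_HARDENED='# sshd_config (constructed sample)
Protocol 2
ListenAddress 192.0.2.10
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
'

# sshd_value FILE KEYWORD: print the effective value of KEYWORD.
# sshd honours the FIRST occurrence of a keyword, keywords are
# case-insensitive, and lines starting with # are comments.
# (The rarer "Keyword=value" spelling is not handled here.)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            print
            exit
        }' "$1"
}

# audit_sshd_config FILE: print one line per weak setting found.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    findings=0

    # Protocol 1 is broken (CRC-32 integrity, insertion attacks) and gone
    # from current OpenSSH; any "1" in the version list is a finding.
    case "$(sshd_value "$cfg" Protocol)" in
        *1*) echo "Protocol: version 1 enabled, set 'Protocol 2'"
             findings=$((findings + 1)) ;;
    esac

    # PasswordAuthentication defaults to yes when unset, so an empty value
    # counts as yes; the other keywords are flagged only when explicitly yes.
    pw=$(sshd_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ -z "$pw" ] || [ "$pw" = yes ]; then
        echo "PasswordAuthentication: ${pw:-unset (defaults to yes)}, use keys and set it to no"
        findings=$((findings + 1))
    fi
    for kw in X11Forwarding AllowTcpForwarding PermitRootLogin; do
        v=$(sshd_value "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$v" = yes ]; then
            echo "$kw: yes, set it to no unless users genuinely need it"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone demo: write both samples to temporary files and audit them.
demo() {
    weak=$(mktemp) && hard=$(mktemp) || return 1
    printf '%s' "$SAMPLE_WEAK" > "$weak"
    printf '%s' "$SAMPLE_HARDENED" > "$hard"
    echo "== weak sample =="
    audit_sshd_config "$weak" || true
    echo "== hardened sample =="
    audit_sshd_config "$hard" && echo "no findings"
    rm -f "$weak" "$hard"
}
demo
```

The weak sample yields four findings (Protocol, PasswordAuthentication, X11Forwarding, AllowTcpForwarding) and the hardened one none. On a current OpenSSH you can let the daemon resolve defaults for you with "sshd -T" and feed that output to the same function.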

 

The following will start an ssh connection from a client. The "-1" forms only work against a server that still offers protocol 1.

 

     $ ssh username@hostname.domain.ext
     $ ssh -1 username@hostname.domain.ext # Force SSH version 1
     $ ssh -1 -o RSAAuthentication=no -l username test.host
         # force password on SSH1
     $ ssh -o PreferredAuthentications=password -l username test.host
         # force password on SSH2
 

For the user, ssh functions as a smarter and more secure telnet (it does not drop into a command prompt on ^] the way telnet does).

 

SSH clients

 

There are a few free SSH clients available for non-Unix-like platforms.

  • Windows: PuTTY (MIT licence)
  • Windows (Cygwin): OpenSSH built for Cygwin (BSD licence)
  • Macintosh Classic: MacSSH (GPL). Mac OS X includes OpenSSH; use ssh in the Terminal application.

Troubleshooting SSH

If you have problems, check the permissions of the configuration files and keys (sshd silently ignores authorized_keys that are group- or world-writable) and run ssh with the "-v" option; "-vvv" prints the full key exchange and authentication trace.

Older OpenSSH clients, when run as root, bound a privileged source port (1-1023) so that the server could trust the connection for rhosts-style authentication, and some firewalls block connections from that range. Use the "-P" option on such a client to make it use a non-privileged source port instead. Current OpenSSH clients never use a privileged source port and no longer have a "-P" option.

 

If ssh connections to a remote site suddenly stop working with a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" message, it may be the result of tinkering by the sysadmin, most likely a change of host key during system maintenance (a reinstall regenerates the host keys). The same warning is exactly what an attacker impersonating the remote host produces, so first confirm the new key's fingerprint through an independent channel (ssh-keygen -l run on the server's console, or a fingerprint the administrator has published). Only then remove the stale entry from $HOME/.ssh/known_hosts on the local machine, with "ssh-keygen -R hostname" or by editing the file, and reconnect so the verified key is recorded.
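The procedure above, as an added example that is not part of the original page: the comments spell out the out-of-band fingerprint check, and the two shell helpers show and remove a host's entries in a known_hosts file the way "ssh-keygen -R" does for plain-text entries, including the comma-separated alias list and the "[host]:port" form. The known_hosts content is constructed: the host names test.host, other.example.org and bastion.example.org are made up and the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original page): deal with a changed host key
# without blindly trusting the new one. The known_hosts content below is
# CONSTRUCTED: host names are made up and the key blobs are placeholders.

SAMPLE_KNOWN_HOSTS='test.host,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAexampleOLDkey
other.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleOTHERkey
[bastion.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleBASTIONkey
'

# Before touching known_hosts, verify the NEW key out of band. On the server
# (console, not over the suspect connection):
#   ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# From the client, what the network is presenting:
#   ssh-keyscan -t ed25519 test.host 2>/dev/null | ssh-keygen -lf -
# Only if the two fingerprints agree is the change benign; if they differ,
# assume interception and do not connect.

# awk program shared by the two helpers. The host field is a comma-separated
# list of names/addresses; "[host]:port" marks a non-standard port; a leading
# @cert-authority / @revoked marker shifts the host field to $2. Hashed
# entries ("|1|salt|hash", written when HashKnownHosts is yes) never match by
# name here; use "ssh-keygen -F host" / "ssh-keygen -R host" for those.
KH_AWK='
function entry_matches(field, host,    n, names, i, nm) {
    n = split(field, names, ",")
    for (i = 1; i <= n; i++) {
        nm = names[i]
        if (substr(nm, 1, 1) == "[") {          # [host]:port form
            nm = substr(nm, 2)
            sub(/]:[0-9]+$/, "", nm)
        }
        if (nm == host) return 1
    }
    return 0
}
NF == 0 || $1 ~ /^#/ { if (mode == "drop") print; next }
{
    f = ($1 ~ /^@/) ? $2 : $1
    m = entry_matches(f, host)
    if (mode == "show" && m)  print
    if (mode == "drop" && !m) print
}
'

# known_hosts_show FILE HOST: print the entries recorded for HOST.
known_hosts_show() { awk -v mode=show -v host="$2" "$KH_AWK" "$1"; }

# known_hosts_remove FILE HOST: rewrite FILE without the entries for HOST
# (what "ssh-keygen -R HOST -f FILE" does, minus hashed-entry support).
known_hosts_remove() {
    tmpf=$(mktemp) || return 1
    awk -v mode=drop -v host="$2" "$KH_AWK" "$1" > "$tmpf" && mv "$tmpf" "$1"
}

# Stand-alone demo against the constructed file.
demo() {
    kh=$(mktemp) || return 1
    printf '%s' "$SAMPLE_KNOWN_HOSTS" > "$kh"
    echo "== entries for test.host before =="
    known_hosts_show "$kh" test.host
    known_hosts_remove "$kh" test.host
    echo "== file after removal =="
    cat "$kh"
    rm -f "$kh"
}
demo
```

Removing the entry is the last step, not the first: once it is gone the next ssh will happily record whatever key the network offers, which is precisely what an attacker in the middle wants.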