Mailing List Archive

need an efficient and secure sshd_config
Dear list,

I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
There are a no. of online docs on sshd configuration. I am afraid to
say that even reading a no. of such tutorial I am still confused. I am
looking for a sshd_config file which is both strict about security as
well as efficient to control its client. Like it should force the client to have compression, it should survive with poor internet, and other good features which can make it a good ssh server.

Could any one please suggest such sshd_config ?

Here is mine

```
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
```

thanks
Re: need an efficient and secure sshd_config [ In reply to ]
2009/7/12 J. Bakshi <bakshi12@gmail.com>:
> Dear list,
>
> I am running openssh-server  1:5.1p1-5+b1 on a remote debian box.
> There are a no. of online docs on sshd configuration. I am afraid to
> say that even reading a no. of such tutorial I am still confused. I am
> looking for a sshd_config file which is both strict about security as
> well as efficient to control its client. Like it should force the client to have compression, it should survive with poor internet, and other good features which can make it a good ssh server.
>
> Could any one please suggest such sshd_config ?
>
> Here is mine
>
> ```
> Port 47015
> Protocol 2
> PermitRootLogin no
> PasswordAuthentication no
> UsePAM yes
> X11Forwarding no
> ```
>
> thanks
>

Hi,

maybe you can read this discussion

http://www.governmentsecurity.org/forum/index.php?showtopic=6051

and for sure take a look at the official documentation

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Bye

--
Matteo Filippetto
Re: need an efficient and secure sshd_config [ In reply to ]
On Mon, 13 Jul 2009 10:00:52 +0200
matteo filippetto <matteo.filippetto@gmail.com> wrote:

> 2009/7/12 J. Bakshi <bakshi12@gmail.com>:
> > Dear list,
> >
> > I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
> > There are a no. of online docs on sshd configuration. I am afraid to
> > say that even reading a no. of such tutorial I am still confused. I
> > am looking for a sshd_config file which is both strict about
> > security as well as efficient to control its client. Like it should
> > force the client to have compression, it should survive with poor
> > internet, and other good features which can make it a good ssh
> > server.
> >
> > Could any one please suggest such sshd_config ?
> >
> > Here is mine
> >
> > ```
> > Port 47015
> > Protocol 2
> > PermitRootLogin no
> > PasswordAuthentication no
> > UsePAM yes
> > X11Forwarding no
> > ```
> >
> > thanks
> >
>
> Hi,
>
> maybe you can read this discussion
>
> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
>
> and for sure take a look at the official documentation
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>
> Bye
>

Thanks for your response but I have not found yet what I'm looking for. I need the configuration which actually suppresses the hostname and the domain/IP on client side. The client will only be prompted for password. The second thing: the sshd should allow the client to be connected even half an hour without executing any command. Any such configuration in openssh?

Thanks
Re: need an efficient and secure sshd_config [ In reply to ]
ClientAliveInterval <time interval in seconds>
ClientAliveCountMax 0

That should do for the time settings :)

Remo


On 7/14/09 9:55 AM, "J. Bakshi" <bakshi12@gmail.com> wrote:

> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@gmail.com> wrote:
>
>> 2009/7/12 J. Bakshi <bakshi12@gmail.com>:
>>> Dear list,
>>>
>>> I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
>>> There are a no. of online docs on sshd configuration. I am afraid to
>>> say that even reading a no. of such tutorial I am still confused. I
>>> am looking for a sshd_config file which is both strict about
>>> security as well as efficient to control its client. Like it should
>>> force the client to have compression, it should survive with poor
>>> internet, and other good features which can make it a good ssh
>>> server.
>>>
>>> Could any one please suggest such sshd_config ?
>>>
>>> Here is mine
>>>
>>> ```
>>> Port 47015
>>> Protocol 2
>>> PermitRootLogin no
>>> PasswordAuthentication no
>>> UsePAM yes
>>> X11Forwarding no
>>> ```
>>>
>>> thanks
>>>
>>
>> Hi,
>>
>> maybe you can read this discussion
>>
>> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
>>
>> and for sure take a look at the official documentation
>>
>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>
>> Bye
>>
>
> Thanks for your response but I have not found yet what I'm looking for. I need
> the configuration which actually suppress the hostname and the domain/IP on
> client side. client will only be prompted for password. The second thing the
> sshd should allow the client to be connected even half an hour with out
> executing any command. Any such configuration in openssh ?
>
> Thanks
>
Re: need an efficient and secure sshd_config [ In reply to ]
On Tue, 14 Jul 2009 11:05:20 -0600
Remo Mattei <remo-dated-1248023133.666171@italy1.com> wrote:

> ClientAliveInterval <time interval in seconds>
> ClientAliveCountMax 0
>
> That should do for the time settings :)
>
> Remo


Thanks a lot Remo.
Hope you don't mind if I insist on you to also show how to set the sshd daemon so that

1> it forces the client to follow compression
2> Suppress the host and IP information on client side

Is there any such time settings possible on host side ( in ssh_conf ? )

Wish you a nice time.


>
>
> On 7/14/09 9:55 AM, "J. Bakshi" <bakshi12@gmail.com> wrote:
>
> > On Mon, 13 Jul 2009 10:00:52 +0200
> > matteo filippetto <matteo.filippetto@gmail.com> wrote:
> >
> >> 2009/7/12 J. Bakshi <bakshi12@gmail.com>:
> >>> Dear list,
> >>>
> >>> I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
> >>> There are a no. of online docs on sshd configuration. I am afraid
> >>> to say that even reading a no. of such tutorial I am still
> >>> confused. I am looking for a sshd_config file which is both
> >>> strict about security as well as efficient to control its client.
> >>> Like it should force the client to have compression, it should
> >>> survive with poor internet, and other good features which can
> >>> make it a good ssh server.
> >>>
> >>> Could any one please suggest such sshd_config ?
> >>>
> >>> Here is mine
> >>>
> >>> ```
> >>> Port 47015
> >>> Protocol 2
> >>> PermitRootLogin no
> >>> PasswordAuthentication no
> >>> UsePAM yes
> >>> X11Forwarding no
> >>> ```
> >>>
> >>> thanks
> >>>
> >>
> >> Hi,
> >>
> >> maybe you can read this discussion
> >>
> >> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
> >>
> >> and for sure take a look at the official documentation
> >>
> >> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
> >>
> >> Bye
> >>
> >
> > Thanks for your response but I have not found yet what I'm looking
> > for. I need the configuration which actually suppress the hostname
> > and the domain/IP on client side. client will only be prompted for
> > password. The second thing the sshd should allow the client to be
> > connected even half an hour with out executing any command. Any
> > such configuration in openssh ?
> >
> > Thanks
> >
>
Re: need an efficient and secure sshd_config [ In reply to ]
On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@gmail.com> wrote:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@gmail.com> wrote:
> Thanks for your response but I have not found yet what I'm looking for.
> I need the configuration which actually suppress the hostname and the
> domain/IP on client side. client will only be prompted for password.
> The second thing the sshd should allow the client to be connected even
> half an hour with out executing any command. Any such configuration
> in openssh ?

The idle logout, isn't sshd. It is the shell. Look into the "autologout"
environment variable for bash.

As for the client password prompt, that is not controllable from the
server side, without dropping everything and going for
"keyboard interactive" authentication. For that, you will have to
code your own authentication method.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
Re: need an efficient and secure sshd_config [ In reply to ]
2009/7/14 J. Bakshi <bakshi12@gmail.com>:
> On Mon, 13 Jul 2009 10:00:52 +0200
> matteo filippetto <matteo.filippetto@gmail.com> wrote:
>
>> 2009/7/12 J. Bakshi <bakshi12@gmail.com>:
>> > Dear list,
>> >
>> > I am running openssh-server 1:5.1p1-5+b1 on a remote debian box.
>> > There are a no. of online docs on sshd configuration. I am afraid to
>> > say that even reading a no. of such tutorial I am still confused. I
>> > am looking for a sshd_config file which is both strict about
>> > security as well as efficient to control its client. Like it should
>> > force the client to have compression, it should survive with poor
>> > internet, and other good features which can make it a good ssh
>> > server.
>> >
>> > Could any one please suggest such sshd_config ?
>> >
>> > Here is mine
>> >
>> > ```
>> > Port 47015
>> > Protocol 2
>> > PermitRootLogin no
>> > PasswordAuthentication no
>> > UsePAM yes
>> > X11Forwarding no
>> > ```
>> >
>> > thanks
>> >
>>
>> Hi,
>>
>> maybe you can read this discussion
>>
>> http://www.governmentsecurity.org/forum/index.php?showtopic=6051
>>
>> and for sure take a look at the official documentation
>>
>> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>>
>> Bye
>>
>
> Thanks for your response but I have not found yet what I'm looking for. I need the configuration which actually suppress the hostname and the domain/IP on client side. client will only be prompted for password. The second thing the sshd should allow the client to be connected even half an hour with out executing any command. Any such configuration in openssh ?
>
> Thanks
>

Hi,

if you read this
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

you will find some options like

Banner
The contents of the specified file are sent to the remote user
before authentication is allowed. If the argument is ``none''
then no banner is displayed. This option is only available for
protocol version 2. By default, no banner is displayed.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down temporarily,
and some people find it annoying. On the other hand,
if TCP keepalives are not sent, sessions may hang indefinitely on
the server, leaving ``ghost'' users and consuming server resources.

The default is ``yes'' (to send TCP keepalive messages), and the
server will notice if the network goes down or the client host
crashes. This avoids infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to
``no''.


and for client (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5)

ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are being
sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and therefore
will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valuable
when the client or server depend on knowing when a connection
has become inactive.

The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.

ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down temporarily,
and some people find it annoying.

The default is ``yes'' (to send TCP keepalive messages), and the
client will notice if the network goes down or the remote host
dies. This is important in scripts, and many users want it too.

To disable TCP keepalive messages, the value should be set to
``no''.


Bye
--
Matteo Filippetto
Re: need an efficient and secure sshd_config [ In reply to ]
I would suggest you provide them a public key. So here is what I would do:

1) create user/s
2) generate a public key for each user
3) use the public key for login
4) disable access unless used with public keys

Just my 2 cents.

Remo


On 7/14/09 12:04 PM, "Robert Hajime Lanning" <robert.lanning@gmail.com>
wrote:

> On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@gmail.com> wrote:
>> On Mon, 13 Jul 2009 10:00:52 +0200
>> matteo filippetto <matteo.filippetto@gmail.com> wrote:
>> Thanks for your response but I have not found yet what I'm looking for.
>> I need the configuration which actually suppress the hostname and the
>> domain/IP on client side. client will only be prompted for password.
>> The second thing the sshd should allow the client to be connected even
>> half an hour with out executing any command. Any such configuration
>> in openssh ?
>
> The idle logout, isn't sshd. It is the shell. Look into the "autologout"
> environment variable for bash.
>
> As for the client password prompt, that is not controllable from the
> server side, without dropping everything and going for
> "keyboard interactive" authentication. For that, you will have to
> code your own authentication method.
Re: need an efficient and secure sshd_config [ In reply to ]
On Tue, Jul 14, 2009 at 11:04:45AM -0700, Robert Hajime Lanning wrote:
> The idle logout, isn't sshd. It is the shell. Look into the "autologout"
> environment variable for bash.

Many NAT firewalls also have a connection timeout that affects ssh
users. Setting the ServerAliveInterval (or the corresponding server
configuration option) allows persistent ssh connections through such
firewalls, which would otherwise expire idle connections.

> > matteo filippetto <matteo.filippetto@gmail.com> wrote:
> > I need the configuration which actually suppress the hostname and the
> > domain/IP on client side. client will only be prompted for password.

If I'm reading this right, you want the client to be able to reach
only one server. E.g., user types "go" and the "go" script runs
ssh someuser@some.host (which is a trivial script to write).

No server configuration option would be necessary or useful in that case.

If you mean something else by "suppress the hostname and the domain/IP
on client side", then I don't understand the question.
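
Added example (not part of the original thread, and not code from OpenSSH): the keepalive options quoted from the man pages and the NAT timeout point above, worked through for the server side. It parses the global section of an sshd_config and reports the unresponsive-client window (interval × count, the server-side counterpart of the 15 × 3 ≈ 45 seconds client case) and whether probes are frequent enough to keep a NAT mapping open; the sample config, the 300-second NAT timeout and the function names are assumptions.

```python
# Added example: keepalive behaviour of an idle SSH session, from sshd_config text.

# Defaults documented in sshd_config(5) for the options this example reads.
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3",
            "tcpkeepalive": "yes"}

# Constructed sample: the poster's options plus keepalive lines (assumed values).
SAMPLE_CONFIG = """\
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
clientaliveinterval 60
ClientAliveCountMax 3
ClientAliveInterval 600
Match User backup
    ClientAliveInterval 0
"""


def parse_global_options(text):
    """Return the global keyword -> value map of an sshd_config.

    Keywords are case-insensitive and the first value seen for a keyword
    wins. Parsing stops at the first Match block, whose settings are
    conditional and are not evaluated here.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        options.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return options


def keepalive_report(config_text, nat_idle_timeout):
    """Summarise keepalive behaviour for an idle session behind a NAT device.

    nat_idle_timeout: seconds after which the NAT/firewall drops an idle
    TCP mapping (an assumed figure supplied by the caller).
    """
    opts = {**DEFAULTS, **parse_global_options(config_text)}
    interval = int(opts["clientaliveinterval"])
    count_max = int(opts["clientalivecountmax"])
    probes = interval > 0
    if probes and count_max > 0:
        window = interval * count_max
    else:
        # No probes, or CountMax 0, whose meaning differs between OpenSSH
        # releases and is therefore left uninterpreted here.
        window = None
    return {
        "encrypted_probes": probes,
        "dead_peer_window": window,
        # Probes refresh the NAT mapping only if sent before it expires.
        # TCPKeepAlive follows kernel timers and is not counted here.
        "survives_nat_idle": probes and interval < nat_idle_timeout,
        "tcp_keepalive": opts["tcpkeepalive"].lower() == "yes",
    }


if __name__ == "__main__":
    for name, value in keepalive_report(SAMPLE_CONFIG, 300).items():
        print(f"{name}: {value}")
```

On a live host, `sshd -T` prints the effective values, including defaults, and is the authoritative source for the numbers fed into a check like this.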
Re: need an efficient and secure sshd_config [ In reply to ]
http://www.cyberciti.biz/faq/linux-unix-login-bash-shell-force-time-outs/

Bash and Csh environments work very differently when it comes to
environment variables. The above has some guides.

Kosala

On Tue, Jul 14, 2009 at 9:04 PM, Robert Hajime
Lanning<robert.lanning@gmail.com> wrote:
> On Tue, Jul 14, 2009 at 8:55 AM, J. Bakshi<bakshi12@gmail.com> wrote:
>> On Mon, 13 Jul 2009 10:00:52 +0200
>> matteo filippetto <matteo.filippetto@gmail.com> wrote:
>> Thanks for your response but I have not found yet what I'm looking for.
>> I need the configuration which actually suppress the hostname and the
>> domain/IP on client side. client will only be prompted for password.
>> The second thing the sshd should allow the client to be connected even
>> half an hour with out executing any command. Any such configuration
>> in openssh ?
>
> The idle logout, isn't sshd.  It is the shell.  Look into the "autologout"
> environment variable for bash.
>
> As for the client password prompt, that is not controllable from the
> server side, without dropping everything and going for
> "keyboard interactive" authentication.  For that, you will have to
> code your own authentication method.
>
> --
> And, did Galoka think the Ulus were too ugly to save?
>                                         -Centauri
>



--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
Re: need an efficient and secure sshd_config [ In reply to ]
On Wed, 15 Jul 2009 13:01:15 -0400
Greg Wooledge <wooledg@eeg.ccf.org> wrote:

> On Tue, Jul 14, 2009 at 11:04:45AM -0700, Robert Hajime Lanning wrote:
> > The idle logout, isn't sshd. It is the shell. Look into the
> > "autologout" environment variable for bash.
>
> Many NAT firewalls also have a connection timeout that affects ssh
> users. Setting the ServerAliveInterval (or the corresponding server
> configuration option) allows persistent ssh connections through such
> firewalls, which would otherwise expire idle connections.
>
> > > matteo filippetto <matteo.filippetto@gmail.com> wrote:
> > > I need the configuration which actually suppress the hostname and
> > > the domain/IP on client side. client will only be prompted for
> > > password.
>
> If I'm reading this right, you want the client to be able to reach
> only one server. E.g., user types "go" and the "go" script runs
> ssh someuser@some.host (which is a trivial script to write).
>
> No server configuration option would be necessary or useful in that
> case.
>
> If you mean something else by "suppress the hostname and the domain/IP
> on client side", then I don't understand the question.

Ok here is an example. Say there is a Host configuration as myserver in my .ssh/config file. Now if I do


```````````
# ssh myserver

username@192.168.1.100's password:
```````````````````

I like to suppress the information username@192.168.1.100 and it should prompt only the password:
I like to know the configuration for both server side and client side to suppress the information; if any.

thanks
Re: need an efficient and secure sshd_config [ In reply to ]
That prompt is being shown by the SSH client. You could write a script
to accept the password. Or implement a client yourself.


On Thursday, July 16, 2009, J. Bakshi <bakshi12@gmail.com> wrote:
> On Wed, 15 Jul 2009 13:01:15 -0400
> Greg Wooledge <wooledg@eeg.ccf.org> wrote:
>
>> On Tue, Jul 14, 2009 at 11:04:45AM -0700, Robert Hajime Lanning wrote:
>> > The idle logout, isn't sshd. It is the shell. Look into the
>> > "autologout" environment variable for bash.
>>
>> Many NAT firewalls also have a connection timeout that affects ssh
>> users. Setting the ServerAliveInterval (or the corresponding server
>> configuration option) allows persistent ssh connections through such
>> firewalls, which would otherwise expire idle connections.
>>
>> > > matteo filippetto <matteo.filippetto@gmail.com> wrote:
>> > > I need the configuration which actually suppress the hostname and
>> > > the domain/IP on client side. client will only be prompted for
>> > > password.
>>
>> If I'm reading this right, you want the client to be able to reach
>> only one server.  E.g., user types "go" and the "go" script runs
>> ssh someuser@some.host (which is a trivial script to write).
>>
>> No server configuration option would be necessary or useful in that
>> case.
>>
>> If you mean something else by "suppress the hostname and the domain/IP
>> on client side", then I don't understand the question.
>
> Ok here is an example. Say there is a Host configuration as myserver in my .ssh/config file. Now if I do
>
>
> ```````````
> # ssh myserver
>
> username@192.168.1.100's password:
> ```````````````````
>
> I like to suppress the information username@192.168.1.100 and it should prompt only the password:
> I like to know the configuration for both server side and client side to suppress the information; if any.
>
> thanks
>

--
warm regards,
Akash Mahajan
----------------------------------------------------------
Security Consultant, (Web / Networks /
Servers / IT/ Virtualization)
Founder Headstart Network Foundation
----------------------------------------------------------
http://www.linkedin.com/in/akashm
http://network.headstart.in
----------------------------------------------------------