ssh:configuring_sshd
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| ssh:configuring_sshd [2016/12/05 12:09] – peter | ssh:configuring_sshd [2019/12/04 21:22] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== SSH - Configuring sshd ====== | ||
| - | |||
| - | First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:" | ||
| - | |||
| - | <code bash> | ||
| - | sudo cp / | ||
| - | sudo chmod a-w / | ||
| - | </ | ||
| - | |||
| - | |||
| - | ===== Disable logins for the **root** user, only allow login for the core user and disable password based authentication. ===== | ||
| - | |||
| - | permissions: | ||
| - | owner: root:root | ||
| - | |||
| - | <file bash / | ||
| - | # Use most defaults for sshd configuration. | ||
| - | UsePrivilegeSeparation sandbox | ||
| - | Subsystem sftp internal-sftp | ||
| - | |||
| - | PermitRootLogin no | ||
| - | AllowUsers core | ||
| - | PasswordAuthentication no | ||
| - | ChallengeResponseAuthentication no | ||
| - | </ | ||
| - | |||
| - | |||
| - | ===== Changing the sshd port ===== | ||
| - | |||
| - | With socket-activated SSH by default. The configuration for this can be found at **/ | ||
| - | |||
| - | <file bash / | ||
| - | [Socket] | ||
| - | ListenStream=2222 | ||
| - | FreeBind=true | ||
| - | Accept=yes | ||
| - | </ | ||
| - | |||
| - | **sshd** will now listen only on port 2222 on all interfaces when the system is built. | ||
| - | |||
| - | |||
| - | Multiple ListenStream lines can be specified, in which case sshd will listen on all the specified sockets: | ||
| - | |||
| - | <file bash / | ||
| - | [Socket] | ||
| - | ListenStream=2222 | ||
| - | ListenStream=10.20.30.40: | ||
| - | FreeBind=true | ||
| - | </ | ||
| - | |||
| - | **sshd** will now listen to port 2222 on all configured addresses, and port 2223 on 10.20.30.40. | ||
| - | |||
| - | |||
| - | The complete contents of **/ | ||
| - | |||
| - | <file bash / | ||
| - | [Unit] | ||
| - | Description=OpenSSH Server Socket | ||
| - | Conflicts=sshd.service | ||
| - | |||
| - | [Socket] | ||
| - | ListenStream=2222 | ||
| - | ListenStream=10.20.30.40: | ||
| - | FreeBind=true | ||
| - | Accept=yes | ||
| - | |||
| - | [Install] | ||
| - | WantedBy=sockets.target | ||
| - | </ | ||
| - | |||
| - | |||
| - | ===== Activating changes ===== | ||
| - | |||
| - | After the edited file is written to disk, you can activate it without rebooting with: | ||
| - | |||
| - | <code bash> | ||
| - | sudo systemctl daemon-reload | ||
| - | </ | ||
| - | |||
| - | We now see that systemd is listening on the new sockets: | ||
| - | |||
| - | <code bash> | ||
| - | systemctl status sshd.socket | ||
| - | </ | ||
| - | |||
| - | Returns | ||
| - | |||
| - | < | ||
| - | ● sshd.socket - OpenSSH Server Socket | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | | ||
| - | ... | ||
| - | </ | ||
| - | |||
| - | And if we attempt to connect to port 22 on our public IP, the connection is rejected, but port 2222 works: | ||
| - | |||
| - | <code bash> | ||
| - | ssh core@[public IP] | ||
| - | ssh: connect to host [public IP] port 22: Connection refused | ||
| - | $ ssh -p 2222 core@[public IP] | ||
| - | Enter passphrase for key '/ | ||
| - | </ | ||
| - | |||
| - | |||
| - | |||
| - | |||
ssh/configuring_sshd.1480939776.txt.gz · Last modified: 2020/07/15 09:30 (external edit)