Implementing SSH: Strategies for Optimizing the Secure Shell, part 3


Network Settings

The network section of the sshd2_config file should look like the following:

    Port 443
    ListenAddress 0.0.0.0
    RequireReverseMapping no
    ResolveClientHostName yes
    MaxBroadcastsPerSecond 0
    NoDelay yes
    KeepAlive yes

The network section of the SSH configuration GUI should look like Figure 2.3.

Figure 2.3 Network screen from the SSH server configuration tool.

54 Chapter 2

Table 2.19 describes the Network options available for the SSH server.

Table 2.19 Options in the Network Section (Windows)

    Port
        Sets the port number for SSH to listen on. The default port is 22; however, listening on several ports, including nonstandard ports such as 80, 443, or 8080, may be preferable, because business travelers may be unable to make outbound connections on port 22 while port 80 or 443 is usually reachable. To listen on multiple ports, add the following lines:

            Port 22
            Port 80
            Port 443
            Port 8080

    ListenAddress
        Sets the IP address the SSH daemon listens on. The default, 0.0.0.0, enables the SSH service on all interfaces. If there are interfaces where SSH should not be listening, such as the external interface of a firewall, remove 0.0.0.0 and add the appropriate IP addresses. To listen only on selected interfaces, add the following lines:

            ListenAddress 172.16.1.1,192.168.0.1
            ListenAddress 10.0.0.1

    RequireReverseMapping
        Enables (yes) or disables (no) the requirement that DNS lookups succeed in order to work with AllowHosts and DenyHosts entries. If enabled and the DNS lookup fails, the request is denied. If disabled and the DNS lookup fails, the IP address is checked against the AllowHosts and DenyHosts entries.

    ResolveClientHostName (sshd2_config file only)
        Enables (yes) or disables (no) the server resolving (via DNS) the client's IP address.

    MaxBroadcastsPerSecond (sshd2_config file only)
        Identifies the number of UDP broadcasts the server should handle per second. The default value, zero, handles no broadcasts.
(continued)

SSH Servers 55

Table 2.19 (continued)

    NoDelay
        Enables (yes) or disables (no) the TCP_NODELAY socket option.

    KeepAlive
        Enables (yes) or disables (no) whether the SSH server sends KeepAlive packets to the SSH clients. This helps prevent hung sessions by determining whether the client on the other side is still running and has not crashed or blue-screened.

Crypto Settings

The Crypto section of the sshd2_config file should look like the following:

    Ciphers AnyStdCipher
    MACs AnyStdMac
    RekeyIntervalSeconds 0
    RandomSeedFile "server_random_seed"

The Encryption section of the SSH configuration GUI should look like Figure 2.4.

Figure 2.4 Encryption screen from the SSH server configuration tool.

Table 2.20 describes the Encryption options available for the SSH server.

Table 2.20 Options in the Encryption Section (Windows)

    Ciphers
        Lists the ciphers to be used to encrypt the session. Triple-DES (3DES), Blowfish, Arcfour, Twofish, CAST-128, and DES are supported. More global options can be set, such as Any, Anystd, anycipher, and anystdcipher. Any and anystd allow standard ciphers; anycipher allows any cipher; anystdcipher allows any cipher listed in the IETF SSH draft. A setting of none offers no cipher.

    MACs
        A Message Authentication Code (MAC) is a hash algorithm that verifies the integrity of the data before and after transmission. The algorithms supported are SHA1, MD5, SHA1-96, and MD5-96. Multiple MACs can also be set.

    RekeyIntervalSeconds
        Specifies the amount of time before the key-exchange process is executed again. The default is 3600 seconds, which is one hour. Periodic rekeying can be disabled by setting the value to zero.

    RandomSeedFile
        Identifies the location of the random seed file, which is used to generate randomness for the SSH server.
Users Settings

The Users section of the sshd2_config file should look like the following:

    LoginGraceTime 600
    PermitEmptyPasswords no
    UserConfigDirectory "%D/.ssh2"
    AuthorizationFile "authorization"
    PrivateWindowStation yes

The User Authentication section of the SSH configuration GUI should look like Figure 2.5. Furthermore, the User Authentication–Password section should look like Figure 2.6. Lastly, the User Authentication–Public Key section should look like Figure 2.7.

Figure 2.5 User Authentication screen from the SSH server configuration tool.

Figure 2.6 User Authentication–Password screen from the SSH server configuration tool.

Figure 2.7 User Authentication–Public Key screen from the SSH server configuration tool.

Table 2.21 describes the User Authentication options available for the SSH server.

Table 2.21 Options in the User Authentication Section (Windows)

    LoginGraceTime
        The amount of time, in seconds, the user has to complete the login process after initiating an authentication request. Values range from zero (no limit) to 600 seconds.

    PermitEmptyPasswords
        Allows (yes) or rejects (no) users having empty passwords. In most situations, this should be no.

    UserConfigDirectory (sshd2_config file)
        Identifies the location of user-specific configuration data, such as keys and identification files. The default is the .ssh2 folder in the user's home directory, such as /home/<username>/.ssh2 or Documents and Settings\<username>\.ssh2 (%D is the user's home directory; %U is the user's login name). More than one location can be identified for configuration data.

(continued)

Table 2.21 (continued)

    User key directory (GUI)
        Identifies the location of the authorization file, usually named authorization and located in the user's home directory on the SSH server.
        This file is used by the SSH server to indicate which public keys are authorized for acceptance during authentication. For example, if a user has two public keys for authentication, such as id_dsa_2048_a.pub and id_rsa_2048_a.pub, the contents of the authorization file will look like the following:

            Key id_dsa_2048_a.pub
            Key id_rsa_2048_a.pub

        Note: The public keys listed in the authorization file also need to be in the user's home directory; this is discussed further in Chapter 4.

    PrivateWindowStation (sshd2_config file only)
        Enables (yes) or disables (no) whether any terminal created is placed in a fully private window.

Server Public Key Configuration

The Server Public Key Configuration section of the sshd2_config file should look like the following:

    # HostKeyFile hostkey
    # PublicHostKeyFile hostkey.pub

The Identity section of the SSH configuration GUI should look like Figure 2.8. Table 2.22 describes the Server Public Key options available for the SSH server.

Table 2.22 Options in the Server Public Key Configuration Section (Windows)

    HostKeyFile
        Identifies the location of the private host-key file. The default location is the /etc/ssh2 directory on the local file system.

    PublicHostKeyFile
        Identifies the location of the public host-key file. The default is hostkey.pub, located on the local file system.

Figure 2.8 Identity screen from the SSH server configuration tool.

Server Certificate Configurations

The Server Certificate Configuration section of the sshd2_config file should look like the following:

    # HostKeyFile ""
    # HostCertificateFile ""
    # Pki ""
    # MapFile ""
    # LDAPServers
    # SocksServer
    # PkiDisableCRLs no

Table 2.23 describes the Server Certificate options available for the SSH server.

Table 2.23 Options in the Server Certificate Configuration (Windows)

    HostKeyFile
        Identifies the location of the private host-key file. The default is hostkey, located on the local file system.
    HostCertificateFile
        Identifies the location of the certificate file.

    PKI
        Enables (yes) or disables (no) user authentication using certificates.

(continued)

Table 2.23 (continued)

    MapFile
        Identifies the keyword-mapping file for the preceding PKI keyword.

    LDAPServers
        Identifies the LDAP server to be used for CRLs.

    SocksServer
        Identifies the name of the SOCKS server, which is used for certificate CRL lookups on remote servers.

    PKIDisableCRLs
        Disables CRL checking.

Tunneling Configurations

The Tunneling section of the sshd2_config file should look similar to the following:

    AllowTcpForwarding no
    # AllowTcpForwardingForUsers
    # DenyTcpForwardingForUsers

The Tunneling section of the SSH configuration GUI should be similar to Figure 2.9.

Figure 2.9 Tunneling screen from the SSH server configuration tool.

Table 2.24 describes the Tunneling options available for the SSH server.

Table 2.24 Options in the Tunneling Section (Windows)

    AllowTcpForwarding
        Enables (yes) or disables (no) the ability to forward ports, both locally and remotely, for all users.

    AllowTcpForwardingForUsers
        Enables port forwarding, both local and remote, for specific users. This setting accepts usernames and patterns, such as DNS patterns.

    DenyTcpForwardingForUsers
        Disables port forwarding, both local and remote, for specific users. This setting accepts usernames and patterns, such as DNS patterns.

Authentication Methods

The Authentication section of the sshd2_config file should look like the following:

    PasswordGuesses 3
    AllowedAuthentications "publickey,password,"
    RequiredAuthentications "publickey,"
    AuthInteractiveFailureTimeout 2
    AuthKbdInt.NumOptional 0
    # AuthKbdInt.Optional ""
    # AuthKbdInt.Required ""
    AuthKbdInt.Retries

Table 2.25 describes the Authentication options available for the SSH server.
Table 2.25 Options in the Authentication Section (Windows)

    PasswordGuesses (shown in Figure 4.5)
        Identifies the number of attempts a user is given before being disconnected if a valid authentication is not submitted.

    AllowedAuthentications (shown in Figures 4.6 and 4.7 with the Password Authentication drop-down box or the Public Key drop-down box)
        Identifies the types of authentication methods that are valid. Options include password, publickey, and hostbased.

(continued)

[...]

[...] Key section describes the host-key location as well as the fingerprint. Various options are given in Table 2.30.

Figure 2.15 General–Host Key screen from the VShell server.

Table 2.30 Options in the General–Host Key Section (VShell)

    Filename
        Identifies the path to the host key for the VShell SSH server.

    Fingerprint
        Displays the fingerprint for the VShell SSH server.

    Generate [...]

[...] the level of compression to be used for the SSH session.

Authentication

Highlight the Authentication section next (see Figure 2.20). The Authentication section describes the key exchange options, which are listed in Table 2.35.

Figure 2.20 Authentication screen from the VShell server.

Table 2.35 Options in the Authentication Section (VShell)

    Limit failed attempts to
        The [...]

[...] section from the VShell server.

Comparison of OpenSSH, SSH Server, and VShell

The SSH servers discussed in this chapter have similar functionality, but significant differences exist among them. For example, the VShell SSH server offers easy configuration methods to restrict shell access to an SSH client while still allowing other SSH options such as SFTP or port forwarding. If SSH needs to be set up for secure file [...]
VanDyke Software's VShell SSH Server

VanDyke Software's VShell SSH server is available only for Windows environments. The VShell server uses a GUI to display, edit, and report configuration options for the SSH server. The following paragraphs address the various settings and capabilities of the VShell SSH server.

General Settings

To view the configuration screen (see Figure 2.14), browse to the VShell shortcut, [...]

[...] attempts a user can have before the session is disconnected.

    Time authentication after
        Sets the amount of time the user has to complete the authentication process, specifically from the time the user initiates the connection to the time the user enters a username/password or private-key password.

    Required authentication methods – Password
        Requires a password for authentication.

    Required authentication methods [...]

[...] exist than the ones discussed here; however, in the interests of time and space, they have not been covered. Be aware that most of the other servers are very similar to the ones examined in the previous paragraphs. For example, F-Secure's SSH server and SSH Communications' SSH server are practically alike. When deciding on the choice of an SSH server for your organization, it is important to know the business [...]

87 88 Chapter 3

[...] usage is discussed. The following clients are the focus of this chapter:

    Command-Line SSH Clients
        - Secure Shell Communications
        - OpenSSH

    GUI SSH clients
        - SecureCRT
        - PuTTY
        - WinSCP
        - MindTerm
        - MacSSH

The discussion of SSH clients in this chapter, and throughout this book, is limited to the major ones. Keep in mind that there are many other types of SSH clients, very [...]
[...] good as the ones covered here. For example, F-Secure's SSH client and SSH Communications' SSH client are extremely similar. Although many of the SSH clients discussed in this chapter offer similar functionality, there are various subtle differences among them. For example, SSH Communications' SSH client offers an integrated SFTP client that can be used in a seamless fashion. On the other hand, SecureCRT [...]

[...] allow your SSH-client decision to be as informed as possible. For example, if SSH is being deployed primarily for its file-transfer capabilities, WinSCP and SSH Communications' SSH clients are probably good choices. On the other hand, if SSH is being deployed for remote shell access via an HTTP proxy server, the SecureCRT and PuTTY clients are probably good choices. Lastly, if SSH is being deployed for remote [...]

[...] command-line clients. The SSH clients can be purchased and/or downloaded for commercial or noncommercial use from the following Web site: www.ssh.com/support/downloads/secureshellwks/. Since we will be using SSH for noncommercial use, the noncommercial version can be downloaded from www.secondstory.org/mirror/ssh/. Also, the OpenSSH client for Unix can be downloaded from the following site: ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable

[...]

    Generate Host Key
        A wizard that creates a host key for the VShell SSH server.

General–Key [...]

[...] (sshd2_config file only)
        Identifies the path for the SFTP (secure file transfer protocol) subsystem to be used with SSH; usually located in Program Files/SSH Secure Shell Server.

    Sftplogcategory (sshd2_config) [...]
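The Users section earlier in this excerpt describes the per-user authorization file: one Key line per public-key file, with the files themselves expected in the user's configuration directory (UserConfigDirectory, "%D/.ssh2" by default, where %D is the home directory and %U the login name). The following Python is an added example, not the book's or SSH Communications' code; it expands the %D and %U tokens, parses the Key lines and reports any listed key whose file is missing, which is the mismatch the chapter's note warns about. The user name, the temporary home directory and the key file names are constructed for the demonstration.

```python
"""Check that every public key named in an SSH2 'authorization' file is
present in the user's configuration directory.

Added example, not the book's or the vendor's code.  The user, the home
directory and the key file names below are constructed for the demo."""
import os
import tempfile


def expand_user_config_dir(template, home, user):
    """Expand the %D (home dir) and %U (login name) tokens of a
    UserConfigDirectory value such as "%D/.ssh2"."""
    return template.replace("%D", home).replace("%U", user)


def parse_authorization(text):
    """Return the key file names from 'Key <file>' lines.

    Blank lines, '#' comments and other keywords are skipped; the keyword
    is matched case-insensitively."""
    keys = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "key":
            keys.append(parts[1].strip())
    return keys


def missing_keys(config_dir, authorization_text):
    """Key files listed in the authorization file that do not exist in
    config_dir; an empty list means every listed key is in place."""
    return [name for name in parse_authorization(authorization_text)
            if not os.path.isfile(os.path.join(config_dir, name))]


def demo():
    """Constructed scenario: user 'alice' lists two keys, as in the
    chapter's example, but only the DSA key file has been copied over."""
    with tempfile.TemporaryDirectory() as home:
        cfg_dir = expand_user_config_dir("%D/.ssh2", home, "alice")
        os.makedirs(cfg_dir)
        with open(os.path.join(cfg_dir, "id_dsa_2048_a.pub"), "w") as fh:
            fh.write("constructed placeholder, not a real public key\n")
        authorization = "Key id_dsa_2048_a.pub\nKey id_rsa_2048_a.pub\n"
        return missing_keys(cfg_dir, authorization)


if __name__ == "__main__":
    print("missing key files:", demo())
```

The check is deliberately limited to presence of the file; whether the key inside is well formed is the server's job at authentication time.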
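The sshd2_config sections shown earlier in this excerpt (Network, Users, Tunneling and Authentication) each give a recommended value. The following Python is an added example, not the book's or the vendor's code; it parses that file format (repeated keywords such as Port and ListenAddress, comma-separated lists, quoted values, "#" comments) and audits a configuration against the chapter's settings: PermitEmptyPasswords no, AllowTcpForwarding no, PasswordGuesses 3, RequiredAuthentications containing publickey, and no 0.0.0.0 ListenAddress. The two sample configurations are constructed for the demonstration, one with weak values and one following the chapter.

```python
"""Audit an sshd2_config (the SSH Communications Windows server discussed
in the chapter) against the settings the chapter recommends.

Added example: parser and checks are my own, not the book's or the
vendor's code.  Both sample configurations are constructed for the demo."""

# Constructed sample with several settings still at weak values.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
RequireReverseMapping no
PermitEmptyPasswords yes
AllowTcpForwarding yes
PasswordGuesses 10
AllowedAuthentications "publickey,password,"
RequiredAuthentications "password,"
"""

# Constructed sample following the chapter's example values.
HARDENED_CONFIG = """\
# extra port for travelers whose egress filters block 22
Port 22
Port 443
ListenAddress 172.16.1.1,192.168.0.1
ListenAddress 10.0.0.1
RequireReverseMapping no
LoginGraceTime 600
PermitEmptyPasswords no
AllowTcpForwarding no
PasswordGuesses 3
AllowedAuthentications "publickey,password,"
RequiredAuthentications "publickey,"
RekeyIntervalSeconds 3600
"""


def parse_sshd2_config(text):
    """Return {keyword.lower(): [value, ...]}.

    Keywords may repeat (Port, ListenAddress) and values may be comma lists
    ("publickey,password,"), so every value is split on commas and appended.
    Straight and typographic quotes are stripped; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:          # keyword without a value: ignore
            continue
        keyword, value = parts
        value = value.strip().strip('"\u201c\u201d')
        items = [v.strip() for v in value.split(",") if v.strip()]
        settings.setdefault(keyword.lower(), []).extend(items)
    return settings


def audit(settings):
    """Return a list of (keyword, problem) pairs; empty means all checks pass."""
    findings = []

    def get(keyword):
        return settings.get(keyword.lower(), [])

    # Empty passwords: the chapter says this should be 'no' in most situations.
    if get("PermitEmptyPasswords") != ["no"]:
        findings.append(("PermitEmptyPasswords", "must be no"))
    # Global forwarding: the chapter disables it and grants it per user instead.
    if get("AllowTcpForwarding") == ["yes"]:
        findings.append(("AllowTcpForwarding",
                         "enabled for all users; set no and use AllowTcpForwardingForUsers"))
    # Guess limit: the chapter's example allows 3 attempts before disconnect.
    guesses = get("PasswordGuesses")
    if not guesses or not guesses[0].isdigit() or int(guesses[0]) > 3:
        findings.append(("PasswordGuesses", "missing or above 3"))
    # Required methods: the chapter's example requires a public key.
    if "publickey" not in get("RequiredAuthentications"):
        findings.append(("RequiredAuthentications", "publickey not required"))
    # Bind address: 0.0.0.0 (also the default when absent) listens on every
    # interface, which the chapter warns against on a firewall's external side.
    if not get("ListenAddress") or "0.0.0.0" in get("ListenAddress"):
        findings.append(("ListenAddress", "binds all interfaces; list only the intended ones"))
    return findings


def audit_text(text):
    """Parse and audit a configuration given as text."""
    return audit(parse_sshd2_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or "OK")
```

Run it against a real file with `audit_text(open(path).read())`; the checks encode only the values the chapter gives, so a site that legitimately needs global forwarding should adjust the AllowTcpForwarding rule rather than silence the finding.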

Posted: 14/08/2014, 02:20
