Enabling and securing sshd in FreeBSD
sshd is the Secure Shell Daemon and allows an user to gain a remote shell on a foreign machine.
Unlike telnet, it allows one to exchange data on a secure way over the internet/a private network.
Although it’s often configured for simple password authentication, it can also be set up for a stronger security mechanism by using RSA/DSA keypairs.
First you need to generate your clients personnal keypair using ssh-keygen:
% ssh-keygen
After asking you a passphrase for these keys they are placed by default in ~/.ssh/:
- ~/.ssh/id_rsa.pub is your public key and can be used by anyone to encrypt data
- ~/.ssh/id_rsa is your private key and is needed to decrypt data encrypted with the public key
Now we can configure sshd on the machine you want to gain remote access.
All these modifications must be made on /etc/ssh/sshd_config:
PasswordAuthentication no
This should be set to no, since we want RSA key + passphrase authentication.
PermitEmptyPasswords no
If you want to use password authentication instead of public keys, for obvious reasons, you REALLY should set this to no…
ChallengeResponseAuthentication no
This will disable FreeBSD built-in PAM authentication (but not password-based authentication).
PermitRootLogin no
It’s a really a bad habit to log as root on a machine, especially over ssh because you want to be able to log/audit user’s activity.
A better way is to give some people the privileges they need using groups or login classes and/or sudo.
Protocol 2
You must restrict connections to SSHv2 because SSHv1 is now considered obsolete due to MITM vulnerabilities.
X11Forwarding no
Since I don’t need to forward X11 traffic, I like to disable it because it can make the client vulnerable to X11 attacks.
If this is a concern to you, more informations can be found in sshd_config(5) and ssh_config(5) manpages.
AllowUsers ...
AllowGroups ...
DenyUsers ...
DenyGoups ...
Last but not least, these powerful options allow you to manually specify who can log in or not by User/Group names.
If you plan to accept very few ssh connections, I strongly recommand you to use these options. Additional security is always welcome…
These options are processed in this order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
Now simply copy the public keys (id_rsa.pub, remember ?) of your clients in the authorized_keys file, by default it should be ~/.ssh/authorized_keys, ~ being the home directory of the user they want to log as.
Then add the following line to /etc/rc.conf to enable sshd at startup and reboot your host machine:
sshd_enable="YES"
Your clients can now remotely get a shell on your machine, but they must possess the private key associated to the public key in authorized_keys and the passphrase, needless to say that it’s way more secure than simple password authentication.
One more thing about rsa/dsa keys, only give them if you are sure of the identity of the receiver and please, by more secure way than mail ;-)
[...] Enabling and securing sshd in FreeBSD [...]