SSH Configuration and Troubleshooting in Debian

      SSH

SSH (Secure SHell) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.

 Basics of SSH

First install the OpenSSH server and client.

 

     # apt-get update 

     # apt-get install ssh

 

/etc/ssh/sshd_not_to_be_run must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

• SSH protocol version 1:
  • Potato version only supports this protocol.
  • available authentication methods:
    • RSAAuthentication: RSA identity key based user authentication
    • RhostsAuthentication: .rhosts based host authentication (insecure, disabled)
    • RhostsRSAAuthentication: .rhosts authentication combined with RSA host key (disabled)
    • ChallengeResponseAuthentication: RSA challenge-response authentication
    • PasswordAuthentication: password based authentication

• SSH protocol version 2:
  • post-Woody versions use this as the primary protocol.
  • available authentication methods:
    • PubkeyAuthentication: public key based user authentication
    • HostbasedAuthentication: .rhosts or /etc/hosts.equiv authentication combined with public key client host authentication (disabled)
    • ChallengeResponseAuthentication: challenge-response authentication
    • PasswordAuthentication: password based authentication

 

Be careful about these differences if you are migrating to Woody or using a non-Debian system.

See /usr/share/doc/ssh/README.Debian.gz, ssh, sshd, ssh-agent, and ssh-keygen for details.

Following are the key configuration files:

• /etc/ssh/ssh_config: SSH client defaults. See ssh. Notable entries are:
  • Host: Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
  • Protocol: Specifies the SSH protocol versions. The default is "2,1".
  • PreferredAuthentications: Specifies the SSH2 client authentication method. The default is "hostbased,publickey,keyboard-interactive,password".
  • PasswordAuthentication: If you want to log in with a password, you have to make sure this is not set no.
  • ForwardX11: The default is disabled. This can be overridden by the command-line option "-X".

• /etc/ssh/sshd_config: SSH server defaults. See sshd. Notable entries are:
  • ListenAddress: Specifies the local addresses sshd should listen on. Multiple options are permitted.
  • AllowTcpForwarding: The default is disabled.
  • X11Forwarding: The default is disabled.

• $HOME/.ssh/authorized_keys: the lists of the default public keys that clients use to connect to this account on this host. See ssh-keygen.

• $HOME/.ssh/identity: See ssh-add and ssh-agent.

 

The following will start an ssh connection from a client.

 

     $ ssh [email protected]

     $ ssh -1 [email protected] # Force SSH version 1

     $ ssh -1 -o RSAAuthentication=no -l username test.host

         # force password on SSH1

     $ ssh -o PreferredAuthentications=password -l username test.host

         # force password on SSH2

For the user, ssh functions as a smarter and more secure telnet (will not bomb with ^]).

 

SSH clients

 

There are a few free SSH clients available for non-Unix-like platforms.

Windows

puTTY (GPL)

Windows (cygwin)

SSH in cygwin (GPL)

Macintosh Classic

macSSH (GPL) [Note that Mac OS X includes OpenSSH; use ssh in the Terminal application]

Troubleshooting SSH

If you have problems, check the permissions of configuration files and run ssh with the "-v" option.

Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1–1023.

 

If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in host_key during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the host_key entry from $HOME/.ssh/known_hosts on the local machine