
SSH Communications’ SSH Server: Un

SSH Communications’ SSH servers are also available on both Windows and Unix environments. The sshd2_config file is used by SSH Communications’ SSH server for all configuration management for the service. The Windows version has a different configuration utility, which uses a graphical user interface (GUI) to display and report changes to the sshd2_config configuration file. On the other hand, the Unix version provides only the sshd2_config file for configuration management without any extra configuration tools. Since the Unix and Windows versions provide different configuration utilities, I address the sshd2_config file first, since both platforms either rely (Unix) or refer (Windows) to this file for configuration; then I address the Windows GUI for configuration management.

SSH Communications’ SSH Server: Unix

To view the configuration file, enter the following commands:

#cd /etc/ssh2
#more sshd2_config

SSH Communications’ sshd2_config file is similar to the sshd_config file of OpenSSH; however, there are many differences that distinguish the two. The following paragraphs discuss the various sections of the sshd2_config file.

# SyslogFacility AUTH
# SyslogFacility LOCAL7

Table 2.6 describes the general options available for the SSH server.

Table 2.6 Options in the General Section of the sshd2_config File (Unix)

OPTION DESCRIPTION

VerboseMode Enables (yes) or disables (no) the display of the SSH session’s debugging and connection-related information on standard output

QuietMode Enables (yes) or disables (no) the display of the SSH session’s warning and error messages on standard output

ForcePTTYAllocation Enables (yes) or disables (no) the ability to force allocation of PTTY sessions

SyslogFacility Identifies the Syslog code to use when logging a message from SSH, such as Daemon, Auth, and Local

Network

The network section of the sshd2_config file should look like the following:

Port 22
# ListenAddress any
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay yes
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0

Port 80
Port 443
Port 8080

ListenAddress Sets the IP address to have the SSH daemon listen on. The default, which is 0.0.0.0, enables the SSH services on all interfaces. If there are interfaces where SSH should not be listening, such as the external interface of a firewall, remove 0.0.0.0 and add the appropriate IP addresses. To listen on only select interfaces, add the following lines:

ListenAddress 172.16.1.1
ListenAddress 192.168.0.1

RequireReverseMapping Enables (yes) or disables (no) the requirement that the reverse DNS lookup of the client succeed before the AllowHosts and DenyHosts entries are applied. If enabled and the DNS lookup fails, the request is denied. If disabled and the DNS lookup fails, the client’s IP address is checked against the AllowHosts and DenyHosts entries instead.

MaxBroadcastsPerSecond Identifies the number of UDP broadcasts the server should handle per second. The default value, zero, means no broadcasts are handled.

NoDelay Enables (yes) or disables (no) the socket option for TCP_NODELAY.

KeepAlive Enables (yes) or disables (no) the sending of KeepAlive packets from the SSH server to SSH clients. This helps prevent hanging sessions by determining whether the client on the other side is still running and hasn’t crashed or blue-screened.

MaxConnections Identifies the number of concurrent connections the SSH server will handle. If the value is set to zero, the number of concurrent connections is unlimited.

# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'mac':
# MACs AnyMAC
# MACs AnyStd
# MACs AnyStdMAC
# RekeyIntervalSeconds 3600

Table 2.8 describes the Crypto options available for the SSH server.

Table 2.8 Options in the Crypto Section (Unix)

OPTION DESCRIPTION

Ciphers Lists the ciphers to be used when encrypting the SSH session. Triple-DES (3DES), Blowfish, Arcfour, Twofish, CAST-128, and DES are supported. More global options can be set, such as Any, AnyStd, AnyCipher, and AnyStdCipher. Any and AnyStd allow standard ciphers; AnyCipher allows any supported cipher; AnyStdCipher allows any cipher listed in the IETF SSH draft. An entry of none selects no cipher at all.

MACs Message Authentication Code (MAC) is a hash algorithm used to verify the integrity of the data before and after transmission. The algorithms supported are SHA1, MD5, SHA1-96, and MD5-96. Multiple MACs can also be set.

RekeyIntervalSeconds Specifies the amount of time before the key exchange process is executed again. The default is 3600 seconds, which is one hour. The key exchange process can be disabled by setting the value to zero.

# StrictModes yes
# IdleTimeOut 1h

Table 2.9 describes the various miscellaneous options available for the SSH server.

Table 2.9 Miscellaneous Options in the User Section (Unix)

OPTION DESCRIPTION

PrintMotd Enables (yes) or disables (no) the display of the text in the motd (Message of the Day) file (/etc/motd) at login. This is very useful, since messages such as system downtime, legal statements, and security issues can be shown to every user logging in to the system.

CheckMail Enables (yes) or disables (no) the ability of the SSH server to check for new mail after the user has been authenticated.

UserConfigDirectory Identifies the locations of user-specific configuration data, such as keys and identification files. The default is the .ssh2 folder in the user’s home directory, such as /home/<username>/.ssh2 or Documents and Settings\<username>\.ssh2. More than one location can be identified for configuration data.

UserKnownHosts Identifies the locations of the user-specific known-hosts file. The default is the .ssh2 folder in the user’s home directory, such as /home/<username>/.ssh2 or Documents and Settings\<username>\.ssh2. More than one location can be identified.

PermitEmptyPasswords Allows (yes) or rejects (no) the ability for users to have empty passwords. In most situations, this should be no.

StrictModes Enables (yes) or disables (no) the checking of permissions on a user’s home directory and rhosts files before accepting authentication. This should be set to yes to protect against world-writable files in home directories.

IdleTimeOut The amount of time, in minutes, a session can remain unused before it is automatically closed. A setting of zero specifies no timeout, which may be ideal for certain backup processes.
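The Network, Crypto, and User settings above are the ones an administrator most often gets wrong, and the sshd2_config format is simple enough to audit mechanically. The following script is an added example (it is not from the book, nor part of the SSH Communications product): it parses a sshd2_config file as described above (one option and value per line, # comments, options such as Port and ListenAddress allowed to repeat) and reports the settings that the tables mark as risky, such as PermitEmptyPasswords yes, StrictModes no, a zero RekeyIntervalSeconds, IdleTimeOut or MaxConnections, a none or DES cipher, or a MAC selection that includes none. The sample configuration embedded in it is constructed for this example; the rule that the last occurrence of a single-valued option wins, and the reading of AnyMAC as including the none MAC, are assumptions taken from the comments in the file shown above.

```python
"""Audit an SSH Communications sshd2_config for weak settings.

Added example (not from the book or from SSH Communications). It parses
the one-option-per-line format described above: '#' starts a comment,
blank lines are ignored, and some options (Port, ListenAddress) may be
given more than once. The sample configuration below is constructed for
this example, using the option names from Tables 2.6 to 2.9.
"""
from collections import defaultdict

# Constructed sample: deliberately mixes sensible and weak settings.
SAMPLE_SSHD2_CONFIG = """\
## General
VerboseMode             no
SyslogFacility          AUTH

## Network
Port                    22
Port                    2222
ListenAddress           any
RequireReverseMapping   no
KeepAlive               yes
MaxConnections          0

## Crypto
Ciphers                 3des,none
MACs                    AnyMAC
RekeyIntervalSeconds    0

## User
PermitEmptyPasswords    yes
StrictModes             no
IdleTimeOut             0
"""


def parse_sshd2_config(text):
    """Return {option_lowercase: [value, ...]}, keeping repeated options in order."""
    options = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                          # option without a value: ignore
        options[parts[0].lower()].append(parts[1].strip())
    return dict(options)


def _algorithms(values):
    """Flatten comma-separated algorithm lists into a lower-cased set."""
    return {a.strip().lower() for v in values for a in v.split(",") if a.strip()}


def audit_sshd2_config(text):
    """Return a list of (option, finding) pairs for settings the tables mark as risky."""
    cfg = parse_sshd2_config(text)
    findings = []

    def last(option, default):
        # Assumption: when a single-valued option is repeated, the last one wins.
        return cfg.get(option.lower(), [default])[-1]

    if last("PermitEmptyPasswords", "no").lower() == "yes":
        findings.append(("PermitEmptyPasswords", "accounts with empty passwords can log in"))
    if last("StrictModes", "yes").lower() != "yes":
        findings.append(("StrictModes", "home directory and rhosts permission checks are off"))
    if last("IdleTimeOut", "0") == "0":          # assumption: no timeout when unset
        findings.append(("IdleTimeOut", "idle sessions never time out"))
    if last("RekeyIntervalSeconds", "3600") == "0":
        findings.append(("RekeyIntervalSeconds", "periodic key exchange is disabled"))
    if last("MaxConnections", "50") == "0":
        findings.append(("MaxConnections", "concurrent connections are unlimited"))
    if last("ListenAddress", "any").lower() in ("any", "0.0.0.0"):
        findings.append(("ListenAddress", "daemon listens on every interface"))

    ciphers = _algorithms(cfg.get("ciphers", []))
    if ciphers & {"none", "des"}:
        findings.append(("Ciphers", "the 'none' cipher or single DES is allowed"))
    macs = _algorithms(cfg.get("macs", []))
    # Assumption taken from the file's own comment: AnyMAC includes the 'none' MAC.
    if macs & {"none", "anymac"}:
        findings.append(("MACs", "the 'none' MAC is allowed, so data integrity is unprotected"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_sshd2_config(SAMPLE_SSHD2_CONFIG):
        print(f"{option:22} {finding}")
```

Run it against a real file by replacing SAMPLE_SSHD2_CONFIG with the contents of /etc/ssh2/sshd2_config; every finding names the option to change and the table above gives the value to set. The checks deliberately treat an absent option as its documented default, so a file that relies on defaults is audited the same way as one that spells them out.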