OpenSSH is a set of utilities that let you connect to a remote machine through an encrypted tunnel. You can use it as an interactive terminal, or carry other traffic through the connection with port forwarding or a tun(4) VPN interface. OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. (OpenSSH FAQ)
Most operating systems ship one version or another of OpenSSH. Make sure you have a current version on your machine: check the OpenSSH site for the latest source code, or see whether the package maintainers for your OS release provide a prebuilt package. The directives and options in the following config files apply to the OpenSSH release that was current when this page was written; later releases have removed a few of them (Protocol, UseLogin and UsePrivilegeSeparation, for example), so drop any line your version rejects rather than carrying it over blindly.
SECURITY NOTE: Both config files below pin the "Ciphers" list. Use only the Advanced Encryption Standard (AES) in counter (CTR) mode. AES in CBC mode is affected by the plaintext recovery attack against SSH (CPNI-957037, CVE-2008-5161), and the other legacy ciphers OpenSSH offers (arcfour, 3des-cbc, blowfish-cbc, cast128-cbc) should not be trusted. Newer OpenSSH releases add the authenticated ciphers aes128-gcm@openssh.com, aes256-gcm@openssh.com and chacha20-poly1305@openssh.com; where both ends support them they are preferable and belong at the front of the list. We also pin the "MACs" (hash-based message authentication codes). Both lists are in order of preference and the first entry that both sides support is used, so the hmac-sha2-* entries come first; the hmac-sha1 entries at the end are only a fallback for peers that offer nothing better, and should be removed once every peer speaks SHA-2. The "-96" variants truncate the tag to 96 bits and have since been dropped from OpenSSH, so if your sshd rejects the MACs line, remove them.
This config sets the client-side options. You can specify directives here and the client will negotiate them with the server; they take effect only if the server allows them. A cipher or MAC the server does not offer is simply skipped in favour of the next one in your list, and the connection fails only when the two lists have nothing in common.
#######################################################
### moneyslow.com CLIENT /etc/ssh/ssh_config
#######################################################
Host *
   AddressFamily inet
   CheckHostIP yes
   Ciphers aes256-ctr,aes192-ctr,aes128-ctr
   Compression no
   ConnectionAttempts 1
   ConnectTimeout 10
   # Multiplex further sessions to the same host over one authenticated connection
   ControlMaster auto
   ControlPath ~/.ssh/master-%r@%h:%p
   EscapeChar ~
   # Never forward the agent or X11 by default; enable per host only when needed
   ForwardAgent no
   ForwardX11 no
   ForwardX11Trusted no
   HashKnownHosts yes
   # ~/.ssh/identity is the protocol 1 key and is never used with Protocol 2
   IdentityFile ~/.ssh/identity
   IdentityFile ~/.ssh/id_rsa
   IdentityFile ~/.ssh/id_dsa
   IdentityFile ~/.ssh/id_ecdsa
   # Offer only the keys listed above, not every key the agent happens to hold
   IdentitiesOnly yes
   MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
   PermitLocalCommand no
   Port 22
   Protocol 2
   RekeyLimit 1G
   # Detect a dead peer after 3 missed probes (45 s) inside the encrypted channel
   ServerAliveInterval 15
   ServerAliveCountMax 3
   # ask: unknown host keys are shown and must be confirmed; changed keys are refused
   StrictHostKeyChecking ask
   TCPKeepAlive no
   Tunnel no
   TunnelDevice any:any
   VisualHostKey no
#######################################################
### moneyslow.com CLIENT /etc/ssh/ssh_config
#######################################################
These directives are for sshd. The file should be owned by root and writable only by root (chmod 644 /etc/ssh/sshd_config is the usual setting; it does not need to be executable). We restrict access with the following options to better protect the server. Check the file with "sshd -t" before restarting, because sshd refuses to start on a syntax error or an unknown directive.
#######################################################
### moneyslow.com SERVER /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1
#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh
# Only this user, and only from these source addresses, may log in at all
AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel
AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (must be commented out for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
# Drop sessions whose client has not answered 3 probes (45 s)
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
# Forwarded ports bind to loopback only, never to an external interface
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
# Set PasswordAuthentication no once every user has a key installed
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
# Ignore keys in ~/.ssh directories or files that are group or world writable
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
# No reverse DNS lookups: slow and spoofable, and AllowUsers above matches by address
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
#
#######################################################
### moneyslow.com SERVER /etc/ssh/sshd_config
#######################################################
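The following script is an added example, not part of the original page or of OpenSSH. It audits an sshd_config (the same checks apply to an ssh_config) for the weak settings the note above warns about: protocol 1, root or password logins, X11 forwarding, and CBC, arcfour, 3DES or SHA-1/MD5 entries in the Ciphers and MACs lists, or those lists not being pinned at all. It is plain POSIX sh plus awk, so it runs without sshd installed. The function names (cfg_get, audit_cfg, write_samples) and the two sample configs that write_samples produces are constructed for the demo; in use you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# weak settings discussed in the text. Pure POSIX sh + awk; no sshd needed.
set -e

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cfg_get FILE KEYWORD -> prints the first effective value of KEYWORD, or nothing.
# sshd honours the first occurrence of a keyword, keywords are case-insensitive,
# '#' starts a comment, and values inside a Match block are conditional rather
# than global, so scanning stops at the first Match line.
cfg_get() {
    awk -v key="$(lc "$2")" '
        { sub(/#.*/, "") }                 # strip comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # end of the global section
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_cfg FILE -> prints one line per finding; exit status 1 if any, 0 if clean.
audit_cfg() {
    f=$1
    findings=0
    flag() { findings=$((findings + 1)); printf '%s: %s\n' "$f" "$1"; }

    case "$(cfg_get "$f" Protocol)" in *1*) flag "Protocol 1 enabled" ;; esac
    [ "$(lc "$(cfg_get "$f" PermitRootLogin)")" = yes ]        && flag "PermitRootLogin yes"
    [ "$(lc "$(cfg_get "$f" PasswordAuthentication)")" = yes ] && flag "PasswordAuthentication yes (set no once keys are deployed)"
    [ "$(lc "$(cfg_get "$f" PermitEmptyPasswords)")" = yes ]   && flag "PermitEmptyPasswords yes"
    [ "$(lc "$(cfg_get "$f" X11Forwarding)")" = yes ]          && flag "X11Forwarding yes"

    ciphers=$(cfg_get "$f" Ciphers)
    if [ -z "$ciphers" ]; then
        flag "Ciphers not pinned (built-in default list in use)"
    else
        for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
            case "$(lc "$c")" in
                *-cbc|arcfour*|3des*|blowfish*|cast128*) flag "weak cipher $c" ;;
            esac
        done
    fi

    macs=$(cfg_get "$f" MACs)
    if [ -z "$macs" ]; then
        flag "MACs not pinned (built-in default list in use)"
    else
        for m in $(printf '%s' "$macs" | tr ',' ' '); do
            case "$(lc "$m")" in
                *md5*|*sha1*|*ripemd*) flag "legacy MAC $m (prefer hmac-sha2-*)" ;;
            esac
        done
    fi
    [ "$findings" -eq 0 ]
}

# write_samples DIR -> writes two constructed configs used by the demo.
write_samples() {
    cat > "$1/weak_sshd_config" <<'EOF'
# constructed: the kind of file this audit should complain about
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
X11Forwarding yes
Match User backup
    PermitRootLogin no     # conditional; must not mask the global "yes" above
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
# constructed: follows the recommendations on this page
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
X11Forwarding no
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config [more files ...]
for f in "$@"; do audit_cfg "$f" || true; done
```

Run it against the weak sample and it reports seven findings (protocol 1, root and password logins, X11 forwarding, two CBC ciphers and the SHA-1 MAC); the PermitRootLogin inside the Match block is correctly ignored because sshd only applies it to that user. The hardened sample produces no output and a zero exit status. "Keyword=value" syntax, which sshd also accepts, is not parsed here.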
Yes we do. Please take a look at our OpenSSH GateKeeper (ssh_gatekeeper.sh) script. You can add a layer of authentication on top of what OpenSSH already provides to drastically increase security.
Indeed. Take a look at our OpenSSH Distributed SSH shell script. The scripts will allow you to easily automate ssh commands to many ssh machines.
Instead of using a special program to encrypt and decrypt files such as passwords or financial data, you can just use OpenSSL. You can pass any file into OpenSSL and, using a password as the key, encrypt it. The best part is that any OS, be it Linux, OpenBSD, NetBSD, Mac OS X or even Windows, can use this method as long as OpenSSL is installed. For example, we have some random file called "calomel". Use the following commands to encrypt and then decrypt this file (-a base64-encodes the output so it survives copy and paste; -salt is already the default and is kept for clarity):
to encrypt (-e):
   openssl aes-256-cbc -a -e -salt -in calomel -out calomel.aes
to decrypt (-d):
   openssl aes-256-cbc -a -d -salt -in calomel.aes -out calomel
Two caveats. By default openssl derives the key from the password with a single digest pass (MD5 before OpenSSL 1.1.0, SHA-256 since), which makes offline password guessing cheap; on OpenSSL 1.1.1 or newer add "-pbkdf2 -iter 200000" to both commands (the decrypt side must use the same options). And CBC mode provides confidentiality only: a modified ciphertext is not detected, and a wrong password is usually reported as "bad decrypt" only because the padding check fails. If tampering is a concern, keep a separate integrity check, for example an HMAC over the ciphertext, and verify it before decrypting.
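The script below is an added example, not from the original page, showing the two fixes in working form: PBKDF2 key derivation and an encrypt-then-MAC tag that is checked before anything is decrypted. It assumes OpenSSL 1.1.1 or newer (for "openssl enc -pbkdf2"); the function names, the iteration count, the demo password and the sample "calomel" file are all constructed for the demo. The HMAC key is the raw password, which differs from the cipher key because that one is PBKDF2(password, salt); a separately derived MAC key would be cleaner but would need a key-derivation step the openssl command line does not expose.

```shell
#!/bin/sh
# Added example (not from the original page): password-based file encryption
# with OpenSSL using PBKDF2 plus an HMAC-SHA256 tag over the ciphertext, so a
# tampered or truncated file is refused instead of decrypting to garbage.
# Requires OpenSSL 1.1.1 or newer for -pbkdf2.
set -e

ITER=200000   # PBKDF2 iterations; raise as your hardware allows

# enc_file PASSWORD INFILE OUTFILE
# Writes OUTFILE (base64 ciphertext, like the page's -a) and OUTFILE.hmac.
enc_file() {
    pass=$1; src=$2; dst=$3
    openssl enc -aes-256-cbc -a -e -salt -pbkdf2 -iter "$ITER" \
        -pass "pass:$pass" -in "$src" -out "$dst"
    # Encrypt-then-MAC: tag exactly the bytes that will be checked later.
    openssl dgst -sha256 -hmac "$pass" "$dst" | awk '{print $NF}' > "$dst.hmac"
}

# dec_file PASSWORD INFILE OUTFILE -> returns 1 and writes nothing if the tag is wrong
dec_file() {
    pass=$1; src=$2; dst=$3
    [ -f "$src.hmac" ] || { echo "missing tag $src.hmac" >&2; return 1; }
    expected=$(cat "$src.hmac")
    actual=$(openssl dgst -sha256 -hmac "$pass" "$src" | awk '{print $NF}')
    if [ "$actual" != "$expected" ]; then
        echo "integrity check failed for $src, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -aes-256-cbc -a -d -pbkdf2 -iter "$ITER" \
        -pass "pass:$pass" -in "$src" -out "$dst"
}

# demo_roundtrip -> 0 if encrypt/decrypt round-trips and a tampered file is rejected
demo_roundtrip() {
    tmp=$(mktemp -d)
    pw='correct horse battery staple'                        # constructed demo password
    printf 'account=calomel\npin=1234\n' > "$tmp/calomel"   # constructed sample file
    enc_file "$pw" "$tmp/calomel" "$tmp/calomel.aes"
    dec_file "$pw" "$tmp/calomel.aes" "$tmp/calomel.dec"
    cmp -s "$tmp/calomel" "$tmp/calomel.dec" || { rm -rf "$tmp"; return 1; }
    # Corrupt the ciphertext; the tag no longer matches and dec_file must refuse.
    printf 'x' >> "$tmp/calomel.aes"
    if dec_file "$pw" "$tmp/calomel.aes" "$tmp/tampered.dec" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

# Usage: sh enc_demo.sh demo   (or source the file and call enc_file / dec_file)
if [ "${1:-}" = demo ]; then demo_roundtrip && echo "round-trip OK, tampering detected"; fi
```

Passing the password with "-pass pass:" exposes it in the process list for the lifetime of the openssl command; for anything beyond a demo use "-pass env:VAR" or "-pass file:PATH" and give the HMAC key through "-hmac" from a variable the same way.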