
How to config ssh ?

4802 Views, 39 Replies. Latest reply: Mar 12, 2013 5:49 PM by Ciarals

liv04soccer
Dec 30, 2012 8:24 PM

Hello, I am not really Terminal savvy, but I currently want to use ssh to remote log in so I can access my files from anywhere using FileZilla, while still having the most secure connection that I can possibly have.

I currently did set up ssh and it is working; I am using FileZilla so I can remotely access my files. But my worry is using my Mac account name and password. I would like to know how to lock down my server as much as possible to avoid hackers.

1. I'm not Terminal savvy.

2. I would like to know how to disable protocol 1 (heard it was less secure).

3. I would like to know how to disable root login.

4. I use FileZilla for SFTP (secure FTP) and still want to be able to use this with the above security measures in effect, if possible.

Just wondering how or if this is possible; your help would be greatly appreciated.

Mac Pro, Mac OS X (10.6.8)
  • Grant Bennet-Alder, Level 8 (48,145 points)
    Dec 30, 2012 9:05 PM (in response to liv04soccer)

    There are some discussions of this subject in the Server Manuals:

    Mac OS X Server
    Introduction to Command-Line Administration, Version 10.6 Snow Leopard

    manuals.info.apple.com/en_US/IntroCommandLine_v10.6.pdf

    Mac Pro (Early 2009), Mac OS X (10.6.8), & Server, PPC, & AppleTalk Printers
  • Alberto Ravasio, Level 4 (3,160 points)
    Dec 31, 2012 1:55 AM (in response to liv04soccer)

    You need to modify

    /etc/sshd_config

    Anyway, SSH1 is disabled by default. If you never enabled the root user there is no need to worry about that.

    If you did, the easy way is to disable root, and that is highly recommended.

    If you open SSH to the world it is better to also disable password authentication. Uncomment (delete the # symbol) the line

    #PasswordAuthentication no

    Watch out. You must have ~/.ssh/authorized_keys in place and working before disabling password authentication, otherwise you won't be able to ssh from any local or remote computer.

    Authentication by key pair is already enabled.

    iMac, OS X Mountain Lion (10.8.2), iMac12,1
  • japamac, Level 7 (24,390 points)
    Dec 31, 2012 5:40 AM (in response to liv04soccer)

    "PermitRootLogin yes" isn't listed.

    See

    # sshd_config(5) for more information.

    Is it listed there?

    I would like to know how to disable root login.

    Was it ever enabled? If so, the above is edited to "PermitRootLogin no".

    If never enabled, follow Alberto's advice.

    Interesting read:

    http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032951.html

  • Alberto Ravasio, Level 4 (3,160 points)
    Dec 31, 2012 6:03 AM (in response to liv04soccer)

    liv04soccer wrote:

        By using the DSA keys instead of my login will I still be able to use FileZilla? FileZilla is an FTP client, because I don't know how to use the Terminal commands to transfer files.

    Yes, you can still use FileZilla. You must copy your DSA private key inside a visible folder, let's say Documents or whatever folder you like.

    In FileZilla, Preferences, SFTP, add your key. The program will ask you to convert the format. Accept that. Create a new site with the appropriate settings. Choose Interactive as Access type.

  • Alberto Ravasio, Level 4 (3,160 points)
    Dec 31, 2012 6:53 AM (in response to liv04soccer)

    This is the original /etc/sshd_config file from 10.6.8

    # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here! Also,
    # remember to set the UsePAM setting to 'no'.
    #PasswordAuthentication no
    #PermitEmptyPasswords no

    # SACL options
    # The default for the SACLSupport option is now "no", as this option has been
    # depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
    #SACLSupport no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # Also, PAM will deny null passwords by default.  If you need to allow
    # null passwords, add the "nullok" option to the end of the
    # securityserver.so line in /etc/pam.d/sshd.
    #UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server

    The following is the modified version.

    I enclosed the changed lines between

    # changed December 31, 2012

    and

    ##

    # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m

    # changed December 31, 2012
    PermitRootLogin no
    ##

    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here! Also,
    # remember to set the UsePAM setting to 'no'.

    # changed December 31, 2012
    PasswordAuthentication no
    ##

    #PermitEmptyPasswords no

    # SACL options
    # The default for the SACLSupport option is now "no", as this option has been
    # depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
    #SACLSupport no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # Also, PAM will deny null passwords by default.  If you need to allow
    # null passwords, add the "nullok" option to the end of the
    # securityserver.so line in /etc/pam.d/sshd.
    #UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server

    Please test it before going online.

    iMac, OS X Mountain Lion (10.8.2), iMac12,1
  • Alberto Ravasio, Level 4 (3,160 points)
    Dec 31, 2012 7:03 AM (in response to Alberto Ravasio)

    Do not copy and paste the modified version because the format got broken. Search for the line

    # changed December 31, 2012

    and edit the file accordingly.

    Anyway, make a copy of your original file before revision.
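Added example, not code from the thread or from Apple: a small Python checker that reads an sshd_config and reports whether the settings discussed above (Protocol 2, PermitRootLogin no, PasswordAuthentication no) are actually in effect globally. It treats a commented-out line as unset, lets the first occurrence of a keyword win as sshd does, ignores directives inside a Match block, and also checks ChallengeResponseAuthentication because the file's own UsePAM comment says PAM can still take a password through it. The embedded config text is constructed for the example.

```python
import re

# Constructed sample, not a real host's file: the 10.6.8 sshd_config lines the
# thread edits, plus a Match block whose directive must not count as global.
SAMPLE_CONFIG = """
# changed December 31, 2012
PermitRootLogin no
Protocol 2
PasswordAuthentication no
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
Match User anoncvs
    PasswordAuthentication yes
"""

# The thread's goals plus ChallengeResponseAuthentication, because the file's
# own UsePAM comment says PAM can still take a password through it.
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

def parse_global_options(text):
    """Active (uncommented) directives before the first Match block.
    Keywords are case-insensitive; as in sshd, the first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out option is not set; the default applies
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after Match is conditional, not global
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text):
    """Per required keyword: 'ok', 'unset' (default applies) or 'mismatch:<value>'."""
    opts = parse_global_options(text)
    report = {}
    for key, wanted in REQUIRED.items():
        actual = opts.get(key)
        if actual is None:
            report[key] = "unset"
        else:
            report[key] = "ok" if actual.lower() == wanted else "mismatch:" + actual
    return report
```

Run audit() on the text of /etc/sshd_config after editing; an "unset" for challengeresponseauthentication means password prompts can still arrive via PAM even though PasswordAuthentication is no.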
