39 Replies. Latest reply: Mar 12, 2013 5:49 PM by Ciarals
liv04soccer Level 1 Level 1 (0 points)

Hello, I am not really Terminal savvy. But I currently want to use ssh to remote log in so I can access my files from anywhere using Filezilla, while still having the most secure connection that I can possibly have.

I currently did set up ssh and it is working. I am using Filezilla so I can remotely access my files. But my worry is using my Mac account name and password. I would like to know how to lock down my server as much as possible to avoid hackers.

1. I'm not Terminal savvy

2. I would like to know how to disable protocol 1 (heard it was less secure)

3. I would like to know how to disable root login.

4. I use Filezilla for (SFTP) secure ftp and still want to be able to use this with the above security measures in effect if possible.

Just wondering how or if this is possible; your help would be greatly appreciated.


Mac Pro, Mac OS X (10.6.8)
  • 1. Re: How to config ssh ?
    Grant Bennet-Alder Level 8 Level 8 (49,250 points)

    There are some discussions of this subject in the Server Manuals:

    Mac OS X Server
    Introduction to Command-Line Administration Version 10.6 Snow Leopard

    manuals.info.apple.com/en_US/IntroCommandLine_v10.6.pdf

  • 2. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)

    Hi, that manual is very helpful for generating DSA keys (Generating Key Pairs for Key-Based SSH Connections). But I do not see any documentation on how to edit the config file to disable root login and to disable protocol 1. And I'm not very Terminal savvy, so a picture guide or video would really help me out.

  • 4. Re: How to config ssh ?
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    You need to modify

    /etc/sshd_config

    Anyway, SSH1 is disabled by default. If you never enabled the root user there is no need to worry about that.

    If you did, the easy way is to disable root, and that is highly recommended.

    If you open SSH to the world it is better to also disable password authentication. Uncomment (delete the # symbol) the line

    #PasswordAuthentication no

    Watch out. You must have ~/.ssh/authorized_keys in place and working before disabling password authentication, otherwise you won't be able to ssh from any local or remote computer.

    Authentication by key pair is already enabled.
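The three settings this thread is about (protocol 1 off, root login off, password login off) and Alberto's warning that authorized_keys must be working first can both be checked by script before the server is exposed. The following is an added example, not code from the thread, from Apple or from OpenSSH. It assumes a config file with no Match blocks and the defaults of the OpenSSH build shipped with 10.6 (Protocol 2,1; PermitRootLogin yes; PasswordAuthentication yes); the function names and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# three settings asked about above and confirm that key login is ready
# before PasswordAuthentication is switched off. Assumes a config with no
# Match blocks and the defaults of the OpenSSH shipped with 10.6
# (Protocol 2,1; PermitRootLogin yes; PasswordAuthentication yes).

# sshd_effective FILE DIRECTIVE DEFAULT
# sshd takes the first uncommented occurrence of a directive; a line such
# as "#PermitRootLogin yes" is only documentation of the built-in default,
# which is why the caller passes DEFAULT for the "nothing set" case.
sshd_effective() {
    _val=$(awk -v d="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { key = $1; sub(/=.*/, "", key) }        # accept "Key=value" too
        tolower(key) == tolower(d) {
            line = $0
            sub(/^[ \t]*[^ \t=]+[ \t=]*/, "", line)   # strip the keyword
            sub(/[ \t]+$/, "", line)
            print line; exit                     # first match wins
        }' "$1")
    printf '%s\n' "${_val:-$3}"
}

# sshd_audit FILE: one line per check; returns 0 only if all three pass.
sshd_audit() {
    file=$1; rc=0
    check() {   # check DIRECTIVE DEFAULT WANTED
        got=$(sshd_effective "$file" "$1" "$2")
        if [ "$got" = "$3" ]; then
            echo "ok    $1 $got"
        else
            echo "FAIL  $1 is '$got', expected '$3'"; rc=1
        fi
    }
    check Protocol 2,1 2
    check PermitRootLogin yes no
    check PasswordAuthentication yes no
    return $rc
}

# authorized_keys_ok FILE: key login needs a non-empty authorized_keys with
# at least one public key line, and with StrictModes (the default) sshd
# ignores the file if it is group- or world-writable.
authorized_keys_ok() {
    [ -s "$1" ] || { echo "missing or empty: $1"; return 1; }
    grep -Eq '(^|[[:space:]])(ssh-|ecdsa-)[a-z0-9-]+[[:space:]]+[A-Za-z0-9+/]+' "$1" \
        || { echo "no public key lines in $1"; return 1; }
    _mode=$(ls -ld "$1" | cut -c1-10)           # e.g. -rw-------
    case $_mode in
        ?????w????|????????w?) echo "too permissive ($_mode): $1"; return 1 ;;
    esac
    echo "authorized_keys ok: $1"
}

# Constructed samples: a stock 10.6.8-style file (root and password login
# left at their defaults) and a hardened one; the key below is fake.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stock" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
EOF
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderNotARealKey constructed@example\n' \
    > "$SAMPLE_DIR/authorized_keys"
chmod 600 "$SAMPLE_DIR/authorized_keys"

for f in stock hardened; do
    echo "== $f"
    if sshd_audit "$SAMPLE_DIR/$f"; then echo "all three checks pass"; fi
done
authorized_keys_ok "$SAMPLE_DIR/authorized_keys"
```

Run against the real file with `sshd_audit /etc/sshd_config` and `authorized_keys_ok ~/.ssh/authorized_keys`; the stock sample fails two checks because a commented line does not set anything, which is exactly the point Alberto makes about uncommenting `#PasswordAuthentication no`.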

  • 5. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)

    For ~/.ssh/authorized_keys, are you talking about DSA keys? And also I'm not Terminal savvy; I don't know how to modify /etc/sshd_config. A step-by-step guide would be nice, or the terminal command. The extent of my Terminal knowledge is typing "say" and then making the computer say it. By using the DSA keys instead of my login, will I still be able to use Filezilla? Filezilla is an FTP client, because I don't know how to use the Terminal commands to transfer files.

  • 6. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)
    GNU nano 2.0.6            File: /etc/sshd_config

    #   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    Ok, this is what I have in my config file. Can you tell me what I should edit, and how to edit it? I don't want to screw anything up.

  • 7. Re: How to config ssh ?
    japamac Level 7 Level 7 (24,390 points)

    "PermitRootLogin yes" isn't listed.

    See

    # sshd_config(5) for more information.

    Is it listed there?

    I would like to know how to disable root login.

    Was it ever enabled? If so, the above is edited to "PermitRootLogin no".

    If never enabled, follow Alberto's advice.

    Interesting read:

    http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032951.html

  • 8. Re: How to config ssh ?
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    liv04soccer wrote:

    By using the DSA keys instead of my login will I still be able to use Filezilla ? Filezilla is a FTP client because I don't know how to use the Terminal commands to transfer files.

    Yes, you can still use FileZilla. You must copy your DSA private key inside a visible folder, let's say Documents or whatever folder you like.

    In FileZilla, Preferences, SFTP, add your key. The program will ask you to convert the format. Accept that. Create a new site with the appropriate settings. Choose Interactive as Access type.

  • 9. Re: How to config ssh ?
    Alberto Ravasio Level 4 Level 4 (3,175 points)
  • 10. Re: How to config ssh ?
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    This is the original /etc/sshd_config file from 10.6.8

    #   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here! Also,
    # remember to set the UsePAM setting to 'no'.
    #PasswordAuthentication no
    #PermitEmptyPasswords no

    # SACL options
    # The default for the SACLSupport option is now "no", as this option has been
    # depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
    #SACLSupport no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # Also, PAM will deny null passwords by default.  If you need to allow
    # null passwords, add the "nullok" option to the end of the
    # securityserver.so line in /etc/pam.d/sshd.
    #UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server

    The following is the modified version.

    I enclosed the changed lines between

    # changed December 31, 2012

    and

    ##

    #   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m

    # changed December 31, 2012
    PermitRootLogin no
    ##

    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here! Also,
    # remember to set the UsePAM setting to 'no'.

    # changed December 31, 2012
    PasswordAuthentication no
    ##

    #PermitEmptyPasswords no

    # SACL options
    # The default for the SACLSupport option is now "no", as this option has been
    # depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
    #SACLSupport no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # Also, PAM will deny null passwords by default.  If you need to allow
    # null passwords, add the "nullok" option to the end of the
    # securityserver.so line in /etc/pam.d/sshd.
    #UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #   X11Forwarding no
    #   AllowTcpForwarding no
    #   ForceCommand cvs server

    Please test it before going online.

  • 11. Re: How to config ssh ?
    Alberto Ravasio Level 4 Level 4 (3,175 points)

    Do not copy and paste the modified version because the format got broken. Search for the line

    # changed December 31, 2012

    and edit the file accordingly.

    Anyway, make a copy of your original file before revision.
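Since the pasted version above lost its formatting, the same two edits (plus Protocol 2) can be made by script against the existing file rather than by copy and paste, with the backup taken first as Alberto advises. This is an added example, not code from the thread, from Apple or from OpenSSH; the function names are its own, the sample config is constructed from the relevant lines of the 10.6.8 file, and it assumes the config has no Match blocks.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the "changed December 31,
# 2012" edits from post 10 (plus Protocol 2) by script, so copy and paste
# cannot break the file's format, after taking the backup post 11 asks
# for. Function names are this example's own. Assumes no Match blocks.

# sshd_backup FILE: copy to FILE.bak-<timestamp>, never over an old backup.
sshd_backup() {
    bak="$1.bak-$(date +%Y%m%d-%H%M%S)"
    [ -e "$bak" ] && { echo "backup already exists: $bak" >&2; return 1; }
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# sshd_set FILE DIRECTIVE VALUE
# The first line that starts with the directive, active ("Key value") or a
# commented default ("#Key value", no space after the #), is replaced by
# "DIRECTIVE VALUE" and so uncommented. Prose comments ("# text ...") are
# left alone. If there is no such line the setting is appended. awk writes
# a temp file whose content replaces the original only if awk succeeded,
# so the file's owner and mode are kept.
sshd_set() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v d="$2" -v v="$3" '
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)              # drop indent and "#"
            split(line, f, /[ \t=]+/)
            key = (line ~ /^[A-Za-z]+[ \t=]/) ? f[1] : ""
        }
        !done && tolower(key) == tolower(d) { print d " " v; done = 1; next }
        { print }
        END { if (!done) print d " " v }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# harden_sshd FILE: back up, then make the three changes from the thread.
harden_sshd() {
    sshd_backup "$1" >/dev/null || return 1
    sshd_set "$1" Protocol 2 &&
    sshd_set "$1" PermitRootLogin no &&
    sshd_set "$1" PasswordAuthentication no
}

# Constructed sample: the relevant lines of a stock 10.6.8 file, including
# a prose comment that mentions a directive and must stay untouched.
WORK=$(mktemp -d)
cat > "$WORK/sshd_config" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
#MaxAuthTries 6
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
Subsystem sftp /usr/libexec/sftp-server
EOF

if harden_sshd "$WORK/sshd_config"; then
    cat "$WORK/sshd_config"
    # sshd -t only checks the config; run it when sshd is installed.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$WORK/sshd_config" && echo "sshd accepts the new config"
    fi
fi
```

On the real machine this would be `sudo sh -c '. ./harden.sh; harden_sshd /etc/sshd_config'` followed by `sshd -t`, and the backup file is what to restore if a test login from a second terminal fails while the first session is still open.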

  • 12. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)

    Ok, I will try this and get back to you.

    Also, is MaxSessions the limit of how many sessions you can have at one time? If I change it to one, does that mean when I'm connected no one else can connect?

    Sorry for being such a pain, but I am a noob when it comes to Terminal.

  • 13. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)

    Edit: ok, I generated the DSA keys. Now do I have to move them somewhere before I edit the config file, or can I edit the config file right now?

    Ok, somehow my config file is completely blank. I was using japamac's website, which said I can use

    At your terminal, 'su -' to your root account

    - 'pico -w /etc/sshd_config'

    to edit my config file, but when I closed out and then reopened it nothing was in the config file. What am I supposed to do?

  • 14. Re: How to config ssh ?
    liv04soccer Level 1 Level 1 (0 points)

    Never mind about not seeing my config file in that last post; I just typed the wrong thing in Terminal.
