Server Configuration
Once installed, we configure the server. In a terminal run:
sudo gedit /etc/ssh/sshd_config
You can then edit it to suit your needs; below is my config file with an explanation of what you can change.
# Package generated configuration file
# See the sshd_config(5) manpage for details
# Port on which to listen for SSH; the default is 22. We will open a port on the router and redirect it to the internal IP of the machine where the server runs.
Port 1234
# We use SSH protocol 2, which is much safer, so always force clients to connect with protocol 2.
Protocol 2
# HostKeys for protocol version 2: the place where the keys are stored.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 2048
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication: the important part is PermitRootLogin, which is your decision...
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# Similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
MaxAuthTries 2
If we use chrooted (caged) SFTP, we must comment out the line "Subsystem sftp /usr/lib/openssh/sftp-server" and put these lines instead:
Subsystem sftp internal-sftp
Match User server
ChrootDirectory /home/jail/home
AllowTcpForwarding no
ForceCommand internal-sftp
As you can see, with openssh-server you also get a built-in SFTP server.
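As an added check that is not part of the original guide, the following POSIX shell script reads an sshd_config the way sshd does (first uncommented match wins, settings under a Match line do not count globally), flags the weak authentication settings discussed above, and tests a ChrootDirectory against sshd's ownership rule (root-owned and not group/world writable at every path component), which /home/jail/home must satisfy. The sample config it builds is constructed for the demonstration; the defaults used for missing keywords are assumed for the older OpenSSH release this configuration targets, and GNU stat is assumed.

```shell
# Effective value of a keyword: sshd takes the first uncommented match, case-
# insensitively; settings after the first Match line are conditional, so stop.
sshd_value() {  # $1 = config file, $2 = keyword; prints nothing if unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# One OK/WEAK line per keyword; $3 = assumed default when unset, $4 = wanted.
expect() {
    v=$(sshd_value "$1" "$2"); tag=""
    [ -n "$v" ] || { v=$3; tag=" (default)"; }
    [ "$v" = "$4" ] && echo "OK   $2 $v$tag" || echo "WEAK $2 $v$tag, want $4"
}

audit_sshd_config() {  # $1 = config file
    expect "$1" PermitRootLogin yes no
    expect "$1" PasswordAuthentication yes no
    expect "$1" PermitEmptyPasswords no no
    expect "$1" HostbasedAuthentication no no
}

# sshd refuses a ChrootDirectory unless it and every parent are owned by root
# and not group/world writable; walk up to / (GNU stat assumed).
chroot_dir_ok() {  # $1 = directory; returns 1 at the first bad component
    d=$1
    while :; do
        out=$(stat -c '%u %a' "$d" 2>/dev/null) || return 1
        set -- $out
        [ "$1" = 0 ] || { echo "not root-owned: $d"; return 1; }
        case "$2" in *[2367]?|*[2367]) echo "writable: $d"; return 1 ;; esac
        [ "$d" != / ] || return 0
        d=$(dirname "$d")
    done
}

# Constructed sample config (not a real sshd_config); prints its path. The
# PasswordAuthentication inside Match must not count as the global value.
sample_config() {
    f=$(mktemp); cat > "$f" <<'EOF'
PermitRootLogin no
#PasswordAuthentication yes
PermitEmptyPasswords no
Match User server
    ChrootDirectory /home/jail/home
    PasswordAuthentication no
EOF
    echo "$f"
}
```

Run "audit_sshd_config /etc/ssh/sshd_config" and "chroot_dir_ok /home/jail/home" as root after editing; a WEAK line or a "writable:" message is what to fix before restarting sshd.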
Jailing (caging) a user with OpenSSH on Ubuntu
Suppose we want to create a user for our friend Sanobis, but we do not want him to be able to see every file on the system; that is, we want to jail him in his own /home/ directory only.
We download this file:
and put it in the root directory for convenience.
We give it permissions 700:
sudo chmod 700 make_chroot_jail.sh