3 Installing SSHD

sshd is the name of the server. Most applications has a package for sshd. For Debian distributions, the name of the server is openssh-server. As a result, the command apt-get install openssh-server installs the package.

After the package is installed, it is a good idea to review the configuration file. In Debian distributions, this file is /etc/ssh/sshd_config. The following is a explanation of the most important settings.

• Port 22
  This specifies that sshd listens to port 22. Port 22 is the default port for SSH. However, this can be changed to other ports. This may be necessary because a firewall blocks port 22 (and leave some other ports open).
• Protocol 2
  There are two versions of SSH to date. Version 1 is known to have security issues. As a result, version 2 is better. This option specifies that the server only connects with version 2. Unless a server may need to connect to version 1 clients.
• HostKey /etc/ssh/ssh_host_rsa_key and
  HostKey /etc/ssh/ssh_host_dsa_key
  These two options specify the encryption keys of the server itself. These keys should be set up automatically when the package is installed (in Debian, at least).
• UsePrivilegeSeparation yes
  This option should be turned on for security. However, this option breaks PAM (pluggable authentication module). We’ll discuss authentication options later.
• PasswordAuthentication yes
  This enables sshd to use passwords for authentication. This is what most people are used to (using passwords for authentication). However, it is not the most secure method. Many people choose rather weak passwords, which can be attacked by a dictionary approach. We’ll discuss the alternative authentication method later.
• KeyRegenerationInterval 3600
  This specifies the number of seconds that an encryption key should last in a connection for SSH version 1.
• ServerKeyBits 768
  This is the number of bits for a session key. It is only useful for SSH version 1.
• SyslogFacility AUTH
  This specifies where SSH related log entries should be stored. This option specifies that the log entries will be in /var/log/auth.log
• LogLevel INFO
  This specifies that we log useful information in the log file.
• LoginGraceTime 600
  This means a user has 600 seconds (10 minutes!) to log in once a log in prompt is displayed.
• PermitRootLogin no
  This specifies that the root account cannot log in directly.
• RSAAuthentication yes
  This specifies that the server permits public key authentication. This option is useful only for version 1.
• PubkeyAuthentication yes
  This specifies that the server permits the use of public key authentication.
• IgnoreRhosts yes
  This means all settings related to rhosts will be ignored. rhosts is an older (less secure) method to remote host access.
• RhostsRSAAuthentication no
  This means that we do not permit rhosts based RSA authentication.
• HostbasedAuthentication no
  This specifies that we do not permit host-to-host authentication. Without host-to-host authentication, the server only uses user-based authentication. It is more secure to only use user-based authentication.
• PermitEmptyPassword no
  Unless you have a very compelling reason, specify no!
• X11Forwarding yes
  This specifies that we permit the X11 protocol be tunneled through an SSH connection. We’ll explain this later.
• X11DisplayOffset 10
  This specifies that the first display forwarded by display 10, then 11 and so on. This means that the server may have up to 10 native (non-forwarded) X11 servers.
• PrintMotd yes
  This specifies that an SSH log in shell should display the usual log in prompt (such as the identification of the host and version of operating system).
• PrintLastLog yes
  This specifies whether to print the date and time of the last log in. This is usually a good idea, as a user can check the last log in time to see if anyone has logged in unauthorized.
• Subsystem sftp /usr/lib/openssh/sftp-server
  This is a rather important setting. It specifis that the sub-protocol SFTP be handled by another program (and the path to it). At this point, only SFTP is a common sub-protocol.
• UsePAM no
  If you enable PasswordAuthentication, then you should disable this option. Furthermore, enabling this option also makes it impossible to run sshd without root privilege. If you are using PAM, then enable this feature, but disable PasswordAuthentication.