
Chapter 5. Server Use

5.1. Server Config
5.2. Cryptographic Logon
Setting up OpenSSH on your server isn't difficult. Most settings are found in the /etc/ssh/sshd_config file. It is important to understand the settings in the file, however, as failure to properly configure OpenSSH could lead to your system being vulnerable to attack.

5.1. Server Config

In your /etc/ssh/sshd_config you will see several settings (and some you will not see, because they are left at their defaults) that control how OpenSSH runs as a service. Information on every option accepted in /etc/ssh/sshd_config can be found by running man sshd_config.
The main /etc/ssh/sshd_config choices to address include the following:
Protocol 2 - Because protocol version 1 contains known security vulnerabilities, make sure that protocol version 2 is the only protocol in use. To do this, make sure that the Protocol 2 line is uncommented and that protocol 1 does not appear anywhere in the configuration.
PermitRootLogin - Configures remote root login as follows:
yes Enables access with password and public key authentication
no Disables all direct remote logins as root
without-password Allows access with public key authentication only
forced-commands-only Allows access with public key authentication only, and runs nothing but the command configured for that key in ~/.ssh/authorized_keys (in the form: allowed-command-name ssh-dsa public-key-string)
PermitEmptyPasswords - To explicitly disallow remote login from accounts with empty passwords, set this to no.
Banner - Text displayed to anyone who connects to your server. This option should point to a file containing the text.
Ciphers - The ciphers OpenSSH will use, given as a comma-separated list, for example: aes128-ctr,blowfish-cbc. The ciphers supported for protocol 2 are “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.
AllowUsers - Usernames that are allowed to log in using SSH, listed for example as: user1 user2.
DenyUsers - Usernames that are not allowed to log in using SSH, listed for example as: user1 user2.

Important

You must restart the sshd service after editing the configuration file before the new settings take effect.
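The following script is an added example, not part of this guide or of OpenSSH: it reads an sshd_config and reports the settings discussed above that are missing or weak. It assumes the "Keyword value" line form (sshd uses the first occurrence of a keyword and matches keywords case-insensitively), and the sample configuration it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in this section.
# Assumes "Keyword value" lines; "#" starts a comment.

# sshd_get FILE KEYWORD -> prints the value of the first uncommented occurrence
# (sshd itself honours the first occurrence, so that is the effective value).
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE -> prints one "FAIL: ..." line per weak or missing setting
sshd_audit() {
    f="$1"
    proto=$(sshd_get "$f" Protocol)
    case "$proto" in
        2)  ;;
        "") echo "FAIL: Protocol not set; add 'Protocol 2'" ;;
        *)  echo "FAIL: Protocol '$proto' allows SSH-1; use 'Protocol 2' only" ;;
    esac
    root=$(sshd_get "$f" PermitRootLogin)
    case "$root" in
        no|without-password|forced-commands-only) ;;
        "") echo "FAIL: PermitRootLogin not set; choose a value explicitly" ;;
        *)  echo "FAIL: PermitRootLogin '$root' allows root login with a password" ;;
    esac
    case "$(sshd_get "$f" PermitEmptyPasswords)" in
        yes) echo "FAIL: PermitEmptyPasswords yes; accounts with no password can log in" ;;
    esac
    # CBC-mode and arcfour (RC4) ciphers are obsolete; keep the CTR ciphers only.
    for c in $(sshd_get "$f" Ciphers | tr ',' ' '); do
        case "$c" in
            *-cbc|arcfour*) echo "FAIL: weak cipher '$c' enabled; prefer aes*-ctr" ;;
        esac
    done
}

# Constructed sample configuration (not a real host's file) for demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample)
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
Ciphers aes128-ctr,blowfish-cbc,arcfour
EOF
sshd_audit "$sample"
rm -f "$sample"
```

Run it against your own file with `sshd_audit /etc/ssh/sshd_config`; an empty result means none of the checked settings is weak or missing.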