Securing Fedora's sshd
2007-10-17 12:23
Fedora is installed with sshd running, permitted through the firewall, and with root login permitted. That's a gift for SSH door knockers. The consequences of choosing a poor root password are poorly spelt out during installation.
The first thing to do is to disable remote access for root. Anyone who needs root access can use sudo. Edit /etc/ssh/sshd_config and set:
PermitRootLogin no
Not every user needs remote access via SSH. So let's limit access to members of the sshers group (such as the user "fab").
# groupadd -r sshers
# usermod -a -G sshers fab
Then, in sshd_config:
AllowGroups sshers
Cost those door knockers some bandwidth by sending them a banner before authentication.
Banner /etc/issue.net
Now let's get rid of password access altogether and replace it with public keys. On the client box run
[fab@client]$ ssh-keygen -t dsa
This generates two files, ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The id_dsa.pub file contains the public key and is placed on the remote machines you want to access. That is done by:
[fab@server]$ ( umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys )
[fab@server]$ vi ~/.ssh/authorized_keys
Place the single line from id_dsa.pub into ~/.ssh/authorized_keys.
Once that is done for all users, remove password and other access in sshd_config.
RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
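To check the result, the following added example (not part of the original post) audits a config file against the access-control directives set above, leaving out Banner and RSAAuthentication. It relies on two sshd parsing rules: the first occurrence of a keyword wins, and lines after a Match keyword are conditional. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post: audit sshd_config against the post's settings.

# first_value FILE KEYWORD: print the value sshd takes from the global section.
first_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        { key = tolower($1) }            # keywords are case-insensitive
        key == "match" { exit }          # Match blocks are conditional, not global
        key == tolower(want) {           # first occurrence wins, later ones are ignored
            $1 = ""; gsub(/^[ \t]+|[ \t\r]+$/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per mismatch; return 1 if any.
audit_sshd_config() {
    fail=0
    while read -r key want; do
        got=$(first_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            fail=1
        fi
    done <<'EOF'
PermitRootLogin no
AllowGroups sshers
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
EOF
    return $fail
}

# write_sample FILE: constructed config with a duplicate keyword and a Match block.
write_sample() {
    printf '%s\n' 'PermitRootLogin no' 'AllowGroups sshers' \
        'passwordauthentication yes' 'PubkeyAuthentication yes' \
        'HostbasedAuthentication no' 'IgnoreRhosts yes' \
        'ChallengeResponseAuthentication no' 'KerberosAuthentication no' \
        'PasswordAuthentication no' 'Match Group sshers' \
        '    GSSAPIAuthentication no' > "$1"
}
# Demo on the constructed sample; prints two FAIL lines.
tmp=$(mktemp) && write_sample "$tmp" && { audit_sshd_config "$tmp" || true; }; rm -f "$tmp"
```

On the server, call audit_sshd_config /etc/ssh/sshd_config; an "unset" result means the keyword is absent from the global section, so sshd's built-in default applies.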