From c117d9980465b1325417b410095a6e4f8ad9b179 Mon Sep 17 00:00:00 2001 From: Aaron Kaplan Date: Mon, 16 Dec 2013 15:43:49 +0100 Subject: [PATCH] give the ssh section our normal structure. Add a how to test part to ssh --- src/practical_settings/ssh.tex | 39 ++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/src/practical_settings/ssh.tex b/src/practical_settings/ssh.tex index b127ffc..ffeae84 100644 --- a/src/practical_settings/ssh.tex +++ b/src/practical_settings/ssh.tex @@ -1,4 +1,12 @@ \subsubsection{OpenSSH} + + +\begin{description} +\item[Tested with Version:] \todo{version?} + +\item[Settings:] \mbox{} + + \paragraph*{sshd_config} \begin{lstlisting}[breaklines] # ... 
@@ -15,7 +23,30 @@ \end{lstlisting} % XXX: curve25519-sha256@libssh.org only available upstream(!) -Note: Older linux systems won't support SHA2. PuTTY (Windows) does not support RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.1). DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit -\footnote{\url{https://bugzilla.mindrot.org/show_bug.cgi?id=1647}} -which is far below current standards (see section \ref{section:keylengths}). Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs. -\\ + +Note: Older linux systems won't support SHA2. PuTTY (Windows) does not support +RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH +6.1). DSA host keys have been removed on purpose, the DSS standard does not +support for DSA keys stronger than 1024bit +\footnote{\url{https://bugzilla.mindrot.org/show_bug.cgi?id=1647}} which is far +below current standards (see section \ref{section:keylengths}). Legacy systems +can use this configuration and simply omit unsupported ciphers, key exchange +algorithms and MACs. + +\item[Additional settings:] \mbox{} + +Note that the setting \texttt{ServerKeyBits 4096} has no effect until you re-generate new ssh host keys. There might be issues if you have users which rely on the fingerprint of the old ssh host key being stored in their clients' \texttt{.ssh/known\_hosts} file. + +\item[References:] The openssh sshd\_config man page is the best reference: \url{http://www.openssh.org/cgi-bin/man.cgi?query=sshd_config} + + +\item[How to test:] +% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings. + +Connect with a client to an ssh server like this: \\ +\begin{lstlisting}[breaklines] +$ ssh -vv myserver.com +\end{lstlisting} +and observe the key exchange in the verbose output. 
+ +\end{description} -- 2.20.1
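Review bot: the first hunk leaves `\item[Tested with Version:] \todo{version?}` as an open placeholder, so the rendered section will carry a TODO marker; record the OpenSSH version these settings were actually verified against before merging (the body text itself names 6.1 as the release where Curve25519, AES-GCM and UMAC became available, so whatever was tested should be at least that). Minor layout point: the double blank lines after `\subsubsection{OpenSSH}` and after `\item[Settings:] \mbox{}` can be reduced to one, matching the spacing used later in the same environment.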
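Review bot: the new "Additional settings" item says `ServerKeyBits 4096` "has no effect until you re-generate new ssh host keys" and then talks about `known_hosts` fingerprints; the sshd\_config man page linked under References defines ServerKeyBits as the size of the ephemeral protocol-1 server key, which is regenerated automatically and is not the host key whose fingerprint clients pin, so this paragraph conflates two different keys. Suggest either rewording it to talk about host key regeneration directly (that is what invalidates stored fingerprints) or dropping the ServerKeyBits sentence. Two smaller points in the same hunk: the reflowed note keeps the grammatical slip "does not support for DSA keys stronger than 1024bit" from the old text and could be fixed to "does not support DSA keys stronger than 1024 bit" while the lines are being touched; and in "How to test", the trailing `\\` on "Connect with a client to an ssh server like this: \\" directly before `\begin{lstlisting}` produces an underfull-hbox warning and should be removed, and the instruction "observe the key exchange in the verbose output" would be more useful if it named what to look for, e.g. the `debug1: kex:` lines that report the negotiated cipher, MAC and key exchange algorithm.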