Secure remote access of a private network
using Secure Shell (SSH)

Securing the copSSH server PC
The examples illustrated are  from an installation on a Windows Vista Ultimate desktop PC

The following examples are based on recommendations made by the copSSH developer Tevfik Karagülle in this FAQ.

Change default port example

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
 

#Port 22
Port 11205
Protocol 2
ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key

# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 60
PermitRootLogin no
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no

# similar for protocol version 2
#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Changed 20 July 2006
 AllowUsers Al
DenyUsers Administrator Guest Linda Paul

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes

MaxStartups 3
# no default banner path
#Banner /some/path
 Banner /etc/Banner.txt

#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /bin/sftp-server
 

Important Note: The AllowUsers and DenyUsers options are highly localized from site to site. Modify as needed for local use.

Modify the default sshd_config file by navigating to the C:\Program Files\copssh\etc folder. Create a copy of the original sshd_config file as a backup. To modify the sshd_config file double-click on the file name and use Wordpad to modify the file. A modified /etc/sshd_config file and a new login authentication warning /etc/Banner.txt file can be downloaded here. Use the downloaded sshd_config file as a template for your local copSSH server. Make a backup of the original /etc/sshd_config file then download and extract the two new files into the C:\Program Files\copssh\etc folder on the copSSH server PC.

Remember that you must restart the Openssh SSHD service on the copSSH server PC after changing or modifying the sshd_config file.
Last reviewed: 2 August 2008...awj
Copyright © 2008 - Alan W. Jarvi - All rights reserved
The Microsoft MVP Program