The following examples are based on recommendations made by the copSSH developer Tevfik Karagülle in this FAQ.
Use an alternate high-numbered port for copSSH to listen on. See the Port option in the sshd_config file man page for option details. Note that in this case I use port redirection through my router to direct the high port to port 22 on the copSSH server PC, as an alternative to changing the sshd_config file.

Create a 4096-bit private/public RSA key pair with a strong passphrase for authentication.
Configure the sshd_config file to allow only private/public key authentication, use AllowUsers/DenyUsers, and lower the MaxStartups value. See the following example sshd_config file for details. Changes from the default settings are highlighted in bold face. See the sshd_config file man page for option details.
```
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
Protocol 2
ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 60
PermitRootLogin no
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Changed 20 July 2006
AllowUsers Al
DenyUsers Administrator Guest Root

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes

MaxStartups 3
# no default banner path
#Banner /some/path
Banner /etc/Banner.txt
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /bin/sftp-server
```
Important Note: The AllowUsers and DenyUsers options are highly localized from site to site. Modify as needed for local use.
Modify the default sshd_config file by navigating to the C:\Program Files\copssh\etc folder. Create a copy of the original sshd_config file as a backup. To modify the sshd_config file, double-click on the file name and use WordPad to edit it. A modified /etc/sshd_config file and a new login authentication warning /etc/Banner.txt file can be downloaded here. Use the downloaded sshd_config file as a template for your local copSSH server. Make a backup of the original /etc/sshd_config file, then download and extract the two new files into the C:\Program Files\copssh\etc folder on the copSSH server PC.
Remember that you must restart the OpenSSH Server service on the copSSH server PC after changing or modifying the sshd_config file.
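The settings recommended above can be checked mechanically before the service is restarted. The following is an added example, not part of the original page or of copSSH: the function names and check list are this example's own, and it assumes sshd's documented behaviour that the first value for a keyword wins, that AllowUsers/DenyUsers lines accumulate, and that the default MaxStartups start value is 10.

```python
# Added example: audit an sshd_config against the settings this page recommends.
import re

# Constructed sample: a trimmed copy of the hardened settings shown on the page.
SAMPLE = """\
Protocol 2
#PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers Al
DenyUsers Administrator Guest Root
MaxStartups 3
"""

MULTI = {"allowusers", "denyusers"}          # keywords whose lines accumulate
EXPECTED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "permitemptypasswords": "no"}

def parse(text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                         # commented options keep their default
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in MULTI:
            conf.setdefault(key, []).extend(val.split())
        else:
            conf.setdefault(key, val)        # sshd keeps the first occurrence
    return conf

def audit(text, default_max_startups=10):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse(text), []
    for key, want in EXPECTED.items():
        if conf.get(key, "<unset>").lower() != want:
            findings.append(f"{key} is {conf.get(key, '<unset>')}, expected {want}")
    if conf.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("pubkeyauthentication is disabled")
    if not conf.get("allowusers"):
        findings.append("no AllowUsers list: any account may attempt a login")
    # MaxStartups may be "start:rate:full"; compare the first field only.
    start = conf.get("maxstartups", str(default_max_startups)).split(":")[0]
    if not start.isdigit() or int(start) >= default_max_startups:
        findings.append(f"maxstartups {start} is not below the default of {default_max_startups}")
    return findings
```

Call `audit()` with the text of the sshd_config file from the C:\Program Files\copssh\etc folder; an empty list means the file matches the recommendations.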
Last reviewed: 4 August 2007...awj
Copyright © 2007 - Alan W. Jarvi - All rights reserved