optics.csufresno.edu


Department of Electrical and Computer Engineering
Assistant Professor Gregory R. Kriehn
F8 ssh & sshd

ssh (Secure SHell login) is a client program that allows a user to log in to a remote machine and execute commands on it. In other words, ssh provides encrypted communication between two untrusted hosts over an insecure network. See the man page for the nitty-gritty details. Along with scp (Secure CoPy), it is one of my most used programs, especially when working away from the office.

One of the huge advantages of ssh is that it allows encrypted X11 connections to be forwarded over the channel (once secured) if the host computer has its ssh daemon (sshd) set up correctly and the ssh configuration file is set up correctly on the client. In layman's terms, this means that I can execute a program on a remote host (even if it is halfway around the world) and have it launch a graphical window on the client, or local computer. The only drawback to this is that because all of the data is encrypted, you need a fast internet connection, as data encryption chews up bandwidth like no tomorrow. However, in a pinch, it works great, especially if you are on a local area network. Although I will not discuss it here, you can even launch X applications on a Windows machine if Cygwin is installed, which is perfect for working at home on the family computer when the wife will not allow you to boot over to "poopy" Linux. :(

To set up X11 forwarding, edit /etc/ssh/ssh_config with your favorite editor using sudo, since the file can only be read/written by root:
~> sudo nano /etc/ssh/ssh_config
Hit enter and type in the root password. Scroll down to the very bottom of the file and look for the line:
ForwardX11Trusted yes
Just under it, add the following:
ForwardX11 yes
Save and exit (^o, ^x). Now X11 forwarding is set up on the client. If your local computer is running sshd (to allow others such as yourself to log in to it), you might as well verify that X11 forwarding is enabled in /etc/ssh/sshd_config. Pop open the file with your editor using sudo:
~> sudo nano /etc/ssh/sshd_config
Perform a search to verify that the option has been set (use ^w), which is standard for Fedora Core these days. Lines starting with "#" have been commented out, and are the default values for sshd. Notice that in F8, the configuration file overrides the defaults to allow for X11 forwarding. Specifically, you should see the following:
#X11Forwarding no
X11Forwarding yes
While in /etc/ssh/sshd_config, also do a search for "PermitRootLogin". Notice that the default value is set to "yes". This is a huge security hole, because it allows remote users to attempt to log in to your computer directly as root from a remote location (I have no idea why Fedora allows this). Script kiddies abound nowadays, so we might as well deny them an easy access point when they decide to attack your computer. (I'll discuss other methods of hardening the system a bit by using rkhunter and blockhosts in the HOWTOs.) Add the following line just under the "PermitRootLogin" option:
PermitRootLogin no
Save and exit. Finally, restart sshd.
~> sudo service sshd restart
You should see the daemon successfully stop and restart:
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
If you get a "Permission denied" message, it is because you are using a faulty selinux-targeted-policy, which can be fixed by updating to the latest policy file:
~> sudo yum -y update selinux-policy-targeted
Once updated, try to restart the daemon once again.  It should now work properly.  For additional information, see the Fedora 8 Common Bugs page regarding sshd.

That's it! X11 forwarding is now set up, and a fairly large security hole has just been plugged.
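
A check for the edits above, added here as an example and not part of the original page. sshd uses the first value it reads for a keyword, so a "PermitRootLogin no" line added below an uncommented "PermitRootLogin yes" has no effect; the script reports the value that actually wins. The function names (effective_opt, audit_sshd, write_shadowed, write_hardened) and both sample configurations are made up for the example.

```sh
#!/bin/sh
# effective_opt FILE KEYWORD: print the value sshd uses for KEYWORD in the
# global section of FILE (case-insensitive keyword, first live line wins).
effective_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        { sub(/=/, " ") }                   # accept "Keyword=value" as well
        tolower($1) == "match" { exit }     # Match blocks apply conditionally
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: check the two settings this page changes; returns 1 on any miss.
audit_sshd() {
    rc=0
    for pair in PermitRootLogin:no X11Forwarding:yes; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(effective_opt "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: "no" was added below a live (uncommented) "yes" line.
write_shadowed() {
    printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' \
        'PermitRootLogin yes' 'PermitRootLogin no' > "$1"
}

# Constructed sample: the layout this page produces (default left commented).
write_hardened() {
    printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' \
        '#PermitRootLogin yes' 'PermitRootLogin no' > "$1"
}

tmp=$(mktemp -d)
write_shadowed "$tmp/shadowed"
write_hardened "$tmp/hardened"
audit_sshd "$tmp/shadowed" || echo "-> root login is still permitted"
audit_sshd "$tmp/hardened" && echo "-> config matches this page"
rm -rf "$tmp"
```

On a live system, call audit_sshd on /etc/ssh/sshd_config (with sudo, since the file is readable only by root) after editing and before restarting sshd.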