Revision as of 11:05, 8 September 2017

Overview

This article provides a short overview of SSH on Alpine Linux.

Note: This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the setup-sshd script, or by following the below instructions.

OpenSSH

OpenSSH is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines sshd as the daemon, and ssh as the client program.

The openssh package provides OpenSSH on Alpine Linux.

Installation

Install the openssh package:

apk add openssh

Note: To use the ACF-frontend for openssh, install acf-openssh instead (assuming that you have the setup-acf script).

Also see Alpine Linux package management .

Service commands

Enable the sshd daemon so that it starts at boot:

rc-update add sshd

List services to verify sshd is enabled:

rc-status

Start the sshd service immediately and create configuration files:

/etc/init.d/sshd start

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Also see Alpine Linux Init System.

Fine tuning

You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See the manual for full details.

The fine-tuning is done by editing /etc/ssh/sshd_config. Any line starting with "#" will be ignored by sshd.

UseDNS no   # By setting this to no, connection speed can increase.
PasswordAuthentication no  # Do not allow password authentication.

Other configuration options are shown in /etc/ssh/sshd_config. The file includes comments that explain many of the options.

Firewalling and Port Changes

By default, sshd will communicate on TCP port 22.

Sometimes 22/tcp is blocked by a firewall over which you have no control. Changing the Port option to an unused port number in /etc/ssh/sshd_config may be useful in this situation.

Port 443   # Use whatever port number that fits your needs

Note: Ensure the port you wish to use is not already in use on the machine running sshd by running the netstat -lnp.

Restart sshd after making modifications to the configuration file:

/etc/init.d/sshd restart

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Dropbear

Dropbear is another open source SSH implementation. Install it through the Alpine setup scripts, or manually with:

apk add dropbear

Start it:

rc-service dropbear start

Add it to the default runlevel:

rc-update add dropbear

Use the following command to check all available server options:

dropbear -h

The config file is located at /etc/conf.d/dropbear

dropbear also includes an SSH client which in its simplest form can be used like this:

dbclient host.example.com

dbclient x.x.x.x

(where x.x.x.x is the IP address of the remote machine).

Use dbclient -h to see all available options.

@@ Line 1: / Line 1: @@
-If you need to administer a Alpine Linux box, you can install and use {{Pkg|openssh}}. [http://www.openssh.com/ Openssh] is used to provide a secure encrypted communications between you and the host where openssh is running (the ssh-server is called ''sshd'' and the ssh-client is called ''ssh'').
+= Overview =
-{{Note|either of the SSH daemons discussed in this article can be installed using the [[Alpine setup scripts#setup-sshd|setup-sshd]] script}}
+This article provides a short overview of SSH on Alpine Linux.
-= Installation =
+Also see [https://en.wikipedia.org/wiki/Secure_Shell Secure Shell (Wikipedia)].
-Install package:
+{{Note|This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the [[Alpine setup scripts#setup-sshd|setup-sshd]] script, or by following the below instructions.}}
+= OpenSSH =
+[http://www.openssh.com/ OpenSSH] is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines ''sshd'' as the daemon, and ''ssh'' as the client program.
+The {{Pkg|openssh}} package provides OpenSSH on Alpine Linux.
+== Installation ==
+Install the {{Pkg|openssh}} package:
 {{Cmd|apk add openssh}}
-{{Note|If you want the ACF-frontend for openssh, you should install 'acf-openssh' instead (assuming that you have setup-acf)}}
+{{Note|To use the ACF-frontend for openssh, install {{Pkg|acf-openssh}} instead (assuming that you have the setup-acf script).}}
-= Make it autostart =
+Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management Alpine Linux package management ].
-Next time you reboot your Linux box, you would probably want your ''sshd'' to automatically start.
+== Service commands ==
+Enable the sshd daemon so that it starts at boot:
 {{Cmd|rc-update add sshd}}
-You can check your boot services:
+List services to verify sshd is enabled:
 {{Cmd|rc-status}}
-= Start it up now =
+Start the sshd service immediately and create configuration files:
-The reason we want to manually start ''sshd'' at this moment is that we want ''sshd'' to create some initial files that he needs. After they are created, we can permanently save them.<BR>
-Next reason is... we don't have time to wait for the box to reboot ;-)
 {{Cmd|/etc/init.d/sshd start}}
-{{Note|Don't forget to permanently save your settings by using the 'lbu ci' command when you are done.}}
+{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
-= Fine tuning =
-The default config that comes with openssh has pretty good default values.<BR>
+Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_Init_System Alpine Linux Init System].
-But sometimes you would like to fine-tune things. We show some examples below on what you might want to do.<BR>
+== Fine tuning ==
+You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See [https://www.openssh.com/manual.html the manual] for full details.
+The fine-tuning is done by editing '''/etc/ssh/sshd_config'''. Any line starting with "#" will be ignored by ''sshd''.
-{{Note|You are _not_ required to follow this [[#Fine_tuning]] section. You can skip it if you want to make things easy!}}
+ UseDNS no   # By setting this to no, connection speed can increase.
+ PasswordAuthentication no  # Do not allow password authentication.
-The fine-tuning is done by editing '''/etc/ssh/sshd_config'''<BR>
+Other configuration options are shown in '''/etc/ssh/sshd_config'''. The file includes comments that explain many of the options.
-"#" marks that the rest of the line should be ignored by ''sshd''. Everything right to the "#" is treated as comments.
- UseDNS no   # By setting this to no, you could increase speed when the client starts to connect to this ssh-server
- PasswordAuthentication no   # Instead you could use private/public keys to authenticate to this box (this increases security for the box)
-Many other options are found in '''/etc/ssh/sshd_config'''. The describing text that comes in the same file will guide you in your fine-tuning.
-= Firewalling =
+== Firewalling and Port Changes ==
-As default, sshd will communicate on port ''''22'''' using protocol ''''TCP''''.<BR>
+By default, sshd will communicate on TCP port '''22'''.<BR>
-You would need to make sure that the box where ''sshd'' is running, doesn't block your connection attempts on '''22TCP'''.<BR>
-If you still have trouble accessing your box, make sure that there is no other firewall blocking your connection.
-Sometimes '''22TCP''' is blocked by some firewall that you can not control. In those cases you might want to configure '''sshd''' to communicate on some other port.<BR>
+Sometimes '''22/tcp''' is blocked by a firewall over which you have no control. Changing the '''Port''' option to an unused port number in '''/etc/ssh/sshd_config''' may be useful in this situation.<BR>
-In that case you change '''/etc/ssh/sshd_config''' to reflect your needs.<BR>
-But before you do so, you need to check so you don't use a port that already is in use. (You can check this by using the command ''''netstat -ln'''' on the box where you plan to run ''sshd'')
   Port 443   # Use whatever port number that fits your needs
-You need to restart ''sshd'' after you done you modifications.
+{{Note|Ensure the port you wish to use is not already in use on the machine running ''sshd'' by running the '''netstat -lnp'''.}}
+Restart ''sshd'' after making modifications to the configuration file:
 {{Cmd|/etc/init.d/sshd restart}}
-= Save settings =
+{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
-If you already haven't done so, save all your settings
-{{Cmd|lbu ci}}
-= Alternative: Dropbear =
+= Dropbear =
-Alternatively you can use [https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear].
+[https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear] is another open source SSH implementation.
 Install it through the [[Alpine setup scripts]], or manually with:
 {{Cmd|apk add dropbear}}
 Start it:
 {{Cmd|rc-service dropbear start}}
-And if you are happy with it, add it to the default runlevel:
+Add it to the default runlevel:
 {{Cmd|rc-update add dropbear}}
@@ Line 68: / Line 76: @@
 {{Pkg|dropbear}} also includes an SSH client which in its simplest form can be used like this:
-{{Cmd|dbclient x.x.x.x}}
+{{Cmd|dbclient host.example.com}}
+{{Cmd|dbclient x.x.x.x}} (where x.x.x.x is the IP address of the remote machine).
+Use <code>dbclient -h</code> to see all available options.
+== Further Reading ==
-(where x.x.x.x is the destination server).  Use <code>dbclient -h</code> to see all available options.
+[https://www.openssh.com/portable.html OpenSSH (openssh.com)]
+[https://en.wikipedia.org/wiki/OpenSSH OpenSSH (wikipedia.org)]
 [[Category:Server]]
 [[Category:Networking]]
 [[Category:Security]]