Difference between revisions of "Setting up a ssh-server"

From Alpine Linux
Jump to: navigation, search
m (Added See also: Two Factors Authentication With OpenSSH)
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
If you need to administer a Alpine Linux box, you can install and use {{Pkg|openssh}}. [http://www.openssh.com/ Openssh] is used to provide a secure encrypted communications between you and the host where openssh is running (the ssh-server is called ''sshd'' and the ssh-client is called ''ssh'').
+
= Overview =
  
= Installation =
+
This article provides a short overview of SSH on Alpine Linux.
Install package:
+
 
 +
Also see [https://en.wikipedia.org/wiki/Secure_Shell Secure Shell (Wikipedia)].
 +
 
 +
{{Note|This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the [[Alpine setup scripts#setup-sshd|setup-sshd]] script, or by following the below instructions.}}
 +
 
 +
= OpenSSH =
 +
 
 +
[http://www.openssh.com/ OpenSSH] is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines ''sshd'' as the daemon, and ''ssh'' as the client program.
 +
 
 +
The {{Pkg|openssh}} package provides OpenSSH on Alpine Linux.
 +
 
 +
== Installation ==
 +
Install the {{Pkg|openssh}} package:
 
{{Cmd|apk add openssh}}
 
{{Cmd|apk add openssh}}
  
{{Note|If you want the ACF-frontend for openssh, you should install 'acf-openssh' instead (assuming that you have setup-acf)}}
+
{{Note|To use the ACF-frontend for openssh, install {{Pkg|acf-openssh}} instead (assuming that you have the setup-acf script).}}
 +
 
 +
Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management Alpine Linux package management ].
  
= Make it autostart =
+
== Service commands ==
Next time you reboot your Linux box, you would probably want your ''sshd'' to automatically start.
+
Enable the sshd service so that it starts at boot:
 
{{Cmd|rc-update add sshd}}
 
{{Cmd|rc-update add sshd}}
  
You can check your boot services:
+
List services to verify sshd is enabled:
 
{{Cmd|rc-status}}
 
{{Cmd|rc-status}}
  
= Start it up now =
+
Start the sshd service immediately and create configuration files:
The reason we want to manually start ''sshd'' at this moment is that we want ''sshd'' to create some initial files that he needs. After they are created, we can permanently save them.<BR>
 
Next reason is... we don't have time to wait for the box to reboot ;-)
 
 
{{Cmd|/etc/init.d/sshd start}}
 
{{Cmd|/etc/init.d/sshd start}}
  
{{Note|Don't forget to permanently save your settings by using the 'lbu ci' command when you are done.}}
+
{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
= Fine tuning =
+
 
The default config that comes with openssh has pretty good default values.<BR>
+
Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_Init_System Alpine Linux Init System].
But sometimes you would like to fine-tune things. We show some examples below on what you might want to do.<BR>
+
 
 +
== Fine tuning ==
 +
 
 +
You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See [https://www.openssh.com/manual.html the manual] for full details.
 +
 
 +
The fine-tuning is done by editing '''/etc/ssh/sshd_config'''. Any line starting with "#" will be ignored by ''sshd''.
 +
 
 +
UseDNS no  # By setting this to no, connection speed can increase.
 +
PasswordAuthentication no  # Do not allow password authentication.
  
{{Note|You are _not_ required to follow this [[#Fine_tuning]] section. You can skip it if you want to make things easy!}}
+
Other configuration options are shown in '''/etc/ssh/sshd_config'''. The file includes comments that explain many of the options.
  
The fine-tuning is done by editing '''/etc/ssh/sshd_config'''<BR>
+
== Firewalling and Port Changes ==
"#" marks that the rest of the line should be ignored by ''sshd''. Everything right to the "#" is treated as comments.
+
By default, sshd will communicate on TCP port '''22'''.<BR>
UseDNS no  # By setting this to no, you could increase speed when the client starts to connect to this ssh-server
 
PasswordAuthentication no  # Instead you could use private/public keys to authenticate to this box (this increases security for the box)
 
Many other options are found in '''/etc/ssh/sshd_config'''. The describing text that comes in the same file will guide you in your fine-tuning.
 
  
= Firewalling =
+
Sometimes '''22/tcp''' is blocked by a firewall over which you have no control. Changing the '''Port''' option to an unused port number in '''/etc/ssh/sshd_config''' may be useful in this situation.<BR>
As default, sshd will communicate on port ''''22'''' using protocol ''''TCP''''.<BR>
+
Port 443  # Use whichever port number fits your needs
You would need to make sure that the box where ''sshd'' is running, doesn't block your connection attempts on '''22TCP'''.<BR>
 
If you still have trouble accessing your box, make sure that there is no other firewall blocking your connection.
 
  
Sometimes '''22TCP''' is blocked by some firewall that you can not control. In those cases you might want to configure '''sshd''' to communicate on some other port.<BR>
+
{{Note|Ensure the port you wish to use is not already in use by running '''netstat -lnp''' on the machine running ''sshd''.}}
In that case you change '''/etc/ssh/sshd_config''' to reflect your needs.<BR>
 
But before you do so, you need to check so you don't use a port that already is in use. (You can check this by using the command ''''netstat -ln'''' on the box where you plan to run ''sshd'')
 
Port 443  # Use whatever port number that fits your needs
 
  
You need to restart ''sshd'' after you done you modifications.
+
Restart ''sshd'' after making modifications to the configuration file:
 
{{Cmd|/etc/init.d/sshd restart}}
 
{{Cmd|/etc/init.d/sshd restart}}
  
= Save settings =
+
{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
If you already haven't done so, save all your settings
 
{{Cmd|lbu ci}}
 
  
= Alternative =
+
= Dropbear =
  
Alternatively you can use [https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear].
+
[https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear] is another open source SSH implementation.
Install it:
+
Install {{Pkg|dropbear}} through the [[Alpine setup scripts]], or manually with:
 
{{Cmd|apk add dropbear}}
 
{{Cmd|apk add dropbear}}
 
Start it:
 
Start it:
 
{{Cmd|rc-service dropbear start}}
 
{{Cmd|rc-service dropbear start}}
And if you are happy with it, add it to the default runlevel:
+
Add it to the default runlevel:
 
{{Cmd|rc-update add dropbear}}
 
{{Cmd|rc-update add dropbear}}
  
Line 62: Line 72:
 
{{Cmd|dropbear -h}}
 
{{Cmd|dropbear -h}}
  
The config file is located at /etc/conf.d/dropbear.
+
The config file is located at <code>/etc/conf.d/dropbear</code>
 +
 
 +
{{Pkg|dropbear}} also includes an SSH client which in its simplest form can be used like this:
 +
 
 +
{{Cmd|dbclient host.example.com}}
 +
 
 +
{{Cmd|dbclient x.x.x.x}} (where x.x.x.x is the IP address of the remote machine).
 +
 
 +
Use <code>dbclient -h</code> to see all available options.
  
Dropbear also includes an SSH client which in its simplest form can be used like this:
+
= See also =
 +
* [[Two Factors Authentication With OpenSSH]]
  
{{Cmd|dbclient x.x.x.x}}
+
= Further Reading =
  
(where x.x.x.x is the destination server). Use dbclient -h to see all available options.
+
[https://www.openssh.com/portable.html OpenSSH (openssh.com)]<BR>
 +
[https://en.wikipedia.org/wiki/OpenSSH OpenSSH (wikipedia.org)]
  
 
[[Category:Server]]
 
[[Category:Server]]
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 23:00, 18 September 2017

Overview

This article provides a short overview of SSH on Alpine Linux.

Also see Secure Shell (Wikipedia).

Note: This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the setup-sshd script, or by following the below instructions.

OpenSSH

OpenSSH is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines sshd as the daemon, and ssh as the client program.

The openssh package provides OpenSSH on Alpine Linux.

Installation

Install the openssh package:

apk add openssh

Note: To use the ACF-frontend for openssh, install acf-openssh instead (assuming that you have the setup-acf script).

Also see Alpine Linux package management .

Service commands

Enable the sshd service so that it starts at boot:

rc-update add sshd

List services to verify sshd is enabled:

rc-status

Start the sshd service immediately and create configuration files:

/etc/init.d/sshd start

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Also see Alpine Linux Init System.

Fine tuning

You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See the manual for full details.

The fine-tuning is done by editing /etc/ssh/sshd_config. Any line starting with "#" will be ignored by sshd.

UseDNS no   # By setting this to no, connection speed can increase.
PasswordAuthentication no  # Do not allow password authentication.

Other configuration options are shown in /etc/ssh/sshd_config. The file includes comments that explain many of the options.

Firewalling and Port Changes

By default, sshd will communicate on TCP port 22.

Sometimes 22/tcp is blocked by a firewall over which you have no control. Changing the Port option to an unused port number in /etc/ssh/sshd_config may be useful in this situation.

Port 443   # Use whichever port number fits your needs
Note: Ensure the port you wish to use is not already in use by running netstat -lnp on the machine running sshd.

Restart sshd after making modifications to the configuration file:

/etc/init.d/sshd restart

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Dropbear

Dropbear is another open source SSH implementation. Install dropbear through the Alpine setup scripts, or manually with:

apk add dropbear

Start it:

rc-service dropbear start

Add it to the default runlevel:

rc-update add dropbear

Use the following command to check all available server options:

dropbear -h

The config file is located at /etc/conf.d/dropbear

dropbear also includes an SSH client which in its simplest form can be used like this:

dbclient host.example.com

dbclient x.x.x.x

(where x.x.x.x is the IP address of the remote machine).

Use dbclient -h to see all available options.

See also

Further Reading

OpenSSH (openssh.com)
OpenSSH (wikipedia.org)