Setting up a SSH server: Difference between revisions

From Alpine Linux
mNo edit summary
m (→‎See also: Grammar.)
 
(11 intermediate revisions by 7 users not shown)
Line 5: Line 5:
Also see [https://en.wikipedia.org/wiki/Secure_Shell Secure Shell (Wikipedia)].
Also see [https://en.wikipedia.org/wiki/Secure_Shell Secure Shell (Wikipedia)].


{{Note|This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the [[Alpine setup scripts#setup-sshd|setup-sshd]] script, or by following the below instructions.}}
{{Note|This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the [[Alpine setup scripts#setup-sshd|setup-sshd]] script, or by following the instructions below.}}


= OpenSSH =
= OpenSSH =


[http://www.openssh.com/ OpenSSH] is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines ''sshd'' as the daemon, and ''ssh'' as the client program.
[https://www.openssh.com/ OpenSSH] is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines ''sshd'' as the daemon, and ''ssh'' as the client program.


The {{Pkg|openssh}} package provides OpenSSH on Alpine Linux.
The {{Pkg|openssh}} package provides OpenSSH on Alpine Linux.
Line 19: Line 19:
{{Note|To use the ACF-frontend for openssh, install {{Pkg|acf-openssh}} instead (assuming that you have the setup-acf script).}}
{{Note|To use the ACF-frontend for openssh, install {{Pkg|acf-openssh}} instead (assuming that you have the setup-acf script).}}


Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management Alpine Linux package management ].
Also see [[Alpine_Package_Keeper|Alpine Linux package management]].


== Service commands ==
== Service commands ==
Line 29: Line 29:


Start the sshd service immediately and create configuration files:
Start the sshd service immediately and create configuration files:
{{Cmd|/etc/init.d/sshd start}}
{{Cmd|rc-service sshd start}}


{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}


Also see [https://wiki.alpinelinux.org/wiki/Alpine_Linux_Init_System Alpine Linux Init System].
Also see [[OpenRC|Alpine Linux Init System]].


== Fine tuning ==
== Fine tuning ==
Line 39: Line 39:
You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See [https://www.openssh.com/manual.html the manual] for full details.
You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See [https://www.openssh.com/manual.html the manual] for full details.


The fine-tuning is done by editing '''/etc/ssh/sshd_config'''. Any line starting with "#" will be ignored by ''sshd''.
The fine-tuning is done by editing {{Path|/etc/ssh/sshd_config}}. Any line starting with "#" is ignored by ''sshd''.


  UseDNS no  # By setting this to no, connection speed can increase.
  UseDNS no  # By setting this to no, connection speed can increase.
  PasswordAuthentication no  # Do not allow password authentication.
  PasswordAuthentication no  # Do not allow password authentication.


Other configuration options are shown in '''/etc/ssh/sshd_config'''. The file includes comments that explain many of the options.
Other configuration options are shown in {{Path|etc/ssh/sshd_config}}. The file includes comments that explain many of the options.


== Firewalling and Port Changes ==
== Firewalling and Port Changes ==
By default, sshd will communicate on TCP port '''22'''.<BR>
By default, sshd will communicate on TCP port '''22'''.<BR>


Sometimes '''22/tcp''' is blocked by a firewall over which you have no control. Changing the '''Port''' option to an unused port number in '''/etc/ssh/sshd_config''' may be useful in this situation.<BR>
Sometimes '''22/tcp''' is blocked by a firewall over which you have no control. Changing the '''Port''' option to an unused port number in {{Path|/etc/ssh/sshd_config}} may be useful in this situation.<BR>
  Port 443  # Use whichever port number fits your needs
  Port 443  # Use whichever port number fits your needs


Line 55: Line 55:


Restart ''sshd'' after making modifications to the configuration file:
Restart ''sshd'' after making modifications to the configuration file:
{{Cmd|/etc/init.d/sshd restart}}
{{Cmd|rc-service sshd restart}}


{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
{{Note|If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See [https://wiki.alpinelinux.org/wiki/Alpine_local_backup Alpine local backup].}}
Line 61: Line 61:
= Dropbear =
= Dropbear =


[https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear] is another open source SSH implementation.
[https://matt.ucc.asn.au/dropbear/dropbear.html Dropbear] is a lightweight SSH client/server alternative to OpenSSH.
Install {{Pkg|dropbear}} through the [[Alpine setup scripts]], or manually with:
 
=== server ===
{{Tip|You can use {{Path|~/.ssh/authorized_keys}} in the same way as with OpenSSH}}
 
{{Pkg|dropbear}} can be install through the [[Alpine setup scripts]], or manually with:
{{Cmd|apk add dropbear}}
{{Cmd|apk add dropbear}}
Start it:
Start it:
Line 72: Line 76:
{{Cmd|dropbear -h}}
{{Cmd|dropbear -h}}


The config file is located at <code>/etc/conf.d/dropbear</code>
The config file is located at {{Path|/etc/conf.d/dropbear}}


{{Pkg|dropbear}} also includes an SSH client which in its simplest form can be used like this:
{{Tip|<code>DROPBEAR_OPTS{{=}}"-w -s"</code> will forbid root login and password login}}


=== client ===
{{Pkg|dropbear-dbclient}} contains the SSH client and can be installed manually with:
{{Cmd|apk add dropbear-dbclient}}
In its simplest form it can be used like this:
{{Cmd|dbclient <user>@host.example.com}}
{{Cmd|dbclient host.example.com}}
{{Cmd|dbclient host.example.com}}
{{Cmd|dbclient x.x.x.x}} (where x.x.x.x is the IP address of the remote machine).
{{Cmd|dbclient x.x.x.x}} (where x.x.x.x is the IP address of the remote machine).


Use <code>dbclient -h</code> to see all available options.
Use <code>dbclient -h</code> to see all available options.
= See also =
* [[HOWTO OpenSSH 2FA with password and Google Authenticator|Two Factor Authentication With OpenSSH]]


= Further Reading =
= Further Reading =

Latest revision as of 11:39, 20 December 2023

Overview

This article provides a short overview of SSH on Alpine Linux.

Also see Secure Shell (Wikipedia).

Note: This article describes two popular SSH implementations: OpenSSH and Dropbear. Either can be installed using the setup-sshd script, or by following the instructions below.

OpenSSH

OpenSSH is a popular SSH implementation for remote encrypted login to a machine. OpenSSH defines sshd as the daemon, and ssh as the client program.

The openssh package provides OpenSSH on Alpine Linux.

Installation

Install the openssh package:

apk add openssh

Note: To use the ACF-frontend for openssh, install acf-openssh instead (assuming that you have the setup-acf script).

Also see Alpine Linux package management.

Service commands

Enable the sshd service so that it starts at boot:

rc-update add sshd

List services to verify sshd is enabled:

rc-status

Start the sshd service immediately and create configuration files:

rc-service sshd start

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Also see Alpine Linux Init System.

Fine tuning

You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See the manual for full details.

The fine-tuning is done by editing /etc/ssh/sshd_config. Any line starting with "#" is ignored by sshd.

UseDNS no   # By setting this to no, connection speed can increase.
PasswordAuthentication no  # Do not allow password authentication.

Other configuration options are shown in etc/ssh/sshd_config. The file includes comments that explain many of the options.

Firewalling and Port Changes

By default, sshd will communicate on TCP port 22.

Sometimes 22/tcp is blocked by a firewall over which you have no control. Changing the Port option to an unused port number in /etc/ssh/sshd_config may be useful in this situation.

Port 443   # Use whichever port number fits your needs
Note: Ensure the port you wish to use is not already in use by running netstat -lnp on the machine running sshd.

Restart sshd after making modifications to the configuration file:

rc-service sshd restart

Note: If you are running from RAM, ensure you save your settings using the 'lbu ci' command as necessary. See Alpine local backup.

Dropbear

Dropbear is a lightweight SSH client/server alternative to OpenSSH.

server

Tip: You can use ~/.ssh/authorized_keys in the same way as with OpenSSH

dropbear can be install through the Alpine setup scripts, or manually with:

apk add dropbear

Start it:

rc-service dropbear start

Add it to the default runlevel:

rc-update add dropbear

Use the following command to check all available server options:

dropbear -h

The config file is located at /etc/conf.d/dropbear

Tip: DROPBEAR_OPTS="-w -s" will forbid root login and password login

client

dropbear-dbclient contains the SSH client and can be installed manually with:

apk add dropbear-dbclient

In its simplest form it can be used like this:

dbclient <user>@host.example.com

dbclient host.example.com

dbclient x.x.x.x

(where x.x.x.x is the IP address of the remote machine).

Use dbclient -h to see all available options.

See also

Further Reading

OpenSSH (openssh.com)
OpenSSH (wikipedia.org)