There are several configuration files used by HP-SSH. Some are used by the daemon and others by the client. We will first look at the host based configuration file followed by the client configuration file next week.
The sshd_config file
/etc/opt/ssh: (or) /opt/ssh/etc: -r--r--r-- 1 bin bin 2805 Sep 9 20:32 sshd_config
The sshd_config file is the one read and used by the SSH daemon. The "#" sign is a comment in this file. A " grep -v "# " sshd_config " command will produce the following output:
#Port 22 Protocol 2 #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /opt/ssh/etc/ssh_host_key #HostKey /opt/ssh/etc/ssh_host_rsa_key #HostKey /opt/ssh/etc/ssh_host_dsa_key #KeyRegenerationInterval 3600 #ServerKeyBits 768 #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO #LoginGraceTime 600 #PermitRootLogin yes #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys #RhostsAuthentication no #IgnoreRhosts yes #RhostsRSAAuthentication no #HostbasedAuthentication no #IgnoreUserKnownHosts no #PasswordAuthentication yes #PermitEmptyPasswords no #ChallengeResponseAuthentication yes #KerberosAuthentication yes #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing yes #KerberosTgtPassing no #PAMAuthenticationViaKbdInt yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog
yes #KeepAlive yes #UseLogin no #MaxStartups 10 #Banner /some/path #VerifyReverseMapping no Subsystem sftp /opt/ssh/libexec/sftp-server
From initially looking at this file, you might assume that the only settings are those that do not start with the "#" symbol. However, the lines that do start with a "#" symbol represent the default setting for that parameter. These settings were made during compile time. For example, the default setting for PrintLastLog is: #PrintLastLog yes . This settings displays the last login time for the user:
$ ssh ctg701 Enter passphrase for key '/home/vking/.ssh/id_dsa': Last login: Wed Sep 11 20:30:01 2002 from client
If we change the sshd_config file to:
#PrintLastLog yes PrintLastLog no
and force the SSH daemon to re-read its configuration file:
ctg701: kill -HUP 'cat /var/run/sshd.pid'
The next time the user runs ssh to this host, they are no longer displayed this information:
$ ssh ctg701 Enter passphrase for key '/home/vking/.ssh/id_dsa':
Should you keep the commented keyword? I would recommend keeping it. After all, if you remove your entry, the default value will be used. You can also make configuration changes to the SSH daemon when you start the daemon at the command line:
ctg701: /opt/ssh/sbin/sshd -o "PrintLastLog no"
Optionally, these could also be placed in the startup configuration file for secsh:
/etc/rc.config.d/sshd: SSHD_START=1 SSHD_ARGS="-o PrintLastLog=no" root 18629 1 0 0:00 /opt/ssh/sbin/sshd -o PrintLastLog=no
However, if you use command line arguments (either directly from the command line or via the startup script), change the configuration file, and force the SSH daemon to re-read the configuration file, the command line options will still be used, not the newer option in the configuration file. To change a configuration option that is set at the command line, the daemon must be stopped and restarted. Note: As of Sept. 2002, HP-SSH currently will kill the SSH daemon if you force it to re-read the configuration file if the daemon was started with command line options. (Received SIGHUP; restarting. command-line line 0: missing yes/no argument.)
The SSH daemon is also using options that were specified at compile time. A complete list of options available to use with the SSH daemon can be found by using:
grep "", s" /opt/ssh/src/ssh/servconf.c | cut -f2 -d, | cut -f2 -d" " | cut -c2-60 | sort
The options that are underlined are not listed in the sshd_config file:
AFSTokenPassing AllowGroups AllowTcpForwarding AllowUsers AuthorizedKeysFile AuthorizedKeysFile2 Banner ChallengeResponseAuthentication Ciphers ClientAliveCountMax ClientAliveInterval DenyGroups DenyUsers Deprecated EmptyPasswd GatewayPorts GssAuthentication GssCleanupCreds GssKeyEx GssUseSessionCredCache HostKeyFile HostbasedAuthentication HostbasedUsesNameFromPacketOnly IgnoreRhosts IgnoreUserKnownHosts KbdInteractiveAuthentication KeepAlives KerberosAuthentication KerberosOrLocalPasswd KerberosTgtPassing KerberosTicketCleanup KeyRegenerationTime ListenAddress LogFacility LogLevel LoginGraceTime Macs MaxStartups PAMAuthenticationViaKbdInt PasswordAuthentication PermitRootLogin PidFile Port PrintLastLog PrintMotd Protocol PubkeyAuthentication RSAAuthentication RhostsAuthentication RhostsRSAAuthentication ServerKeyBits StrictModes Subsystem UseLogin VerifyReverseMapping X11DisplayOffset X11Forwarding X11UseLocalhost XAuthLocation
Looking at this list, you can determine additional configuration settings to be used in your SSH environment. We will add the "DenyUsers" option to see how that works and further to see how rules work in the configuration file. When the following line is added and sshd is forced to re-read its configuration file:
The user vking will no longer be prompted to enter their passphrase and the following message is displayed in syslog on the SSH server:
Sep 12 ctg701 sshd: User vking not allowed because listed in DenyUsers
However, the user will be prompted for their UNIX login password.
vking@ctg701's password: Permission denied, please try again.
Even when the user enters their correct UNIX login password, they are denied access and the following message is placed in syslog:
Sep 12 ctg701 sshd: Failed password for illegal user vking from 192.168.105.18 port 61400 ssh2
What happens if we modify the sshd_config file to include:
AllowUsers vking DenyUsers vking
This user will be denied access regardless of the order of these two options. If a user is restricted by any option, that user will not be granted access. Using the above configuration what happens when a user named jrice attempts to use ssh? That user is also denied access because all users (except for vking) are restricted access since they are not listed in the AllowUsers option. Let's try a different configuration using a wildcard character:
AllowUsers j* DenyUsers vking
This configuration results in the following behaviour:
jrice: Allowed access (since part of j* and not vking)
vking: Denied access because listed in DenyUsers and not part of AllowUsers
jwong: Allowed access (since part of j* and not vking)
fsmith: Denied access because not part of j*
Next week we will look at the ssh configuration on the client side.
Chris Wong is a technical consultant and trainer for Cerius Technology Group, Inc. in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security. http://newfdawg.com
This was first published in October 2002