Chapter 5. Serverwide Configuration
After installing an SSH server (sshd ), it's time to make informed decisions about your server's operation. Which authentication techniques should be permitted? How many bits should the server key contain? Should idle connections be dropped after a time limit or left connected indefinitely? These and other questions must be considered carefully. sshd has reasonable defaults, but don't accept them blindly. Your server should conform to a carefully planned security policy. Fortunately, sshd is highly configurable so you can make it do all kinds of interesting tricks. sshd may be configured at three levels, and this chapter covers the second one: serverwide configuration, in which a system administrator controls the global runtime behavior of the server. This includes a large, rich set of features, such as TCP/IP settings, encryption, authentication, access control, and error logging. Some features are controlled by modifying a serverwide configuration file, and others by command-line options passed to the server at invocation. The other two levels of configuration are compile-time configuration (Chapter 4, "Installation and Compile-Time Configuration"), in which the server is compiled with or without certain functionality; and per-account configuration (Chapter 8, "Per-Account Server Configuration"), in which the server's behavior is modified by end users for their accounts only. We'll discuss the distinction between the three levels in more detail later in this chapter. This chapter covers only the servers from SSH1/SSH2 and their derivatives OpenSSH and F-Secure SSH Server. Our reference implementations, however, are SSH1 and SSH2 for Unix. We've tried to indicate which features are found or not found in the various flavors of sshd, but these will certainly change as new versions appear, so read each product's documentation for the latest information.
Contents:The Name of the Server
Running the Server
Server Configuration: An Overview
Getting Ready: Initial Setup
Letting People in: Authentication and Access Control
User Logins and Accounts
History, Logging, and Debugging
Compatibility Between SSH-1 and SSH-2 Servers
5.1. The Name of the ServerThe SSH server is named sshd1 for SSH1, sshd2 for SSH2, and sshd for OpenSSH. However, you may also be able to invoke sshd1 or sshd2 as sshd, because their Makefiles create a symbolic link called sshd. [Section 4.1.3, "Building and Installing SSH1"] [Section 4.1.4, "Building and Installing SSH2"] The link points to sshd2 if it's installed, otherwise sshd1 (the SSH1 Makefile doesn't supersede links installed by SSH2). Some features in this chapter apply to sshd1 only, sshd2 only, OpenSSH's sshd only, or various combinations. We indicate this in the following ways:
Copyright © 2002 O'Reilly & Associates. All rights reserved.