# Running sshd

## CodeSlacker

Hey all, I'd like to start running sshd, but I don't know where to start.  It's installed, but I don't know how /etc/ssh/sshd_config needs to be set up.  What do I need to know before starting sshd or running an ssh daemon in general?  When I try to start sshd I get...

> sshd

Could not load host key: /etc/ssh/ssh_host_key

Could not load host key: /etc/ssh/ssh_host_rsa_key

Could not load host key: /etc/ssh/ssh_host_dsa_key

Disabling protocol version 1.  Could not load host key

Disabling protocol version 2.  Could not load host key

sshd: no hostkeys available -- exiting.

>

----------

## lowbatt

have you started sshd by (as root) /etc/init.d/sshd start

If not they try that because it creates the keys at that point. that and if you emerge things its best to use the scripts in /etc/init.d/ to start and stop them

At least as I understand it

----------

## CodeSlacker

Thanks lowbatt.  Running /etc/init.d/sshd start did the trick.  I can now ssh into my box.  Are there any issues I should know of or anything?  I mean, obviously, I want this to be secure, but I have no past experience with running any type of server if this can be called a server.

Thanks again.

----------

## rac

 *CodeSlacker wrote:*   

> Are there any issues I should know of or anything?

 As with most things, there's a tradeoff between ease of use and security.  Some things you might want to consider: disabling root login

disabling password authentication, only using public key authentication

disabling protocol 1 fallback, only supporting protocol 2

----------

## CodeSlacker

Also, could someone tell me where the log file is please.

Thanks

----------

## CodeSlacker

Do you have some links discussing these issues?  A place where I can educate myself.   :Smile: 

----------

## Larde

 *Quote:*   

> disabling password authentication, only using public key authentication 

 

There are different opinions... It's not a good idea someone who's account got hacked on machine A is allowed to login to machine B without password authentication. 

Yours,

Larde.

----------

## rac

 *Larde wrote:*   

>  *Quote:*   disabling password authentication, only using public key authentication  
> 
> There are different opinions... It's not a good idea someone who's account got hacked on machine A is allowed to login to machine B without password authentication. 

 Wouldn't having a decent passphrase on one's private key be helpful here?

----------

## Larde

Yes, but you can't enforce that from your users I think. I may be wrong though - and it only matters when you are not your only user anyway, which is mostly the case for home setups.  :Smile: 

Larde.

----------

## rac

 *Larde wrote:*   

> Yes, but you can't enforce that from your users I think.

 Well, the users in question would have to copy the public key from client to server's .ssh/authorized_keys before pubkey authorization will become effective, so at that point I think the onus is on the user.

----------

## masseya

 *CodeSlacker wrote:*   

> Do you have some links discussing these issues?  A place where I can educate myself.  

 

I haven't set sshd up very many times, but I have found that the link below to be rather good at explaining a few details and providing several references to other sources of information.   :Smile: 

http://yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html#SSH

----------

## CodeSlacker

Thanks for all the help guys.  The gentoo forums are always helpful.   :Smile: 

----------

## snickered

i am having trouble setting up my sshd ... this is my sshd_config file:

Port 22

Protocol 2,1

ListenAddress 0.0.0.0

#ListenAddress ::

# HostKey for protocol version 1

HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 3600

#ServerKeyBits 768

# Logging

#obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 120

PermitRootLogin no

#StrictModes yes

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used

#RhostsAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver

#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 

# Warning: enabling this may bypass the setting of 'PasswordAuthentication'

#PAMAuthenticationViaKbdInt no

#X11Forwarding no

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#KeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression yes

#MaxStartups 10

# no default banner path

#Banner /some/path

#VerifyReverseMapping no

# override default of no subsystems

Subsystem	sftp	/usr/lib/misc/sftp-server

and i tried to debug with ssh -v and this is what i got:

[snickered@obsidian snickered]$ ssh -v 66.169.208.215

OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: restore_uid

debug1: ssh_connect: getuid 508 geteuid 508 anon 1

debug1: Connecting to 66.169.208.215 [66.169.208.215] port 22.

debug1: temporarily_use_uid: 508/508 (e=508)

debug1: restore_uid

debug1: temporarily_use_uid: 508/508 (e=508)

debug1: restore_uid

debug1: Connection established.

debug1: identity file /home/snickered/.ssh/identity type -1

debug1: identity file /home/snickered/.ssh/id_rsa type -1

debug1: identity file /home/snickered/.ssh/id_dsa type -1

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1

debug1: match: OpenSSH_3.5p1 pat OpenSSH*

Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.1p1

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: dh_gen_key: priv key bits set: 125/256

debug1: bits set: 1665/3191

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '66.169.208.215' is known and matches the RSA host key.

debug1: Found key in /home/snickered/.ssh/known_hosts:1

debug1: bits set: 1572/3191

debug1: ssh_rsa_verify: signature correct

debug1: kex_derive_keys

debug1: newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: waiting for SSH2_MSG_NEWKEYS

debug1: newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: done: ssh_kex2.

debug1: send SSH2_MSG_SERVICE_REQUEST

debug1: service_accept: ssh-userauth

debug1: got SSH2_MSG_SERVICE_ACCEPT

debug1: authentications that can continue: publickey,password,keyboard-interactive

debug1: next auth method to try is publickey

debug1: try privkey: /home/snickered/.ssh/identity

debug1: try privkey: /home/snickered/.ssh/id_rsa

debug1: try privkey: /home/snickered/.ssh/id_dsa

debug1: next auth method to try is keyboard-interactive

debug1: authentications that can continue: publickey,password,keyboard-interactive

debug1: next auth method to try is password

snickered@66.169.208.215's password: 

debug1: packet_send2: adding 48 (len 63 padlen 17 extra_pad 64)

debug1: authentications that can continue: publickey,password,keyboard-interactive

Permission denied, please try again.

snickered@66.169.208.215's password: 

this is really bugging me ... cause in the past all i did was turn it on and it worked ... but i dont know what i've done to my system since then.  any help would be appreciated.

----------

## rtn

So what exactly is the problem, that sshd isn't accepting your user

password?  If that's the case, you might want to verify that your

password is correct, ensure that your shell is set in /etc/passwd, and

isn't a null, and check /etc/pam.d/sshd.

--rtn

----------

## snickered

thanks alot for the help rtn.  the prob was that there wasnt a shell defined in /etc/passwd.  thanks again for the help.

----------

## green_buddy

I'm also trying to setup sshd.  I can get it up and running using:

```
#sshd &
```

My question is how to start a service like this everytime the machine is started up without having to start it manually?  This is probably a more general linux question though!   :Rolling Eyes: 

Thanks,

-green

----------

## green_buddy

Ok, so a little lesson in rc-update taught me that I needed the following:

```
#rc-update add sshd default
```

However, where can I find out the realdifference between what should be included in boot vs. default runlevel.  I'm thinking that this service should probably be in boot, but not really knowing where to find the info that discusses this forces me to ask the question here.  If anyone can point me in the right direction that'd be excellent!  :Smile: 

I've searched in the online docs at regarding the Gentoo Linux 1.0 Init System, and under seciont 2. Runlevels it mentions in a note to checkout  *Quote:*   

> About rc-update

 , but I can't find that anywhere.  :Confused: 

Thanks,

-green

----------

## OdinsDream

sshd can safely go in the Default runlevel.

----------

## crimson

thanks, I had the same problem as CodeSlacker had, I guess using /etc/init.d/ssh start worked just fine  :Smile: 

----------

