OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
The OpenSSH suite consists of the following tools:
- Remote operations are done using ssh, scp, and sftp.
- Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
- The service side consists of sshd, sftp-server, and ssh-agent.
The props of the sshd service used to configure OpenSSH:
sshd=service AllowGroups=group1,group2:sftp,group3 AllowLocalGroups=wheel,adm LoginGraceTime=2m MaxAuthTries=6 PasswordAuthentication=yes PermitRootLogin=yes Protocol=2 SubsystemSftp=yes TCPPort=22 UsePAM=yes access=green,red status=enabled StrongEncryption=enabled
AllowGroups: a comma separated list of groups from the accounts provider allowed to connect with SSH. If the option :sftp is specified then the group is restricted to SFTP. This prop is considered if the property
AllowLocalGroups: a comma separated list of group names in /etc/groups that are granted full SSH and SFTP access.
SubsystemSftp: (yes,no) Enable the SFTP subsystem
LoginGraceTime: The time after which the server disconnects if the user has not successfully logged in.
MaxAuthTries: Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
PasswordAuthentication: (yes,no) Specifies whether password authentication is allowed.
PermitRootLogin: (yes,no) Specifies whether root can log in using ssh.
TCPPort: The TCP port on which sshd listens
UsePAM: (yes,no) Whether PAM is used to authenticate users
access: The firewall zones (for example green, red) from which SSH connections are allowed
status: (enabled,disabled) Enable or disable the sshd service
StrongEncryption: (enabled,disabled) Enable or disable the strong encryption by requiring strong ciphers, HostKeyAlgorithms, KexAlgorithms, MACs. Old clients might not be able to connect to the server once enabled.
Two events take care of expanding the templates and restarting the service:
nethserver-openssh-update (sshd is restarted)
nethserver-openssh-save (sshd is reloaded)
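As an added illustration (not NethServer's own template code), the following parses the sshd props line shown above and renders the sshd_config directives it implies. It assumes a group marked :sftp is confined with a Match Group block forcing internal-sftp, and it refuses a configuration that restricts a group to SFTP while the subsystem is disabled, since that would lock the group out entirely; the real templates may render this differently.

```python
# Constructed copy of the props line documented above.
PROPS_LINE = ("sshd=service AllowGroups=group1,group2:sftp,group3 "
              "AllowLocalGroups=wheel,adm LoginGraceTime=2m MaxAuthTries=6 "
              "PasswordAuthentication=yes PermitRootLogin=yes Protocol=2 "
              "SubsystemSftp=yes TCPPort=22 UsePAM=yes access=green,red "
              "status=enabled StrongEncryption=enabled")

def parse_props(line):
    """Turn 'sshd=service Key=val ...' into a dict; first token is the type."""
    tokens = line.split()
    props = {"type": tokens[0].partition("=")[2]}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        props[key] = val
    return props

def render_sshd_config(props):
    """Render a minimal sshd_config fragment from the props dict (assumed layout)."""
    allowed, sftp_only = [], []
    for g in filter(None, props.get("AllowGroups", "").split(",")):
        name, _, flag = g.partition(":")
        allowed.append(name)
        if flag == "sftp":          # ':sftp' suffix -> SFTP-only group
            sftp_only.append(name)
    # Local groups always get full SSH and SFTP access.
    allowed += [g for g in props.get("AllowLocalGroups", "").split(",") if g]
    sftp_enabled = props.get("SubsystemSftp", "no") == "yes"
    if sftp_only and not sftp_enabled:
        raise ValueError("SFTP-only groups need SubsystemSftp=yes: %s" % sftp_only)
    lines = [
        "Port " + props.get("TCPPort", "22"),
        "PermitRootLogin " + props.get("PermitRootLogin", "no"),
        "PasswordAuthentication " + props.get("PasswordAuthentication", "no"),
        "LoginGraceTime " + props.get("LoginGraceTime", "2m"),
        "MaxAuthTries " + props.get("MaxAuthTries", "6"),
        "UsePAM " + props.get("UsePAM", "yes"),
        "AllowGroups " + " ".join(allowed),
    ]
    if sftp_enabled:
        lines.append("Subsystem sftp internal-sftp")
    # Match blocks must come last: everything after them is conditional.
    for name in sftp_only:
        lines += ["Match Group " + name, "    ForceCommand internal-sftp"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_sshd_config(parse_props(PROPS_LINE)))
```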
One time password (2FA)
2FA is available only for password authentication. Public key authentication is not affected by 2FA.
The OpenSSH server can be protected by two-factor authentication (2FA). It adds an extra layer of security that is also required to access the new Server Manager. First, users enter their user name and password, then they are required to provide a temporary verification code generated by an application running on their smartphone.
2FA is disabled by default. Each user can enable it from the Two-factor authentication section under the Settings page.