====== SSH ======

===== Key-based authentication =====

  - Change the configuration in ''/etc/ssh/sshd_config'':
<code>
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
</code>
  - Apply the configuration:
<code>
/etc/init.d/ssh reload
</code>

==== Enabling /etc/security ====

  - Enable the following line in the PAM stack used by sshd (on Debian, ''/etc/pam.d/sshd''):
<code>
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so
</code>
Note that sshd only runs the PAM ''account'' stack, and with it ''pam_access'', when ''UsePAM yes'' is set in ''sshd_config''; with ''UsePAM no'' from the previous section, the rules in ''access.conf'' are not applied to SSH logins.
  - Set the access rules in ''/etc/security/access.conf'' (the first matching line wins, ''+'' permits, ''-'' denies):
<code>
##############################################################################
# All lines from here up to the end are building a more complex example.
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
+ : root : 192.168.111.0/24 192.168.222.0/24
+ : root : 127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
#+ : root : 192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
#+ : root : .foo.bar.org
#
# User "root" should be denied to get access from all other sources.
#- : root : ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
+ : remote_access : ALL
#
# User "john" should get access from ipv4 net/mask
#+ : john : 127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
#+ : john : ::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
#+ : john : 2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+ : john : 2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+ : john : 2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
- : ALL : ALL
</code>

===== Remote port forwarding =====

  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=228064

Allowing remote port forwarding (''-R'') to bind to interfaces other than loopback only.

  - Add or enable the following in ''/etc/ssh/sshd_config'':
<code>
GatewayPorts yes
</code>
  - Restart the daemon.

===== Querying the server fingerprint =====

  * http://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-check-server-fingerprint.html

<code>
find /etc/ssh -name '*sa_key.pub' -exec ssh-keygen -lf {} \;
1024 94:c8:30:7a:e9:22:83:fd:0e:99:27:f2:50:77:e5:cf root@foo (DSA)
2048 99:c4:b1:59:07:a3:70:b2:b2:20:0b:2d:4d:b7:30:c4 root@foo (RSA)
256 f7:00:1d:ee:14:fa:67:22:97:30:0d:39:35:6b:41:d6 root@foo (ECDSA)
</code>
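A mistake in ''access.conf'' locks administrators out, so it is worth checking which logins the rules from the ''/etc/security'' section above permit before reloading sshd. The following is an added example, not code from the page or from pam_access itself: it re-implements the subset of the ''pam_access'' matching rules used above (the ''remote_access'' group membership is a constructed sample; ''EXCEPT'', ''LOCAL'' and ''@netgroup'' are not handled).

```python
# Added example (not the page's own code): checks logins against the pam_access
# rules above. First matching line wins, "+" permits, "-" denies, no match permits.
# Handles ALL, user/group names, net/mask, tty names and the dot string matches;
# EXCEPT, LOCAL and @netgroup are not implemented.
import ipaddress

# Constructed sample of group memberships (the real module uses the group database).
GROUPS = {"remote_access": {"alice"}}

# The active (uncommented) lines of the access.conf example above.
ACCESS_CONF = """
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root : 192.168.111.0/24 192.168.222.0/24
+ : root : 127.0.0.1
+ : remote_access : ALL
- : ALL : ALL
"""

def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if "/" in pattern:                  # IPv4/IPv6 network/netmask
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(origin) in net
        except ValueError:              # origin is a tty or a host name
            return False
    if pattern.startswith("."):         # domain suffix, string match
        return origin.endswith(pattern)
    if pattern.endswith("."):           # network prefix, string match
        return origin.startswith(pattern)
    return pattern == origin            # exact tty, host or service name

def _user_matches(pattern, user):
    if pattern == "ALL":
        return True
    name = pattern[1:-1] if pattern.startswith("(") else pattern
    return name == user or user in GROUPS.get(name, set())

def access_allowed(user, origin, conf=ACCESS_CONF):
    """True if the first matching rule is a '+' line or no rule matches."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if any(_user_matches(u, user) for u in users.split()) and \
           any(_origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True  # pam_access grants access when nothing matches
```

Without the final ''- : ALL : ALL'' line, any user and origin that matches no earlier rule is permitted, which is why that line closes the file.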