From 19c6f692b6e9b744b36cee524e518ece71411513 Mon Sep 17 00:00:00 2001 From: "Simental Magana, Marcos" Date: Mon, 8 Oct 2018 10:49:41 -0500 Subject: [PATCH 1/3] Document how to change OpenSSH default port. This commit documents how to change the OpenSSH port on Clear Linux*. Clear Linux* enables an `sshd.socket` systemd unit, which listens on port 22 by default. This commit fixes #261 Signed-off-by: Simental Magana, Marcos --- .../reference/bundles/openssh-server.rst | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/source/clear-linux/reference/bundles/openssh-server.rst b/source/clear-linux/reference/bundles/openssh-server.rst index 99e6d80d5..0d63a725a 100644 --- a/source/clear-linux/reference/bundles/openssh-server.rst +++ b/source/clear-linux/reference/bundles/openssh-server.rst 
@@ -8,6 +8,46 @@ Remote users require a SSH service to be able to use an encrypted login shell. The first time OpenSSH starts, it generates the server SSH keys needed for the service. +|CL| enables the `sshd.socket` unit, which will listen on port 22 by default and +start the openssh service as required. + +Change Default Port +=================== +In order to change the default listen port for the OpenSSH\* service, perform +the following steps: + +#. Edit the sshd.socket unit file, provide the `ListenStream` option in the + `[Socket]` section with no value in order to remove the |CL| default port + value, then provide the `ListenStream` option again with the new default + port to listen. In this example, we change `ListenStream` to + listen on port 4200 instead of the |CL| default: + + .. code-block:: console + + # systemctl edit sshd.socket + +#. Verify your changes: + + .. code-block:: console + + # cat /etc/systemd/system/sshd.socket.d/override.conf + [Socket] + ListenStream= + ListenStream=4200 + +#. Reload the systemd daemon configurations: + + .. code-block:: console + + # systemctl daemon-reload + +#. Restart the sshd.socket unit: + + .. code-block:: console + + # systemctl restart sshd.socket + + SFTP ==== From b75b6880660e4be940cdc25d89ccabe33915f158 Mon Sep 17 00:00:00 2001 From: Kristal Dale Date: Mon, 8 Oct 2018 14:47:31 -0700 Subject: [PATCH 2/3] - Updated section headings to use correct underlining and capitalization. Updated heading text for clarity. - Update first CL reference to use CL-ATTR. - Break out first steps in Change default port section to be one step per #. - Update code-block command examples to use bash style. Separate the example commands from the example output. - Remove prompt # from example commands (per guidelines). - Minor capitalization and grammar edits. Signed-off-by: Kristal Dale --- .../reference/bundles/openssh-server.rst | 96 ++++++++++++------- 1 file changed, 60 insertions(+), 36 deletions(-) 
diff --git a/source/clear-linux/reference/bundles/openssh-server.rst b/source/clear-linux/reference/bundles/openssh-server.rst index 0d63a725a..5c0429d81 100644 --- a/source/clear-linux/reference/bundles/openssh-server.rst +++ b/source/clear-linux/reference/bundles/openssh-server.rst 
@@ -3,53 +3,77 @@ openssh-server ############## -This bundle provides the OpenSSH\* package needed to enable a SSH service. -Remote users require a SSH service to be able to use an encrypted login -shell. The first time OpenSSH starts, it generates the server SSH keys needed -for the service. +The **openssh-server** bundle provides the OpenSSH\* package needed to enable +a SSH service in |CL-ATTR|. Remote users require a SSH service to be able to +use an encrypted login shell. -|CL| enables the `sshd.socket` unit, which will listen on port 22 by default and -start the openssh service as required. +|CL| enables the `sshd.socket` unit, which will listen on port 22 by default +and start the OpenSSH service as required. The first time OpenSSH starts, it +generates the server SSH keys needed for the service. -Change Default Port -=================== -In order to change the default listen port for the OpenSSH\* service, perform -the following steps: +Change default port +******************* +Perform the following steps to change the default listen port for the +OpenSSH service: -#. Edit the sshd.socket unit file, provide the `ListenStream` option in the - `[Socket]` section with no value in order to remove the |CL| default port - value, then provide the `ListenStream` option again with the new default - port to listen. In this example, we change `ListenStream` to - listen on port 4200 instead of the |CL| default: +#. Open the sshd.socket file: + + .. code-block:: bash + + sudo systemctl edit sshd.socket + +#. Add the `[Socket]` section and `ListenStream` option to the sshd.socket + file as shown below. The first `ListenStream` entry removes the |CL| + default listen port value. The second `ListenStream` entry sets the new + default listen port value. In this example, we set the new default port + to 4200: .. 
code-block:: console - # systemctl edit sshd.socket + [Socket] + ListenStream= + ListenStream=4200 + + + Make sure to include a new line after the last line of text in the sshd.socket file. #. Verify your changes: + .. code-block:: bash + + cat /etc/systemd/system/sshd.socket.d/override.conf + + + You should see the following output: + .. code-block:: console - # cat /etc/systemd/system/sshd.socket.d/override.conf [Socket] ListenStream= ListenStream=4200 + #. Reload the systemd daemon configurations: - .. code-block:: console + .. code-block:: bash - # systemctl daemon-reload + sudo systemctl daemon-reload #. Restart the sshd.socket unit: - .. code-block:: console + .. code-block:: bash + + sudo systemctl restart sshd.socket + +#. Confirm the the sshd.socket unit is listening on your new port: - # systemctl restart sshd.socket + .. code-block:: bash + + systemctl status sshd.socket -SFTP -==== +Enable SFTP +*********** |CL| *disables* the :abbr:`SFTP (SSH File Transfer Protocol)` subsystem by default due to security considerations. To enable the SFTP subsystem, perform @@ -57,14 +81,14 @@ the following configuration of the :abbr:`SSHD (SSH Daemon)` service file: #. Create a systemd drop-in directory for the SSHD service: - .. code-block:: console + .. code-block:: bash - # mkdir -p /etc/systemd/system/sshd@.service.d + mkdir -p /etc/systemd/system/sshd@.service.d #. Create the following file: :file:`/etc/systemd/system/sshd@.service.d/sftp.conf` -#. Add the OPTIONS environment variable +#. Add the OPTIONS environment variable to the sftp.conf file. .. code-block:: console 
@@ -73,25 +97,25 @@ the following configuration of the :abbr:`SSHD (SSH Daemon)` service file: #. Reload systemd configuration: - .. code-block:: console + .. code-block:: bash - # systemctl daemon-reload + systemctl daemon-reload Congratulations! The SFTP subsystem is enabled. -Root login -========== +Enable root login +***************** -To enable root login via ssh, perform the following steps: +To enable root login via SSH, perform the following steps: -#. Create a *ssh* directory in :file:`/etc`, only if it does not exist) +#. Create a *ssh* directory in :file:`/etc`, if it does not already exist. - .. code-block:: console + .. code-block:: bash - # mkdir /etc/ssh + mkdir /etc/ssh #. Set the configuration variable. - .. code-block:: console + .. code-block:: bash - # echo "PermitRootLogin yes" >> /etc/ssh/sshd_config + echo "PermitRootLogin yes" >> /etc/ssh/sshd_config From 3d92de602b240f8cab7a76f07d7d1f6beacbab6c Mon Sep 17 00:00:00 2001 From: Kristal Dale Date: Mon, 8 Oct 2018 14:57:29 -0700 Subject: [PATCH 3/3] Clean up extra returns. Signed-off-by: Kristal Dale --- source/clear-linux/reference/bundles/openssh-server.rst | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/clear-linux/reference/bundles/openssh-server.rst b/source/clear-linux/reference/bundles/openssh-server.rst index 5c0429d81..d8747f9e4 100644 --- a/source/clear-linux/reference/bundles/openssh-server.rst +++ b/source/clear-linux/reference/bundles/openssh-server.rst @@ -43,7 +43,6 @@ OpenSSH service: cat /etc/systemd/system/sshd.socket.d/override.conf - You should see the following output: .. code-block:: console @@ -52,7 +51,6 @@ OpenSSH service: ListenStream= ListenStream=4200 - #. Reload the systemd daemon configurations: .. code-block:: bash @@ -71,7 +69,6 @@ OpenSSH service: systemctl status sshd.socket - Enable SFTP ***********
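
Review bot: In [PATCH 1/3], hunk @@ -8,6 +8,46 @@, step 1 of "Change Default Port" explains the two `ListenStream` entries in prose, but its code block shows only `systemctl edit sshd.socket`, so the text to type into the editor first appears under "Verify your changes". Show the `[Socket]`, `ListenStream=` and `ListenStream=4200` lines in step 1 itself. The procedure in this hunk also ends at `systemctl restart sshd.socket` with no step that checks the socket is now bound to 4200 and no longer to 22; a closing verification step would catch an override that was saved with only the second `ListenStream` line, which leaves port 22 open alongside the new port.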
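
Review bot: In [PATCH 2/3], hunk @@ -3,53 +3,77 @@, steps 1 and 2 of "Change default port" say "Open the sshd.socket file" and "after the last line of text in the sshd.socket file", but `systemctl edit sshd.socket` opens a drop-in, which is the `/etc/systemd/system/sshd.socket.d/override.conf` path the verify step reads back. Name the drop-in in both steps so readers do not go looking for, or edit, the packaged unit file. Two smaller points in the same hunk: the new last step reads "Confirm the the sshd.socket unit" (duplicated word) and does not say what to look for in the `systemctl status sshd.socket` output, and `mkdir -p /etc/systemd/system/sshd@.service.d` lost its `#` root prompt without gaining `sudo`, unlike the `systemctl` commands above it.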
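
Review bot: In [PATCH 2/3], hunk @@ -73,25 +97,25 @@, the `#` root prompt is removed from `systemctl daemon-reload`, `mkdir /etc/ssh` and `echo "PermitRootLogin yes" >> /etc/ssh/sshd_config`, but none of them gains `sudo`, so they fail when typed as a regular user. For the last one, prefixing `sudo` to `echo` is not enough because the `>>` redirection is performed by the unprivileged shell; use `echo "PermitRootLogin yes" | sudo tee -a /etc/ssh/sshd_config` or state that the steps are run as root. `mkdir /etc/ssh` also returns an error when the directory exists, which the step text allows for; `mkdir -p` matches the wording. Since the SFTP section already notes that a feature is off by default for security reasons, the root login section would benefit from one sentence saying that `PermitRootLogin yes` allows password logins as root and that `PermitRootLogin prohibit-password` restricts root to key-based authentication.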