====== OpenSSH ======
  * [[dropbear]]
  * [[libressl]]
  * [[monit]]
  * [[openssl]]
  * [[SSH]]
  * [[ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/]]
  * [[http://cmrg.fifthhorseman.net/wiki/OpenSSH]]
  * [[https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html]]
  * [[http://utcc.utoronto.ca/~cks/space/blog/sysadmin/SshdSelectiveOptions|Match support in SSHD]]
=== Server Configuration ===
This configuration requires that users be in the ''ssh-users'' group to log in (enforced by ''AllowGroups'').
A public key is recommended, but not required.
  # A barebones sshd_config
  PermitRootLogin no
  PasswordAuthentication no
  UsePAM no
  PrintMotd no
  PrintLastLog no
  Subsystem sftp /usr/lib64/misc/sftp-server
  AllowGroups ssh-users
=== User Configuration ===
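Don't hash ''known_hosts'' so that bash completion will work. Unhashed, the file lists every host you have connected to in clear text, which is what hashing is meant to hide from anyone who obtains the file. Add to ''~/.ssh/config'':
  HashKnownHosts no
Choose which key to authenticate with; ''IdentityFile'' names the private key file. Also see [[http://www.kelvinwong.ca/2011/03/30/multiple-ssh-private-keys-identityfile/|this]].
  IdentityFile ~/.ssh/id_rsa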
=== OS X ===
SSHD must be enabled in ''System Preferences > Sharing'' by turning on the ''Remote Login'' service. A firewall rule must also allow access on port 22, which can be set up in ''System Preferences > Security > Firewall > Advanced'' with the following configuration:
  * Block all incoming connections (unchecked)
  * Remote Login (SSH) - Allow incoming connections
On OS X the config file for SSHD is located at ''/etc/sshd_config''.
Add these lines to the config file:
  PermitRootLogin no
  PasswordAuthentication no
  UsePAM no
  AllowUsers
Then restart the SSH server manually from Terminal:
  launchctl stop com.openssh.sshd
  launchctl start com.openssh.sshd
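Added example (not part of the original page): sshd uses the first value it reads for single-valued keywords such as ''PasswordAuthentication'', so lines added below an earlier setting of the same keyword have no effect. The script checks the three ''no'' settings above against a constructed sample file; the function names and the sample are assumptions for illustration.

```sh
#!/bin/sh
# Added example. Assumption: only the main file's global section is read;
# Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORD: print the value sshd takes for a single-valued
# KEYWORD. Keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)      # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit       # conditional blocks start here
            if (key == want) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# audit_baseline FILE: check the three "no" settings from this page.
# Returns 1 if any of them is not effectively "no".
audit_baseline() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication UsePAM; do
        got=$(effective_value "$1" "$kw")
        if [ "$got" = "no" ]; then
            echo "ok    $kw $got"
        else
            echo "FAIL  $kw $got (wanted no)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: existing settings first, the page's lines appended last.
write_sample() {
    printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
        'UsePAM yes' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'UsePAM no' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
audit_baseline "$sample" || echo "appended lines are shadowed by earlier ones"
rm -f "$sample"
```

On a live host, ''sshd -T'' prints the configuration the daemon actually parsed, which also covers included files.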
=== Building from Source ===
Use the local copy of OpenSSL:
  ./configure --with-ssl-dir=/usr/local
If looking for ''ssh-copy-id'', it will be in the ''contrib'' directory.