Configure SSH
Setting Up the Logs
Now that you have both OpenSSL and OpenSSH you need to set up the all-important logs, so you can keep track of how they are working and, even more importantly, what the users are up to. Start by editing /etc/syslog.conf, which is the configuration file for the syslog daemon that does the logging. The only change needed is to add the following line to the end of the file.
local7.* /var/log/sshd
Now that you have updated the configuration you need to restart the syslog daemon for the changes to take effect. Slackware 8 users should use the following two commands to do this.
killall syslogd
/usr/sbin/syslogd
For Slackware 8.1 it is easier and much neater; use the following command.
/etc/rc.d/rc.syslog restart
That's it for this step; the logs are now set up. The next step is to move on to the actual OpenSSH configuration.
Step 5. OpenSSH Configuration
You will find that each of these settings is already present in the sshd configuration file, just that some are commented out, and so each needs to be checked. You really need to be careful to make sure this is done right, or you are asking for problems.
We start by setting up the OpenSSH side of the logs, to match what we did in the previous section. Then we set the logging level, which is actually the amount of information that is sent to the syslog daemon. I always set this to VERBOSE, which gives more than enough information for most users. For all the possible settings have a look at the man page for sshd. For this HOWTO we are using my standard settings, which are shown below.
SyslogFacility LOCAL7
LogLevel VERBOSE
Now that the logs are out of the way we move on to the security settings, starting with one that is actually optional but strongly recommended: it controls the root user's ability to log in remotely via SSH. Call me paranoid, but the thought of the root user logging in remotely, no matter how secure the link is, looks bad; others disagree, so this one is up to you, just remember you have been warned about this one. Anyway, this is controlled with the following setting.
PermitRootLogin no
That's the optional one out of the way; this next one you really need to set, as it controls whether blank passwords are accepted. Blank passwords, as we all know, are a bad thing, and if you are using them there is no need to move away from Telnet, as you have no security anyway. So, as you are looking for security, make sure blank passwords are not permitted by verifying that the following is set.
PermitEmptyPasswords no
This next one is enabled by default, so I have included it here to make sure that you are aware of it and know never to disable it. It controls the privilege separation feature; remember we created the user and group for this in Step 2. You really want this enabled, as it provides additional security. Make sure the following is set.
UsePrivilegeSeparation yes
That's the end of the very basic configuration covered by this HOWTO; the other settings in the configuration file are outside its scope. For those interested in learning more, details on all the settings are available in the man page for sshd.
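To check the configuration file against the five settings in this section, here is an added example in POSIX shell; it is not part of the HOWTO. It assumes the file uses the plain "Keyword value" form shown above, and it handles the two things that catch people: a setting that is still commented out is not set at all, and sshd uses the first active occurrence of a keyword, so a live line above yours silently wins.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: check that an sshd_config
# really carries the settings above. Two things bite people here: sshd
# ignores lines starting with '#', so a setting left commented out is not
# set at all, and for each keyword sshd uses the FIRST active occurrence,
# so a live "PermitRootLogin yes" above your own line silently wins.

# effective_value FILE KEYWORD -> prints the first active value (or nothing)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment: skip
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# check_sshd_config FILE -> one line per problem; returns 0 only if all
# five settings from this HOWTO are active and have the expected value.
check_sshd_config() {
    cfg="$1"
    rc=0
    while read -r key want; do
        have=$(effective_value "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (still commented out?)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$key: is '$have', expected '$want'"; rc=1
        fi
    done <<EOF
SyslogFacility LOCAL7
LogLevel VERBOSE
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
EOF
    return $rc
}

# Constructed sample config for a stand-alone run; it has two problems.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin yes
SyslogFacility LOCAL7
LogLevel VERBOSE
PermitRootLogin no
PermitEmptyPasswords yes
EOF
if check_sshd_config "$SAMPLE"; then echo "sshd_config OK"; fi
rm -f "$SAMPLE"
```

Run it against your own file with check_sshd_config /path/to/sshd_config once the function is sourced; it prints nothing and exits 0 when everything matches.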
At this point you have configured the SSH daemon to the point where it has a good level of security and supports remote access in the same way that Telnet did, but with one major difference: it is now encrypted. Now we move on to testing your new installation.
Step 6. Testing SSH
You have now built and configured OpenSSH, so before moving on to the final stages of the setup it is a good idea to make sure all is working. For this test you do not need a second machine; it can all be done locally. The first thing to do is to start the SSH daemon, which you do with the following command.
/usr/local/sbin/sshd
Assuming that no error messages were reported, the SSH daemon has started (it does not print any success message either), and you can now try connecting to it. For this test you need to use a user other than root, since, if you remember, we disabled that user's ability to log in via SSH. Run the test with the following command.
ssh username@localhost
After you run the above command you should see the following message.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b0:71:1a:51:41:2e:dd:3a:a8:9a:dc:15:1a:fe:5f:91.
Are you sure you want to continue connecting (yes/no)?
This message is nothing to worry about; all it means is that SSH does not know the host you are connecting to and is asking you to confirm that it really is the host it claims to be, which in this case, as it is your own machine, it is, so answer yes. The next message you should see will look like this.
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
This one is normal and means exactly what it says: localhost has been added to the list of known trusted hosts. Next you will be prompted for the password of the user you used for this test. If all is good you will be able to log in OK; if you get an error message such as Permission denied, then you need to recheck all the above steps.
As all is working, you can now move on to the next section, which covers the setup to start the SSH daemon automatically at boot time.
Step 7. Starting SSHD on bootup
This seventh and final step covers the configuration needed to start the SSH daemon automatically on those very rare occasions when you need to reboot your machine. Slackware 8.x uses a very simple set of startup scripts, which are all located in /etc/rc.d. The only one you are interested in is rc.local, which, as the name suggests, is where local startup commands live. So open it and add the following lines to the end.
# start SSHD
/usr/local/sbin/sshd