FreeBSD Bugzilla – Attachment 62288 Details for
Bug 93130
addition to handbook section 14.11 Open SSH
Example of configuring OpenSSH.txt (text/plain), 11.32 KB, created by FBSD mailing List on 2006-02-13 00:34:56 UTC
Attachment flags: patch, obsolete
Example of configuring OpenSSH

Environment description:
In this example we have a FreeBSD system which we will call the host.

We have a remote FreeBSD system which is located somewhere on the public internet;
we will call this the FBSD-client.

We also have a remote MS Windows system which is located somewhere on the public internet;
we will call this the Win-client.

OpenSSH has a few different security levels when it comes to how the ssh login is handled.
This example details the encrypted host/client key with passphrase method.
This method gives the maximum protection possible utilizing ssh.

Host setup steps.

1. Edit /etc/rc.conf and add this statement
   sshd_enable="YES"

   Make sure your firewall allows port 22 in from the public internet.
   Reboot your system to activate sshd and log in as root.
   If this is your first time booting with sshd you will have to
   create the host keys.
   sshd will show you this on the first sshd boot only.

====================================================
Type a full screen full of random junk to unblock
it and remember to finish with <enter>. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.

Just hit <enter> for fast+insecure startup.
====================================================
kern.random.sys.seeded: 1 -> 0
qkcir83,2jsn40pl722jjbqok ---- this is the example junk entered
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
ed:5d:97:dc:49:98:36:66:fc root@domainname
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
67:e7:90:04:0e:27:2e:d2:97:6a root@a1poweruser.com
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
96:db:50:5c:9e:69:88:26:28:54 root@ domainname

2. If you do a "ps ax" command you will see sshd as one of the running tasks.

3. Using the adduser or pw command, create a normal user account.
   For this example we will use bob as the host user account name.

4. Hit alt/f2 at the same time to open a second session and log in using bob.

5. Run this command: ssh-keygen -t rsa
   Just hit enter to take the default location and file name.
   No need to enter a passphrase for the host user here, just hit enter 2 times.
   This is what you will see:

   Generating public/private rsa key pair.
   Enter file in which to save the key (/bob/.ssh/id_rsa):
   Created directory '/bob/.ssh'.
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /bob/.ssh/id_rsa.
   Your public key has been saved in /bob/.ssh/id_rsa.pub.
   The key fingerprint is:
   e7:e6:8f:d3:b1:b4:08:27:09:d2 bob@domainname

6. If you want to ssh login as Host 'root', you have to run step 5
   above while logged in as root on the host.
   Also edit /etc/ssh/sshd_config and change this statement

   #PermitRootLogin no   to   PermitRootLogin yes

   Then killall -HUP sshd to make the sshd task reread its sshd_config file.


FBSD-client setup steps.

1. Using the adduser or pw command, create a normal user account.
   For this example we will use remotetom as the user account name.

2. Log in using remotetom.

3. Run this command: ssh-keygen -t rsa
   Just hit enter to take the default location and file name.
   At the "Enter passphrase" prompt, enter one and write it down, because it will be needed for ssh login to the host.
   This is what you will see:

   Generating public/private rsa key pair.
   Enter file in which to save the key (/remotetom/.ssh/id_rsa):
   Created directory '/remotetom/.ssh'.
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /remotetom/.ssh/id_rsa.
   Your public key has been saved in /remotetom/.ssh/id_rsa.pub.
   The key fingerprint is:
   e7:e6:8f:d3:b1:b4:08:27:09:56:de:d2 tom@domainname

4. The public key file you just created, /remotetom/.ssh/id_rsa.pub, has to be
   sent to the Host system. On the host system rename it to authorized_keys2
   and put it into the home directory of the user set up earlier.
   In this case ~/bob/.ssh/authorized_keys2.

5. To ssh to the host enter this: ssh hostname   or   ssh host-ip-address
   The first time you ssh to the Host you will get these messages.
   Answer yes if you are sure this first connection is with your targeted host.
   Enter exit to terminate the session.

   # /home/remotetom/.ssh >ssh 10.0.10.2

   The authenticity of host '10.0.10.2 (10.0.10.2)' can't be established.
   DSA key fingerprint is 67:e7:90:04:0e:27:2e:d2:97:9d:7b:62:7e:c9:32:6a.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '10.0.10.2' (DSA) to the list of known hosts.
   Enter passphrase for key /remotetom/.ssh/id_rsa

   This is where you enter the passphrase you entered while running
   ssh-keygen on this remote client (remotetom).

   You are now logged into the Host account bob.

   Every time you ssh login again you will just get this prompt:
   Enter passphrase for key /remotetom/.ssh/id_rsa


7. At this point the Host user bob can log in from the Host console, or using telnet
   from a local LAN machine, or from the public internet if your host firewall
   has port 23 open. If this user is to be only allowed remote ssh client access
   you can use the vipw command to edit the system's master password file and star out
   his encrypted password. This will deny login from anywhere except remotebob.

   bob:$1$FXF.CEpf$B2cF:1001:31::0:0:remote ssh user only #:/home/bob:/bin/csh

   Edit it to look like this:

   bob:*:1001:31::0:0:remote ssh user only #:/home/bob:/bin/csh

8. At this point, if remotebob is a notebook pc he can ssh login from any place
   in the world. If remotebob is always working from home using ip
   address 192.168.1.32 you can add another level of security by restricting his
   login to come from that ip address. Do that by adding this statement to the
   Host /etc/ssh/sshd_config file:

   AllowUsers bob@192.168.1.32


Win-client setup steps.

1. You have to get the Windows putty program from
   http://www.chiark.greenend.org.uk/~sgtatham/putty/
   Download the current Windows installer program.
   Currently that's putty-0.58-installer.exe

2. Run the installer.exe and take all the defaults.

3. start/programs/Putty/Puttygen
   This will create your private and public ssh keys.
   At the bottom of the window select ssh2-rsa.
   Click on the generate button.

   After the keys are created, enter your passphrase.

   Then click on the 'save public key' button.
   Save it to c:/programs/putty/ putty_public_rsa_key

   Then click on the 'save private key' button.
   Save it to c:/programs/putty/ putty_private_rsa_key.ppk

   In the window area labeled
   "Public key for pasting into Open SSH authorized_key file"
   highlight that content and paste it into a notepad text file named
   win_authorized_keys2.txt

4. The win_authorized_keys2.txt file has to be sent to the Host system
   and put in the ~/home/bob/.ssh/ directory. In this example both the
   FBSD-client and the Win-client will use the same Host user account
   to ssh login to.

   Since the ~/home/bob/.ssh/authorized_keys2 already contains the
   private key for the FBSD-client you have to append the
   win_authorized_keys2.txt content to it.

   cat win_authorized_keys2.txt >> authorized_keys2

   If bob is to only be used by the Win-client then just
   cp win_authorized_keys2.txt authorized_keys2

5. start/programs/putty/putty to run it.
   On the bottom of the window click on "never exit".
   Under protocol be sure ssh is clicked.

   On the left side click on 'SSH',
   then in the 'preferred ssh protocol version'
   click on '2 only'.

   On the left side click on 'AUTH', remove the check mark from
   'Attempt keyboard-interactive auth (SSH-2)'.

   On the left side click on 'Sessions' to return to the main login window.
   Enter your host name (i.e., the official registered domain name of the Host box)
   or its IP address. Then type a name in the saved session window and click on the save
   button.

   Now click on the open button at the bottom of the window to log in to the host.

   An MS-DOS window will open up and you will receive a 'login as' prompt.
   Enter bob
   Then you get
   Authenticating with public key "rsa-key-20060209"
   Passphrase for key "rsa-key-20060209":

   At this point enter the passphrase you entered when you ran
   start/programs/Putty/Puttygen to create the rsa keys on the client remotetom.

   You are now logged into your host box using SSH. You have all the privileges that
   host user bob has when you created him.

   Every time you start/programs/putty/putty, highlight the name of your saved
   session and click on the load button. This will restore your saved session
   configuration; then click open to launch.


Conclusion:

Once you open ssh's port 22 in your firewall it won't be long before your auth.log
starts filling up with failed login attempts. About 99 percent of these failed
login attempts are script kiddies or robots. Their attacks are almost totally
based on indiscriminately rolling through a range of sequential IP addresses.
(i.e., they never use DNS to look up your domain name.) You were found by plain bad luck.
They run scripts that address the known ports listened on by those services which
accept logins. You use this knowledge to defend against this type of attack.
The simplest defense is to change the port number ssh uses. /etc/services is where
the port number used by SSH is defined and where you would change it. Remote clients
who want to access your host system will have to enter the alternate port number as part
of the login command.

ssh -p 77777 hostname   or   ssh -p 77777 host-ip-address

[-p 77777 is the example alternate ssh port number you specified in the /etc/services file]
or edit /etc/ssh/ssh_config on the remote client and change this statement from

   # Port 22   to   Port 77777   [to make the alternate port number permanent]

Windows putty also has a way to change the default ssh port number right on the login window.

You will have to open your firewall for the alternate port number you assign to ssh for this
to work.

The technique of assigning a non-standard port number for SSH is security through obscurity
and is one of the first and easiest security measures an administrator may consider.
By no means does this provide protection from the dedicated attacker who has targeted
your IP address for some reason. This is just the first security level of hiding through
obscurity from the majority of script kiddies and their robots. You will be surprised at
how effective this really is at discouraging repeat port scan attacks and fraudulent login
attempts.
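As an added example (not part of the attachment), a small POSIX sh audit of the three sshd_config directives this tutorial touches (PermitRootLogin from Host step 6, AllowUsers from FBSD-client step 8, Port from the conclusion) plus the starred-out master.passwd field from step 7. The defaults it assumes are taken from the commented lines shown above, and the sample sshd_config is constructed.

```shell
# Added example (not part of the attachment): audit the settings this tutorial
# changes. Assumes the FreeBSD defaults implied by the commented lines shown
# above ("#PermitRootLogin no", "# Port 22"); adjust for your OpenSSH version.

# sshd_effective FILE DIRECTIVE DEFAULT
# Print the value of the first uncommented DIRECTIVE line (sshd honours the first
# match only), or DEFAULT when the directive is absent or only commented out.
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) {
            sub(/^[^ \t]+[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print d }' "$1"
}

# sshd_findings FILE: one line per setting still at a weak value; prints nothing
# when root login is off, AllowUsers restricts who may log in, and sshd is not
# listening on the default port.
sshd_findings() {
    [ "$(sshd_effective "$1" PermitRootLogin no)" = "no" ] ||
        echo "PermitRootLogin: root may log in over ssh"
    [ -n "$(sshd_effective "$1" AllowUsers "")" ] ||
        echo "AllowUsers: no user/host restriction configured"
    [ "$(sshd_effective "$1" Port 22)" != "22" ] ||
        echo "Port: sshd is still on the default port 22"
}

# passwd_locked LINE: succeed when a master.passwd entry has its password field
# starred out with vipw, so the account can only be reached with an ssh key.
passwd_locked() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = "*" ]
}

# Constructed sample sshd_config: step 6 left root login off, step 8 added the
# AllowUsers line, but the port change from the conclusion was never made.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin no
# Port 22
AllowUsers bob@192.168.1.32
EOF

# count_findings FILE: number of findings, usable as a pass/fail value.
count_findings() {
    sshd_findings "$1" | grep -c ''
}

sshd_findings "$SAMPLE_CFG"
```

Run it against the real /etc/ssh/sshd_config on the host once the steps above are done; the sample config produces exactly one finding, the unchanged port.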