RE: sshd / ssh setup

2006-02-10 Thread fbsd_user
For the archives.

Example of configuring OpenSSH

Environment description:
In this example we have a FreeBSD system which we will call the host.
We have a remote FreeBSD system which is located somewhere on the
public internet; we will call this the FBSD-client.
We also have a remote MS Windows system which is located somewhere
on the public internet; we will call this the Win-client.
OpenSSH has a few different security levels when it comes to how
the ssh login is handled. This example details the encrypted
host/client key with passphrase method.
This method gives the maximum protection possible utilizing ssh.

Host setup steps.

1.  Edit /etc/rc.conf and add this statement
sshd_enable="YES"
Make sure your firewall allows port 22 in from the public internet.
Reboot your system to activate sshd and log in as root.
If this is your first time booting with sshd you will have to
  create the host keys.
sshd will show you this on the first sshd boot only.


Type a full screen full of random junk to unblock
it and remember to finish with enter. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.

Just hit enter for fast+insecure startup.

kern.random.sys.seeded: 1 - 0
qkcir83,2jsn40pl722jjbqok    this is the example junk entered
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
ed:5d:97:dc:49:98:36:66:fc [EMAIL PROTECTED]
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
67:e7:90:04:0e:27:2e:d2:97:6a [EMAIL PROTECTED]
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
96:db:50:5c:9e:69:88:26:28:54 root@ domainname

2.  If you do a "ps ax" command you will see sshd as
  one of the running tasks.

3.  Using the adduser or pw command, create a normal user account.
For this example we will use bob as the host user account name.

4.  Hit alt/f2 at the same time to open a second session and log in
as bob.

5.  Run this command:   ssh-keygen -t rsa
Just hit enter to take the default location and file name.
No need to enter a passphrase for the host user here,
  just hit enter 2 times.
This is what you will see:

Generating public/private rsa key pair.
Enter file in which to save the key (/bob/.ssh/id_rsa):
Created directory '/bob/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /bob/.ssh/id_rsa.
Your public key has been saved in /bob/.ssh/id_rsa.pub.
The key fingerprint is:
e7:e6:8f:d3:b1:b4:08:27:09:d2 [EMAIL PROTECTED]

6.  If you want to ssh login as host 'root', you have to run
  step 5 above while logged in as root on the host. Also
  edit /etc/ssh/sshd_config and change this statement

#PermitRootLogin no

to

PermitRootLogin yes

Then   killall -HUP sshd
  to make the sshd task reread its sshd_config file.



FBSD-client setup steps.

1.  Using the adduser or pw command, create a normal user account.
  For this example we will use remotetom as the user account name.

2.  Log in using remotetom.

3.  Run this command:   ssh-keygen -t rsa
Just hit enter to take the default location and file name.
At the "Enter passphrase" prompt, enter one and write it down,
  because it will be needed for ssh login to the host.
This is what you will see:

Generating public/private rsa key pair.
Enter file in which to save the key (/remotetom/.ssh/id_rsa):
Created directory '/remotetom/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /remotetom/.ssh/id_rsa.
Your public key has been saved in /remotetom/.ssh/id_rsa.pub.
The key fingerprint is:
e7:e6:8f:d3:b1:b4:08:27:09:56:de:d2 [EMAIL PROTECTED]

4.  The public key file you just created, /remotetom/.ssh/id_rsa.pub,
  has to be sent to the host system. On the host system rename it
  to authorized_keys2 and put it into the home directory of the
  user set up earlier. In this case ~/bob/.ssh/authorized_keys2.

5.  To ssh to the host enter this:   ssh hostname   or   ssh host-ip-address
The first time you ssh to the host you will get these messages.
  Answer yes if you are sure this first connection is with
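As an added example, not part of fbsd_user's post: a small POSIX sh script that audits an sshd_config for the directives the host setup above turns on and off (PermitRootLogin, password and challenge-response authentication, Protocol). The config it reads is constructed for the demonstration; it models sshd's first-occurrence rule for repeated keywords and ignores Match blocks.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings the
# host setup above touches. sshd honours the FIRST occurrence of a keyword and
# ignores '#' lines, so leaving "#PermitRootLogin no" commented out above a
# later "PermitRootLogin yes" does not disable root login. Match blocks are
# not handled here.

# sshd_get <config-file> <Keyword> <fallback>: print the effective value
# (first uncommented, case-insensitive match) or <fallback> when absent.
sshd_get() {
    v=$(awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# sshd_audit <config-file>: print one line per deviation from the key-only
# posture (root login off, password and challenge-response auth off,
# protocol 2 only). An absent keyword is reported as "unset" and flagged,
# since the thread sets these explicitly. Returns 0 only when clean.
sshd_audit() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "Protocol 2"; do
        key=${want% *}; expect=${want#* }
        got=$(sshd_get "$1" "$key" unset)
        [ "$got" = "$expect" ] || { echo "$key is '$got', expected '$expect'"; rc=1; }
    done
    return $rc
}

# Constructed sample config for the demonstration, not copied from any host.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
Protocol 2
challengeresponseauthentication no
PasswordAuthentication no
EOF

# Stand-alone demonstration: the sample is flagged for root login only.
sshd_audit "$SAMPLE_CFG" || echo "sample config needs attention"
```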

sshd / ssh setup

2006-02-08 Thread fbsd_user
Have a user who is logging in to a USA site from Asian public internet
cafes using his personal windows/xp notebook. Trying to set up the
USA server and his windows/xp notebook to use SSH.
Added sshd_enable=YES to the USA site server rc.conf and rebooted the
system.
During the boot process, followed the sshd instructions and built
the root user keys. Have read the handbook but have no clue as to
how to proceed. The handbook covers all the many different ssh
config options, but does not say how to really use it.

Need procedures to
1. set up users on the FreeBSD target sshd server.
2. set up users on a FreeBSD remote box to ssh to the sshd server.
3. set up users on a windows/xp remote box to ssh to the sshd server.

Is this documented anywhere?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: sshd / ssh setup

2006-02-08 Thread Ken Stevenson

fbsd_user wrote:

> Have a user who is logging in to a USA site from Asian public internet
> cafes using his personal windows/xp notebook. Trying to set up the
> USA server and his windows/xp notebook to use SSH.
> Added sshd_enable=YES to the USA site server rc.conf and rebooted the
> system.
> During the boot process, followed the sshd instructions and built
> the root user keys. Have read the handbook but have no clue as to
> how to proceed. The handbook covers all the many different ssh
> config options, but does not say how to really use it.

There are a lot of options here, but here's how I do it. Not 
necessarily the best way, but it works for me.



> Need procedures to
> 1. set up users on the FreeBSD target sshd server.

Create a regular login for each outside user using adduser.
Make sure port 22/tcp is open inbound.

Login as that user and run:

ssh-keygen -t rsa

I don't have many users so I disable ChallengeResponse authentication
and require users to submit keys. To do that, edit
/etc/ssh/sshd_config and set:

ChallengeResponseAuthentication no

I also set:

Protocol 2


> 2. set up users on a FreeBSD remote box to ssh to the sshd server.


Have them run the same ssh-keygen -t rsa

Tell them to send you ~/.ssh/id_rsa.pub

Concatenate that to the ~/.ssh/authorized_keys2 files in their home 
directory on your server. Make sure the key ends up on a new line in 
authorized_keys2. If there wasn't a newline at the end of the file 
previously, it will end up concatenating it to the end of whatever 
keys are already there. If that happens, just go in with a text editor 
and break the line.


The user should then be able to ssh into your box.


> 3. set up users on a windows/xp remote box to ssh to the sshd server.


Install Putty

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Run puttygen and generate an SSH2 RSA key (select this at the bottom
of the dialog box). Tell them to save the public and private keys, and
then to copy the contents of the "Public key for pasting..." field at the
top of the screen, paste it into a file in notepad, and email it to
you. Concatenate that to the end of their ~/.ssh/authorized_keys2 file
as you did for your freebsd users.


If they're going to be logging in often, tell them to run pageant to 
cache the private key.


Then they can run putty and connect to your server.

Again, you might not want to do it this way if you don't want to mess
around with having users send you keys, but it's a lot more secure.
Pretty soon you'll be getting 100 or more hits a day from
crackers trying to log into your system. They'll never get anywhere if
you're using key based authentication.






--
Ken Stevenson
Allen-Myland Inc.
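As an added example, not Ken's own code: a POSIX sh helper that does the authorized_keys2 concatenation he describes while guarding against the missing-trailing-newline case and against a key that arrives from Notepad with CRLF endings or in puttygen's multi-line "Save public key" format. The keys and home directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: append one public key to a user's
# authorized_keys2 as Ken describes, guarding the two things that go wrong in
# practice: the existing file lacking its final newline (the new key is glued
# onto the previous one and both stop working) and a key that arrives with
# CRLF endings or in puttygen's multi-line format, which sshd does not read.

# add_authorized_key <home-dir> <public-key-file>
# Returns 0 when exactly one well-formed key line was appended, 1 otherwise.
add_authorized_key() {
    home=$1; keyfile=$2; dest="$home/.ssh/authorized_keys2"
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$keyfile"; then
        echo "refusing $keyfile: RFC 4716 format; use the one-line 'Public key for pasting' field" >&2
        return 1
    fi
    # Strip CR (Notepad/e-mail) and keep the first non-blank line.
    key=$(tr -d '\r' < "$keyfile" | grep -v '^[[:space:]]*$' | head -n 1)
    # A usable line is "<type> <base64> [comment]" on a single line.
    if ! printf '%s\n' "$key" | grep -Eq '^ssh-(rsa|dss) [A-Za-z0-9+/]+={0,2}( .*)?$'; then
        echo "refusing $keyfile: not a single-line OpenSSH public key" >&2
        return 1
    fi
    # sshd's StrictModes rejects keys living in group/world-writable paths.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$dest" && chmod 600 "$dest"
    # $(...) drops trailing newlines, so a non-empty result means the last
    # byte is not a newline: add one before appending (the "break the line"
    # fix from the thread, applied before the damage happens).
    if [ -s "$dest" ] && [ -n "$(tail -c 1 "$dest")" ]; then
        printf '\n' >> "$dest"
    fi
    printf '%s\n' "$key" >> "$dest"
}

# authorized_key_count <home-dir>: number of key lines present.
authorized_key_count() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys2"
}

# Constructed demonstration data; the base64 blobs are not real keys.
DEMO_HOME=$(mktemp -d); mkdir -p "$DEMO_HOME/.ssh"
# Existing key whose line has NO trailing newline, the case from the thread.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexample1 bob@host' > "$DEMO_HOME/.ssh/authorized_keys2"
# Key pasted from puttygen into Notepad and e-mailed: CRLF line ending.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexample2 rsa-key-20060208\r\n' > "$DEMO_HOME/win.pub"
# Key written by puttygen's "Save public key" button: wrong format for sshd.
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAA' '---- END SSH2 PUBLIC KEY ----' > "$DEMO_HOME/wrong.pub"
add_authorized_key "$DEMO_HOME" "$DEMO_HOME/win.pub" && echo "keys on file: $(authorized_key_count "$DEMO_HOME")"
```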


RE: sshd / ssh setup

2006-02-08 Thread fbsd_user
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken
Stevenson
Sent: Wednesday, February 08, 2006 6:02 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: sshd / ssh setup

Ken,
Thanks, that helps a lot.
The only thing missing is: what is the ssh login syntax to log in from the
remote FreeBSD pc?
Can I also remotely log in as root on the sshd server system?
I guess the setup instructions are with the putty pgm for ssh access
from windows/xp.




Re: sshd / ssh setup

2006-02-08 Thread Ken Stevenson

fbsd_user wrote:


> Ken,
> Thanks, that helps a lot.
> The only thing missing is: what is the ssh login syntax to log in from the
> remote FreeBSD pc?
> Can I also remotely log in as root on the sshd server system?
> I guess the setup instructions are with the putty pgm for ssh access
> from windows/xp.


On the freebsd machine:

ssh hostname

The first time you connect, you'll be prompted to confirm you're sure about
the identity of the host you're connecting to.


Assuming you assigned a passphrase to your key using ssh-keygen, 
you'll have to enter the passphrase.


For putty, go to the SSH | Auth tab and select the private rsa2 key 
created with puttygen. Enter your username in the Auto-login username 
field on the Connection tab.


Enter the host name, then click the save button to save the profile. 
Then just double click on the profile name to connect. If you 
previously cached the private key with pageant, you won't have to 
enter a passphrase.



--
Ken Stevenson
Allen-Myland Inc.