From: Ken Stevenson <ken@allenmyland.com>
Date: Wed, 08 Feb 2006 18:01:30 -0500
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: sshd / ssh setup
Message-ID: <43EA784A.70504@allenmyland.com>

fbsd_user wrote:
> Have user who is logging in to USA site from Asian public internet
> cafes using his personal windows/xp notebook. Trying to setup the
> USA server and his windows/xp notebook to use SSH.
> Added sshd_enable="YES" to USA site server rc.conf and rebooted
> system.
> During boot process, followed sshd instruction and built
> the root user keys. Have read the handbook but have no clue as
> how to proceed. The handbook covers all the many different ssh
> config options, but does not say how to really use it.

There are a lot of options here, but here's how I do it. Not necessarily the best way, but it works for me.

> Need procedures to
> 1. setup users on FreeBSD target sshd server.

Create a regular login for each outside user using adduser. Make sure port 22/tcp is open inbound. Login as that user and run:

ssh-keygen -t rsa

I don't have many users, so I disable ChallengeResponse authentication and require users to submit keys. To do that, edit /etc/ssh/sshd_config and set:

ChallengeResponse no

I also set:

Protocol 2

> 2. setup users on FreeBSD remote box to ssh to sshd server.

Have them run the same ssh-keygen -t rsa. Tell them to send you ~/.ssh/id_rsa.pub. Concatenate that to the ~/.ssh/authorized_keys2 file in their home directory on your server. Make sure the key ends up on a new line in authorized_keys2. If there wasn't a newline at the end of the file previously, it will end up concatenating it to the end of whatever keys are already there. If that happens, just go in with a text editor and break the line. The user should then be able to ssh into your box.

> 3. setup users on windows/xp remote box to ssh to sshd server.
Install PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Run puttygen and generate an SSH2 RSA key (select this at the bottom of the dialog box). Tell them to save the public and private keys, and then to copy the contents of the "Public key for pasting..." field at the top of the screen, paste it into a file in Notepad, and email it to you. Concatenate that to the end of their ~/.ssh/authorized_keys2 file as you did for your FreeBSD users. If they're going to be logging in often, tell them to run pageant to cache the private key. Then they can run putty and connect to your server.

Again, you might not want to do it this way if you don't want to mess around with having users send you keys, but it's a lot more secure. Pretty soon you'll be getting 100 or more hits a day from crackers trying to log into your system. They'll never get anywhere if you're using key based authentication.

-- 
Ken Stevenson
Allen-Myland Inc.
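Ken's step 2 (and the PuTTY step, which ends the same way) hinges on getting the user's public key onto its own line of the authorized_keys file without corrupting the keys already there. The script below is an added example, not code from the original mail or from FreeBSD, that automates that append: it adds the missing newline only when the file does not already end in one, refuses input that is not an OpenSSH public-key line, skips a key that is already present so re-running is harmless, and sets the 700/600 permissions that sshd's default StrictModes requires before it will honour the file. The function names, the two path arguments and the sample keys are assumptions constructed for illustration; pass ~/.ssh/authorized_keys2 as the second argument if that is the file your sshd reads. For reference, the sshd_config keyword for the setting Ken describes is ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Added example (not part of the original mail): safely append one user's
# public key to an authorized_keys file. Function names and arguments are
# assumptions chosen for this illustration.

# append_authorized_key PUBKEY_FILE AUTHKEYS_FILE
#   PUBKEY_FILE   the id_rsa.pub (or the PuTTY "public key for pasting" line)
#                 the user sent you
#   AUTHKEYS_FILE e.g. /home/alice/.ssh/authorized_keys
append_authorized_key() {
    pubkey_file="$1"
    authkeys="$2"
    sshdir=$(dirname "$authkeys")

    # Take exactly one key line; a mailed key file may or may not end in a newline.
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores keys whose directory or
    # file is group/world-accessible, so create them locked down.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$authkeys" ] || (umask 077; : > "$authkeys")
    chmod 600 "$authkeys"

    # Already present as a whole line? Then there is nothing to do.
    if grep -qxF -- "$key" "$authkeys"; then
        return 0
    fi

    # If the last byte is not a newline, a plain append would glue the new
    # key onto the previous one (the problem described in the mail).
    if [ -s "$authkeys" ] && [ "$(tail -c 1 "$authkeys" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$authkeys"
    fi
    printf '%s\n' "$key" >> "$authkeys"
}

# count_authorized_keys AUTHKEYS_FILE: number of key lines, for a quick check
# after each append (prints 0 rather than failing when there are none).
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-sha2-)' "$1" 2>/dev/null || true
}

# Usage (as root, after `adduser alice` and receiving her key as /tmp/alice.pub):
#   append_authorized_key /tmp/alice.pub /home/alice/.ssh/authorized_keys
#   chown -R alice:alice /home/alice/.ssh
#   count_authorized_keys /home/alice/.ssh/authorized_keys
```

Run it as root for each key you receive, then chown the user's ~/.ssh back to the user; the count check tells you at once whether the key landed as a separate line or was rejected.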