Date: Wed, 27 Jan 2016 18:23:30 +0000 (UTC) From: Tom Rhodes <trhodes@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r48103 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201601271823.u0RINUbq047130@repo.freebsd.org>
Author: trhodes Date: Wed Jan 27 18:23:30 2016 New Revision: 48103 URL: https://svnweb.freebsd.org/changeset/doc/48103 Log: Break out the AllowUsers discussion into a separate section and add some discussion on the AuthenticationMethods option to utilize key-only auth. Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Jan 27 14:13:07 2016 (r48102) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Jan 27 18:23:30 2016 (r48103) @@ -2862,9 +2862,13 @@ user@unfirewalled-system.example.org's p <acronym>SSH</acronym> server, accepting connections from other <acronym>SSH</acronym> clients.</para> - <para>To see if <application>sshd</application> is enabled, - check <filename>/etc/rc.conf</filename> for this line and add - it if it is missing:</para> + <para>To see if <application>sshd</application> is operating, + use the &man.service.8; command:</para> + + <screen>&prompt.root; <userinput>service sshd status</userinput></screen> + + <para>If the service is not running, add the following line to + <filename>/etc/rc.conf</filename>.</para> <programlisting>sshd_enable="YES"</programlisting> 
@@ -2885,6 +2889,21 @@ user@unfirewalled-system.example.org's p complete discussion about authentication, the login process, and the various configuration files.</para> + <para>At this point, the <application>sshd</application> should + be available to all users with a username and password on + the system.</para> + </sect2> + + <sect2> + <title>SSH Server Security</title> + + <para>While <application>sshd</application> is the most widely + used remote administration facility for &os;, brute force + and drive by attacks are common to any system exposed to + public networks. Several additional parameters are available + to prevent the success of these attacks and will be described + in this section.</para> + <para>It is a good idea to limit which users can log into the <acronym>SSH</acronym> server and from where using the <literal>AllowUsers</literal> keyword in the @@ -2927,6 +2946,17 @@ user@unfirewalled-system.example.org's p available keywords.</para> </note> + <para>In addition, users may be forced to use two factor + authentication via the use of a public and private key. When + required, the user may generate a key pair through the use + of &man.ssh-keygen.1; and send the administrator the public + key. This key file will be placed in the + <filename>authorized_keys</filename> as described above in + the client section. To force the users to use keys only, + the following option may be configured:</para> + + <programlisting>AuthenticationMethods publickey</programlisting> + <tip> <para>Do not confuse <filename>/etc/ssh/sshd_config</filename> with <filename>/etc/ssh/ssh_config</filename> (note the
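Review bot: in the first hunk (@@ -2862), the new check `service sshd status` only works once sshd_enable is already set; rc.subr refuses `status` on a service that is not enabled in /etc/rc.conf and prints a message telling the user to set sshd_enable or use `onestatus`, so a reader who has not yet enabled sshd sees that message rather than "not running". Suggest either `service sshd onestatus` or a sentence noting that the status check applies once the service is enabled. Also, "add the following line to <filename>/etc/rc.conf</filename>." ends in a period directly before the <programlisting>; the removed text used a colon, which is the convention for introducing a listing, so the sentence should end with ":" instead.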
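Review bot: in the second hunk (@@ -2885), the new <sect2> carries no xml:id, so "SSH Server Security" cannot be targeted by an <xref>; suggest adding one in the style used by the chapter's other sections (for example xml:id="security-sshd-hardening", a hypothetical name). Wording: "drive by attacks" should be hyphenated as "drive-by attacks", "to prevent the success of these attacks" overstates what the options do and reads better as "to reduce the likelihood that these attacks succeed", and "the <application>sshd</application> should be available" reads better without the article.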
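Review bot: in the third hunk (@@ -2927), the added paragraph describes key-based login as "two factor authentication", but `AuthenticationMethods publickey` configures a single method (the key alone), which is what the log message itself calls key-only auth. Suggest "users may be required to authenticate with a public and private key pair" and, if a second factor is really intended, a comma-separated list such as `AuthenticationMethods publickey,password`, where every listed method must succeed in turn. Also "This key file will be placed in the <filename>authorized_keys</filename>" is imprecise: the contents of the user's public key are appended to that user's ~/.ssh/authorized_keys rather than the file being copied into place; and "To force the users to use keys only" should read "To require users to use keys only".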