From: Chris
Date: Sat, 29 Nov 2008 14:01:28 -0800
To: Jos Chrispijn
Cc: FreeBSD-Questions Questions
Subject: Re: Temporarily blocking ports

On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:

> From your reply on my message of 29-11-2008 21:47:
>> An even tighter practice is to turn off all password logins and
>> use only keyed connections. This is easier than it might seem,
>> though I'll admit I think of ssh as something only a select
>> number of users may use and thus you know them by name
>> and what IPs they are permitted to connect on.
> I have been thinking of that as well, but don't think I should use
> that yet with the knowledge I have on this.
> Do you refer to manual or automatic key connections?

It's extremely easy. Generate your key and spread it to all systems you
want to connect to. Have other users generate their keys and do the same.
After everyone is set, turn off password access in /etc/ssh/sshd_config;
that file contains the docs in comments on how to do this. You change
three parameters. Then sshd will need to be restarted. Be sure logins by
key work first.

This implies how to set up your keys. This was lifted from a helpful page
on the net and modified, but is pretty basic. It creates the keys in the
home directory of myuserid on system www.example.com, then moves the key
to a second system called other.example.com so that myuserid can move
between systems. The userid on the remote does not need to be the same
string as on the local system, though it's shown that way here.

www$ cd # get to your home directory
www$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuserid/.ssh/id_rsa.
Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
The key fingerprint is:
myuserid@www.example.com
www$ ssh myuserid@other.example.com mkdir -p .ssh
Password:
www$ cat .ssh/id_rsa.pub | ssh myuserid@other.example.com 'cat >> .ssh/authorized_keys'
Password:

You are done setting up keys.

Sample use of seamless login:

www$ ssh other.example.com
other$ host other.example.com
other$ users
myuserid ttyp0 Jul 14 05:28 (www.example.com)
other$ exit
www$

I only use this on FreeBSD and OS-X. No idea on Putty and others.

> thanks for sharing,
> Jos Chrispijn
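The mail says to change "three parameters" in /etc/ssh/sshd_config without naming them. As an added example that is not part of the thread, the script below audits a config for the two OpenSSH keywords that actually close the password path (PasswordAuthentication and ChallengeResponseAuthentication, the latter being what PAM password prompts ride on) and confirms PubkeyAuthentication is still on, which is the "be sure logins by key work first" check before restarting sshd. The keyword defaults are OpenSSH's documented ones, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mail): audit an sshd_config for the settings
# that close the password path into sshd before restarting it. The sample
# configs below are constructed; on a real host, point it at /etc/ssh/sshd_config.
# Caveat: Match blocks are not evaluated, only the global first-match value.

# sshd_opt FILE KEYWORD DEFAULT: effective value of a keyword. sshd uses the
# first uncommented occurrence; if none is present, the supplied default applies.
sshd_opt() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# password_logins_disabled FILE: succeeds when both password mechanisms are off
# (plain password and keyboard-interactive, which PAM uses) and public-key
# authentication is still on, so key logins keep working. The defaults passed
# in are OpenSSH's documented defaults (an assumption of this example).
password_logins_disabled() {
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" = no ] &&
    [ "$(sshd_opt "$1" PubkeyAuthentication yes)" = yes ]
}

# audit_text CONFIG_TEXT: prints OK or WARNING for a config given as a string.
audit_text() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    if password_logins_disabled "$tmp"; then echo OK; else echo WARNING; fi
    rm -f "$tmp"
}

# Constructed samples: a stock file (only commented defaults, so passwords are
# still accepted) and the hardened file the mail describes.
SAMPLE_BEFORE='#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server'
SAMPLE_AFTER='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/libexec/sftp-server'

echo "stock config:    $(audit_text "$SAMPLE_BEFORE")"   # WARNING
echo "hardened config: $(audit_text "$SAMPLE_AFTER")"    # OK
```

Run it against the live file with `password_logins_disabled /etc/ssh/sshd_config` from a session that already authenticated by key, so a mistake in the edit cannot lock you out.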