Date: Sun, 30 Nov 2008 09:24:38 +0200
From: Manolis Kiagias <sonic2000gr@gmail.com>
To: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: Temporarily blocking ports
Message-ID: <49323FB6.3010903@gmail.com>
In-Reply-To: <769E437F-4F3B-44D4-B470-56AD323C6AB3@hughes.net>
References: <49319A83.6050407@webrz.net> <22771067-1635-4C00-A0EB-4E14569F636C@hughes.net> <4931B00D.2040206@webrz.net> <769E437F-4F3B-44D4-B470-56AD323C6AB3@hughes.net>

Chris wrote:
>
> On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:
>
>>
>> From your reply on my message of 29-11-2008 21:47:
>>> An even tighter practice is to turn off all password logins and
>>> use only keyed connections. This is easier than it might seem
>>> though I'll admit I think of ssh as something only a select
>>> number of users may use and thus you know them by name
>>> and what IPs they are permitted to connect on.
>> I have been thinking of that as well, but don't think I should use
>> that yet with the knowledge I have on this.
>> Do you refer to manual or automatic key connections?
>>
> It's extremely easy.
>
> Generate your key and spread it to all systems you want
> to connect to. Have other users generate their key and do the
> same. After everyone is set, turn off password access in
> /etc/ssh/sshd_config, that file contains the docs in comments
> on how to do this. You change three parameters. Then sshd
> will need to be restarted. Be sure logins by key work first.
>
> This implies how to set up your keys. This was lifted from
> a helpful page on the net and modified but is pretty basic.
> Creates the keys in home directory of myuserid on system
> www.example.com, then moving the key to a second system
> called other.example.com such that myuserid can move
> between systems. The userid on the remote does not need
> to be the same string as on the local system though it's shown
> that way here.
>
> www$ cd # get to your home directory
> www$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/myuserid/.ssh/id_rsa.
> Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
> The key fingerprint is:
> <fingerprintshownhere> myuserid@www.example.com
> www$ ssh myuserid@other.example.com mkdir -p .ssh
> Password: <enter password here for other system>
> www$ cat .ssh/id_rsa.pub|ssh myuserid@other.example.com 'cat >> .ssh/authorized_keys'
> Password:<enter password here for other system>
>
> You are done setting up keys. Sample use of seamless login:
>
> www$ ssh other.example.com
> other$ host
> other.example.com
> other$ users
> myuserid ttyp0 Jul 14 05:28 (www.example.com)
> other$ exit
> www$
>
> I only use this on FreeBSD and OS-X. No idea on Putty and others.
>

Can be used on Putty too. There are some small helper programs you can
download along with Putty:

- Puttygen: This will convert your key to a format that can be used by
  Putty
- Pageant: This works like "ssh-agent". You simply supply the key, and
  it is automatically used in your Putty connections

It works flawlessly.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49323FB6.3010903>
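
The quoted advice is to change three parameters in /etc/ssh/sshd_config and restart sshd only once key logins work. The script below is an added example, not part of the original message, that audits a config file before that restart. The message does not name its three parameters, so the three directives checked here (and the strict choice of requiring UsePAM to be "no") are assumptions, as are the function names and the constructed sample file.

```shell
#!/bin/sh
# Added example, not from the post. Assumption: the three directives checked are
# PasswordAuthentication, ChallengeResponseAuthentication and UsePAM.

# first_value FILE KEYWORD: print the first global value of KEYWORD (lowercased)
# or "unset". sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and a Match line ends the global section.
first_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "match") exit
            if (tolower(f[1]) == want && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE: one line per directive; returns 0 only if all three
# directives are explicitly "no" and PubkeyAuthentication is not "no".
audit_sshd_config() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        v=$(first_value "$1" "$kw")
        # "unset" fails too: the compiled-in default differs between platforms.
        if [ "$v" = no ]; then echo "ok    $kw no"; else echo "FAIL  $kw $v"; rc=1; fi
    done
    if [ "$(first_value "$1" PubkeyAuthentication)" = no ]; then
        echo "FAIL  PubkeyAuthentication no (key logins would stop working)"; rc=1
    fi
    return "$rc"
}

# Constructed sample: one directive left commented out, a later duplicate that
# sshd ignores, and a setting that only applies inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
challengeresponseauthentication no
UsePAM no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "=> do not restart sshd yet"
rm -f "$sample"
```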