From owner-freebsd-questions@FreeBSD.ORG Sun Nov 30 07:24:44 2008
Message-ID: <49323FB6.3010903@gmail.com>
Date: Sun, 30 Nov 2008 09:24:38 +0200
From: Manolis Kiagias
To: FreeBSD-Questions Questions
In-Reply-To: <769E437F-4F3B-44D4-B470-56AD323C6AB3@hughes.net>
Subject: Re: Temporarily blocking ports

Chris wrote:
>
> On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:
>
>> From your reply on my message of 29-11-2008 21:47:
>>> An even tighter practice is to turn off all password logins and
>>> use only keyed connections. This is easier than it might seem,
>>> though I'll admit I think of ssh as something only a select
>>> number of users may use and thus you know them by name
>>> and what IPs they are permitted to connect on.
>> I have been thinking of that as well, but don't think I should use
>> that yet with the knowledge I have on this.
>> Do you refer to manual or automatic key connections?
>>
> It's extremely easy.
>
> Generate your key and spread it to all systems you want
> to connect to. Have other users generate their key and do the
> same. After everyone is set, turn off password access in
> /etc/ssh/sshd_config; that file contains the docs in comments
> on how to do this. You change three parameters. Then sshd
> will need to be restarted. Be sure logins by key work first.
>
> This implies how to set up your keys. This was lifted from
> a helpful page on the net and modified but is pretty basic.
> It creates the keys in the home directory of myuserid on system
> www.example.com, then moves the key to a second system
> called other.example.com such that myuserid can move
> between systems.
> The userid on the remote does not need
> to be the same string as on the local system, though it's shown
> that way here.
>
> www$ cd # get to your home directory
> www$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/myuserid/.ssh/id_rsa.
> Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
> The key fingerprint is:
> myuserid@www.example.com
> www$ ssh myuserid@other.example.com mkdir -p .ssh
> Password:
> www$ cat .ssh/id_rsa.pub|ssh myuserid@other.example.com 'cat >>
> .ssh/authorized_keys'
> Password:
>
> You are done setting up keys. Sample use of seamless login:
>
> www$ ssh other.example.com
> other$ host
> other.example.com
> other$ users
> myuserid ttyp0 Jul 14 05:28 (www.example.com)
> other$ exit
> www$
>
> I only use this on FreeBSD and OS-X. No idea on Putty and others.

Can be used on Putty too. There are some small helper programs you can download along with Putty:

- Puttygen: This will convert your key to a format that can be used by Putty.
- Pageant: This works like "ssh-agent". You simply supply the key, and it is automatically used in your Putty connections. It works flawlessly.
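The two steps Chris outlines (install the public key on the remote host, then turn off password logins in sshd_config) as an added shell example that is not from the thread: `install_pubkey` does what the quoted `cat >> .ssh/authorized_keys` does but idempotently and with the permissions sshd's StrictModes expects, and `sshd_password_logins_off` checks a config file before sshd is restarted. The thread says "three parameters" without naming them; checking PasswordAuthentication and ChallengeResponseAuthentication is my assumption, and all file paths are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the thread. install_pubkey appends a public
# key to authorized_keys only once and sets the permissions sshd's StrictModes
# expects (the quoted "cat >> .ssh/authorized_keys" leaves them to chance).
# sshd_password_logins_off checks an sshd_config before you restart sshd.
# The thread says "three parameters" without naming them; the two checked
# here are an assumption. Paths are parameters so this runs against
# constructed files offline.

# install_pubkey <pubkey-file> <target-home-dir>
install_pubkey() {
    key=$(cat "$1")
    ssh_dir="$2/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # Idempotent: add the exact key line only if it is not already present,
    # always terminated by a newline so keys never run together.
    if ! grep -qxF "$key" "$auth_keys"; then
        printf '%s\n' "$key" >> "$auth_keys"
    fi
}

# sshd_password_logins_off <sshd_config>: returns 0 only when both
# PasswordAuthentication and ChallengeResponseAuthentication are explicitly
# "no". sshd uses the first uncommented occurrence of a keyword, so that is
# the one examined here (Match blocks are not handled).
sshd_password_logins_off() {
    cfg=$1
    for opt in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(grep -iE "^[[:space:]]*$opt[[:space:]]+" "$cfg" \
              | head -n 1 | awk '{print tolower($2)}')
        [ "$val" = "no" ] || return 1
    done
    return 0
}
```

Run the config check on the real file with `sshd_password_logins_off /etc/ssh/sshd_config` before restarting sshd, and only after a key login has been confirmed to work.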