[WBEL-users] SSH Info

Jeff Maze maillists@crescentdigital.com
Thu, 12 Aug 2004 23:10:40 -0400


Here's my write-up for SSH..  I redid our setup after seeing an uprising in
SSH logins..  This uses public keys and P2..

_________________________________________________

Hello,
	One of the links I used was
http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Public-Key_Authentication-2.html

	Another was:
http://mikeage.net/backup/linuxcourse/ssh-notes.html

	These sort of got me going in the right direction.  But below are
the steps I completed to get the public key working with SSH.

1)  On the client machine (I run Suse 9.1 Pro (via Vmware on XP host)),
create a public key.  I was logged in as my user account; they say not to
use root for obvious reasons.  So, open a term window and type the
following:

	# ssh-keygen -b 2048 -t rsa

Running ssh-keygen just by itself will show you a list of options.  The
above creates an RSA key pair with a 2048 bit count.  When you run this, it
will ask you for a pass phrase twice.  Remember this pass phrase.  The new
public keys will be stored in the /home/%user%/.ssh/ directory as id_rsa and
id_rsa.pub.  The id_rsa.pub file is what you distribute to other systems,
people, etc.  This is your public key.

2)  Next copy, upload or transfer your public key (id_rsa.pub) to the server
on which you wish to use public-key authentication (make sure you keep a copy
on your client machine).  My servers run webmin (http://www.webmin.com) and I
uploaded my public key this way to the /tmp directory.

3)  Since my WBEL servers are just a webserver and a secondary mail server,
I have no need for X or a GUI interface.  Again, I have a user account
added to the servers.  It's good security practice to have this account
created on your machine and use it to log in via SSH and then su to root to
do work.  Anyway, I had to create the .ssh directory within the /home/%user%
directory on the server.  I then moved the id_rsa.pub file from /tmp to the
/home/%user%/.ssh directory.

4)  Next, you have to create an 'authorized_keys' file within the
/home/%user%/.ssh directory on the server.  Since I only have one user logging
in to the server remotely, I just copied the 'id_rsa.pub' file to
'authorized_keys' (# cp id_rsa.pub authorized_keys), but if you need to copy
multiple public keys, you can try:
	# cat id_rsa.pub >> authorized_keys
	# rm -f id_rsa.pub        # removes your public key from the server

Next, configure the permissions for the 'authorized_keys' file (I haven't
found anything yet on who the owner of the file should be; need to
test/look this up further)
	# chmod 600 authorized_keys

5)  Next, you'll have to configure /etc/sshd_conf on the server to have SSH
use public keys (make a backup copy of the original:  '# cp sshd_conf
sshd_conf_org').  I went to this site for this info:
http://www.debiansec.com/linux/services/ssh.html  This is what the config
file will turn out to look like:

AllowGroups users
AllowUsers %user%
ChallengeResponseAuthentication no
ClientAliveInterval 15
DenyGroups root
DenyUsers root admin test
KeepAlive no
ListenAddress xxx.xxx.xxx.xxx
LoginGraceTime 60
MaxStartups 2:50:10
PasswordAuthentication no
PermitRootLogin no
Protocol 2
PubkeyAuthentication yes

	NOTE:  When I had AllowGroups and AllowUsers listed in the sshd_conf
file, I couldn't log in via SSH; it exited with status 1.  If I removed
them, it worked fine.  The errors I was getting were:
	User %user% not allowed because none of user's groups are listed in
AllowGroups
	User %user% not allowed because not listed in AllowUsers

6)  Once you've edited your sshd_conf file, restart the SSHD daemon.
	# /etc/rc.d/init.d/sshd restart	

7)  Next, attempt to log into the SSH server via your favorite SSH client
(Suse uses KSSH).  If it's working, you should be prompted with something
like this:

Enter pass phrase for key '/home/%user%/id_rsa': 

Enter your pass phrase, and you should now be logged in via SSH.

This should hopefully do it for you.  Make sure you make backups of any
configuration file you change.  It'll help out if there's a problem later
down the road.  Let me know how it works out for ya.. 

_________________________________________________

-----Original Message-----
From: whitebox-users-admin@beau.org [mailto:whitebox-users-admin@beau.org]
On Behalf Of Ed Morrison
Sent: Thursday, August 12, 2004 10:40 PM
To: whitebox-users@beau.org
Subject: Re: [WBEL-users] SSH Info


[snip]
> Hey Ed,
> Perversely, sshd will *not* restart if you're logged in using ssh.  

Hey Ed,

It looked like it stopped and restarted as Kirby said but it did not stop
the server from accepting ssh1 connections...at least it appears to not
unless totally not working qualifies :-)  I will have to wait until tomorrow
to finish this up since ssh is not working on that box right now.  I was
local to the box when I started this now...well it's not quite so
convenient.  Thanks for the script and ideas.

Ed

> can however make a shell script which stops sshd, and then restarts it.
> I'm not sure I'd try this unless I could get someone to restart the 
> service locally just in case.  Or you could temporarily enable telnet
> so you have a "plan B".
> 
> remhost$ at now + 1 minute
> at> service sshd stop
> at> service sshd start
> remhost$ logout
> localhost$ (wait a minute)
> localhost$ ssh remhost
> 
> 
>    Ed
> 
> 
> >
> > On Thu, 2004-08-12 at 15:24, Ed wrote:
> >
> >>Ed Morrison wrote:
> >>
> >>>Hi Everyone,
> >>>
> >>>I'm looking to tighten down my servers some more and I would like to
> >>>find a good ssh How to:/step guide for disabling ssh1 and implementing
> >>>keys.
> >>
> >>in sshd_config:
> >>Protocol 2
> >
> >
> > Port 22
> > Protocol 2
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> >
> >
> >>If someone could send some links my way it would be appreciated.
> >>
> >>>Thanks,
> >>>Ed
_______________________________________________
Whitebox-users mailing list
Whitebox-users@beau.org
http://beau.org/mailman/listinfo/whitebox-users
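Steps 3 to 5 of Jeff Maze's write-up above (installing authorized_keys and hardening the sshd config), the AllowUsers/AllowGroups lockout described in his NOTE, and the at-job restart trick from Ed's quoted reply, as one added shell example that is not part of the original thread. It goes a little beyond the write-up: instead of one user's copy-and-chmod it is a reusable installer plus a checker for the hardening directives, and it models the general sshd allow/deny rule rather than the single failing case. It assumes a POSIX shell with awk, grep and find, an sshd that accepts `-t -f` and `service`/`at` as on WBEL; paths, service names and any key material callers pass in are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Installs a public key
# the way steps 3-5 of the write-up describe, with the modes sshd's
# StrictModes (on by default) insists on, checks an sshd_config for the
# hardening directives the write-up sets, models the AllowUsers/AllowGroups
# rule behind the NOTE's error messages, and wraps a restart in the at-job
# safety net from the quoted reply.  Paths, service names and any key
# material passed in by callers are assumptions.
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (700) and HOME_DIR/.ssh/authorized_keys (600), adds
# the key once (matched on type + base64 blob, so a changed trailing comment
# does not duplicate it) and prints how many lines now carry that key
# (expected: 1).  If these files or HOME_DIR are group/world writable, or
# owned by someone else, sshd refuses the key and the client only sees the
# next authentication method; the reason shows up in the server's auth log.
install_authorized_key() {
    home="$1"; pubkey="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod go-w "$home"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    keyid=$(awk '{print $1, $2}' "$pubkey")
    if ! awk '{print $1, $2}' "$auth" | grep -qxF "$keyid"; then
        cat "$pubkey" >> "$auth"
    fi
    grep -cF "$keyid" "$auth"
}

# check_sshd_config CONFIG_FILE
# Prints every directive from the write-up's hardened config that is missing
# or set to another value and returns non-zero if any is wrong.  Only the
# first uncommented occurrence counts, which is also how sshd resolves a
# directive that appears twice.
check_sshd_config() {
    cfg="$1"; rc=0
    for want in "Protocol 2" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "PermitRootLogin no" \
                "ChallengeResponseAuthentication no"; do
        key=${want%% *}; val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$key: want '$val', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return "$rc"
}

# allow_match USER "GROUP ..." "ALLOWUSERS" "ALLOWGROUPS"
# sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order
# and every directive that is present must pass.  So with both Allow lines
# set, USER must be listed in ALLOWUSERS *and* have a group in ALLOWGROUPS;
# "AllowUsers jeff" plus "AllowGroups users" locks jeff out if jeff is not
# in group users.  Exact names only; sshd's wildcard patterns are not modelled.
allow_match() {
    user="$1"; user_groups="$2"; allow_users="$3"; allow_groups="$4"
    if [ -n "$allow_users" ]; then
        echo " $allow_users " | grep -qF " $user " || return 1
    fi
    if [ -n "$allow_groups" ]; then
        ok=1
        for g in $user_groups; do
            echo " $allow_groups " | grep -qF " $g " && ok=0
        done
        [ "$ok" -eq 0 ] || return 1
    fi
    return 0
}

# safe_sshd_restart CONFIG BACKUP
# Refuses to restart on a config sshd itself rejects (sshd -t), then queues
# an at job that puts BACKUP back and restarts sshd in 5 minutes: if the new
# config locks you out, the box recovers on its own; if a fresh login works,
# remove the job with atrm before it fires.  Needs root and a real sshd.
safe_sshd_restart() {
    cfg="$1"; backup="$2"
    sshd -t -f "$cfg" || { echo "sshd rejected $cfg, not restarting" >&2; return 1; }
    echo "cp '$backup' '$cfg' && service sshd restart" | at now + 5 minutes
    service sshd restart
}
```

The first three functions run anywhere (point `install_authorized_key` at a scratch directory and a throwaway id_rsa.pub to see the 700/600 modes and the one-line authorized_keys it produces); `safe_sshd_restart` is the piece to use on the real server once `check_sshd_config` is clean, because `sshd -t` catches a typo before the daemon is bounced and the queued at job is the "plan B" that does not depend on telnet.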