Eric Sisler wrote:

> Gustav,
>
> >Well, I wanted to replace rsh, rlogin, telnet and ftp within my small
> >home LAN. (Currently 7 PCs with two more in the pipeline.)
>
> An admirable goal.  ;-)  I don't have any of the r* services installed on
> any of my servers and ftp is only allowed on one and only from specific
> hosts.  Be sure to comment all the r* services out of /etc/inetd.conf and
> remove the associated packages once ssh is up and running.
>
> >Especially, I want to use ssh as the only way to login to my Internet
> >Gateway (that I'm right now configuring for use with ADSL within a month
> >or two). The Gateway PC (486-DX266) currently runs without keyboard,
> >mouse or monitor. It's on an over-dimensioned UPS and should 'never'
> >need to be shut down. (Touch wood. ;-)
>
> A good plan, but why no monitor/mouse/keyboard?
>
> >Let me mention that I'm an old pgp/gpg user so I have a decent
> >understanding of asymmetric public key data encryption, even though I'm
> >far from an expert. I've been called 'power user' of pgp, but that might
> >be to exaggerate. :-)
> >
> >I've already installed openssh, openssh-server and openssl (latest .rpm
> >versions from the openssh site) on the Gateway machine (the server).
> >I've also installed openssh, openssh-clients and openssl on a 'client'
> >PC in my LAN.
> >
> >I configured openssh-server to use ssh protocol 2 only.
> >
> >First time I tried to connect to my server, using ssh, it asked me if I
> >wanted to accept the key from the server with a specific fingerprint. I
> >compared the fingerprint against the DSA fingerprint that was provided
> >during key generation on the server while installing the openssh server
> >part. It was the same, so I accepted. The information about the foreign
> >host was now stored in my ~/.ssh/known_hosts2 file.
> >
> >Q: I've understood from the documentation that this could be done
> >'centrally' on the client PC, so that all users on the client PC could
> >benefit from the knowledge of the server as a 'known host' and this
> >way avoid that *every* local user on the client PC must know (and
> >verify) the server. How is this supposed to be achieved?
>
> According to the documentation, you can use /etc/ssh_known_hosts (ssh1) &
> /etc/ssh_known_hosts2 (ssh2) for global lists of known
> hosts.  ~/.ssh/known_hosts is maintained automatically but I'd guess that
> as long as you have the global files they'll get read first.  You may also
> need to turn "RhostsRSAAuthentication" on as well.  You can also use
> "IgnoreUserKnownHosts" if you don't want to use ~/.ssh/known_hosts at
> all.  (These options go in sshd's config file - /etc/ssh/sshd_config)
>
> >Q: From what I've understood, the most secure way of using (open)ssh is
> >to use RSA authentication only. (Correct?) How do I set that up to
> >happen?
>
> If you're using strictly ssh2, I *think* you'll need to use DSA
> authentication rather than RSA authentication, although the procedure is
> pretty much the same:
>
> 1) On the client, run ssh-keygen (use the -d switch to generate a DSA
> key).  This creates the following files in ~/.ssh:
> identity        (ssh1 private key)
> identity.pub    (ssh1 public key)
> id_dsa          (ssh2 private key)
> id_dsa.pub      (ssh2 public key)
> Since you've used pgp/gpg these should be somewhat familiar to you.  The
> passphrase is entirely optional and you may wonder why anyone *wouldn't*
> use one (see below).
>
> 2) The identity.pub and/or id_dsa.pub files need to be appended to the
> server's (the server you want to ssh *to* that is) ~/.ssh/authorized_keys
> and ~/.ssh/authorized_keys2 respectively.  Create these files if necessary
> and *make sure* the permissions are 0600.  ssh is pretty picky about
> ownership/permissions for files in ~/.ssh, but it never hurts to make sure.
>
> Doing this effectively creates a one-way trust between this combination of
> user, client & server.  If you need to ssh from server to client you'll
> need to do the reverse.  Hope this makes sense.  It can be a bit confusing
> the first time.
>
> To passphrase, or not to passphrase, that is the question?  (Ok, bad pun...
> <grin>)
> Since ssh is designed to replace the r* commands and they can be set up to
> not require a password (normally through rhosts.equiv), ssh can do the same
> but it uses RSA/DSA authentication, which is much safer than rhosts.  This
> comes in handy if you want to ssh between servers without having to enter
> either a password or passphrase every time.  It also comes in handy if you
> use ssh as the transport mechanism for things like rsync or building a vpn.
>
> The RSA/DSA authentication method creates a unique "trust" between
> user/client/server and in theory won't work for any other
> combination.  Even keeping the user the same and switching client & server
> requires a different combination of keys.  I leave it to you to decide if
> you want to use a passphrase or not.
>
> You also asked about accepting RSA/DSA authentication only.
>
> I think setting "PasswordAuthentication" to no in /etc/ssh/sshd_config will
> prevent regular password authentication.
>
> >Enough for this time. :-)
>
> Hope this is enough to get you started.  ;-)
>

Just to give myself a warm and fuzzy, I also set the PermitRootLogin no
option.

Bret
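As an added example (not code from anyone in this thread), the server-side settings discussed above (Protocol 2, PasswordAuthentication no, PermitRootLogin no, IgnoreUserKnownHosts) applied idempotently to a copy of sshd_config, plus a check of the ~/.ssh permission rules Eric mentions. It assumes GNU sed and GNU stat; the config lines and temp paths are constructed for the demo, not the posters' files.

```shell
# Added example, not code from the thread. Edits a *copy* of sshd_config,
# never the live /etc/ssh/sshd_config. Assumes GNU sed (-i) and GNU stat (-c).

# set_sshd_option FILE KEY VALUE
# Rewrites every existing "KEY ..." or "#KEY ..." line in FILE to "KEY VALUE",
# or appends one if absent, so the function is safe to run repeatedly.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -i -E "s/^[#[:space:]]*${key}([[:space:]].*)?\$/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> prints the first uncommented value for KEY
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_ssh_perms DIR -> 0 if DIR is mode 700 and any authorized_keys or
# authorized_keys2 inside it is mode 600 (the 0600 Eric insists on)
check_ssh_perms() {
    dir=$1
    [ "$(stat -c '%a' "$dir")" = 700 ] || return 1
    for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -e "$f" ] || continue
        [ "$(stat -c '%a' "$f")" = 600 ] || return 1
    done
    return 0
}

# Demo on a constructed config in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    cfg="$tmp/sshd_config"
    printf '%s\n' '#Protocol 2,1' 'PasswordAuthentication yes' \
        '#PermitRootLogin yes' > "$cfg"                 # constructed input
    set_sshd_option "$cfg" Protocol 2                   # ssh2 only
    set_sshd_option "$cfg" PasswordAuthentication no    # keys only, no passwords
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" IgnoreUserKnownHosts yes     # rely on the global known_hosts
    cat "$cfg"
    mkdir -p "$tmp/.ssh" && chmod 700 "$tmp/.ssh"
    : > "$tmp/.ssh/authorized_keys2" && chmod 600 "$tmp/.ssh/authorized_keys2"
    check_ssh_perms "$tmp/.ssh" && echo "permissions ok"
    rm -rf "$tmp"
}

demo
```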



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
