Date: Thu, 12 Aug 1999 03:35:46 -0700 (PDT)
From: Bigby Findrake
To: chrisk@tpgi.com.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH on FreeBSD.

On Thu, 12 Aug 1999, Chris Keladis wrote:

> Hi folks,
>
> I am considering using SSH to tunnel backups over SSH on some FreeBSD boxes.
>
> I haven't played with SSH in a while, and I remember last time I did a major
> stumbling block was getting SSH to authenticate without asking for a
> password. (The way r* utilities work).
>
> Would it be possible to set up my FreeBSD boxes to work in a similar way to r*
> utils, so I can do ssh myhost.mydomain.com and be presented with a shell on the
> remote machine, with the appropriate authentication pre-configured?

Sure. I do it. What I do is use RSA keys. Use the ssh-keygen utility
that installs with the ssh package to generate an RSA key for a user.
When it prompts you for a password for the RSA key, hit return. By
default this installs the key pair (public & private) into
$HOME/.ssh/{identity,identity.pub}. Put the public key
($HOME/.ssh/identity.pub) into the target machine, in the target user's
$HOME/.ssh/authorized_keys. Make sure the target machine is running
sshd, and that /etc/sshd_config says "RSAAuthentication yes".
Now you can ssh from the source machine to the target machine without a
password IF you didn't specify a password for the RSA key on the source
machine. If you're sshing to the target machine as a different user
from the source machine, you'll have to specify the user on the ssh
command line with the -l command line option. For example:

    host1> tar -czf - /file1 /file2 | ssh host2 -l some_user "cd /backup_dir \
        ; tar -xzf -"

Do note that there are security implications for creating RSA keys
without passwords. Essentially it's the same issue with using rhosts:
if an account is compromised on a local machine, it is thereby
compromised on the remote machine.

> Are there any how-to's, or faq's on this?

Aside from the above? I don't know. Maybe someone else can help you
out there.

/-------------------------------------------------------------------------/
Giving something away is the ultimate subversive act in a society the
economic system of which is structurally based on greed and egotism.

finger bigby@shiva.eu.org for my pgpkey
e-mail bigby@pager.shiva.eu.org to page me
/-------------------------------------------------------------------------/
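Added example (not part of the original message): one way to limit the exposure the reply describes is to bind the passwordless key on the target to a single forced command, so that a stolen key can unpack a backup but cannot open a shell. The script name, its install path and the accepted command string are assumptions; command= and the no-* options are standard authorized_keys options.

```sh
#!/bin/sh
# Added example, not from the original post. Forced-command gate for the
# passwordless backup key on the target host. The install path and the
# accepted command string are assumptions; the key's line in
# ~some_user/.ssh/authorized_keys would be prefixed with:
#   command="/usr/local/sbin/backup-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

BACKUP_DIR="${BACKUP_DIR:-/backup_dir}"   # directory used in the post's example

# Classify the command the client requested. sshd hands it to a forced
# command in SSH_ORIGINAL_COMMAND; it is empty for an interactive login.
# Prints "allow" or "deny: <reason>" and returns 0 only for "allow".
gate_decision() {
    case "$1" in
        "")           echo "deny: interactive login"; return 1 ;;
        "tar -xzf -") echo "allow"; return 0 ;;
        *)            echo "deny: command not on allow-list"; return 1 ;;
    esac
}

# Log refusals, then run the one fixed job. The client's string is only
# compared, never evaluated, so nothing it contains reaches a shell.
gate_main() {
    if ! decision=$(gate_decision "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -p auth.warning -t backup-gate \
            "$decision (client ${SSH_CLIENT:-unknown})" 2>/dev/null || true
        echo "backup-gate: $decision" >&2
        return 1
    fi
    cd "$BACKUP_DIR" || return 1
    exec tar -xzf -
}

# Run only when installed under the assumed name, so the functions can be
# sourced and tested without side effects.
case "${0##*/}" in
    backup-gate) gate_main ;;
esac
```

With the gate installed, the sending side's pipeline ends in ssh host2 -l some_user "tar -xzf -"; any other request made with that key is refused and logged to auth.warning.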