From: "greg@grokking.org"
Date: Sat, 05 Mar 2005 14:21:27 -0500
To: freebsd-questions@freebsd.org
Subject: Re: help configuring ssh pub keys instead of passwords
Message-ID: <422A06B7.9060007@grokking.org>
In-Reply-To: <20050305181134.M99248@bmyster.com>

> so far I have done
>
> edit /etc/sshd_config
>
> Port 22
> Protocol 2
> PermitRootLogin no
> MaxStartups 5:50:10
> X11Forwarding no
> PrintLastLog yes
> SyslogFacility auth
> LogLevel VERBOSE
> PasswordAuthentication no
> PermitEmptyPasswords no
> Banner /etc/issue
> AllowGroups sshusers <-- this exists
>
> # create some group that you can put OpenSSH users into
> Next, we'll open and edit /etc/ssh/ssh_config
>
> [user@server /dir]# vi /etc/ssh/ssh_config
>
> ForwardAgent no
> ForwardX11 no
> PasswordAuthentication no
> CheckHostIP yes
> Port 22
> Protocol 2
>
> then I su to unpriv user and ran ssh-keygen -d
>
> then I did
> cat id_dsa.pub > authorized_keys2

Make sure you have a line in /etc/ssh/sshd_config that points to this, like so:

AuthorizedKeysFile .ssh/authorized_keys2

If it's commented out that's okay (default), just make sure it's the same filename you've used! (Incidentally, on my 5.3 box it's set as .ssh/authorized_keys)

> then copy the id_dsa.pub to a floppy so that I could transfer the dsa key to
> the machine from which I'd be accessing the unix box.

No, you need to put the PRIVATE key (id_dsa by default) on the client machines in the .ssh directory under each user's home dir. The PUBLIC key stays on the server in authorized_keys as you've done above. Make sure this key and the directory it's in are accessible only by the user you want.

Hope that helps,
G
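The reply's checklist, turned into a small audit script as an added example (this is not code from the thread or from OpenSSH): it reads the effective AuthorizedKeysFile out of an sshd_config, confirms the public key was appended to the file of that name on the server, and confirms that on the client the private key and its .ssh directory are reachable only by their owner. All function and file names are my own. It assumes the 5.3-era default of .ssh/authorized_keys when the directive is commented out; that default is a parameter, because newer OpenSSH releases default to both .ssh/authorized_keys and .ssh/authorized_keys2, so pass whatever your sshd(8) manual states.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): audit the public-key layout
# the reply describes. Server side: sshd_config's AuthorizedKeysFile must name
# the file the public key was appended to. Client side: the private key lives
# in ~/.ssh and, with that directory, is reachable only by its owner.
# Written in POSIX sh; permission bits are read from ls -l's mode string to
# avoid the differing stat(1) flags on FreeBSD and GNU systems.

# Print the effective AuthorizedKeysFile: the last uncommented setting wins.
# If none is set, print $2, assumed here (as on the 5.3 box in the reply) to
# be .ssh/authorized_keys. Match blocks are not interpreted.
effective_authorized_keys_file() {
    config="$1"
    default="${2:-.ssh/authorized_keys}"
    value=$(awk 'tolower($1) == "authorizedkeysfile" {
                     v = $0
                     sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)   # drop the keyword
                     sub(/[ \t]+$/, "", v)                 # and trailing blanks
                 }
                 END { print v }' "$config")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# Return 0 if FILE or DIR grants no permission at all to group or other
# (ls -l mode columns 5-10 are all '-'), i.e. mode 0600 for a key, 0700 for .ssh.
owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Return 0 if FILE is not writable by group or other (ls -l columns 6 and 9).
# sshd's StrictModes, on by default, rejects a key whose authorized_keys file,
# ~/.ssh or home directory is group- or world-writable.
not_group_other_writable() {
    bits=$(ls -ld "$1" | cut -c6,9)
    [ "$bits" = "--" ]
}

# Client side: DIR is the user's .ssh directory, KEY the private key file name
# (id_dsa for ssh-keygen -d). Prints each problem; returns the problem count.
audit_client_key() {
    dir="$1"; key="${2:-id_dsa}"
    problems=0
    if ! owner_only "$dir"; then
        echo "$dir: must be reachable only by its owner (chmod 700)"
        problems=$((problems + 1))
    fi
    if [ ! -f "$dir/$key" ]; then
        echo "$dir/$key: private key missing; copy it here, not the .pub file"
        problems=$((problems + 1))
    elif ! owner_only "$dir/$key"; then
        echo "$dir/$key: private key readable by others (chmod 600)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Server side: the public key (type and blob, comment ignored) must appear in
# the file named by AuthorizedKeysFile, and that file must satisfy StrictModes.
public_key_installed() {
    authkeys="$1"; pubkey="$2"
    [ -f "$authkeys" ] || { echo "$authkeys: missing on server"; return 1; }
    blob=$(cut -d' ' -f1,2 "$pubkey")
    grep -qF -- "$blob" "$authkeys" \
        || { echo "$authkeys: key from $pubkey not present"; return 1; }
    not_group_other_writable "$authkeys" \
        || { echo "$authkeys: group/world writable; StrictModes will reject it"; return 1; }
    return 0
}

# Usage: sh check_ssh_keys.sh SSHD_CONFIG CLIENT_SSH_DIR [PRIVATE_KEY_NAME]
#   e.g. sh check_ssh_keys.sh /etc/ssh/sshd_config "$HOME/.ssh" id_dsa
# Runs only when arguments are given, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    printf 'effective AuthorizedKeysFile: %s\n' "$(effective_authorized_keys_file "$1")"
    audit_client_key "$2" "${3:-id_dsa}" && echo "client key layout OK"
fi
```

Run the server-side part on the box that holds authorized_keys2 (pointing public_key_installed at that file and at a copy of id_dsa.pub) and the client-side part on each machine that received id_dsa; a non-zero exit from either means the layout the reply describes is not yet in place.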