Date:      Sat, 29 Nov 2008 14:01:28 -0800
From:      Chris <eagletree@hughes.net>
To:        Jos Chrispijn <jos@webrz.net>
Cc:        FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject:   Re: Temporarily blocking ports
Message-ID:  <769E437F-4F3B-44D4-B470-56AD323C6AB3@hughes.net>
In-Reply-To: <4931B00D.2040206@webrz.net>
References:  <49319A83.6050407@webrz.net> <22771067-1635-4C00-A0EB-4E14569F636C@hughes.net> <4931B00D.2040206@webrz.net>


On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:

>
> From your reply on my message of 29-11-2008 21:47:
>> An even tighter practice is to turn off all password logins and
>> use only keyed connections. This is easier than it might seem
>> though I'll admit I think of ssh as something only a select
>> number of users may use and thus you know them by name
>> and what IPs they are permitted to connect on.
> I have been thinking of that as well, but don't think I should use  
> that yet with the knowledge I have on this.
> Do you refer to manual or automatic key connections?
>
It's extremely easy.

Generate your key and spread it to all systems you want
to connect to. Have other users generate their key and do the
same. After everyone is set, turn off password access in
/etc/ssh/sshd_config; that file contains the docs in comments
on how to do this. You change three parameters. Then sshd
will need to be restarted. Be sure logins by key work first.

This implies how to set up your keys. This was lifted from
a helpful page on the net and modified but is pretty basic.
It creates the keys in the home directory of myuserid on system
www.example.com, then moves the key to a second system
called other.example.com such that myuserid can move
between systems. The userid on the remote does not need
to be the same string as on the local system, though it's shown
that way here.

www$ cd # get to your home directory
www$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuserid/.ssh/id_rsa.
Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
The key fingerprint is:
<fingerprintshownhere> myuserid@www.example.com
www$ ssh myuserid@other.example.com mkdir -p .ssh
Password: <enter password here for other system>
www$ cat .ssh/id_rsa.pub|ssh myuserid@other.example.com 'cat >> .ssh/authorized_keys'
Password: <enter password here for other system>

You are done setting up keys. Sample use of seamless login:

www$ ssh other.example.com
other$ host
other.example.com
other$ users
myuserid          ttyp0    Jul 14 05:28 (www.example.com)
other$ exit
www$

I only use this on FreeBSD and OS-X. No idea on Putty and others.

> thanks for sharing,
> Jos Chrispijn
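The sshd_config step in the mail above (turn off password access once key logins work) has a trap worth checking for: sshd keeps the first value it reads for a keyword, so a "no" appended below an existing "yes" does nothing. The following script is an added example, not code from Chris's mail; it reads a constructed sshd_config the way sshd does, and which two keywords it checks (PasswordAuthentication and ChallengeResponseAuthentication) is an assumption, since the mail does not name its "three parameters".

```shell
#!/bin/sh
# Added example, not from the original mail: check whether an sshd_config
# really disables password logins. sshd keeps the FIRST value it reads for
# a keyword, so "PasswordAuthentication no" appended below an earlier
# "PasswordAuthentication yes" changes nothing. Limitations (assumptions):
# only the "Keyword value" form is parsed and Match blocks are ignored.

# effective_value FILE KEYWORD: print the first uncommented value for the
# keyword (case-insensitive), or "default" if it never appears.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }      # comment; a commented-out line is not a setting
        /^[ \t]*$/ { next }      # blank line
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# password_logins_disabled FILE: succeed only when both password and
# challenge/response (keyboard-interactive, e.g. via PAM) logins are off.
# The mail says "three parameters" without naming them; these two are an
# assumption about which OpenSSH keywords govern password prompts.
password_logins_disabled() {
    pw=$(effective_value "$1" PasswordAuthentication)
    kbd=$(effective_value "$1" ChallengeResponseAuthentication)
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed sample: the "no" lines were appended at the bottom of a file
# that still says "yes" higher up, so sshd will keep accepting passwords.
SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# appended later by hand, never takes effect:
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

if password_logins_disabled "$SAMPLE"; then
    echo "ok: password logins are disabled"
else
    echo "WARNING: password logins still enabled (PasswordAuthentication=$(effective_value "$SAMPLE" PasswordAuthentication))"
fi
```

Run it against the real file with `effective_value /etc/ssh/sshd_config PasswordAuthentication` before restarting sshd; `sshd -T` gives the same effective view on newer OpenSSH releases.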
