Date:      Fri, 10 Feb 2006 09:12:15 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Ken Stevenson" <ken@allenmyland.com>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: sshd / ssh setup
Message-ID:  <MIEPLLIBMLEEABPDBIEGOEAAHNAA.fbsd_user@a1poweruser.com>
In-Reply-To: <43EA92E2.8000301@allenmyland.com>

For the archives.

Example of configuring OpenSSH

Environment description:
In this example we have a FreeBSD system which we will call the host.
We have a remote FreeBSD system which is located somewhere on the
public internet; we will call this the FBSD-client.
We also have a remote MS/Windows system which is located somewhere
on the public internet; we will call this the Win-client.
OpenSSH has a few different security levels when it comes to how
the ssh login is handled. This example details the encrypted
host/client key with passphrase method.
This method gives the maximum protection possible utilizing ssh.

Host setup steps.

1.	Edit /etc/rc.conf and add this statement
		sshd_enable="YES"
	Make sure your firewall allows port 22 in from the public internet.
	Reboot your system to activate sshd and login as root.
	If this is your first time booting with sshd you will have to
	create the host keys.
	sshd will show you this on the first sshd boot only.

====================================================
Type a full screen full of random junk to unblock
it and remember to finish with <enter>. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.

Just hit <enter> for fast+insecure startup.
====================================================
kern.random.sys.seeded: 1 -> 0
qkcir83,2jsn40pl722jjbqok   ---- this is the example junk entered
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
ed:5d:97:dc:49:98:36:66:fc root@domainname
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
67:e7:90:04:0e:27:2e:d2:97:6a root@a1poweruser.com
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
96:db:50:5c:9e:69:88:26:28:54 root@ domainname

2.	If you do a "ps ax" command you will see sshd as
	one of the running tasks.

3.	Using adduser or pw command create a normal user account.
	For this example we will use bob as the host user account name.

4.	Hit alt/f2 at the same time to open a second session and login
	using bob.

5.	Run this command   ssh-keygen -t rsa
	Just hit enter to take default location and file name
	No need to enter a pass phrase for the host user here,
      just hit enter 2 times
	This is what you will see

	Generating public/private rsa key pair.
	Enter file in which to save the key (/bob/.ssh/id_rsa):
	Created directory '/bob/.ssh'.
	Enter passphrase (empty for no passphrase):
	Enter same passphrase again:
	Your identification has been saved in /bob/.ssh/id_rsa.
	Your public key has been saved in /bob/.ssh/id_rsa.pub.
	The key fingerprint is:
	e7:e6:8f:d3:b1:b4:08:27:09:d2 bob@domainname

6.	If you want to ssh login as Host 'root', you have to run
	step 5 above while logged in as root on the host. Also
	edit /etc/ssh/sshd_config and change this statement

	#PermitRootLogin no    to    PermitRootLogin yes

	Then   killall -HUP sshd
	to make the sshd task reread its sshd_config file.



FBSD-client setup steps.

1.	Using adduser or pw command create a normal user account.
	For this example we will use remotetom as the user account name.

2.	Login using remotetom.

3.	Run this command   ssh-keygen -t rsa
	Just hit enter to take default location and file name
	At the "Enter passphrase" prompt [enter one and write it down,
	because it will be needed for ssh login to the host].
	This is what you will see

	Generating public/private rsa key pair.
	Enter file in which to save the key (/remotetom/.ssh/id_rsa):
	Created directory '/remotetom/.ssh'.
	Enter passphrase (empty for no passphrase):
	Enter same passphrase again:
	Your identification has been saved in /remotetom/.ssh/id_rsa.
	Your public key has been saved in /remotetom/.ssh/id_rsa.pub.
	The key fingerprint is:
	e7:e6:8f:d3:b1:b4:08:27:09:56:de:d2 tom@domainname

4.	The public key file you just created, /remotetom/.ssh/id_rsa.pub,
	has to be sent to the Host system. On the host system rename it
	to authorized_keys2 and put it into the home directory of the
	user set up earlier. In this case ~/bob/.ssh/authorized_keys2.

5.	To ssh to the host enter this   ssh hostname   or   ssh host-ip-address
	The first time you ssh to the Host you will get these messages.
	Answer yes if you are sure this first connection is with your
	targeted host.
	Enter exit to terminate the session.

	# /home/remotetom/.ssh >ssh 10.0.10.2
	The authenticity of host '10.0.10.2 (10.0.10.2)' can't be established.
	DSA key fingerprint is 67:e7:90:04:0e:27:2e:d2:97:9d:7b:62:7e:c9:32:6a.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added '10.0.10.2' (DSA) to the list of known hosts.
	Enter passphrase for key /remotetom/.ssh/id_rsa

	This is where you enter the pass phrase you entered while running
	ssh-keygen on this remote client (remotetom).

	You are now logged into the Host account bob.

	Every time you ssh login again you will just get this prompt
		 Enter passphrase for key /remotetom/.ssh/id_rsa


7.	At this point the Host user bob can login from the Host console,
	or using telnet from a local LAN machine, or from the public internet
	if your host firewall has port 23 open. If this user is to be only
	allowed remote ssh client access you can use the vipw command to edit the
	system's master password file and star out his encrypted password.
	This will deny login from anywhere except remotebob

	bob:$1$FXF.CEpf$B2cF:1001:31::0:0:remote ssh user#:/home/bob:/bin/csh

	edit it to look like this

	bob:*:1001:31::0:0:remote ssh user#:/home/bob:/bin/csh

8.	At this point, if remotebob is a notebook pc he can ssh login
	from any place in the world. If remotebob is always working from
	home using ip address 192.168.1.32 you can add another level of
	security by restricting his login to come from that ip address.
	Do that by adding this statement to the Host /etc/ssh/sshd_config file

	AllowUsers bob@192.168.1.32




Win-client setup steps.

1.	You have to get the windows putty program from
	http://www.chiark.greenend.org.uk/~sgtatham/putty/
	Download the current windows installer program.
	Currently that's putty-0.58-installer.exe

2.	Run the installer.exe and take all the defaults.

3.	start/programs/Putty/Puttygen
	This will create your private and public ssh keys
	At the bottom of the window select ssh2-rsa
	Click on the generate button.
	After the keys are created then enter your pass phrase.
	Then click on the 'save public key' button.
	Save it to c:/programs/putty/putty_public_rsa_key
	Then click on the 'save private key' button.
	Save it to c:/programs/putty/putty_private_rsa_key.ppk
	In the window area labeled
	"Public key for pasting into OpenSSH authorized_keys file"
	highlight that content and paste it into a notepad text file
	named win_authorized_keys2.txt

4.	The win_authorized_keys2.txt file has to be sent to the Host
	system and put in the ~/home/bob/.ssh/ directory. In this example
	both the FBSD-client & the WIN-client will use the same Host
	user account to ssh login to.
	Since the ~/home/bob/.ssh/authorized_keys2 already contains the
	private key for the FBSD-client you have to append the
	win_authorized_keys2.txt content to it.

	cat win_authorized_keys2.txt >> authorized_keys2

	If bob is to only be used by WIN-client then just
		cp win_authorized_keys2.txt  authorized_keys2

5.	start/programs/putty/putty  to run it
	On the bottom of the window click on "never exit"
	Under protocol be sure ssh is clicked
	On the left side click on 'SSH', then in the
	'preferred ssh protocol version' click on '2 only'.
	On the left side click on 'AUTH', remove the check mark from
	'Attempt keyboard-interactive auth (SSH-2)'.
	On the left side click on 'Sessions' to return to the main
	login window.
	Enter your host name (i.e., your official registered domain
	name of the Host box) or its IP address. Then type a name
	in the saved session window and click on the save button.
	Now click on the open button at the bottom of the window to login to
	the host.

	An ms/dos window will open up and you will receive a 'login as' prompt
	Enter bob
	Then you get
	 Authenticating with public key "rsa-key-20060209"
	 Passphrase for key "rsa-key-20060209":
	At this point enter the pass phrase you entered when you ran
	start/programs/Putty/Puttygen to create the rsa keys on the
	client remotetom.
	You are now logged into your host box using SSH. You have all
	the privileges that host user bob has when you created him.

	Every time you start/programs/putty/putty  highlight the name
	of your saved session and click on the load button. This will
	restore your saved session configuration, then click open to launch.


Conclusion:

Once you open ssh's port 22 in your firewall it won't be long before
your auth.log starts filling up with failed login attempts.
About 99 percent of these failed login attempts are script kiddies
or robots.
Their attacks are almost totally based on indiscriminate rolling through
a range of sequential IP addresses. (i.e., they never use DNS to lookup your
domain name.) You were found by plain bad luck. They run scripts that
address the known ports listened on by those services which accept logins.
You use this knowledge to defend against this type of attack.
The simplest defense is to change the port number ssh uses.
/etc/services is where the port number used by SSH is defined and where
you would change it. Remote clients who want to access your host system
will have to enter the alternate port number as part of the login command.

ssh -p 77777 hostname or host-ip-address

[-p 77777 is the example alternate ssh port number you specified
in the /etc/services file] or edit /etc/ssh/ssh_config on the remote
client and change this statement from this

#    Port 22 to  Port 77777   [to make the alternate port number permanent]

Windows putty also has a way to change the default ssh port number
right on the login window. The technique of assigning a non-standard
port for SSH is security through obscurity and is one of the first
and easiest security measures an administrator may consider.
By no means does this provide protection from the dedicated attacker
who has targeted your IP address for some reason. This is just the first
security level of hiding through obscurity from the majority of script
kiddies and their robots. You will be surprised at how effective this
really is at discouraging repeat port scan attacks and fraudulent
login attempts. You will have to open your firewall for the alternate
port number you assign to ssh for this to work.
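The authorized_keys2 assembly in step 4 of both the FBSD-client and the Win-client sections, as an added example that is not part of the mail above: a POSIX sh function that installs a client's public key file into the host user's authorized_keys2 with the format check, de-duplication and file modes that sshd expects. The function names, the home directory layout and the key files used with it are assumptions for this example, not the author's.

```shell
# Added example (not from the original mail): install a client's public key
# into the host user's authorized_keys2 as steps 4 of the FBSD-client and
# Win-client sections describe, with the format check, de-duplication and
# file modes that sshd expects. Paths and keys used with it are assumptions.

# add_authorized_key <home_dir> <pubkey_file>
# Appends every key line of <pubkey_file> to <home_dir>/.ssh/authorized_keys2
# unless that key is already present. Returns 1 on the first malformed line
# (lines before it have already been appended).
add_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys2"

    # sshd ignores the file when the directory or file is group/world
    # writable, so create both with strict modes up front.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        # A key line is "<type> <base64 blob> [comment]".
        key_type=${line%% *}
        rest=${line#* }
        blob=${rest%% *}
        case "$key_type" in              # the two key types this mail uses
            ssh-rsa|ssh-dss) ;;
            *) echo "rejected: unknown key type '$key_type'" >&2; return 1 ;;
        esac
        case "$blob" in                  # must be a base64 blob
            ''|*[!A-Za-z0-9+/=]*) echo "rejected: malformed key data" >&2; return 1 ;;
        esac
        # Skip keys already installed; compare type and blob only, since
        # the comment differs between the two copies a client may send.
        if awk -v t="$key_type" -v b="$blob" \
               '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
            continue
        fi
        printf '%s\n' "$line" >> "$auth_file"
    done < "$pubkey_file"
    return 0
}

# count_keys <home_dir>: number of key lines installed, for checking the result.
count_keys() { grep -c -E '^ssh-(rsa|dss) ' "$1/.ssh/authorized_keys2"; }
```

Run it once with the FBSD-client's id_rsa.pub and once with win_authorized_keys2.txt; a second run with the same file is a no-op instead of a duplicate line.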





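The auth.log noise the conclusion describes, as an added example that is not part of the mail above: a small sh/awk report that counts failed sshd logins per source address so the sources worth a firewall rule stand out. The log lines are constructed samples in the FreeBSD auth.log format, and the function names and threshold are assumptions for this example.

```shell
# Added example (not from the original mail): summarise the failed sshd
# logins that the conclusion says will fill auth.log once port 22 is open.
# SAMPLE_LOG holds constructed lines in the FreeBSD auth.log format; the
# function names and the threshold used below are assumptions.
SAMPLE_LOG='Feb 10 09:01:11 host sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 4021 ssh2
Feb 10 09:01:13 host sshd[813]: Failed password for invalid user test from 203.0.113.9 port 4022 ssh2
Feb 10 09:01:15 host sshd[815]: Failed password for root from 203.0.113.9 port 4023 ssh2
Feb 10 09:05:40 host sshd[820]: Accepted publickey for bob from 192.168.1.32 port 52100 ssh2
Feb 10 09:07:02 host sshd[831]: Failed password for bob from 192.168.1.32 port 52111 ssh2
Feb 10 09:12:15 host sshd[840]: Accepted publickey for bob from 192.168.1.32 port 52120 ssh2'

# failed_by_source <logfile>
# Prints "<count> <source-ip>" for every source that produced a failed
# sshd login, highest count first. Only "Failed ..." lines count; the
# accepted publickey logins from the AllowUsers address are ignored.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# noisy_sources <logfile> <threshold>
# Prints only the sources with at least <threshold> failures: the
# candidates for a firewall block rather than a single mistyped passphrase.
noisy_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage: write the constructed sample to a temp file and report on it.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    noisy_sources "$f" 3
    rm -f "$f"
}
```

Point failed_by_source at /var/log/auth.log on the host to see the same report over real traffic.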