From 1f8f0888366f46e210dee6d699a1581f80900959 Mon Sep 17 00:00:00 2001 From: Brad Davis Date: Wed, 6 Jul 2005 15:43:00 +0000 Subject: [PATCH] Finish updating the OpenSSH section and add information on how to use ssh-agent(1). --- .../books/handbook/security/chapter.sgml | 138 +++++++++++------- 1 file changed, 86 insertions(+), 52 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index cd024b8b7d..8912762803 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -4236,8 +4236,10 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D enabling - Be sure to make the following addition to your - rc.conf file: + The sshd daemon is enabled by + default on &os; 4.X and is enabled or not during the + installation by the user of &os; 5.X. To see if it is + enabled, check the rc.conf file for: sshd_enable="YES" This will load &man.sshd.8;, the daemon program for OpenSSH, the next time your system initializes. Alternatively, you can @@ -4274,14 +4276,14 @@ user@example.com's password: ******* ~/.ssh/known_hosts2 for SSH v2 fingerprints. - By default, OpenSSH servers are configured to only accept - SSH v2 connections. The client, however, can choose - between version 1 and 2. Version 2 is known to be more robust and - secure than its predecessor. - - The &man.ssh.1; command can be forced to use either protocol - by passing it the or argument - for v1 and v2, respectively. + By default, recent versions of the + OpenSSH servers only accept SSH v2 + connections. The client will use version 2 if possible and + will fall back to version 1. The client can also be forced to + use one or the other by passing it the or + for version 1 or version 2, respectively. + The version 1 compatability is maintained in the client for + backwards compatability with older versions. 
@@ -4335,61 +4337,93 @@ COPYRIGHT 100% |*****************************| 4735 options can provide more levels of configuration. - + ssh-keygen Instead of using passwords, &man.ssh-keygen.1; can - be used to generate RSA keys to authenticate a user: + be used to generate DSA or RSA keys to authenticate a user: - &prompt.user; ssh-keygen -t rsa1 -Initializing random number generator... -Generating p: .++ (distance 66) -Generating q: ..............................++ (distance 498) -Computing the keys... -Key generation complete. -Enter file in which to save the key (/home/user/.ssh/identity): -Enter passphrase: -Enter the same passphrase again: -Your identification has been saved in /home/user/.ssh/identity. -... + &prompt.user; ssh-keygen -t dsa +Generating public/private dsa key pair. +Enter file in which to save the key (/home/user/.ssh/id_dsa): +Created directory '/home/user/.ssh'. +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/user/.ssh/id_dsa. +Your public key has been saved in /home/user/.ssh/id_dsa.pub. +The key fingerprint is: +bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com + &man.ssh-keygen.1; will create a public and private key pair for use in authentication. The private key is stored in - ~/.ssh/identity, whereas the public key is - stored in ~/.ssh/identity.pub. The public - key must be placed in ~/.ssh/authorized_keys - of the remote machine in order for the setup to work. + ~/.ssh/id_dsa or + ~/.ssh/id_rsa, whereas the public key is + stored in ~/.ssh/id_dsa.pub or + ~/.ssh/id_rsa.pub, respectively for DSA and + RSA key types. The public key must be placed in + ~/.ssh/authorized_keys of the remote + machine in order for the setup to work. Similarly, RSA version + 1 public keys should be placed in + ~/.ssh/authorized_keys. This will allow connection to the remote machine based upon - RSA authentication instead of passwords. 
- - The option will create RSA - keys for use by SSH protocol version 1. If you want to use - RSA keys with the SSH protocol version 2, you have to use the - command ssh-keygen -t rsa. + SSH keys instead of passwords. If a passphrase is used in &man.ssh-keygen.1;, the user - will be prompted for a password each time in order to use the private - key. - - A SSH protocol version 2 DSA key can be created for the same purpose by using - the ssh-keygen -t dsa command. - This will - create a public/private DSA key for use in SSH protocol version 2 sessions only. - The public key is stored in ~/.ssh/id_dsa.pub, - while the private key is in ~/.ssh/id_dsa. - - DSA public keys are also placed in - ~/.ssh/authorized_keys on the remote - machine. - - &man.ssh-agent.1; and &man.ssh-add.1; are - utilities used in managing multiple passworded private keys. + will be prompted for a password each time in order to use the + private key. &man.ssh-agent.1; can alleviate the strain of + repeatedly entering long passphrases, and is explored in the + section below. The various options and files can be different - according to the OpenSSH version you have on your system, to - avoid problems you should consult the &man.ssh-keygen.1; - manual page. + according to the OpenSSH version + you have on your system; to avoid problems you should consult + the &man.ssh-keygen.1; manual page. + + + + ssh-agent and ssh-add + + The &man.ssh-agent.1; and &man.ssh-add.1; utilities provide + methods for SSH keys to be loaded + into memory for use, without needing to type the passphrase + each time. + + The &man.ssh-agent.1 utility will handle the authentication + using the private key(s) that are loaded into it. + &man.ssh-agent.1; should be used to launch another application. + At the most basic level, it could spawn a shell or at a more + advanced level, a window manager. + + To use &man.ssh-agent.1; in a shell, first it will need to + be spawned with a shell as an argument. 
Secondly, the + identity needs to be added by running &man.ssh-add.1; and + providing it the passphrase for the private key. Once these + steps have been completed the user will be able to &man.ssh.1; + to any host that has the corresponding public key installed. + For example: + + &prompt.user; ssh-agent csh +&prompt.user; ssh-add +Enter passphrase for /home/user/.ssh/id_dsa: +Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa) +&prompt.user; + + To use &man.ssh-agent.1; in X11, a call to + &man.ssh-agent.1; will need to be placed in + ~/.xinitrc. This will provide the + &man.ssh-agent.1; services to all programs launched in X11. + An example ~/.xinitrc file might look + like this: + + exec ssh-agent startxfce4 + + This would launch &man.ssh-agent.1;, which would in turn + launch XFCE, every time X11 starts. + Then once that is done and X11 has been restarted so that the + changes can take effect, simply run &man.ssh-add.1; to load + all of your SSH keys.
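Review bot: in the @@ -4236 hunk the instruction to add `sshd_enable="YES"` to rc.conf is replaced by text that only says how to check for it, so a &os; 5.X user who declined sshd during installation is no longer told what to do, and the unchanged follow-on sentence "This will load &man.sshd.8; ... the next time your system initializes" now refers to a line the reader may not have added. Suggest keeping a sentence such as "If the line is not present, add `sshd_enable="YES"` to rc.conf" before that follow-on text.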
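Review bot: in the @@ -4274 hunk "compatability" is misspelled twice (should be "compatibility"), and the closing sentence "The version 1 compatability is maintained in the client for backwards compatability with older versions" is circular. The hunk also drops the removed text's statement that version 2 is more robust and secure than its predecessor, which is the reason a reader would care that the client falls back to version 1; suggest keeping that sentence next to the new description of the fallback.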
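Review bot: in the @@ -4335 hunk the entity reference in "The &man.ssh-agent.1 utility will handle the authentication" is missing its terminating semicolon (should be `&man.ssh-agent.1;`), which will fail SGML validation. Also, "the user will be prompted for a password each time in order to use the private key" should say "passphrase", matching the "Enter passphrase" prompts shown in the ssh-keygen and ssh-add examples in the same hunk.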