Add an OpenSSH section to the security chapter.

Submitted by:	Chern Lee <chern@osd.bsdi.com>
Murray Stokely 2001-05-08 17:53:31 +00:00
parent f1e0401cda
commit 2e27f4f7b0
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=9391
2 changed files with 320 additions and 2 deletions

View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.41 2001/04/09 00:33:56 dd Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.42 2001/04/17 01:37:45 dd Exp $
-->
<chapter id="security">
@ -2674,6 +2674,165 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
</screen>
</sect2>
</sect1>
<sect1 id="openssh">
<title>OpenSSH</title>
<para><emphasis>Contributed by &a.chern;, April 21,
2001.</emphasis>
</para>
<para>Secure shell is a secure set of programs used to access a remote
machine. It can be used as a secure medium in place of rlogin, rsh,
rcp, etc. X11 connections, as well as other TCP/IP connections can
be tunnelled/forwarded securely through OpenSSH. Utilizing, RSA
public key cryptography, OpenSSH is a powerful secure alternative
over traditional utilities.
</para>
<para>The package provides secure alternatives to many <command>r*
*nix</command> commands. Namely, <command>rlogin, rcp, and
rsh</command>.
</para>
<para>OpenSSH is maintained by the OpenBSD project, and is based upon
SSH v1.2.12 with all the recent bug fixes and updates.
</para>
<para>The OpenSSH client is compatible with both SSH protocols 1 and
2.
</para>
<sect2>
<title>Advantages of using OpenSSH</title>
<para>Normally, when using <command>telnet</command> or <command>
rlogin</command>, data is sent over the network in an clear,
un-encrypted form. Network sniffers on either side, the server
or the client, or any route in between, can steal your
user/password information, and data transferred in your session.
Attackers can even hijack an existing TCP/IP connection and gain
control of your login session.
</para>
<para>With the SSH protocol, all this data is sent encrypted,
making the above impossible.
</para>
</sect2>
<sect2>
<title>Enabling sshd</title>
<para>Be sure to make the following additions to your
<filename>rc.conf</filename> file:
</para>
<screen>sshd_enable="YES"</screen>
<para>This will load the ssh daemon the next time your system inits.
</para>
</sect2>
<sect2>
<title>SSH client</title>
<para>The <command>ssh</command> utility works similarly to
<command>rlogin</command>.
</para>
<screen>&prompt.root <userinput>ssh user@foobardomain.com</userinput>
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
Host 'foobardomain.com' added to the list of known hosts.
user@foobardomain.com's password: <userinput>*******</userinput>
</screen>
<para>The login will continue just as it would have if a session was
created using rlogin or telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter 'yes' only during
the first time connecting. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in <filename>~/.ssh/known_hosts</filename>
</para>
</sect2>
<sect2>
<title>Secure copy</title>
<para>The <command>scp</command> command works similarly to rcp; it copies a
file off a remote machine, except in a secure fashion.</para>
<screen>&prompt.root <userinput> scp user@foobardomain.com:/COPYRIGHT COPYRIGHT</userinput>
user@foobardomain.com's password:
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.root
</screen>
<para>Since the fingerprint was already saved for this host in the
previous example, it is verified when using <command>scp</command>
here.
</para>
</sect2>
<sect2>
<title>Configuration</title>
<para>The system-wide configuration files for both the OpenSSH
daemon and client reside within the <filename>/etc/ssh</filename>
directory.
</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures the
daemon.
</para>
</sect2>
<sect2>
<title>ssh-keygen</title>
<para>Instead of using passwords, <command>ssh-keygen</command> can
be used to generate RSA keys to authenticate a user.
</para>
<screen>&prompt.user<userinput> ssh-keygen</userinput>
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...
</screen>
<para><command>ssh-keygen</command> will create a public and private
key pair for use in authentication. The private key is stored in
<filename>~/.ssh/identity</filename>, whereas the public key is
stored in <filename>~/.ssh/identity.pub</filename>. The public
key must be placed in <filename>~/.ssh/authorized_keys</filename>
of the remote machine in order for the setup to work.
</para>
<para>This will allow connection to the remote machine based upon
RSA authentication, not password.
</para>
<para>If a passphrase is used in <command>ssh-keygen</command>, the user
will be prompted for a password each time in order to use the private
key.
</para>
<para><command>ssh-agent</command> and <command>ssh-add</command> are
utilities used in managing multiple passworded private keys.
</para>
</sect2>
<sect2>
<title>Further Reading</title>
<para><ulink url="http://www.openssh.com">OpenSSH</ulink></para>
<para>&man.ssh.1 &man.scp.1 &man.ssh-keygen.1
&man.ssh-agent.1 &man.ssh-add.1</para>
<para>&man.sshd.8 &man.sftp-server.8</para>
</sect2>
</sect1>
</chapter>
<!--
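Review bot: the sentence "With the SSH protocol, all this data is sent encrypted, making the above impossible." in the "Advantages of using OpenSSH" subsection overstates what encryption buys, and it sits badly next to the "SSH client" example two screens later, where the user simply answers `yes` to "Host key not found from the list of known hosts." An attacker positioned to hijack a TCP session can just as well sit in the middle of that first connection, and nothing in the text tells the reader to compare the presented host key with one obtained out of band before accepting it. Suggest weakening the claim to "makes this considerably harder" and adding one sentence after "The user is prompted to enter 'yes' only during the first time connecting." stating that the key should be verified with the server's administrator before it is saved to ~/.ssh/known_hosts. Three smaller points in the same region: the entity references in the `<screen>` blocks and in "Further Reading" (`&prompt.root <userinput>`, `&prompt.user<userinput>`, `&man.ssh.1 &man.scp.1`) all omit the closing semicolon that the rest of this chapter uses (`&prompt.root;`); that relies on SGML's optional reference end and is not valid XML, so it should be fixed now. "This will allow connection to the remote machine based upon RSA authentication, not password." reads as if installing a key disables password logins, which it does not; sshd still accepts passwords unless `PasswordAuthentication no` is set in sshd_config, and that is worth saying in the "Configuration" subsection. Finally, under "ssh-keygen", "the user will be prompted for a password each time" should read "passphrase" to match the prompt shown in the screen above it, and the example only produces a protocol 1 key (~/.ssh/identity) even though the introduction advertises protocol 2 support, so that limitation should be stated or the protocol 2 key files mentioned.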
