Initial prep work for OpenSSH chapter.

Divide sections into client stuff and server stuff.
Still needs an editorial review and the last 2 hanging sub-sections
need to be incorporated.

Sponsored by: iXsystems
Dru Lavigne 2014-03-21 19:53:55 +00:00
parent 3c001b2545
commit 5680cdf3b7
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44322


@ -2514,42 +2514,15 @@ racoon_enable="yes"</programlisting>
compatible with both <acronym>SSH</acronym> version 1 and 2 compatible with both <acronym>SSH</acronym> version 1 and 2
protocols.</para> protocols.</para>
<sect2>
<title>Advantages of Using
<application>OpenSSH</application></title>
<para>When data is sent over the network in an unencrypted form, <para>When data is sent over the network in an unencrypted form,
network sniffers anywhere in between the client and server network sniffers anywhere in between the client and server
can steal user/password information or data transferred can steal user/password information or data transferred
during the session. <application>OpenSSH</application> offers during the session. <application>OpenSSH</application> offers
a variety of authentication and encryption methods to prevent a variety of authentication and encryption methods to prevent
this from happening.</para> this from happening.</para>
</sect2>
<sect2> <sect2>
<title>Enabling the SSH Server</title> <title>Using the SSH Client Utilities</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>enabling</secondary>
</indexterm>
<para>To see if &man.sshd.8; is enabled, check
<filename>/etc/rc.conf</filename> for this line:</para>
<programlisting>sshd_enable="YES"</programlisting>
<para>This will start &man.sshd.8;, the daemon program for
<application>OpenSSH</application>, the next time the system
initializes. Alternatively, it is possible to use
&man.service.8; to start <application>OpenSSH</application>
now:</para>
<screen>&prompt.root; <userinput>service sshd start</userinput></screen>
</sect2>
<sect2>
<title>The SSH Client</title>
<indexterm> <indexterm>
<primary>OpenSSH</primary> <primary>OpenSSH</primary>
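Review bot: dropping the `Advantages of Using OpenSSH` `<sect2>` wrapper and its `<title>` while keeping the sniffer paragraph turns that paragraph into the tail of the chapter introduction, after which the text jumps straight into the renamed `Using the SSH Client Utilities` section with nothing telling the reader that the chapter is now split into a client half and a server half. Suggest one lead-in sentence before the new `<sect2>` stating that split, since that is the whole point of the reorganisation. The `Enabling the SSH Server` block removed here is re-added further down the file, so no content is lost in this hunk.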
@ -2584,10 +2557,6 @@ user@example.com's password: <userinput>*******</userinput></screen>
1 or version 2, respectively. The version 1 compatibility is 1 or version 2, respectively. The version 1 compatibility is
maintained in the client for backwards compatibility with maintained in the client for backwards compatibility with
older versions.</para> older versions.</para>
</sect2>
<sect2>
<title>Secure Copy</title>
<indexterm> <indexterm>
<primary>OpenSSH</primary> <primary>OpenSSH</primary>
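Review bot: removing `<sect2>` and `<title>Secure Copy</title>` leaves the `scp` material running on inside the client section with only the retained `<indexterm>` marking where it starts, so it disappears from the table of contents. If a flat client section is intended, a `<sect3><title>Secure Copy</title>` wrapper (the same level this commit uses for key-based authentication) keeps the heading readers navigate to without reintroducing a top-level section.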
@ -2617,28 +2586,9 @@ COPYRIGHT 100% |*****************************| 4735
<acronym>SSH</acronym>, connection, one or more of the file <acronym>SSH</acronym>, connection, one or more of the file
arguments takes the form arguments takes the form
<option>user@host:&lt;path_to_remote_file&gt;</option>.</para> <option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
</sect2>
<sect2> <sect3 xml:id="security-ssh-keygen">
<title>Configuration</title> <title>Key-based Authentication</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>configuration</secondary>
</indexterm>
<para>The system-wide configuration files for both the
<application>OpenSSH</application> daemon and client reside
in <filename>/etc/ssh</filename>.</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures
the daemon. Each file has its own manual page which describes
the available configuration options.</para>
</sect2>
<sect2 xml:id="security-ssh-keygen">
<title>&man.ssh-keygen.1;</title>
<para>Instead of using passwords, &man.ssh-keygen.1; can be used <para>Instead of using passwords, &man.ssh-keygen.1; can be used
to generate <acronym>DSA</acronym> or <acronym>RSA</acronym> to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
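Review bot: retitling `&man.ssh-keygen.1;` as `Key-based Authentication` and demoting it to `<sect3>` under the client section is sensible, but the first paragraph still opens with the tool ("Instead of using passwords, ssh-keygen can be used to generate DSA or RSA ...") rather than with the concept the new title promises. Consider a leading sentence explaining that a key pair replaces the password and that the public half is what gets installed on the server, then the `ssh-keygen` instructions follow naturally. Since the `xml:id` is preserved, existing `<xref linkend="security-ssh-keygen"/>` references keep working.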
@ -2690,23 +2640,15 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
that host <acronym>IP</acronym>.</para> that host <acronym>IP</acronym>.</para>
</warning> </warning>
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for the passphrase each time in order to use
the private key. &man.ssh-agent.1; can alleviate the strain
of repeatedly entering long passphrases, and is explored in
<xref linkend="security-ssh-agent"/>.</para>
<warning> <warning>
<para>The various options and files can be different according <para>The various options and files can be different according
to the <application>OpenSSH</application> version. To avoid to the <application>OpenSSH</application> version. To avoid
problems, consult &man.ssh-keygen.1;.</para> problems, consult &man.ssh-keygen.1;.</para>
</warning> </warning>
</sect2>
<sect2 xml:id="security-ssh-agent"> <para>If a passphrase is used in &man.ssh-keygen.1;, the user
<title>Using SSH Agent to Cache Keys</title> will be prompted for the passphrase each time in order to use
the private key. To load <acronym>SSH</acronym> keys into memory for use,
<para>To load <acronym>SSH</acronym> keys into memory for use,
without needing to type the passphrase each time, use without needing to type the passphrase each time, use
&man.ssh-agent.1; and &man.ssh-add.1;.</para> &man.ssh-agent.1; and &man.ssh-add.1;.</para>
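Review bot: this hunk deletes `<sect2 xml:id="security-ssh-agent">`, which removes a link target, and the `<xref linkend="security-ssh-agent"/>` deleted a few lines above it is only the one reference visible here; grep the tree for `linkend="security-ssh-agent"` before committing and, if anything else points at it, add an `<anchor xml:id="security-ssh-agent"/>` in front of the merged paragraph so the build does not fail. The merged paragraph itself (passphrase prompt followed directly by the `ssh-agent`/`ssh-add` remedy) reads better than the two separate ones it replaces, and placing it after the version `<warning>` is fine.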
@ -2745,9 +2687,9 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<application>&xorg;</application> has been restarted so that <application>&xorg;</application> has been restarted so that
the changes can take effect, run &man.ssh-add.1; to load all the changes can take effect, run &man.ssh-add.1; to load all
of the <acronym>SSH</acronym> keys.</para> of the <acronym>SSH</acronym> keys.</para>
</sect2> </sect3>
<sect2 xml:id="security-ssh-tunneling"> <sect3 xml:id="security-ssh-tunneling">
<title><acronym>SSH</acronym> Tunneling</title> <title><acronym>SSH</acronym> Tunneling</title>
<indexterm> <indexterm>
@ -2850,11 +2792,7 @@ Escape character is '^]'.
run as a separate user.</para> run as a separate user.</para>
</example> </example>
<sect3> <example>
<title>Practical <acronym>SSH</acronym> Tunneling
Examples</title>
<sect4>
<title>Secure Access of a POP3 Server</title> <title>Secure Access of a POP3 Server</title>
<para>In this example, there is an <acronym>SSH</acronym> <para>In this example, there is an <acronym>SSH</acronym>
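Review bot: replacing the `Practical SSH Tunneling Examples` `<sect3>`/`<sect4>` hierarchy with `<example>` elements matches the `</example>` that closes just above, but it leaves two `<example>` blocks back to back with no prose between them, so the numbered examples appear unannounced. Suggest a short `<para>` after the first example's close that introduces the practical examples; the deleted `<title>` text is essentially that sentence already.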
@ -2873,9 +2811,9 @@ user@ssh-server.example.com's password: <userinput>******</userinput></screen>
<systemitem>localhost</systemitem> on port 2110. This <systemitem>localhost</systemitem> on port 2110. This
connection will be forwarded securely across the tunnel to connection will be forwarded securely across the tunnel to
<systemitem>mail.example.com</systemitem>.</para> <systemitem>mail.example.com</systemitem>.</para>
</sect4> </example>
<sect4> <example>
<title>Bypassing a Draconian Firewall</title> <title>Bypassing a Draconian Firewall</title>
<para>Some network administrators impose firewall rules <para>Some network administrators impose firewall rules
@ -2897,12 +2835,30 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
8888, which will be forwarded over to 8888, which will be forwarded over to
<systemitem>music.example.com</systemitem> on port 8000, <systemitem>music.example.com</systemitem> on port 8000,
successfully bypassing the firewall.</para> successfully bypassing the firewall.</para>
</sect4> </example>
</sect3> </sect3>
</sect2> </sect2>
<sect2> <sect2>
<title>The <varname>AllowUsers</varname> Option</title> <title>Enabling the SSH Server</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>enabling</secondary>
</indexterm>
<para>To see if &man.sshd.8; is enabled, check
<filename>/etc/rc.conf</filename> for this line:</para>
<programlisting>sshd_enable="YES"</programlisting>
<para>This will start &man.sshd.8;, the daemon program for
<application>OpenSSH</application>, the next time the system
initializes. Alternatively, it is possible to use
&man.service.8; to start <application>OpenSSH</application>
now:</para>
<screen>&prompt.root; <userinput>service sshd start</userinput></screen>
<para>It is often a good idea to limit which users can log in <para>It is often a good idea to limit which users can log in
and from where using <literal>AllowUsers</literal>. For and from where using <literal>AllowUsers</literal>. For
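Review bot: the new `Enabling the SSH Server` section runs directly from `service sshd start` into the `AllowUsers` instructions, which have the reader edit `sshd_config`, but the sentence that says where `sshd_config` lives (`/etc/ssh`) only arrives in the `Configuration` section placed after this one. Either move that section ahead of this one or name the file path here, before the `AllowUsers` paragraph, so the reader is not editing a file that has not been introduced yet. Carrying the `<secondary>enabling</secondary>` index term along with the moved block is correct.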
@ -2935,6 +2891,24 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<screen>&prompt.root; <userinput>service sshd reload</userinput></screen> <screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
</sect2> </sect2>
<sect2>
<title>Configuration</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>configuration</secondary>
</indexterm>
<para>The system-wide configuration files for both the
<application>OpenSSH</application> daemon and client reside
in <filename>/etc/ssh</filename>.</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures
the daemon. Each file has its own manual page which describes
the available configuration options.</para>
</sect2>
<sect2> <sect2>
<title>Further Reading</title> <title>Further Reading</title>
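Review bot: the re-added `Configuration` section now sits in the server half, yet its second paragraph covers both files, and `ssh_config configures the client settings` belongs with the client utilities under the client/server split this commit is making. Suggest keeping the `/etc/ssh` and `sshd_config` sentences here and moving the `ssh_config` sentence (or a copy of it) into the client `<sect2>`. It would also help to state next to `service sshd reload`, shown just above this section, that the reload is what applies `sshd_config` edits, since that is the reader's immediate question after changing `AllowUsers`.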