aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1
diff options
context:
space:
mode:
authorBrad Davis <brd@FreeBSD.org>2005-07-06 15:43:00 +0000
committerBrad Davis <brd@FreeBSD.org>2005-07-06 15:43:00 +0000
commit1f8f0888366f46e210dee6d699a1581f80900959 (patch)
treef35d31f549918bb2c523a3b9af59510c287fce2c /en_US.ISO8859-1
parent01f40f3fd5feff943eca3a8c3c83839ea0133817 (diff)
Notes
Diffstat (limited to 'en_US.ISO8859-1')
-rw-r--r--en_US.ISO8859-1/books/handbook/security/chapter.sgml136
1 files changed, 85 insertions, 51 deletions
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index cd024b8b7d..8912762803 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -4236,8 +4236,10 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
<secondary>enabling</secondary>
</indexterm>
- <para>Be sure to make the following addition to your
- <filename>rc.conf</filename> file:</para>
+ <para>The <application>sshd</application> daemon is enabled by
+ default on &os; 4.X and is enabled or not during the
+ installation by the user of &os; 5.X. To see if it is
+ enabled, check the <filename>rc.conf</filename> file for:</para>
<screen>sshd_enable="YES"</screen>
<para>This will load &man.sshd.8;, the daemon program for <application>OpenSSH</application>,
the next time your system initializes. Alternatively, you can
@@ -4274,14 +4276,14 @@ user@example.com's password: <userinput>*******</userinput></screen>
<filename>~/.ssh/known_hosts2</filename> for SSH v2
fingerprints.</para>
- <para>By default, <application>OpenSSH</application> servers are configured to only accept
- SSH v2 connections. The client, however, can choose
- between version 1 and 2. Version 2 is known to be more robust and
- secure than its predecessor.</para>
-
- <para>The &man.ssh.1; command can be forced to use either protocol
- by passing it the <option>-1</option> or <option>-2</option> argument
- for v1 and v2, respectively.</para>
+ <para>By default, recent versions of the
+ <application>OpenSSH</application> servers only accept SSH v2
+ connections. The client will use version 2 if possible and
+ will fall back to version 1. The client can also be forced to
+ use one or the other by passing it the <option>-1</option> or
+ <option>-2</option> for version 1 or version 2, respectively.
+ The version 1 compatability is maintained in the client for
+ backwards compatability with older versions.</para>
</sect2>
<sect2>
@@ -4335,61 +4337,93 @@ COPYRIGHT 100% |*****************************| 4735
options can provide more levels of configuration.</para>
</sect2>
- <sect2>
+ <sect2 id="security-ssh-keygen">
<title>ssh-keygen</title>
<para>Instead of using passwords, &man.ssh-keygen.1; can
- be used to generate RSA keys to authenticate a user:</para>
-
- <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>rsa1</replaceable></userinput>
-Initializing random number generator...
-Generating p: .++ (distance 66)
-Generating q: ..............................++ (distance 498)
-Computing the keys...
-Key generation complete.
-Enter file in which to save the key (/home/user/.ssh/identity):
-Enter passphrase:
-Enter the same passphrase again:
-Your identification has been saved in /home/user/.ssh/identity.
-...</screen>
+ be used to generate DSA or RSA keys to authenticate a user:</para>
+
+ <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
+Generating public/private dsa key pair.
+Enter file in which to save the key (/home/user/.ssh/id_dsa):
+Created directory '/home/user/.ssh'.
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/user/.ssh/id_dsa.
+Your public key has been saved in /home/user/.ssh/id_dsa.pub.
+The key fingerprint is:
+bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com
+</screen>
<para>&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
- <filename>~/.ssh/identity</filename>, whereas the public key is
- stored in <filename>~/.ssh/identity.pub</filename>. The public
- key must be placed in <filename>~/.ssh/authorized_keys</filename>
- of the remote machine in order for the setup to work.</para>
+ <filename>~/.ssh/id_dsa</filename> or
+ <filename>~/.ssh/id_rsa</filename>, whereas the public key is
+ stored in <filename>~/.ssh/id_dsa.pub</filename> or
+ <filename>~/.ssh/id_rsa.pub</filename>, respectively for DSA and
+ RSA key types. The public key must be placed in
+ <filename>~/.ssh/authorized_keys</filename> of the remote
+ machine in order for the setup to work. Similarly, RSA version
+ 1 public keys should be placed in
+ <filename>~/.ssh/authorized_keys</filename>.</para>
<para>This will allow connection to the remote machine based upon
- RSA authentication instead of passwords.</para>
-
- <note><para>The <option>-t rsa1</option> option will create RSA
- keys for use by SSH protocol version 1. If you want to use
- RSA keys with the SSH protocol version 2, you have to use the
- command <command>ssh-keygen -t rsa</command>.</para></note>
+ SSH keys instead of passwords.</para>
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
- will be prompted for a password each time in order to use the private
- key.</para>
+ will be prompted for a password each time in order to use the
+ private key. &man.ssh-agent.1; can alleviate the strain of
+ repeatedly entering long passphrases, and is explored in the
+ <xref linkend="security-ssh-agent"> section below.</para>
- <para>A SSH protocol version 2 DSA key can be created for the same purpose by using
- the <command>ssh-keygen -t dsa</command> command.
- This will
- create a public/private DSA key for use in SSH protocol version 2 sessions only.
- The public key is stored in <filename>~/.ssh/id_dsa.pub</filename>,
- while the private key is in <filename>~/.ssh/id_dsa</filename>.</para>
+ <warning><para>The various options and files can be different
+ according to the <application>OpenSSH</application> version
+ you have on your system; to avoid problems you should consult
+ the &man.ssh-keygen.1; manual page.</para></warning>
+ </sect2>
+
+ <sect2 id="security-ssh-agent">
+ <title>ssh-agent and ssh-add</title>
+
+ <para>The &man.ssh-agent.1; and &man.ssh-add.1; utilities provide
+ methods for <application>SSH</application> keys to be loaded
+ into memory for use, without needing to type the passphrase
+ each time.</para>
+
+ <para>The &man.ssh-agent.1 utility will handle the authentication
+ using the private key(s) that are loaded into it.
+ &man.ssh-agent.1; should be used to launch another application.
+ At the most basic level, it could spawn a shell or at a more
+ advanced level, a window manager.<para>
+
+ <para>To use &man.ssh-agent.1; in a shell, first it will need to
+ be spawned with a shell as an argument. Secondly, the
+ identity needs to be added by running &man.ssh-add.1; and
+ providing it the passphrase for the private key. Once these
+ steps have been completed the user will be able to &man.ssh.1;
+ to any host that has the corresponding public key installed.
+ For example:</para>
+
+ <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
+&prompt.user; ssh-add
+Enter passphrase for /home/user/.ssh/id_dsa:
+Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
+&prompt.user;</screen>
- <para>DSA public keys are also placed in
- <filename>~/.ssh/authorized_keys</filename> on the remote
- machine.</para>
+ <para>To use &man.ssh-agent.1; in X11, a call to
+ &man.ssh-agent.1; will need to be placed in
+ <filename>~/.xinitrc</filename>. This will provide the
+ &man.ssh-agent.1; services to all programs launched in X11.
+ An example <filename>~/.xinitrc</filename> file might look
+ like this:</para>
- <para>&man.ssh-agent.1; and &man.ssh-add.1; are
- utilities used in managing multiple passworded private keys.</para>
+ <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
- <warning><para>The various options and files can be different
- according to the <application>OpenSSH</application> version you have on your system, to
- avoid problems you should consult the &man.ssh-keygen.1;
- manual page.</para></warning>
+ <para>This would launch &man.ssh-agent.1;, which would in turn
+ launch <application>XFCE</application>, every time X11 starts.
+ Then once that is done and X11 has been restarted so that the
+ changes can take effect, simply run &man.ssh-add.1; to load
+ all of your SSH keys.</para>
</sect2>
<sect2 id="security-ssh-tunneling">