diff options
author | Brad Davis <brd@FreeBSD.org> | 2005-07-06 15:43:00 +0000 |
---|---|---|
committer | Brad Davis <brd@FreeBSD.org> | 2005-07-06 15:43:00 +0000 |
commit | 1f8f0888366f46e210dee6d699a1581f80900959 (patch) | |
tree | f35d31f549918bb2c523a3b9af59510c287fce2c /en_US.ISO8859-1 | |
parent | 01f40f3fd5feff943eca3a8c3c83839ea0133817 (diff) |
Notes
Diffstat (limited to 'en_US.ISO8859-1')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/security/chapter.sgml | 136 |
1 files changed, 85 insertions, 51 deletions
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index cd024b8b7d..8912762803 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -4236,8 +4236,10 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D <secondary>enabling</secondary> </indexterm> - <para>Be sure to make the following addition to your - <filename>rc.conf</filename> file:</para> + <para>The <application>sshd</application> daemon is enabled by + default on &os; 4.X and is enabled or not during the + installation by the user of &os; 5.X. To see if it is + enabled, check the <filename>rc.conf</filename> file for:</para> <screen>sshd_enable="YES"</screen> <para>This will load &man.sshd.8;, the daemon program for <application>OpenSSH</application>, the next time your system initializes. Alternatively, you can @@ -4274,14 +4276,14 @@ user@example.com's password: <userinput>*******</userinput></screen> <filename>~/.ssh/known_hosts2</filename> for SSH v2 fingerprints.</para> - <para>By default, <application>OpenSSH</application> servers are configured to only accept - SSH v2 connections. The client, however, can choose - between version 1 and 2. Version 2 is known to be more robust and - secure than its predecessor.</para> - - <para>The &man.ssh.1; command can be forced to use either protocol - by passing it the <option>-1</option> or <option>-2</option> argument - for v1 and v2, respectively.</para> + <para>By default, recent versions of the + <application>OpenSSH</application> servers only accept SSH v2 + connections. The client will use version 2 if possible and + will fall back to version 1. The client can also be forced to + use one or the other by passing it the <option>-1</option> or + <option>-2</option> for version 1 or version 2, respectively. + The version 1 compatability is maintained in the client for + backwards compatability with older versions.</para> </sect2> <sect2> @@ -4335,61 +4337,93 @@ COPYRIGHT 100% |*****************************| 4735 options can provide more levels of configuration.</para> </sect2> - <sect2> + <sect2 id="security-ssh-keygen"> <title>ssh-keygen</title> <para>Instead of using passwords, &man.ssh-keygen.1; can - be used to generate RSA keys to authenticate a user:</para> - - <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>rsa1</replaceable></userinput> -Initializing random number generator... -Generating p: .++ (distance 66) -Generating q: ..............................++ (distance 498) -Computing the keys... -Key generation complete. -Enter file in which to save the key (/home/user/.ssh/identity): -Enter passphrase: -Enter the same passphrase again: -Your identification has been saved in /home/user/.ssh/identity. -...</screen> + be used to generate DSA or RSA keys to authenticate a user:</para> + + <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput> +Generating public/private dsa key pair. +Enter file in which to save the key (/home/user/.ssh/id_dsa): +Created directory '/home/user/.ssh'. +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/user/.ssh/id_dsa. +Your public key has been saved in /home/user/.ssh/id_dsa.pub. +The key fingerprint is: +bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com +</screen> <para>&man.ssh-keygen.1; will create a public and private key pair for use in authentication. The private key is stored in - <filename>~/.ssh/identity</filename>, whereas the public key is - stored in <filename>~/.ssh/identity.pub</filename>. The public - key must be placed in <filename>~/.ssh/authorized_keys</filename> - of the remote machine in order for the setup to work.</para> + <filename>~/.ssh/id_dsa</filename> or + <filename>~/.ssh/id_rsa</filename>, whereas the public key is + stored in <filename>~/.ssh/id_dsa.pub</filename> or + <filename>~/.ssh/id_rsa.pub</filename>, respectively for DSA and + RSA key types. The public key must be placed in + <filename>~/.ssh/authorized_keys</filename> of the remote + machine in order for the setup to work. Similarly, RSA version + 1 public keys should be placed in + <filename>~/.ssh/authorized_keys</filename>.</para> <para>This will allow connection to the remote machine based upon - RSA authentication instead of passwords.</para> - - <note><para>The <option>-t rsa1</option> option will create RSA - keys for use by SSH protocol version 1. If you want to use - RSA keys with the SSH protocol version 2, you have to use the - command <command>ssh-keygen -t rsa</command>.</para></note> + SSH keys instead of passwords.</para> <para>If a passphrase is used in &man.ssh-keygen.1;, the user - will be prompted for a password each time in order to use the private - key.</para> + will be prompted for a password each time in order to use the + private key. &man.ssh-agent.1; can alleviate the strain of + repeatedly entering long passphrases, and is explored in the + <xref linkend="security-ssh-agent"> section below.</para> - <para>A SSH protocol version 2 DSA key can be created for the same purpose by using - the <command>ssh-keygen -t dsa</command> command. - This will - create a public/private DSA key for use in SSH protocol version 2 sessions only. - The public key is stored in <filename>~/.ssh/id_dsa.pub</filename>, - while the private key is in <filename>~/.ssh/id_dsa</filename>.</para> + <warning><para>The various options and files can be different + according to the <application>OpenSSH</application> version + you have on your system; to avoid problems you should consult + the &man.ssh-keygen.1; manual page.</para></warning> + </sect2> + + <sect2 id="security-ssh-agent"> + <title>ssh-agent and ssh-add</title> + + <para>The &man.ssh-agent.1; and &man.ssh-add.1; utilities provide + methods for <application>SSH</application> keys to be loaded + into memory for use, without needing to type the passphrase + each time.</para> + + <para>The &man.ssh-agent.1 utility will handle the authentication + using the private key(s) that are loaded into it. + &man.ssh-agent.1; should be used to launch another application. + At the most basic level, it could spawn a shell or at a more + advanced level, a window manager.<para> + + <para>To use &man.ssh-agent.1; in a shell, first it will need to + be spawned with a shell as an argument. Secondly, the + identity needs to be added by running &man.ssh-add.1; and + providing it the passphrase for the private key. Once these + steps have been completed the user will be able to &man.ssh.1; + to any host that has the corresponding public key installed. + For example:</para> + + <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable> +&prompt.user; ssh-add +Enter passphrase for /home/user/.ssh/id_dsa: +Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa) +&prompt.user;</screen> - <para>DSA public keys are also placed in - <filename>~/.ssh/authorized_keys</filename> on the remote - machine.</para> + <para>To use &man.ssh-agent.1; in X11, a call to + &man.ssh-agent.1; will need to be placed in + <filename>~/.xinitrc</filename>. This will provide the + &man.ssh-agent.1; services to all programs launched in X11. + An example <filename>~/.xinitrc</filename> file might look + like this:</para> - <para>&man.ssh-agent.1; and &man.ssh-add.1; are - utilities used in managing multiple passworded private keys.</para> + <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting> - <warning><para>The various options and files can be different - according to the <application>OpenSSH</application> version you have on your system, to - avoid problems you should consult the &man.ssh-keygen.1; - manual page.</para></warning> + <para>This would launch &man.ssh-agent.1;, which would in turn + launch <application>XFCE</application>, every time X11 starts. + Then once that is done and X11 has been restarted so that the + changes can take effect, simply run &man.ssh-add.1; to load + all of your SSH keys.</para> </sect2> <sect2 id="security-ssh-tunneling"> |