Gustav,
>Well, I wanted to replace rsh, rlogin, telnet and ftp within my small
>home LAN. (Currently 7 PCs with two more in the pipeline.)
An admirable goal. ;-) I don't have any of the r* services installed on
any of my servers and ftp is only allowed on one and only from specific
hosts. Be sure to comment all the r* services out of /etc/inetd.conf and
remove the associated packages once ssh is up and running.
>Especially, I want to use ssh as the only way to login to my Internet
>Gateway (that I'm right now configuring for use with ADSL within a month
>or two). The Gateway PC (486-DX266) currently runs without keyboard,
>mouse or monitor. It's on an over-dimensioned UPS and should 'never'
>need to be shut down. (Touch wood. ;-)
A good plan, but why no monitor/mouse/keyboard?
>Let me mention that I'm an old pgp/gpg user so I have a decent
>understanding of asymmetric public key data encryption, even though I'm
>far from an expert. I've been called a 'power user' of pgp, but that might
>be an exaggeration. :-)
>
>I've already installed openssh, openssh-server and openssl (latest .rpm
>versions from the openssh site) on the Gateway machine (the server).
>I've also installed openssh, openssh-clients and openssl on a 'client'
>PC in my LAN.
>
>I configured openssh-server to use ssh protocol 2 only.
>
>The first time I tried to connect to my server, using ssh, it asked me if I
>wanted to accept the key from the server with a specific fingerprint. I
>compared the fingerprint against the DSA fingerprint that was provided
>during key generation on the server while installing the openssh server
>part. It was the same, so I accepted. The information about the foreign
>host was now stored in my ~/.ssh/known_hosts2 file.
>
>Q: I've understood from the documentation that this could be done
>'centrally' on the client PC, so that all users on the client PC could
>benefit from knowing the server as a 'known host', and this
>way avoid *every* local user on the client PC having to know (and
>verify) the server. How is this supposed to be achieved?
According to the documentation, you can use /etc/ssh_known_hosts (ssh1) &
/etc/ssh_known_hosts2 (ssh2) for global lists of known
hosts. ~/.ssh/known_hosts is maintained automatically but I'd guess that
as long as you have the global files they'll get read first. You may also
need to turn "RhostsRSAAuthentication" on as well. You can also use
"IgnoreUserKnownHosts" if you don't want to use ~/.ssh/known_hosts at
all. (These options go in sshd's config file - /etc/ssh/sshd_config)
>Q: From what I've understood, the most secure way of using (open)ssh is
>to use RSA authentication only. (Correct?) How do I set that up to
>happen?
If you're using strictly ssh2, I *think* you'll need to use DSA
authentication rather than RSA authentication, although the procedure is
pretty much the same:
1) On the client, run ssh-keygen (use the -d switch to generate a DSA
key). This creates the following files in ~/.ssh
identity (ssh1 private key)
identity.pub (ssh1 public key)
id_dsa (ssh2 private key)
id_dsa.pub (ssh2 public key)
Since you've used pgp/gpg these should be somewhat familiar to you. The
passphrase is entirely optional and you may wonder why anyone *wouldn't*
use one (see below).
2) The identity.pub and/or id_dsa.pub files need to be appended to the
server's (the server you want to ssh *to* that is) ~/.ssh/authorized_keys
and ~/.ssh/authorized_keys2 respectively. Create these files if necessary
and *make sure* the permissions are 0600. ssh is pretty picky about
ownership/permissions for files in ~/.ssh, but it never hurts to make sure.
Doing this effectively creates a one-way trust between this combination of
user, client & server. If you need to ssh from server to client you'll
need to do the reverse. Hope this makes sense. It can be a bit confusing
the first time.
To passphrase, or not to passphrase, that is the question? (Ok, bad pun...
<grin>)
Since ssh is designed to replace the r* commands and they can be set up to
not require a password (normally through rhosts.equiv), ssh can do the same
but it uses RSA/DSA authentication, which is much safer than rhosts. This
comes in handy if you want to ssh between servers without having to enter
either a password or passphrase every time. It also comes in handy if you
use ssh as the transport mechanism for things like rsync or building a vpn.
The RSA/DSA authentication method creates a unique "trust" between
user/client/server and in theory won't work for any other
combination. Even keeping the user the same and switching client & server
requires a different combination of keys. I leave it to you to decide if
you want to use a passphrase or not.
You also asked about accepting RSA/DSA authentication only.
I think setting "PasswordAuthentication" to no in /etc/ssh/sshd_config will
prevent regular password authentication.
>Enough for this time. :-)
Hope this is enough to get you started. ;-)
-Eric
Eric Sisler
Library Computer Technician
Westminster Public Library
Westminster, CO, USA
[EMAIL PROTECTED]
Linux - don't fear the Penguin.
Want to know what we use Linux for?
Visit http://gromit.westminster.lib.co.us/linux
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
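The following shell script is an added example, not part of the thread above, illustrating step 2 of the reply (appending a public key to the server-side authorized_keys file and getting the 0600 permissions right) together with the sshd_config settings the reply recommends (Protocol 2 only, PasswordAuthentication no). The file name authorized_keys2 is used to match the thread's ssh2 convention; every path, the scratch directory and the sample key line are constructed for the demo, and the helper names (install_pubkey, audit_sshd_config, perms) are my own, not OpenSSH commands.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates installing a
# public key into a user's authorized_keys file with the permissions sshd
# expects, and auditing an sshd_config for "Protocol 2" and
# "PasswordAuthentication no". All sample files are constructed.

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the key once (re-running is a no-op), creates the file if needed,
# and enforces 0700 on the .ssh directory and 0600 on the keys file.
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")
    [ -f "$pubkey_file" ] || { echo "missing public key $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # Match on key type + key blob only, so a different trailing comment
    # does not lead to a duplicate line.
    key_blob=$(awk '{print $1, $2}' "$pubkey_file")
    if grep -qF -- "$key_blob" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        cat "$pubkey_file" >> "$auth_keys"
        echo "key appended to $auth_keys"
    fi
}

# count_keys AUTHORIZED_KEYS_FILE: number of key lines in the file
count_keys() {
    grep -c '^ssh-' "$1"
}

# perms PATH: permission bits in octal; works with GNU and BSD stat
perms() {
    if stat -c %a "$1" >/dev/null 2>&1; then
        stat -c %a "$1"
    else
        stat -f %Lp "$1"
    fi
}

# sshd_setting CONFIG KEYWORD: effective value of KEYWORD, lowercased.
# sshd uses the first occurrence of a keyword, so we stop at the first
# non-comment match; prints "unset" if the keyword never appears.
# (Only the "Keyword value" form is handled, not "Keyword=value".)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        { if (tolower($1) == key) { print tolower($2); found = 1; exit } }
        END { if (!found) print "unset" }' "$1"
}

# audit_sshd_config CONFIG: returns 0 when password logins are disabled and
# only protocol 2 is enabled, 1 otherwise (reasons go to stderr).
audit_sshd_config() {
    ok=0
    pw=$(sshd_setting "$1" PasswordAuthentication)
    proto=$(sshd_setting "$1" Protocol)
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '$pw', expected no" >&2; ok=1; }
    [ "$proto" = "2" ] || { echo "Protocol is '$proto', expected 2" >&2; ok=1; }
    return $ok
}

# Demo run against constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed public key in authorized_keys format; the blob is not a real key.
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBdemoKEYblobNOTreal== gustav@client\n' > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/home/gustav/.ssh/authorized_keys2"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/home/gustav/.ssh/authorized_keys2"   # no-op
    echo "authorized_keys2 mode: $(perms "$tmp/home/gustav/.ssh/authorized_keys2")"
    printf 'Protocol 2\n# PasswordAuthentication yes\nPasswordAuthentication no\n' > "$tmp/sshd_config"
    audit_sshd_config "$tmp/sshd_config" && echo "sshd_config passes audit"
    rm -rf "$tmp"
}

demo
```

The first occurrence of a keyword wins in sshd_config, which is why the audit stops at the first non-comment match rather than the last: a "PasswordAuthentication yes" left near the top of the file silently overrides a "no" added at the bottom.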