Thanks Alex, will try it out tomorrow. Off to bed, very tired. Kudos to all who make this possible and yourself for sharing it with others!
Regards,
Matthew
Australia

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alex Rhomberg
Sent: Wednesday, 8 October 2003 9:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [leaf-user] Public Key SSH access

> Alex can you please share how you get public key access to your LEAF
> firewall, I am interested in doing this to expand my knowledge of ssh and
> shared key management plus making my access to it easier I am getting sick
> of password access.

Sure

The main benefits of public key access are
- improved security (need private key and passphrase)
- different passphrases for different users
- same password on different firewalls for each user, but
- different users get root access to different firewalls.
- No root passwords
- ssh-agent

What we did:

1. Change /etc/ssh/sshd_config:

    Protocol 2 #Protocol 1 is not secure
    AuthorizedKeysFile /etc/ssh/pubkeys/%u.pub #Root Pubkeys are in /etc/ssh/pubkeys/root.pub
    HostbasedAuthentication no #We don't do this
    PasswordAuthentication no #no passwords

2. Create keypairs on your workstation. Do not share keypairs between persons.
See ssh-keygen http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen
You can also create a key in PuTTY

3. Append the publickey(s) to /etc/ssh/pubkeys/root.pub on your firewall.
With OpenSSH, the pubkey usually is in ~/.ssh/id_rsa.pub
Our root.pub looks like

    ssh-rsa AAAAB3NzaC1yc2a<snip> hans
    ssh-rsa AAAAB3NzaC1yc2b<snip> peter
    ssh-rsa AAAAB3NzaC1yc2c<snip> fritz

4. Profit!!

HTH
Alex

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
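
Added example, not part of the original thread or of LEAF's own tooling: a shell check for steps 1 to 3 above, reading an sshd_config for the settings Alex lists and a key file like root.pub for repeated keys or entries with no owner name. The function names and the sample files are constructed for illustration, and the key file is assumed to hold one key per line without an options prefix.

```shell
#!/bin/sh
# Added example (not from the thread): audit the setup from steps 1-3.
# Assumes whitespace-separated "Keyword value" lines and key lines with no
# options prefix, as in the root.pub shown in the mail.

# Global value of an sshd_config keyword: the first occurrence wins, and
# everything after the first Match line is conditional, so stop there.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }' "$1"
}

# Flag settings that differ from step 1; status 1 if anything was flagged.
audit_sshd() {  # $1 = config file
    rc=0
    [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication is not set to no"; rc=1; }
    case "$(sshd_opt "$1" Protocol)" in
        ''|2) ;;  # unset is accepted: current OpenSSH only speaks protocol 2
        *) echo "Protocol allows more than version 2"; rc=1 ;;
    esac
    [ -n "$(sshd_opt "$1" AuthorizedKeysFile)" ] ||
        { echo "AuthorizedKeysFile not set: keys come from home directories"; rc=1; }
    return $rc
}

# Flag key lines with no owner comment or a key blob that is already listed.
audit_keys() {  # $1 = key file; status 1 if anything was flagged
    awk '/^[ \t]*(#|$)/ { next }
        NF < 3     { print "line " NR ": no owner comment"; bad = 1 }
        seen[$2]++ { print "line " NR ": same key as line " first[$2]; bad = 1 }
        !first[$2] { first[$2] = NR }
        END { exit bad + 0 }' "$1"
}

# Constructed sample input: the step 1 settings and a key file with two faults.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Protocol 2' 'AuthorizedKeysFile /etc/ssh/pubkeys/%u.pub' \
        'HostbasedAuthentication no' 'PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' 'ssh-rsa AAAAsampleblob1 hans' 'ssh-rsa AAAAsampleblob2 peter' \
        'ssh-rsa AAAAsampleblob1 fritz' 'ssh-rsa AAAAsampleblob3' > "$d/root.pub"
    audit_sshd "$d/sshd_config" && echo "sshd_config: ok"
    audit_keys "$d/root.pub" || echo "root.pub: fix the lines above"
    rm -rf "$d"
}
demo
```

On the firewall itself the two audit functions would be pointed at /etc/ssh/sshd_config and /etc/ssh/pubkeys/root.pub after each change to the key file.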
