On Wed, Aug 13, 2003 at 01:41:19PM +1000, [EMAIL PROTECTED] wrote:
> Is there a good information resource on setting up host keys and user
> keys? I find the man pages don't quite describe how to do that, and
> nor do the FAQs I could find via Google or on the OpenSSH web site.
If you're using Redhat, just install the openssh-server packages. The
host keys are generated when the package is installed. Other distros
may do something similar.
Otherwise just generate them with ssh-keygen just as you would a user
key:
ssh-keygen -t key_type -f filename
where key_type is rsa1 for ssh version 1 and rsa or dsa for ssh version
2. filename is the name of the file in which the keys are saved - the
private key is in filename and the public key is in filename.pub. Host
keys are normally in /etc/sshd:
[EMAIL PROTECTED] ~]$ ls -l /etc/ssh/
total 102
-rw------- 1 root root 88039 Jun 27 2002 moduli
-rw-r--r-- 1 root root 1359 Apr 15 11:09 ssh_config
-rw-r--r-- 1 root root 1167 Apr 5 2002 ssh_config.save
-rw------- 1 root root 668 Oct 3 2002 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 Oct 3 2002 ssh_host_dsa_key.pub
-rw------- 1 root root 515 Oct 4 2002 ssh_host_key
-rw-r--r-- 1 root root 319 Oct 4 2002 ssh_host_key.pub
-rw------- 1 root root 887 Oct 4 2002 ssh_host_rsa_key
-rw-r--r-- 1 root root 210 Oct 4 2002 ssh_host_rsa_key.pub
-rw------- 1 root root 1896 Aug 5 16:34 sshd_config
ssh_host_key and ssh_host_key.pub is the v1 key, ssh_host_dsa_key and
ssh_host_dsa_key.pub is the v2 dsa key and ssh_host_rsa_key and
ssh_host_rsa_key.pub is the v2 rsa key.
User keys should be in ~/.ssh. This directory must be owned by the
user and be mode 700. Private key files and the authorised keys file
must be mode 600.
The authorised keys file contains the public keys (one per line) that
this user is allowed to login with, along with any restrictions on the
use of that key (e.g. from, command, port forwarding). To allow the
user to login with their normal shell, just append the user's public key
to the file. This only applies to rsa/dsa authentication, so if you
want to enforce restrictions, disable password authentication. See the
sshd man page for more info.
Cheers,
John
--
whois [EMAIL PROTECTED]
GPG key id: 0xD59C360F
http://kirriwa.net/john/
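A small check of the ~/.ssh rules John gives above (directory owned by the user and mode 700, private keys and the authorised keys file mode 600) plus a builder for authorized_keys entries carrying the from/command/port-forwarding restrictions he mentions. This is an added example, not code from John's mail; treating id_* files without a .pub suffix as private keys, and the placeholder key string, are assumptions.

```python
import os
import stat
import tempfile

FAKE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQEXAMPLEKEYDATA user@example"  # constructed, not a real key

def audit_ssh_dir(ssh_dir, uid=None):
    """Return a list of violations of the rules in the mail: ~/.ssh owned by the user
    and mode 700; private keys and authorized_keys mode 600. Empty list means OK."""
    uid = os.getuid() if uid is None else uid
    st = os.stat(ssh_dir)
    problems = []
    if st.st_uid != uid:
        problems.append("%s: owned by uid %d, expected %d" % (ssh_dir, st.st_uid, uid))
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append("%s: mode %o, must be 700" % (ssh_dir, stat.S_IMODE(st.st_mode)))
    for name in sorted(os.listdir(ssh_dir)):
        # Assumption: private keys are the id_* files without a .pub suffix.
        private = name.startswith("id_") and not name.endswith(".pub")
        if private or name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(ssh_dir, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # any group/other bit set breaks the "mode 600" rule
                problems.append("%s: mode %o, must be 600" % (path, mode))
    return problems

def authorized_keys_line(pubkey, from_hosts=None, command=None, no_port_forwarding=False):
    """Prefix a public key with authorized_keys restriction options (from, command,
    port forwarding) so the key can only be used in the way the admin intends."""
    opts = []
    if from_hosts:
        opts.append('from="%s"' % ",".join(from_hosts))
    if command:
        opts.append('command="%s"' % command.replace('"', '\\"'))
    if no_port_forwarding:
        opts.append("no-port-forwarding")
    return (",".join(opts) + " " if opts else "") + pubkey.strip()

def write_file(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)  # set the mode explicitly, independent of umask

def demo():
    """Build a throwaway .ssh directory with two deliberate mistakes and audit it."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)  # wrong: must be 700
    write_file(os.path.join(ssh_dir, "id_rsa"), "constructed private key\n", 0o644)  # wrong: must be 600
    line = authorized_keys_line(FAKE_PUBKEY, ["10.0.0.5"], "/usr/bin/rsync --server", True)
    write_file(os.path.join(ssh_dir, "authorized_keys"), line + "\n", 0o600)  # correct
    return audit_ssh_dir(ssh_dir)
```

Run on a real account, `audit_ssh_dir(os.path.expanduser("~/.ssh"))` reports the files sshd would refuse to trust; `demo()` returns the two expected complaints from the constructed directory.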
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug