Openssh Configuration ?

Support section for FREESCO v0.3.x 3rd Party Packages

Postby bob selby » Thu Jun 05, 2008 4:54 am

Is the supplied config with opensshd_3.7.1p1_dingetje intended to work "out-of-the-box" ??

.. or are there some things that need to be changed ??

What I want to do is set it up identically to "dropbear" with it enabled to the internet but using certificates but no password logins (using the -s switch).

Is there an example config that will achieve this ??

TIA Bob
bob selby
Advanced Member
Posts: 291
Joined: Wed Nov 21, 2001 8:18 am
Location: London, UK

Postby bob selby » Mon Jun 09, 2008 9:56 am

ping

Postby Lightning » Mon Jun 09, 2008 10:09 pm

Is the supplied config with opensshd_3.7.1p1_dingetje intended to work "out-of-the-box" ??
Yes it does work out of the box. However it comes with its own set of firewall rules that you will need to disable. You will also need to enable or disable dropbear in y or n mode on a different port if it is enabled.
As for the config file for OpenSSH, it is mostly self explanatory. Although for certificates it is just knowing the right name of the file and where to put it along with the format.
If you are afraid that you might make a mistake, the chances are high that you will never learn anything.
Lightning
FREESCO GURU !!
Posts: 3020
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Postby bob selby » Tue Jun 10, 2008 2:41 am

OK thanks :-)

Postby bob selby » Thu Jun 12, 2008 4:52 am

To those that might be interested ...

I installed OpenSSH and I only needed to make three changes to the files:

1. In "sshd_config" I changed the port number so that it didn't conflict with Dropbear as I wanted to run both for a short while.

2. I uncommented "PasswordAuthentication" and changed it from "yes" to "no" to make sure that only key authentication was used.

3. In "rc_opensshd" I commented out the firewall rule " ipfwadm -I -a deny -P tcp -W $INET -D 0.0.0.0/0 $PORT -y -o" so that the port was exposed to the internet (the whole point of the exercise).

Very simple and straightforward - in fact #1 and #2 were more my requirements than something I HAD to do to get it to work.

It just worked :-)

I assume that I haven't left myself wide open with just these few changes ?? ;-)

Bob
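
A small audit script for the two sshd_config changes Bob describes (password logins off, daemon moved off port 22). This is an added example, not code from the thread or from the FREESCO package; the sample configs and the function names are constructed for illustration, and it relies on sshd's documented rule that the first uncommented value of a keyword wins.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the hardening
# Bob applied. sshd uses the FIRST uncommented value of each keyword, so a
# later duplicate line is ignored; the check mimics that.
# Simplification (assumption): only "Keyword value" syntax is parsed;
# Match blocks and "Keyword=value" lines are not handled.

# effective_value FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_value() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# check_sshd_config FILE -> returns 0 if hardened, 1 otherwise (prints findings)
check_sshd_config() {
    f=$1; rc=0
    pw=$(effective_value "$f" PasswordAuthentication yes)  # sshd default: yes
    pk=$(effective_value "$f" PubkeyAuthentication yes)    # sshd default: yes
    port=$(effective_value "$f" Port 22)                   # sshd default: 22
    case $pw in [Nn][Oo]) ;; *) echo "FAIL: PasswordAuthentication=$pw (want no)"; rc=1 ;; esac
    case $pk in [Yy][Ee][Ss]) ;; *) echo "FAIL: PubkeyAuthentication=$pk (want yes)"; rc=1 ;; esac
    [ "$port" != 22 ] || { echo "WARN: still listening on port 22"; rc=1; }
    return $rc
}

# Constructed sample configs: a stock-style file and one edited as in the post.
STOCK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$STOCK" "$HARDENED"' EXIT
printf '%s\n' '#PasswordAuthentication yes' 'Port 22' > "$STOCK"
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' \
              'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$HARDENED"

check_sshd_config "$STOCK" && echo "stock: hardened" || echo "stock: not hardened"
check_sshd_config "$HARDENED" && echo "edited: hardened" || echo "edited: not hardened"
```

Point it at a real /etc/sshd_config to confirm that a commented-out `#PasswordAuthentication yes` still means password logins are enabled.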

Postby dingetje » Thu Jun 12, 2008 7:35 am

Yay Bob! :lol:

BTW: running SSH (either dropbear or OpenSSH) on a non-standard port is recommended for an extra level of (easy) security and to prevent those annoying script kiddies running brute force attacks with a bunch of passwords against your SSH server.
GreetZ
http://dingetje.homeip.net

"Software is like sex: it's better when it's free." - LINUS TORVALDS
dingetje
FREESCO Crazed !!
Posts: 1001
Joined: Wed Nov 14, 2001 12:13 pm
Location: The Netherlands

Postby bob selby » Fri Jun 13, 2008 5:04 am

LOL - yes, using a non-standard port is a good idea (assuming that the firewall at work allows outgoing connections to that port) :-)

Having certificate authentication only stops brute force password attacks ... but it doesn't stop the silly s*ds from trying :-)

Bob

Postby dilberts_left_nut » Sat Jun 14, 2008 2:24 am

For roaming use (laptop or USB stick) I prefer passwords over certs only, as if the device falls into "enemy hands" they have immediate access to the server if a password is not also required. (Assuming the device security can be circumvented).

Also if I need access from a foreign machine but don't have my cert with me, then I can still remember my password.
dilberts_left_nut
Member
Posts: 71
Joined: Thu Sep 02, 2004 8:25 am
Location: Christchurch, NZ

Postby bob selby » Mon Sep 01, 2008 10:32 am

My SSH certificate has a passphrase on it - so even with the device they would have problems :-) Paranoid??? Me??? ;-)
