TITLE: How to set up and use OpenSSH
LFS VERSION: All
AUTHOR: Arturo Rangel

SYNOPSIS:
How to configure OpenSSH to be even more secure and how to make a floppy disk that you can use on almost any Windows machine to access your machine remotely.

HINT:
09/03/2001 - First publication
09/04/2001 - Minor changes in formatting

INTRODUCTION

Once I had my shiny LFS system I wanted to be with it all the time. I wanted to work on it from work, from my girlfriend's house, from school, everywhere. So I went out and read some documentation on how to set up OpenSSH (including Daniel's hint at http://hints.linuxfromscratch.org/hints/openssh.txt). Here's a summary of what I came up with. I hope it helps you out and that you learn from it.

DISCLAIMER

Just like the one the great Kevin Smith has at the beginning of Dogma. Please make sure you know what you are doing (or at least have an idea of what you are doing) when you follow this hint. The author cannot be held responsible for any missed configuration, run-over cats, hair loss or any other problem that arises directly or indirectly from following the simple instructions stated here. Now that we have that out of the way, let's move on.

SETTING UP THE SERVER

First of all, in order to make your machine more secure you need to disable the regular telnet daemon and make sure that OpenSSH gets started at bootup (read Daniel's hint on how to do this). Once you have a running OpenSSH, fire up your favorite editor to change its configuration (the file on my system is /etc/ssh/sshd_config). Make sure that the following options are set (1):

    IgnoreRhosts no
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication no

What you are doing with these options is telling sshd to make sure that all the people trying to log into your system have a valid encryption key, and not to allow login with a simple username/password combination.
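A quick way to check that a running system really has these values is to read them back out of sshd_config the way sshd does. The script below is an added example, not part of the original hint: it looks up each option listed above (taking the first uncommented occurrence, which is the one sshd honours) and reports any that is missing or set differently. The sample config it audits at the end is constructed for the demonstration and is not a real system's file.

```shell
#!/bin/sh
# Added example (not part of the original hint): audit an sshd_config for the
# options the hint asks for. Usage: audit_sshd_config /etc/ssh/sshd_config
# The return value is the number of options that are missing or wrong, so a
# zero exit status means the file matches the hint.

sshd_option() {
    # Print the effective value of option $2 in config file $1.
    # sshd honours the FIRST uncommented occurrence of an option and matches
    # option names case-insensitively, so do the same here. Prints nothing if
    # the option is not set at all (sshd then uses its compiled-in default).
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == want     { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    # $1 = config file. Prints one line per option and returns the number of
    # problems. An unset option counts as a problem: the hint wants the value
    # stated explicitly rather than relying on whatever the default is.
    file="$1"
    problems=0
    for pair in IgnoreRhosts=no RhostsAuthentication=no \
                RhostsRSAAuthentication=yes RSAAuthentication=yes \
                PasswordAuthentication=no
    do
        opt=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_option "$file" "$opt" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "ok       $opt $got"
        else
            echo "PROBLEM  $opt is '${got:-unset}', expected $want"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample config (not a real system's file) to show the audit:
# PasswordAuthentication was left at "yes", and the second IgnoreRhosts line
# further down is ignored because sshd only uses the first one.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config -- constructed sample
Port 22
IgnoreRhosts no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
IgnoreRhosts yes
EOF
audit_sshd_config "$SAMPLE_CFG"
echo "problems found: $?"
rm -f "$SAMPLE_CFG"
```

Run it against the real file after editing and again after restarting sshd; a leftover "PasswordAuthentication yes" earlier in the file than your new line is exactly the kind of mistake the first-occurrence rule makes easy to miss.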
What this means is that your users will need to create a new key pair for themselves on your system, and they will need to have their key file handy (on a floppy or copied onto their laptop) whenever they want to log into the system. This might sound a little cumbersome, but the increased security is well worth it in my opinion. Please make sure you read the Domain mini-HOWTO (1) if you have other needs (such as using X over the connection).

To create a new RSA key the user has to type this command:

    ssh-keygen -b 1024 -f new_rsa_key

The user will be asked for a pass phrase. Make sure this is NOT blank. Leaving it blank would mean that if someone found the file they would be able to use it to gain easy access to your system. This command will create two files in the current directory: new_rsa_key (the private key) and new_rsa_key.pub (the public key). Now have them append the .pub file to their $HOME/.ssh/authorized_keys file:

    cat new_rsa_key.pub >> $HOME/.ssh/authorized_keys

CREATING YOUR PORTABLE CLIENT

Now the fun part. Copy the new_rsa_key file onto a floppy and also put a copy of PuTTY (2), the great ssh client for Windows, onto the same floppy. This client saves the fingerprint of every host it connects to in the Windows registry to make sure that you are connecting to a host that has confirmed its "identity" with you. The only downside to this is that you are not able to carry this information with you, at least not easily. Here's what to do to save that information (as well as any changes you make to the PuTTY configuration) and have it ready on the go.

On the floppy where you have the key file and the PuTTY executable, create the following files:

puttyrnd.reg, which will have these lines (note that a backslash inside a quoted value in a .reg file has to be doubled):

    REGEDIT4

    [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
    "RandSeedFile"="a:\\putty.rnd"

puttydel.reg, which will have these lines:

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]

and putty.reg, which will be an empty file (for now).
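Back on the server side for a moment: the "cat >> authorized_keys" step under SETTING UP THE SERVER is fine when done once by hand, but it silently accepts anything, including a private key pasted in by mistake, and adds the same key again on every repeat. The function below is an added example, not part of the original hint, that does the same append with those two checks and also sets the permissions sshd's StrictModes check expects (700 on ~/.ssh, 600 on authorized_keys), without which sshd ignores the file entirely. The key line it installs is a constructed placeholder in the shape of a protocol-1 RSA public key, not a real key, and the home directory is a throwaway created with mktemp.

```shell
#!/bin/sh
# Added example (not part of the original hint): append a public key to a
# user's authorized_keys as the hint describes, with two checks a plain
# "cat >>" skips: refuse files that do not look like a one-line public key
# (so a private key is never pasted in by mistake) and skip keys that are
# already present. It also sets the permissions sshd's StrictModes check
# expects: 700 on ~/.ssh and 600 on authorized_keys.
# Usage: install_pubkey new_rsa_key.pub [home directory, default $HOME]
# Returns 0 if added, 1 if already present, 2 on a bad input file.

install_pubkey() {
    pub="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    lines=$(awk 'END { print NR }' "$pub")
    if [ "$lines" -ne 1 ] || grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub does not look like a one-line public key file" >&2
        return 2
    fi

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # -x: whole-line match, -F: the key is a literal string, not a regex.
    if grep -qxF -e "$(cat "$pub")" "$auth"; then
        echo "key from $pub is already in $auth"
        return 1
    fi
    cat "$pub" >> "$auth"
    echo "key from $pub added to $auth"
    return 0
}

count_keys() {
    # Number of key lines (non-blank, non-comment) in $1/.ssh/authorized_keys.
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# Constructed demonstration in a throwaway home directory. The key line is a
# made-up placeholder in the "bits exponent modulus comment" shape of a
# protocol-1 RSA public key, not a real key.
DEMO_HOME=$(mktemp -d)
printf '1024 35 1234567890 user@example\n' > "$DEMO_HOME/new_rsa_key.pub"
install_pubkey "$DEMO_HOME/new_rsa_key.pub" "$DEMO_HOME"
install_pubkey "$DEMO_HOME/new_rsa_key.pub" "$DEMO_HOME"   # second run is a no-op
echo "keys in authorized_keys: $(count_keys "$DEMO_HOME")"
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
rm -rf "$DEMO_HOME"
```

The permission step matters more than it looks: with StrictModes on (the default), a group- or world-writable ~/.ssh or authorized_keys makes sshd skip the file, and the user is left wondering why their perfectly good key is refused.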
For the final touch, you can either follow the directions from the PuTTY author (3) to create a batch file that will import the info into the registry, run PuTTY, save the info onto the floppy, and delete it from the registry, or you can go with the much more elegant choice, IMNSHO, and download a very simple script/executable (4) that will do the same thing without having to pull out an ugly DOS window (yech!). Simply copy this program onto the same floppy and run it. It will take care of importing the previous configuration into the registry and exporting any changes (new fingerprints and configuration changes) when you exit PuTTY.

Please be aware that using either of these two methods (the batch file or the other program) will cause your settings to be deleted from the registry. Don't worry, there will be a copy of all the information on your floppy.

CONCLUSION

Like I said at the beginning, I hope that you learned from this hint and that it helps you have a far more secure server. Feel free to contact me if you have any questions. I will try to answer the best I can.

NOTES

I have only done this on my home box, which has Win98. I have yet to try it from a WinNT/2K/whatever box. I will update this hint as soon as I do.

FOOTNOTES

(1) The OpenSSH configuration was obtained from the Domain mini-HOWTO:
    http://www.linuxdoc.org/HOWTO/mini/Domain.html
(2) PuTTY can be downloaded from:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/
(3) Instructions on how to set up a DOS batch file for PuTTY are found here:
    http://www.tartarus.org/~owen/putty-docs/Section3.13.html
(4) Or you can use the quasi-program I made at:
    http://www.izaram.net/start.zip