FreeBSD Release 11.0 Install Guide


 

Example of configuring OpenSSH

Normally, when using native telnet, rlogin, or ftp, your login ID, password and transmitted data are sent over the network in clear, unencrypted form. Network sniffers anywhere between the client and server can steal your login information and/or the data transferred in your session.

OpenSSH encrypts all traffic (including login ID and passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.


 

Example Environment Description

In this example we have a FreeBSD system which we will call the Host. This is the system that remote users want to have login access to.

We have a remote FreeBSD system located somewhere on the public internet; we will call this the FBSD-client.

We also have a remote MS/Windows system located somewhere on the public internet; we will call this the Win-client.

This example details the Host/Client key pair authentication method with a passphrase-protected private key. This method gives the strongest protection available with ssh.

 

Host Setup Steps


1.  Edit /etc/rc.conf and add this statement:
        sshd_enable="YES"
    Make sure your firewall allows port 22 in from the public internet.
    Reboot your system to activate sshd and log in as root.
    If this is your first time booting with sshd enabled, the host keys
    have to be created. sshd shows the following on that first boot only.

    ====================================================
    Type a full screen full of random junk to unblock
    it and remember to finish with <enter>. This will
    timeout in 300 seconds, but waiting for
    the timeout without typing junk may make the
    entropy source deliver predictable output.
    Just hit <enter> for fast+insecure startup.
    ====================================================
    kern.random.sys.seeded: 1 -> 0
    qkcir83,2jsn40pl722jjbqok ---- this is the example junk entered
    Generating public/private rsa1 key pair.
    Your identification has been saved in /etc/ssh/ssh_host_key.
    Your public key has been saved in /etc/ssh/ssh_host_key.pub.
    The key fingerprint is:
    ed:5d:97:dc:49:98:36:66:fc root@domainname
    Generating public/private dsa key pair.
    Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
    Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
    The key fingerprint is:
    67:e7:90:04:0e:27:2e:d2:97:6a root@a1poweruser.com
    Generating public/private rsa key pair.
    Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
    Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
    The key fingerprint is:
    96:db:50:5c:9e:69:88:26:28:54 root@domainname

2.  If you do a "ps ax" command you will see sshd as one
    of the running tasks.

3.  Using the adduser or pw command, create a normal user account.
    For this example we will use bob as the Host user account name.

4.  Press Alt+F2 to open a second console session and log in as bob.

    Run this command:  ssh-keygen -t rsa

    Just hit enter to take the default location and file name.
    No need to enter a passphrase for the Host user here;
    just hit enter twice.
    This is what you will see:

    Generating public/private rsa key pair.
    Enter file in which to save the key (/bob/.ssh/id_rsa):
    Created directory '/bob/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /bob/.ssh/id_rsa.
    Your public key has been saved in /bob/.ssh/id_rsa.pub.
    The key fingerprint is:
    e7:e6:8f:d3:b1:b4:08:27:09:d2 bob@domainname

5.  If you want to use the Host 'root' account to initiate an ssh
    session with a remote system, you have to perform step 4 above as root.
    If you want to do a remote ssh login to this Host as user 'root', you
    have to edit /etc/ssh/sshd_config on the Host and change

    #PermitRootLogin no  to  PermitRootLogin yes

    Then run  /etc/rc.d/sshd reload

    to make the sshd task reread its sshd_config file.

 

FBSD-client Setup Steps

1. Using the adduser or pw command, create a normal user account.
   For this example we will use remotetom as the user account name.

2. Log in as remotetom.
   Run this command:  ssh-keygen -t rsa

3. Just hit enter to take the default location and file name.
   At the "Enter passphrase" prompt, enter one and write it down,
   because it will be needed for every ssh login to the Host.

   This is what you will see:

   Generating public/private rsa key pair.
   Enter file in which to save the key (/remotetom/.ssh/id_rsa):
   Created directory '/remotetom/.ssh'.
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /remotetom/.ssh/id_rsa.
   Your public key has been saved in /remotetom/.ssh/id_rsa.pub.
   The key fingerprint is:
   e7:e6:8f:d3:b1:b4:08:27:09:56:de:d2 tom@domainname

4. The public key file you just created, /remotetom/.ssh/id_rsa.pub,
   has to be sent to the Host system. On the Host system rename it
   to authorized_keys2 and put it into the .ssh directory of the
   user set up earlier. In this case /home/bob/.ssh/authorized_keys2.
   The private key, /remotetom/.ssh/id_rsa, stays on the client only;
   it is never copied to the Host.

5. To ssh to the Host, enter  ssh hostname  or  ssh host-ip-address
   The first time you ssh to the Host you will get these messages.
   Answer yes only if you are sure this first connection is with your
   targeted Host; the fingerprint shown should match the one sshd
   printed on the Host when it generated its host keys in Host step 1.
   Enter exit to terminate the session.

   # /home/remotetom/.ssh >ssh 10.0.10.2
   The authenticity of host '10.0.10.2 (10.0.10.2)' can't be established.
   DSA key fingerprint is 04:0e:27:2e:d2:97:9d:7b:62:7e:c9:32:6a.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '10.0.10.2' (DSA) to list of known hosts.
   Enter passphrase for key /remotetom/.ssh/id_rsa

   This is where you enter the passphrase you entered while running
   ssh-keygen on this remote client (remotetom).

6. You are now logged into the Host account bob.
   Every time you ssh login again you will just get this prompt:

   Enter passphrase for key /remotetom/.ssh/id_rsa

 

7. At this point the Host user bob can log in from the Host console, or using telnet from a local LAN machine, or from the public internet if your Host firewall has port 23 open. If this user is to be allowed remote ssh client access only, you can use the vipw command to edit the system's master password file and star out his encrypted password. This disables bob's password everywhere, so the only way in is the ssh key login from remotebob:

bob:$1$FXF.CEpf:1001:31::0:0:remote ssh only #:/home/bob:/bin/csh

Change it to look like this:

bob:*:1001:31::0:0:remote ssh only #:/home/bob:/bin/csh

8. At this point, if remotebob is a notebook PC he can ssh login from any place in the world. If remotebob is always working from home using IP address 192.168.1.32 you can add another level of security by restricting his login to come from that IP address. Do that by adding this statement to the Host /etc/ssh/sshd_config file and reloading sshd as in Host step 5. Note that once any AllowUsers line is present, every user not listed is refused ssh login, so list every account that still needs ssh access.

AllowUsers bob@192.168.1.32
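To confirm that the sshd_config edits in Host step 5 (PermitRootLogin) and step 8 (AllowUsers) are what sshd will actually use, here is an added shell helper; it is not part of this guide. It reports the effective value of a keyword the way sshd reads the file: comment lines are skipped (so a still-commented #PermitRootLogin no counts as not set), keywords are case-insensitive, the first occurrence wins, and parsing stops at the first Match block. The sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the guide: report the value sshd will use for a
# keyword in an sshd_config file. Rules implemented: comment and blank lines
# are ignored, keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, the FIRST occurrence wins, and parsing
# stops at the first "Match" block because directives inside it are conditional.
#   sshd_effective KEYWORD FILE   -> prints the value, or "(unset, default applies)"
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # split on the first run of whitespace or "=", rest is the value
            if (match(line, /[ \t=]+/)) {
                key = substr(line, 1, RSTART - 1)
                val = substr(line, RSTART + RLENGTH)
            } else { key = line; val = "" }
            key = tolower(key)
            if (key == "match") { exit }           # conditional section: stop
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print "(unset, default applies)" }
    ' "$2"
}

# Constructed sshd_config resembling the guide after Host steps 5 and 8: the
# shipped "#PermitRootLogin no" line left in place, the new active line below
# it, and an AllowUsers restriction for bob.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# This is the sshd server system-wide configuration file.
#Port 22
#PermitRootLogin no
PermitRootLogin yes
AllowUsers bob@192.168.1.32
PasswordAuthentication=no
Match User bob
    PasswordAuthentication yes
EOF

for kw in Port PermitRootLogin AllowUsers PasswordAuthentication; do
    printf '%-22s %s\n' "$kw" "$(sshd_effective "$kw" "$SAMPLE_SSHD_CONFIG")"
done
rm -f "$SAMPLE_SSHD_CONFIG"
```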

 

Using Midnight Commander for SFTP

So far the FBSD-client setup steps above have described how to use native SSH for creating the SSH keys and logging in to the FreeBSD sshd Host. ssh's sftp is a command line environment, meaning you have to know all the FTP commands to navigate around the local and remote directories, plus the get and put commands to actually move the files between PCs. This can really be a problem for the infrequent ftp user. A command line (i.e. not X) GUI program would make sftp directory navigation much easier.

We are in luck. The ports system contains 'Midnight Commander', a command line GUI program designed after the MS/Windows Norton Commander. Its panel is a 2-up display containing the source and target directory trees. Its normal usage is navigating around your file system layout, but it has built-in functions which allow it to do native ftp and ssh sftp between itself and the remote ftpd or sshd host.

You still have to run steps 1 through 5 above to create the SSH keys, move the public key to the Host system and then test the ssh login to it.

After installing MC from the ports system or package system,
you start it by entering  mc  on the command line.
This brings up the GUI panel. There are 2 ways to use MC for ftp or sftp.

One way uses the different menu panels and allows you to save the login information as a bookmark. Use F9 to activate the
"Left File Command Options Right" menus at the top of the MC panel.
The Left & Right pull-down menus have the FTP link & SH link options.

The second way is the shortcut method. You just enter a "cd" change directory command on the MC command line:

cd /#sh:user@remote Host

user = the name of the user account on the Host. In this example bob.
remote Host = the FQDN or IP address of the Host.

The MC command line at the bottom of the panel asks for the SSH passphrase.
After entering the passphrase, the remote Host's directory tree is displayed with a heading of the /#sh: command used to launch it.

After entering the passphrase the MC command line does not clear and ends up containing some left-over parts of the SSH message. This is a bug.

Holding down the Ctrl key while pressing the C and O keys at the same time, 2 times in a row, will clear the MC command line.

When you're finished doing SSH sftp through MC, terminate the MC SSH session with the remote Host by hitting the F10 key.

 

Win-client Setup Steps

There are two MS/Windows SSH client programs covered here. The "PuTTY" program provides basic SSH access for telnet-style logins (and native FTP access). The "WinSCP3" program, built on PuTTY's underlying code, provides Norton Commander GUI style SFTP access.

 

Putty Setup Steps

1. You have to get the Windows PuTTY program from
   http://www.chiark.greenend.org.uk/~sgtatham/putty/
   Download the current Windows installer program.
   Currently that's putty-0.58-installer.exe

2. Run putty-0.58-installer.exe and take all the defaults.

3. Start/Programs/PuTTY/PuTTYgen
   This will create your private and public ssh keys.
   At the bottom of the window select ssh2-rsa.
   Click on the Generate button.
   After the keys are created, enter your passphrase.
   Then click on the 'Save public key' button.
   Save it to c:/programs/putty/putty_public_rsa_key
   Then click on the 'Save private key' button.
   Save it to c:/programs/putty/putty_private_rsa_key.ppk
   In the window area labeled
   "Public key for pasting into OpenSSH authorized_keys file"
   highlight that content and paste it into a Notepad text
   file named win_authorized_keys2.txt. Only this pasted one-line
   form is what sshd reads; the 'Save public key' file is in a
   different format and must not be used for this.

4. The win_authorized_keys2.txt file has to be sent to the
   Host system and put in the /home/bob/.ssh/ directory.
   In this example both the FBSD-client & the Win-client
   use the same Host user account to ssh login to.
   Since /home/bob/.ssh/authorized_keys2 already contains the
   public key for the FBSD-client you have to append the
   win_authorized_keys2.txt content to it:

   cat win_authorized_keys2.txt >> authorized_keys2

   If bob is only to be used by the Win-client then just

   cp win_authorized_keys2.txt authorized_keys2

 

5. Start/Programs/PuTTY/PuTTY to run it.
   On the bottom of the window, under "Close window on exit", click on "Never".
   Under Protocol be sure SSH is selected.
   On the left side click on 'SSH', then for
   'Preferred SSH protocol version' click on '2 only'.
   On the left side click on 'Auth' and remove the check mark from
   'Attempt keyboard-interactive auth (SSH-2)'.
   On the left side click on 'Session' to return to the main login window.
   Enter your host name (i.e. the official registered domain name of
   the Host box) or its IP address. Then type a name in the Saved
   Sessions box and click on the Save button. Now click on the Open button
   at the bottom of the window to log in to the Host.

   A terminal (MS-DOS style) window will open and you will receive a
   'login as:' prompt.
   Enter bob
   Then you get
   Authenticating with public key "rsa-key-20060209"
   Passphrase for key "rsa-key-20060209":
   At this point enter the passphrase you entered when you ran
   Start/Programs/PuTTY/PuTTYgen to create the rsa keys on
   the client remotetom.

6. You are now logged into your Host box using SSH. You have all
   the privileges that Host user bob was given when you created him.
   Every time you Start/Programs/PuTTY/PuTTY, highlight the name
   of your saved session and click on the Load button. This will
   restore your saved session configuration; then click Open to launch.

 

WinSCP3 Setup Steps

1. You have to get the Windows WinSCP3 program from
   http://winscp.net/eng/index.php
   Download the Windows installer program.
   Currently that's winscp380setup.exe

2. Run winscp380setup.exe and take all the defaults.

3. Start/Programs/WinSCP3/Keytools/PuTTYgen
   This will create your private and public ssh keys.

   At the bottom of the window select ssh2-rsa.
   Click on the Generate button.

   After the keys are created, enter your passphrase.

   Then click on the 'Save public key' button.
   Save it to c:/Program Files/WinSCP3/putty_public_rsa_key

   Then click on the 'Save private key' button.
   Save it to c:/Program Files/WinSCP3/putty_private_rsa_key.ppk

   In the window area labeled
   "Public key for pasting into OpenSSH authorized_keys file"
   highlight that content and paste it into a Notepad text file
   named win_authorized_keys2.txt

4. The win_authorized_keys2.txt file has to be sent to the Host system
   and put in the /home/bob/.ssh/ directory. In this example both
   the FBSD-client & the Win-client use the same Host user
   account to ssh login to.

   Since /home/bob/.ssh/authorized_keys2 already contains the
   public key for the FBSD-client you have to append the
   win_authorized_keys2.txt content to it:

    cat win_authorized_keys2.txt >> authorized_keys2

   If bob is to only be used by the Win-client then just

    cp win_authorized_keys2.txt authorized_keys2
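The "cat ... >> authorized_keys2" step (FBSD-client step 4 and Win-client step 4 for both PuTTY and WinSCP3) appends blindly: run it twice and the key is listed twice, paste the wrong file and sshd silently ignores the line, and wrong permissions on ~/.ssh make sshd reject the key altogether. The following shell helper is an added example, not from this guide: it does the same job but accepts only OpenSSH one-line public keys, skips keys already present, and sets the ~/.ssh (700) and file (600) permissions sshd's StrictModes check requires. The key text in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not part of the guide: install OpenSSH public keys (the
# FBSD-client's id_rsa.pub or the PuTTYgen text saved as
# win_authorized_keys2.txt) into a Host user's authorized keys file.
#   install_authorized_key HOME_DIR PUBKEY_FILE [KEYS_FILE_NAME]
# KEYS_FILE_NAME defaults to authorized_keys2 as in the guide; current sshd
# reads both authorized_keys and authorized_keys2 by default.

# Print only the lines of $1 that are OpenSSH one-line public keys
# ("ssh-rsa AAAA... comment"), with whitespace normalised. A PuTTY .ppk or the
# RFC 4716 file written by 'Save public key' yields nothing here.
key_lines() {
    awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-)/ && $2 ~ "^[A-Za-z0-9+/=]+$" { $1 = $1; print }' "$1"
}

install_authorized_key() {
    home="$1"; pubkey="$2"; target="$home/.ssh/${3:-authorized_keys2}"
    if [ -z "$(key_lines "$pubkey")" ]; then
        echo "install_authorized_key: no OpenSSH-format public key in $pubkey" >&2
        return 1
    fi
    # sshd (StrictModes yes, the default) refuses keys in group/world-writable paths
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$target" && chmod 600 "$target"
    # Append a key only if its type and base64 blob are not already present,
    # so repeating the step for the same client never creates duplicates.
    key_lines "$pubkey" | while IFS= read -r line; do
        keytype=${line%% *}; rest=${line#* }; blob=${rest%% *}
        if ! awk -v t="$keytype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$target"; then
            printf '%s\n' "$line" >> "$target"
        fi
    done
}

# Demo with a constructed (not real) key in a scratch directory:
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedblob remotetom@fbsd-client\n' > "$demo/id_rsa.pub"
install_authorized_key "$demo/bob" "$demo/id_rsa.pub"
install_authorized_key "$demo/bob" "$demo/id_rsa.pub"   # second run: still one line
cat "$demo/bob/.ssh/authorized_keys2"; rm -rf "$demo"
```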

5. Start/Programs/WinSCP3/WinSCP3
   In the window on the left, click on SSH.
   Then for Preferred SSH protocol version, click on "2 only".

   In the window on the left, click on Session.
   Then fill in your Host name (FQDN or IP address).
   Then the user name of the Host account you want to log in to.
   Then fill in the location of the PuTTY rsa private key created
   in step 3 above:
   c:/Program Files/WinSCP3/putty_private_rsa_key.ppk

   For Protocol click on SFTP.

   At the bottom of the panel click on the Save button.
   Accept the name in the pop-up window or enter your own
   value and click OK.

   The stored session panel opens; highlight the session name you want
   to run and click on the Load button. This fills in the session panel
   with your saved configuration.

   Click on the Login button to initiate your sftp session with the Host.
   A pop-up window will ask you to enter the passphrase you
   entered in step 3 above. Click on OK after entering your passphrase.

   The first time you SSH to the Host you will get these messages.
   Answer yes only if you are sure this first connection is with your
   targeted Host (compare the fingerprint with the one from Host step 1).

   The authenticity of host '10.0.10.2 (10.0.10.2)' can't be established.
   DSA key fingerprint is 67:e7:90:04:0e:27:2e:d2.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 10.0.10.2 (DSA) to the list of known hosts.

   The GUI Norton Commander style panel will display.
   The left side shows the client's directory and the
   right side shows the Host user account's directory.

   Every time you Start/Programs/WinSCP3/WinSCP3, highlight the name
   of your saved session and click on the Load button. This will
   restore your saved session configuration; then click Login to launch.

 

Fraudulent SSH Login Attempts

Once you open ssh's port 22 in your firewall it won't be long before your auth.log starts filling up with failed login attempts. About 99 percent of these failed login attempts are script kiddies or robots. Their attacks are almost totally based on indiscriminately rolling through a range of sequential IP addresses. (IE: They never use DNS to look up your domain name.) You were found by plain bad luck. They run scripts that probe the well-known ports listened on by those services which accept logins. You can use this knowledge to defend against this type of attack.

The simplest defense is to change the port number ssh uses. /etc/services is where the port number used by SSH is defined and where you would change it. (A Port statement in /etc/ssh/sshd_config, if one is present, takes precedence over the /etc/services entry.) Reload sshd afterwards, as in Host step 5. Remote clients who want to access your Host system will have to enter the alternate port number as part of the login command.

ssh -p 77777 hostname or host-ip-address

[-p 77777 is the example alternate ssh port number you specified in the /etc/services file]

or edit /etc/ssh/ssh_config on the remote client and change this statement from this

# Port 22

    to

Port 77777    [to make the alternate port number permanent]

 

Windows PuTTY also has a way to change the default ssh port number right on the login window.

The technique of assigning a non-standard port for SSH is security through obscurity and is one of the first and easiest security measures an administrator may consider. By no means does this provide protection from the dedicated attacker who has targeted your IP address for some reason. This is just the first security level, hiding through obscurity from the majority of script kiddies and their robots. You will be surprised at how effective this really is at discouraging repeat port scan attacks and fraudulent login attempts. You will have to open your firewall for the alternate port number you assign to ssh for this to work.
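Before deciding on a port change or a firewall block, it helps to see where the noise in auth.log actually comes from. The following shell helper is an added example, not from this guide: it counts sshd's failed logins per source address from syslog-format auth.log lines and lists the addresses at or above a threshold. The log excerpt is constructed with documentation addresses and is not a real capture.

```shell
#!/bin/sh
# Added example, not part of the guide: summarise the failed sshd logins that
# pile up in /var/log/auth.log once port 22 is open, by source address. Only
# "Failed ..." lines are counted; the "Invalid user" line sshd also logs for
# an unknown account belongs to the same attempt and would double-count it.
#   failed_logins_by_ip  < auth.log   -> "count ip" lines, busiest first
#   ... | over_threshold N            -> just the addresses with >= N failures

failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

over_threshold() {
    awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Constructed auth.log excerpt in FreeBSD syslog format (documentation
# addresses, not real attackers). The accepted publickey login for bob from
# the AllowUsers address must not be counted.
SAMPLE_AUTH_LOG='Feb  9 10:15:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 43122 ssh2
Feb  9 10:15:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 43130 ssh2
Feb  9 10:15:04 host sshd[1234]: Failed password for root from 203.0.113.7 port 43131 ssh2
Feb  9 10:15:05 host sshd[1240]: Invalid user test from 198.51.100.20
Feb  9 10:15:06 host sshd[1240]: Failed password for invalid user test from 198.51.100.20 port 41200 ssh2
Feb  9 10:16:00 host sshd[1250]: Accepted publickey for bob from 192.168.1.32 port 50122 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip | over_threshold 2
```

On a live system replace the sample with `failed_logins_by_ip < /var/log/auth.log`.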

 


This FreeBSD Install Guide is a public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without written permission from the author.