File: ssh2.localaccess.txt
Title/Contents: SSH2: Secure Shell V2 (et al.)
Date: Fri 29 Mar 2k+2
Author(s): heiter, mittermayer, nendwich
-------------------------------------------------------------------------------
Date: Tue, 17 Jul 2001 20:54:09 +0200
From: heiter@astro.univie.ac.at
To:
Subject: Instructions for setting up SSH
Configuring SSH:
1) On dec-unix-machine:
ssh-keygen
(Type Enter when asked for Passphrase)
Create two files in .ssh2:
echo "IdKey id_dsa_1024_a" >identification
echo "Key id_dsa_1024_a.pub" >authorization
2) On linux-machine:
mkdir .ssh
ssh-keygen -X -f .ssh2/id_dsa_1024_a >.ssh/id_dsa
ssh-keygen -X -f .ssh2/id_dsa_1024_a.pub > .ssh/id_dsa.pub
cd .ssh
chmod 600 id_dsa
cp id_dsa.pub authorized_keys2
-------------------------------------------------------------------------------
Date: Tue, 02 May 2000 13:14:24 +0200
From: Peter Mittermayer
To:
Subject: Upgrade to SSH2
Secure Shell has been upgraded to V2. The following changes will be necessary:
5. Per-User Configuration
User configuration of SSH2 is smarter than that of SSH1. Now
public keys are stored in separate files and one can have multiple
host-specific identifications (i.e., private keys). Read the ssh
manual page for details. Here I describe the most basic usage of
SSH2. When you want to log in to a remote host (Remote) from a local
computer (Local) using SSH2, you do:
1. Create private & public keys of Local, by executing
ssh-keygen (ssh-keygen2) on Local.
Local> ssh-keygen
Generating 1024-bit dsa key pair
Generating 1024-bit dsa key pair
9 o.oOo..oOo.o
Key generated.
1024-bit dsa, created by ymmt@Local Wed Sep 23 07:11:02 1998
Passphrase :
Again :
Private key saved to /home/ymmt/.ssh2/id_dsa_1024_a
Public key saved to /home/ymmt/.ssh2/id_dsa_1024_a.pub
ssh-keygen will ask you for a passphrase for the new key. Enter a
sequence of any ordinary characters (white spaces are OK) of proper
length (20 characters or so). ssh-keygen creates a ".ssh2"
directory in your home directory, and stores a new
authentication key in two separate files. One is your private
key and thus it must NOT be opened to anyone but you. In the above
example, it is id_dsa_1024_a. The other (id_dsa_1024_a.pub) is
a public key that is safe to be opened and to be distributed
to other computers.
2. Create an "identification" file in your ".ssh2" directory on Local.
Local> cd ~/.ssh2
Local> echo "IdKey id_dsa_1024_a" > identification
This will create a file "identification" in your ".ssh2"
directory, which has one line that denotes which file
contains your identification. An identification
corresponds to a passphrase (see above). You can create
multiple identifications by executing ssh-keygen
again, but you rarely should.
3. Do the same thing (1, and optionally 2) on Remote.
This is needed just to set up the ".ssh2" directory on
Remote. The passphrase may be different.
4. Copy your public key of Local (id_dsa_1024_a.pub) to ".ssh2"
directory of Remote under the name, say, "Local.pub".
".ssh2" on Remote now contains:
Remote>ls -F ~/.ssh2
Local.pub
authorization
hostkeys/
id_dsa_1024_a
id_dsa_1024_a.pub
identification
random_seed
5. Create an "authorization" file in your ".ssh2" directory on
Remote. Add the following one line to "authorization",
Key Local.pub
which directs the SSH server to look at Local.pub when
authorizing your login. If you want to log in to
Remote from other hosts, create authorization keys on
those hosts (steps 1 and 2) and repeat steps 4 and 5 on
Remote.
6. Now you can login to Remote from Local using SSH2!
Try to login:
Local>ssh Remote
Passphrase for key "/home/ymmt/.ssh2/id_dsa1024_a" with
comment "1024-bit dsa, created by ymmt@Local Mon Sep 21
17:53:01 1998":
Enter your passphrase on Local, good luck!
--------------------------------------------------------------------
Peter Mittermayer Phone: +43 1 4277 518 - 73,72
Institute for Astronomy email: p.mittermayer@astro.univie.ac.at
1180 Vienna, AUSTRIA
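As an added example (not part of either mail above), the following POSIX shell script checks a per-user ".ssh2" directory set up as in steps 1-5: it parses the "identification" ("IdKey <file>") and "authorization" ("Key <file>") files, verifies that every referenced key file exists, that each private key is not readable by group or others (the chmod 600 from the first mail), and that each authorized public key carries the SSH2 public-key header. The function name check_ssh2_dir and the "---- BEGIN SSH2 PUBLIC KEY ----" header check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mails: sanity-check a ~/.ssh2 directory.
# Prints one line per problem found; returns 0 only when every check passes.

# mode_go FILE -> the group+other permission bits from ls -l, e.g. "------" or "r--r--"
mode_go() {
    ls -ld "$1" | cut -c5-10
}

check_ssh2_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "$dir: no such directory"; return 1; }

    # "identification": every "IdKey <privkey>" line names a private key that must
    # exist and must not be readable by anyone but the owner (chmod 600).
    if [ -f "$dir/identification" ]; then
        while read -r kw name rest; do
            [ "$kw" = IdKey ] || continue        # skip comments and other keywords
            if [ ! -f "$dir/$name" ]; then
                echo "identification: private key $name missing"; rc=1
            elif [ "$(mode_go "$dir/$name")" != "------" ]; then
                echo "identification: $name readable by group/others (want chmod 600)"; rc=1
            fi
        done < "$dir/identification"
    else
        echo "$dir/identification missing (step 2)"; rc=1
    fi

    # "authorization": every "Key <pubkey>" line names a public key file that the
    # server will consult; it must exist and look like an SSH2 public key.
    if [ -f "$dir/authorization" ]; then
        while read -r kw name rest; do
            [ "$kw" = Key ] || continue
            if [ ! -f "$dir/$name" ]; then
                echo "authorization: public key $name missing (step 4)"; rc=1
            elif ! head -n 1 "$dir/$name" | grep -q 'BEGIN SSH2 PUBLIC KEY'; then
                echo "authorization: $name is not an SSH2 public key file"; rc=1
            fi
        done < "$dir/authorization"
    else
        echo "$dir/authorization missing (step 5)"; rc=1
    fi
    return $rc
}

# Usage: sh check_ssh2.sh ~/.ssh2   (without an argument the script only defines the functions)
if [ $# -gt 0 ]; then check_ssh2_dir "$1"; fi
```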
===============================================================================
Date: Tue, 20 Aug 2002 16:52:50 +0200
From: Peter Mittermayer
To: nendwich@tycho.astro.univie.ac.at
Subject: Security notice!!
This message is meant to be read!!
This applies to everyone who reads their email via IMAP (e.g. Netscape,
etc.). With this protocol the password is transmitted in clear text.
For this reason I have installed OpenSSL, and from now on it is
possible to establish the connection encrypted. To do so, however,
encryption must be enabled in the mail program's settings for the
mail server. In Netscape this works as follows:
Edit->Preferences->Mail & Newsgroups->Mail Server
Then select Tycho and go to Edit.
On the IMAP tab, select 'use secure connection (SSL)'.
Confirm everything with OK.
Restart Netscape, read (!!) and answer all questions.
That's it!
If a certificate message appears every time Netscape Mail is restarted,
then the name ams is probably entered instead of tycho. This should
then be changed to tycho.
With this, another important step towards system security has been taken.
Now only Telnet and FTP remain a thorn in my side! I hope a solution
will soon be found for these as well.
Therefore once again: if ssh, scp, sftp are available on a machine,
please use them. Only if that does not work, use the very insecure
Telnet or FTP!!
Thanks!
Peter
--------------------------------------------------------------------
Peter Mittermayer Phone: +43 1 4277 518 - 73,72
Institute for Astronomy email: p.mittermayer@astro.univie.ac.at
1180 Vienna, AUSTRIA