File: ssh2.localaccess.txt
Title/Contents: SSH2: Secure Shell V2 (et al.)
Date: Fri 29 Mar 2002
Author(s): heiter, mittermayer, nendwich

-------------------------------------------------------------------------------

Date: Tue, 17 Jul 2001 20:54:09 +0200
From: heiter@astro.univie.ac.at
To:
Subject: Instructions for setting up SSH

Configuring SSH:

1) On dec-unix-machine:

   ssh-keygen   (Type Enter when asked for Passphrase)

   Create two files in .ssh2:

   echo "IdKey id_dsa_1024_a" >identification
   echo "Key id_dsa_1024_a.pub" >authorization

2) On linux-machine:

   mkdir .ssh
   ssh-keygen -X -f .ssh2/id_dsa_1024_a >.ssh/id_dsa
   ssh-keygen -X -f .ssh2/id_dsa_1024_a.pub > .ssh/id_dsa.pub
   cd .ssh
   chmod 600 id_dsa
   cp id_dsa.pub authorized_keys2

-------------------------------------------------------------------------------

Date: Tue, 02 May 2000 13:14:24 +0200
From: Peter Mittermayer
To:
Subject: Upgrade to SSH2

Secure Shell has been upgraded to V2. The following changes will be necessary:

5. Per-User Configuration

User configuration of SSH2 becomes smarter than that of SSH1. Now public keys
are stored in separate files and one can have multiple host-specific
identifications (i.e., private keys). Read the ssh manual page for details.
Here I describe the most basic usage of SSH2.

When you want to log in to a remote host (Remote) from a local computer
(Local) using SSH2, you do:

1. Create private & public keys of Local, by executing ssh-keygen
   (ssh-keygen2) on Local.

   Local> ssh-keygen
   Generating 1024-bit dsa key pair
   Generating 1024-bit dsa key pair
      9 o.oOo..oOo.o
   Key generated.
   1024-bit dsa, created by ymmt@Local Wed Sep 23 07:11:02 1998
   Passphrase :
   Again      :
   Private key saved to /home/ymmt/.ssh2/id_dsa_1024_a
   Public key saved to /home/ymmt/.ssh2/id_dsa_1024_a.pub

   ssh-keygen will ask you for a passphrase for the new key. Enter a sequence
   of any ordinary characters (white space is OK) of proper length (20
   characters or so).
   ssh-keygen creates a ".ssh2" directory in your home directory, and stores a
   new authentication key in two separate files. One is your private key and
   thus it must NOT be opened to anyone but you. In the above example, it is
   id_dsa_1024_a. The other (id_dsa_1024_a.pub) is a public key that is safe
   to be opened and to be distributed to other computers.

2. Create an "identification" file in your ".ssh2" directory on Local.

   Local> cd ~/.ssh2
   Local> echo "IdKey id_dsa_1024_a" > identification

   This will create a file "identification" in your ".ssh2" directory, which
   has one line that denotes which file contains your identification. An
   identification corresponds to a passphrase (see above). You can create
   multiple identifications by executing ssh-keygen again, but you should
   rarely need to.

3. Do the same thing (1, and optionally 2) on Remote. This is needed just to
   set up the ".ssh2" directory on Remote. The passphrase may be different.

4. Copy your public key of Local (id_dsa_1024_a.pub) to the ".ssh2" directory
   of Remote under the name, say, "Local.pub". ".ssh2" on Remote now contains:

   Remote>ls -F ~/.ssh2
   Local.pub          authorization      hostkeys/          id_dsa_1024_a
   id_dsa_1024_a.pub  identification     random_seed

5. Create an "authorization" file in your ".ssh2" directory on Remote. Add the
   following one line to "authorization",

   Key Local.pub

   which directs the SSH server to see Local.pub when authorizing your login.
   If you want to log in to Remote from other hosts, create authorization keys
   on those hosts (steps 1 and 2) and repeat steps 4 and 5 on Remote.

6. Now you can log in to Remote from Local using SSH2! Try to log in:

   Local>ssh Remote
   Passphrase for key "/home/ymmt/.ssh2/id_dsa1024_a" with comment
   "1024-bit dsa, created by ymmt@Local Mon Sep 21 17:53:01 1998":

   Enter your passphrase on Local, good luck!
--------------------------------------------------------------------
Peter Mittermayer                  Phone: +43 1 4277 518 - 73,72
Institute for Astronomy            email: p.mittermayer@astro.univie.ac.at
1180 Vienna, AUSTRIA

===============================================================================

Date: Tue, 20 Aug 2002 16:52:50 +0200
From: Peter Mittermayer
To: nendwich@tycho.astro.univie.ac.at
Subject: Security notice!!

This message is meant to be read!!

This applies to everyone who reads their e-mail via IMAP (e.g. Netscape,
etc.). With this protocol the password is transmitted in clear text. For
this reason I have installed OpenSSL, and from now on the option is available
to establish the connection encrypted. To do so, however, encryption must be
activated in the mail program's settings for the mail server. In Netscape
this works as follows:

Edit->Preferences->Mail & Newsgroups->Mail Server

Then select Tycho and go to Edit. On the IMAP tab select the item 'use secure
connection (SSL)'. Confirm everything with OK. Restart Netscape, read(!!) and
answer all the questions. That's it!

If a certificate message appears every time Netscape Mail is started, then
the name ams is probably entered instead of tycho. This would then have to be
changed to tycho.

With this, another important step towards system security has been taken.
Now only Telnet and FTP remain a thorn in my side! I hope a solution will
soon be found for those as well. Therefore, once again: if ssh, scp, sftp are
available on a machine, please use them. Only if that does not work, use the
very insecure Telnet or FTP!!

Thanks!
Peter
--------------------------------------------------------------------
Peter Mittermayer                  Phone: +43 1 4277 518 - 73,72
Institute for Astronomy            email: p.mittermayer@astro.univie.ac.at
1180 Vienna, AUSTRIA
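The first two messages convert the ssh.com-style ".ssh2" public key to OpenSSH format with the ssh.com ssh-keygen's -X switch and copy it into authorized_keys2 (the old OpenSSH name; current OpenSSH reads authorized_keys). As an added example, not part of these messages, here is a POSIX shell version of the same step: it turns an RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" file (the format of id_dsa_1024_a.pub / Local.pub) into one OpenSSH authorized_keys line, taking the key type from the key blob itself rather than guessing it, and installs it with the directory and file modes that sshd's StrictModes check accepts. The function names are mine, the sample key file is constructed and only structurally valid, and it assumes single-line "Comment:" headers and a base64 tool that accepts -d.

```shell
#!/bin/sh
# Added example (not from the messages above): convert an RFC 4716 / ssh.com
# "---- BEGIN SSH2 PUBLIC KEY ----" file to an OpenSSH authorized_keys line and
# install it with safe permissions. Assumes single-line "Comment:" headers and
# a base64 tool that accepts -d (GNU coreutils, BusyBox, recent macOS).

ssh2_to_openssh() {
    f=$1
    # Keep only the base64 body: drop the BEGIN/END lines and "Name: value"
    # header lines, then join the wrapped lines.
    blob=$(sed -n '/^---- BEGIN SSH2 PUBLIC KEY ----/,/^---- END SSH2 PUBLIC KEY ----/p' "$f" \
        | grep -v '^----' | grep -v '^[A-Za-z-]*:' | tr -d '\r\n')
    [ -n "$blob" ] || { echo "$f: no SSH2 public key body" >&2; return 1; }
    # The decoded blob starts with a 4-byte big-endian length and the key type
    # string, so the type is read from the key itself, not from the file name.
    len=$(printf '%s' "$blob" | base64 -d | od -An -tu1 -N4 \
        | awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    type=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "$len")
    case $type in
        ssh-dss|ssh-rsa) ;;
        *) echo "$f: unexpected key type '$type'" >&2; return 1 ;;
    esac
    comment=$(sed -n 's/^Comment: *//p' "$f" | tr -d '"')
    printf '%s %s %s\n' "$type" "$blob" "$comment"
}

# Append the converted key to DIR/authorized_keys once, and set the modes
# (700 on the directory, 600 on the file) that sshd's StrictModes accepts.
install_authorized_key() {
    dir=$1; keyfile=$2
    line=$(ssh2_to_openssh "$keyfile") || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    grep -qF -- "$line" "$dir/authorized_keys" 2>/dev/null \
        || printf '%s\n' "$line" >>"$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}

# Constructed sample: the blob is only structurally valid (type field "ssh-dss"
# followed by filler); it is not a usable key.
write_sample_ssh2_key() {
    blob=$(printf '\000\000\000\007ssh-dss\000\000\000\001\002' | base64 | tr -d '\n')
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
        'Comment: "1024-bit dsa, created by ymmt@Local"' \
        "$blob" '---- END SSH2 PUBLIC KEY ----' >"$1"
}

# Usage: write_sample_ssh2_key Local.pub && install_authorized_key ~/.ssh Local.pub
```

A real Local.pub from ssh-keygen2 works the same way; the converter rejects files whose blob does not name ssh-dss or ssh-rsa, so a truncated or mangled copy is refused rather than installed.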