Difference between revisions of "Freeside:1.9:Documentation:Administration:SSH Keys"

From Freeside
Jump to: navigation, search
(New page: = Introduction = Freeside can login to remote machines unattended using SSH. This can pose a security risk if not configured correctly, and will allow an intruder who breaks into your fr...)
 
 
Line 10: Line 10:
 
* You may need to set <code>PermitRootLogin without-password</code> (meaning with keys only) in your <code>sshd_config</code> file on the remote machine(s).
 
* You may need to set <code>PermitRootLogin without-password</code> (meaning with keys only) in your <code>sshd_config</code> file on the remote machine(s).
 
* You may want to set <code>ForwardX11 = no</code> in <code>~root/.ssh/config</code> to prevent spurious errors and increase security if your distribution turns on X11 forwarding by default.
 
* You may want to set <code>ForwardX11 = no</code> in <code>~root/.ssh/config</code> to prevent spurious errors and increase security if your distribution turns on X11 forwarding by default.
 +
 +
= Cisco devices =
 +
 +
* Cisco IOS devices are configured differently than UNIX servers.  See the Cisco documentation on how to [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html#iossshserver Setup an IOS Router as an SSH server that performs RSA based User Authentication].

Latest revision as of 13:56, 18 August 2017

Introduction

Freeside can login to remote machines unattended using SSH. This can pose a security risk if not configured correctly, and will allow an intruder who breaks into your freeside machine access to your remote machines. Do not use this feature unless you understand what you are doing and have first properly secured your Freeside machine.

Instructions

  • As the freeside user (on your freeside machine), generate an authentication key using ssh-keygen. Since this is for unattended operation, use a blank passphrase.
  • Append the newly-created identity.pub file to ~root/.ssh/authorized_keys (or the appopriate ~username/.ssh/authorized_keys) on the remote machine(s).
  • Some new SSH v2 implementation accept v2 style keys only. Use the -t option to ssh-keygen, and append the created id_dsa.pub or id_rsa.pub to ~root/.ssh/authorized_keys2 (or the appopriate ~username/.ssh/authorized_keys) on the remote machine(s).
  • You may need to set PermitRootLogin without-password (meaning with keys only) in your sshd_config file on the remote machine(s).
  • You may want to set ForwardX11 = no in ~root/.ssh/config to prevent spurious errors and increase security if your distribution turns on X11 forwarding by default.

Cisco devices