From: nmatavka Date: Sun, 12 Jan 2014 13:35:50 +0000 (+0000) Subject: No commit message specified. X-Git-Url: https://gitweb.dragonflybsd.org/ikiwiki.git/commitdiff_plain/4c1c8c31080862d9fe13338290aff3fc6afef7d7 No commit message specified. --- diff --git a/docs/newhandbook/Users/index.mdwn b/docs/newhandbook/Users/index.mdwn index 12aeebc6..f9641fc2 100644 --- a/docs/newhandbook/Users/index.mdwn +++ b/docs/newhandbook/Users/index.mdwn @@ -9,7 +9,7 @@ -DragonFly allows multiple users to use the computer at the same time. Obviously, only one of those users can be sitting in front of the screen and keyboard at any one time [(1)](#FTN.AEN6502), but any number of users can log in through the network to get their work done. To use the system every user must have an account. +Unix, including DragonFly BSD is, as previously explained, a multi-user, multi-tasking system. It is therefore possible, and in fact very common, to have a situation where many users are logged on to one computer, and every one of these users is running many different jobs. Although only one user can physically sit at the computer and use the monitor, keyboard, and mouse connected thereto, others can get their work done by logging in through the network. After reading this chapter, you will know: 
@@ -690,3 +690,341 @@ For more information about [pw(8)](http://leaf.dragonflybsd.org/cgi/web-man?comm +#SSH Server on DragonFly + +The best way to log in to a Unix machine across the network is with a program known as ssh. + +If you try to ssh to a newly installed dfly from another system you will get this error + + + $ ssh root@172.16.50.62 + ssh: connect to host 172.16.50.62 port 22: Connection refused + +This is because sshd is not up and running on dfly. +At this point if you check /etc/ssh you will only have the following files + + + # ls /etc/ssh + blacklist.DSA-1024 blacklist.RSA-2048 ssh_config + blacklist.DSA-2048 blacklist.RSA-4096 sshd_config + blacklist.RSA-1024 moduli + +You don't have any SSH host keys generated for the system yet! + +When you start sshd for the first time it is best to start it through the "/etc/rc.d/sshd" script which will automatically generate the host keys. For this to work right you need to do the following steps (these steps are not essential for DragonFly 2.8.2 since sshd is already enabled in rc.conf) + +1) Enable sshd in rc.conf + + #echo "sshd_enable=yes" >> /etc/rc.conf + +2) Start the sshd server using the rc script + + + # /etc/rc.d/sshd start + Generating public/private rsa1 key pair. + Your identification has been saved in /etc/ssh/ssh_host_key. + Your public key has been saved in /etc/ssh/ssh_host_key.pub. + The key fingerprint is: + ........ + Generating public/private dsa key pair. + Your identification has been saved in /etc/ssh/ssh_host_dsa_key. + Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub. + The key fingerprint is: + ........ + Starting sshd. + +Now if you go back and look in /etc/ssh you will find the SSH host key files too. 
+ + + # ls /etc/ssh + blacklist.DSA-1024 moduli ssh_host_key.pub + blacklist.DSA-2048 ssh_config ssh_host_rsa_key + blacklist.RSA-1024 ssh_host_dsa_key ssh_host_rsa_key.pub + blacklist.RSA-2048 ssh_host_dsa_key.pub sshd_config + blacklist.RSA-4096 ssh_host_key + + +At this point if you try to ssh to the dfly you will get the following error + + + $ ssh sgeorge@172.16.50.62 + The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established. + RSA key fingerprint is 46:77:28:c2:70:86:93:1a:23:32:5f:01:2c:80:de:de. + Are you sure you want to continue connecting (yes/no)? yes + Warning: Permanently added '172.16.50.62' (RSA) to the list of known hosts. + Permission denied (publickey). + +This is because of the following configuration option in the default **"/etc/ssh/sshd_config"** file. + + + # To disable tunneled clear text passwords, change to no here! + # We disable cleartext passwords by default + PasswordAuthentication no + +Change it to + + + PasswordAuthentication yes + + +and reload **sshd** configuration + + + # /etc/rc.d/sshd reload + Reloading sshd config files. + +Nowyou can login to the dragonfly system as a normal user. + + $ ssh sgeorge@172.16.50.62 + sgeorge at 172.16.50.62's password: + Last login: Tue Oct 19 04:17:47 2010 + Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + + DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010 + + .... + +But if you try to login by SSH as root you will get the following error. + + $ ssh root at 172.16.50.62 + root at 172.16.50.62's password: + Permission denied, please try again. + +If you investigate the log of the dragonfly system "/var/log/auth.log" you will find a line similar to + + + Oct 19 07:29:36 dfly-vmsrv sshd[17269]: Failed password for root from 172.16.2.0 port 56447 ssh2 + +even if you typed the right password for root. 
+ +It is because of the following configuration option in the default **"/etc/ssh/sshd_config"** file + + # only allow root logins via public key pair + PermitRootLogin without-password + +which allowes only SSH key based authentication as root. + +If you change it to + + + PermitRootLogin yes + +and reload **sshd** configuration + + # /etc/rc.d/sshd reload + Reloading sshd config files. + +you can login as **root** + + $ ssh root@172.16.50.62 + root at 172.16.50.62's password: + Last login: Fri Oct 8 12:22:40 2010 + Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + + DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010 + + Welcome to DragonFly! + ...... + +Now in the **"/var/log/auth.log" ** you will find a line similar to + + + Oct 19 07:30:32 dfly-vmsrv sshd[17894]: Accepted password for root from 172.16.2.0 port 56468 ssh2 + + +##WARNING : +** It is not advisable to allow Root Login with password especially if your System is connected to the Internet unless you use Very Strong Passwords. You could be a victim of [ssh password based brute force attacks](http://en.wikipedia.org/wiki/Password_cracking#Brute_force_attack). If you are victim of one such attack you can find entries like the following in your** ****"/var/log/auth.log file"****. 
+ + Oct 18 18:54:54 cross sshd[9783]: Invalid user maryse from 218.248.26.6 + Oct 18 18:54:54 cross sshd[9781]: input_userauth_request: invalid user maryse + Oct 18 18:54:54 cross sshd[9783]: Failed password for invalid user maryse from 218.248.26.6 port 34847 ssh2 + Oct 18 18:54:54 cross sshd[9781]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:55 cross sshd[27641]: Invalid user may from 218.248.26.6 + Oct 18 18:54:55 cross sshd[3450]: input_userauth_request: invalid user may + Oct 18 18:54:55 cross sshd[27641]: Failed password for invalid user may from 218.248.26.6 port 34876 ssh2 + Oct 18 18:54:55 cross sshd[3450]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:56 cross sshd[8423]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:56 cross sshd[3131]: input_userauth_request: invalid user admin + Oct 18 18:54:56 cross sshd[8423]: Failed password for invalid user admin from 218.248.26.6 port 34905 ssh2 + Oct 18 18:54:56 cross sshd[3131]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:57 cross sshd[7373]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:57 cross sshd[28059]: input_userauth_request: invalid user admin + Oct 18 18:54:57 cross sshd[7373]: Failed password for invalid user admin from 218.248.26.6 port 34930 ssh2 + Oct 18 18:54:57 cross sshd[28059]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:58 cross sshd[12081]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:58 cross sshd[22416]: input_userauth_request: invalid user admin + Oct 18 18:54:58 cross sshd[12081]: Failed password for invalid user admin from 218.248.26.6 port 34958 ssh2 + Oct 18 18:54:58 cross sshd[22416]: Received disconnect from 218.248.26.6: 11: Bye Bye + +#SSH Server on DragonFly + +Unix, including DragonFly BSD is, as previously explained, a multi-user, multi-tasking system. 
It is therefore possible, and in fact very common, to have a situation where many users are logged on to one computer, and every one of these users is running many different jobs. Although only one user can physically sit at the computer and use the monitor, keyboard, and mouse connected thereto, others can log in through the network. + +This document is very detailed so that a new user can be familiar with the environment. + +If you try to ssh to a newly installed dfly from another system you will get this error + + + $ ssh root@172.16.50.62 + ssh: connect to host 172.16.50.62 port 22: Connection refused + +This is because sshd is not up and running on dfly. +At this point if you check /etc/ssh you will only have the following files + + + # ls /etc/ssh + blacklist.DSA-1024 blacklist.RSA-2048 ssh_config + blacklist.DSA-2048 blacklist.RSA-4096 sshd_config + blacklist.RSA-1024 moduli + +You don't have any SSH host keys generated for the system yet! + +When you start sshd for the first time it is best to start it through the "/etc/rc.d/sshd" script which will automatically generate the host keys. For this to work right you need to do the following steps (these steps are not essential for DragonFly 2.8.2 since sshd is already enabled in rc.conf) + +1) Enable sshd in rc.conf + + #echo "sshd_enable=yes" >> /etc/rc.conf + +2) Start the sshd server using the rc script + + + # /etc/rc.d/sshd start + Generating public/private rsa1 key pair. + Your identification has been saved in /etc/ssh/ssh_host_key. + Your public key has been saved in /etc/ssh/ssh_host_key.pub. + The key fingerprint is: + ........ + Generating public/private dsa key pair. + Your identification has been saved in /etc/ssh/ssh_host_dsa_key. + Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub. + The key fingerprint is: + ........ + Starting sshd. + +Now if you go back and look in /etc/ssh you will find the SSH host key files too. 
+ + + # ls /etc/ssh + blacklist.DSA-1024 moduli ssh_host_key.pub + blacklist.DSA-2048 ssh_config ssh_host_rsa_key + blacklist.RSA-1024 ssh_host_dsa_key ssh_host_rsa_key.pub + blacklist.RSA-2048 ssh_host_dsa_key.pub sshd_config + blacklist.RSA-4096 ssh_host_key + + +At this point if you try to ssh to the dfly you will get the following error + + + $ ssh sgeorge@172.16.50.62 + The authenticity of host '172.16.50.62 (172.16.50.62)' can't be established. + RSA key fingerprint is 46:77:28:c2:70:86:93:1a:23:32:5f:01:2c:80:de:de. + Are you sure you want to continue connecting (yes/no)? yes + Warning: Permanently added '172.16.50.62' (RSA) to the list of known hosts. + Permission denied (publickey). + +This is because of the following configuration option in the default **"/etc/ssh/sshd_config"** file. + + + # To disable tunneled clear text passwords, change to no here! + # We disable cleartext passwords by default + PasswordAuthentication no + +Change it to + + + PasswordAuthentication yes + + +and reload **sshd** configuration + + + # /etc/rc.d/sshd reload + Reloading sshd config files. + +Nowyou can login to the dragonfly system as a normal user. + + $ ssh sgeorge@172.16.50.62 + sgeorge at 172.16.50.62's password: + Last login: Tue Oct 19 04:17:47 2010 + Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + + DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010 + + .... + +But if you try to login by SSH as root you will get the following error. + + $ ssh root at 172.16.50.62 + root at 172.16.50.62's password: + Permission denied, please try again. + +If you investigate the log of the dragonfly system "/var/log/auth.log" you will find a line similar to + + + Oct 19 07:29:36 dfly-vmsrv sshd[17269]: Failed password for root from 172.16.2.0 port 56447 ssh2 + +even if you typed the right password for root. 
+ +It is because of the following configuration option in the default **"/etc/ssh/sshd_config"** file + + # only allow root logins via public key pair + PermitRootLogin without-password + +which allowes only SSH key based authentication as root. + +If you change it to + + + PermitRootLogin yes + +and reload **sshd** configuration + + # /etc/rc.d/sshd reload + Reloading sshd config files. + +you can login as **root** + + $ ssh root@172.16.50.62 + root at 172.16.50.62's password: + Last login: Fri Oct 8 12:22:40 2010 + Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + + DragonFly v2.7.3.1283.gfa568-DEVELOPMENT (GENERIC.MP) #3: Thu Oct 14 12:01:24 IST 2010 + + Welcome to DragonFly! + ...... + +Now in the **"/var/log/auth.log" ** you will find a line similar to + + + Oct 19 07:30:32 dfly-vmsrv sshd[17894]: Accepted password for root from 172.16.2.0 port 56468 ssh2 + + +##WARNING : +** It is not advisable to allow Root Login with password especially if your System is connected to the Internet unless you use Very Strong Passwords. You could be a victim of [ssh password based brute force attacks](http://en.wikipedia.org/wiki/Password_cracking#Brute_force_attack). If you are victim of one such attack you can find entries like the following in your** ****"/var/log/auth.log file"****. 
+ + Oct 18 18:54:54 cross sshd[9783]: Invalid user maryse from 218.248.26.6 + Oct 18 18:54:54 cross sshd[9781]: input_userauth_request: invalid user maryse + Oct 18 18:54:54 cross sshd[9783]: Failed password for invalid user maryse from 218.248.26.6 port 34847 ssh2 + Oct 18 18:54:54 cross sshd[9781]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:55 cross sshd[27641]: Invalid user may from 218.248.26.6 + Oct 18 18:54:55 cross sshd[3450]: input_userauth_request: invalid user may + Oct 18 18:54:55 cross sshd[27641]: Failed password for invalid user may from 218.248.26.6 port 34876 ssh2 + Oct 18 18:54:55 cross sshd[3450]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:56 cross sshd[8423]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:56 cross sshd[3131]: input_userauth_request: invalid user admin + Oct 18 18:54:56 cross sshd[8423]: Failed password for invalid user admin from 218.248.26.6 port 34905 ssh2 + Oct 18 18:54:56 cross sshd[3131]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:57 cross sshd[7373]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:57 cross sshd[28059]: input_userauth_request: invalid user admin + Oct 18 18:54:57 cross sshd[7373]: Failed password for invalid user admin from 218.248.26.6 port 34930 ssh2 + Oct 18 18:54:57 cross sshd[28059]: Received disconnect from 218.248.26.6: 11: Bye Bye + Oct 18 18:54:58 cross sshd[12081]: Invalid user admin from 218.248.26.6 + Oct 18 18:54:58 cross sshd[22416]: input_userauth_request: invalid user admin + Oct 18 18:54:58 cross sshd[12081]: Failed password for invalid user admin from 218.248.26.6 port 34958 ssh2 + Oct 18 18:54:58 cross sshd[22416]: Received disconnect from 218.248.26.6: 11: Bye Bye +
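Review bot: in the `@@ -9,7 +9,7 @@` hunk the replacement paragraph ends with "After reading this chapter, you will know:" and then stops, so it introduces a list that this hunk does not supply; either bring the list into the same hunk or confirm that the unchanged context that follows is in fact that list. The removed line also carried the footnote reference `[(1)](#FTN.AEN6502)`, which the new text drops; check whether the footnote at that anchor is still referenced anywhere, otherwise it is now orphaned. Minor: "Unix, including DragonFly BSD is, as previously explained," needs a comma after "BSD", and "logged on to one computer" would read better as "logged in".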
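Review bot: the `@@ -690,3 +690,341 @@` hunk adds the entire "#SSH Server on DragonFly" section twice; the second copy begins immediately after the brute-force `auth.log` excerpt, repeats every transcript and config snippet verbatim, and differs only in its opening paragraph (the multi-user sentence copied from the first hunk plus "This document is very detailed so that a new user can be familiar with the environment."), so one of the two copies should be dropped before this is merged. The ordering of the security advice also needs attention: the text first walks the reader through changing `PasswordAuthentication no` to `yes` and `PermitRootLogin without-password` to `yes`, and only afterwards, under "##WARNING :", says that root login with a password is not advisable on an Internet-connected system; the default `PermitRootLogin without-password` should be presented as the recommended setting (with a key-based root login shown as the working path), and the `yes` change as the discouraged exception, with the warning placed before the change rather than after it. In the transcripts, `$ ssh root at 172.16.50.62` and `root at 172.16.50.62's password:` (and `sgeorge at 172.16.50.62's password:`) look like mail-style address munging of `root@172.16.50.62`; the `@` should be restored so the commands can be pasted. The `/etc/rc.d/sshd start` transcript shows only the rsa1 and dsa key pairs being generated, yet the `ls /etc/ssh` listing that follows also contains `ssh_host_rsa_key` and `ssh_host_rsa_key.pub`; either the transcript is truncated or the listing was taken from a different run. Markup and spelling: the bold around the warning paragraph (`** It is not advisable ... in your** ****"/var/log/auth.log file"****`) is unbalanced and will not render, `**"/var/log/auth.log" **` has a stray space before the closing `**`, "Nowyou" should be "Now you", "allowes" should be "allows", and `##WARNING :` has a stray space before the colon. Finally, the transcripts are dated October 2010 on `DragonFly v2.7.3`, and the note "these steps are not essential for DragonFly 2.8.2 since sshd is already enabled in rc.conf" refers to a release that predates this January 2014 commit, so the section should say which DragonFly version it documents.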