tachtler:ssh
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Beide Seiten der vorigen RevisionVorhergehende ÜberarbeitungNächste Überarbeitung | Vorhergehende Überarbeitung | ||
| tachtler:ssh [2012/08/29 11:11] – klaus | tachtler:ssh [2014/10/01 16:19] (aktuell) – [Public-Key Authentifizierung] klaus | ||
|---|---|---|---|
| Zeile 55: | Zeile 55: | ||
| Die folgende Konfigurationsdatei des SSH-Daemons wurde auf höhere Sicherheitsbedürfnisse angepasst. | Die folgende Konfigurationsdatei des SSH-Daemons wurde auf höhere Sicherheitsbedürfnisse angepasst. | ||
| <code ini> | <code ini> | ||
| - | + | # | |
| - | # | + | |
| # This is the sshd server system-wide configuration file. See | # This is the sshd server system-wide configuration file. See | ||
| Zeile 70: | Zeile 69: | ||
| AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
| AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
| - | AcceptEnv LC_IDENTIFICATION LC_ALL | + | AcceptEnv LC_IDENTIFICATION LC_ALL |
| - | AllowUsers | + | AcceptEnv XMODIFIERS |
| + | AllowUsers | ||
| + | AddressFamily inet | ||
| Banner / | Banner / | ||
| ChallengeResponseAuthentication no | ChallengeResponseAuthentication no | ||
| - | GSSAPIAuthentication | + | GSSAPIAuthentication |
| GSSAPICleanupCredentials yes | GSSAPICleanupCredentials yes | ||
| - | | + | |
| + | HostKey / | ||
| + | ListenAddress 192.168.0.10: | ||
| + | ListenAddress 127.0.0.1: | ||
| + | MaxAuthTries 12 | ||
| Protocol 2 | Protocol 2 | ||
| Subsystem | Subsystem | ||
| SyslogFacility AUTHPRIV | SyslogFacility AUTHPRIV | ||
| - | UsePAM | + | UsePAM |
| + | UsePrivilegeSeparation sandbox | ||
| X11Forwarding yes | X11Forwarding yes | ||
| - | # Settings for " | + | # Settings for Key-Authorization |
| AuthorizedKeysFile %h/ | AuthorizedKeysFile %h/ | ||
| - | PasswordAuthentication no | + | PasswordAuthentication no |
| - | PermitRootLogin no | + | PermitRootLogin no |
| PermitEmptyPasswords no | PermitEmptyPasswords no | ||
| - | RSAAuthentication no | + | RSAAuthentication no |
| Zeile 293: | Zeile 298: | ||
| # | # | ||
| - | # HostKey | + | # HostKey |
| # Specifies a file containing a private host key used by SSH. The | # Specifies a file containing a private host key used by SSH. The | ||
| # default is / | # default is / | ||
| Zeile 660: | Zeile 665: | ||
| ==== Konfiguration SSH-Client ==== | ==== Konfiguration SSH-Client ==== | ||
| - | < | + | < |
| - | # | + | # |
| # This is the ssh client system-wide configuration file. See | # This is the ssh client system-wide configuration file. See | ||
| Zeile 685: | Zeile 690: | ||
| SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
| SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
| - | SendEnv LC_IDENTIFICATION LC_ALL | + | SendEnv LC_IDENTIFICATION LC_ALL |
| + | SendEnv XMODIFIERS | ||
| # Host Restricts the following declarations (up to the next Host key- | # Host Restricts the following declarations (up to the next Host key- | ||
| Zeile 1430: | Zeile 1436: | ||
| Hier ein Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | Hier ein Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | ||
| < | < | ||
| - | # ssh-keygen -b 4096 -t rsa -C username@rechner.tld | + | ssh-keygen -b 4096 -t rsa -C username@rechner.tld |
| Generating public/ | Generating public/ | ||
| - | Enter file in which to save the key (/ | + | Enter file in which to save the key (/home/ |
| - | Created directory '/ | + | Enter passphrase (empty for no passphrase): |
| - | Enter passphrase (empty for no passphrase): | + | Enter same passphrase again: |
| - | Enter same passphrase again: | + | Your identification has been saved in /home/ |
| - | Your identification has been saved in / | + | Your public key has been saved in /home/ |
| - | Your public key has been saved in / | + | |
| The key fingerprint is: | The key fingerprint is: | ||
| - | a1:a3:bc:35:a2:d0:22:99:73:72:3b:96:31:65:42:14 username@rechner.tld | + | f7:34:69:ce:d6:28:a5:72:78:a7:0b:7d:16:8d:f6:f6 username@rechner.tld |
| + | The key's randomart image is: | ||
| + | +--[ RSA 4096]----+ | ||
| + | | | | ||
| + | | | | ||
| + | | | | ||
| + | | | ||
| + | | S . X . | | ||
| + | | + X * | | ||
| + | | + * X + | | ||
| + | | = B . . | | ||
| + | | o. E| | ||
| + | +-----------------+ | ||
| </ | </ | ||
| + | |||
| + | Hier ein weiteres Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, | ||
| + | < | ||
| + | $ ssh-keygen -b 256 -t ecdsa -C username@rechner.tld | ||
| + | Generating public/ | ||
| + | Enter file in which to save the key (/ | ||
| + | Enter passphrase (empty for no passphrase): | ||
| + | Enter same passphrase again: | ||
| + | Your identification has been saved in / | ||
| + | Your public key has been saved in / | ||
| + | The key fingerprint is: | ||
| + | 17: | ||
| + | The key's randomart image is: | ||
| + | +--[ECDSA | ||
| + | | | | ||
| + | | | | ||
| + | | o o . | | ||
| + | |.o B . + . . | | ||
| + | |o.= = o.S.. | | ||
| + | |o o E o. | | ||
| + | |. . . | ||
| + | | +. . o . . | | ||
| + | |o.. . . . | | ||
| + | +-----------------+ | ||
| + | </ | ||
| + | |||
| + | :!: **ACHTUNG** - **Aufgrund der Inkompatibilität von ECDSA-Schlüssel zu OpenSSH-Version __VOR__ Version 5.7, sollte der Einsatz genau geprüft werden. Auch wurde das Unterverfahren NIST mit Unterstützung der NSA erstellt !!!** | ||
| === " | === " | ||
tachtler/ssh.1346231494.txt.gz · Zuletzt geändert: 2012/08/29 11:11 von klaus