Remote SSH Access from Windows to FreeBSD for Beginners

Once I needed to set up remote SSH access from a work machine running Windows XP to a remote computer running FreeBSD.
There are plenty of separate manuals for working in FreeBSD, for generating keys with OpenSSH, and so on, but none that covered this situation end to end, so I decided to bring the separate pieces together.
What follows describes the whole process, from preparing the server to testing the connection.

Part 1, preparatory. Creating a user and granting the necessary rights.

First of all, this part is done on the remote computer running FreeBSD.
I did not have a user account on the remote computer, so it had to be created first.

% sudo adduser
It then asks a series of questions, which can be answered roughly like this:
Username: shurchik
Full name: (can be left empty; this is information for the user's profile),
UID (Leave empty for default): (let the system pick a free identifier; skip this),
Login group [shurchik]: wheel (the user's primary group; by default it equals the username, but for an administrator the author puts him straight into wheel. Leaving the primary group as it is and adding wheel at the next question works just as well),
Login group is wheel. Invite shurchik into other groups?: (can also be skipped, since this user does not need to be in other groups; groups can be added later),
Login class [default]: (I skip this too, but it can set the locale, i.e. keyboard layout and language for the user, e.g. russian),
Shell (sh csh tcsh bash nologin) [sh]: bash (the command shell; the default can be kept, but bash or zsh is more convenient. bash only appears in the list if it has been installed from ports or packages),
Home directory [/home/shurchik/]: (if this home directory is fine, press Enter; otherwise type another one, e.g. /home/test/),
Home directory permissions (Leave empty for default): (access rights can be forced here, but I leave the default),
Use password-based authentication? [yes]: (leave the default, otherwise you will not be able to log in the usual way),
Use an empty password? (yes/no) [no]: (leave the default too; the account must not be usable without a password),
Enter password: (type the user's password; note that nothing is echoed while you type, not even asterisks),
Enter password again: (repeat the password),
Lock out the account after creation [no]: (leave the default).

After the last question, the user's profile is shown in the terminal with a question whether you agree with it. I type yes:

Username: shurchik
Password:******
Full name:
UID: 1010
Class:
Groups: wheel
Home directory: /home/shurchik/
Home mode:
Shell: /bin/bash
Locked: no
OK? (yes/no): yes

adduser: INFO: Successfully added (shurchik) to user database.

To the next question, whether to create another user, answer no:

Add another user? (yes/no): no
Goodbye!

For the newly created user to have the right to use sudo, either the whole wheel group or just this user must be listed in the sudoers file. On FreeBSD sudo comes from ports/packages, so the file is /usr/local/etc/sudoers; edit it with visudo, which checks the syntax before saving (a syntax error in sudoers locks everyone out of sudo, including you). Uncomment the line:

%wheel ALL=(ALL) NOPASSWD: ALL

This means that access to sudo (superuser do) is now open to all members of the wheel group without a password. Be aware of what NOPASSWD buys: anyone who gets hold of a wheel user's session or SSH key gets root with no further check. The same line without NOPASSWD, %wheel ALL=(ALL) ALL, still grants sudo to the whole group but asks for the user's password first, and is the safer choice for a machine reachable over SSH.
Changes to the sudoers file take effect immediately after saving it. The file must have mode 440 (visudo keeps it that way).

Now log in as the new user:
% su shurchik
Password:

You can find out which commands are available to this user:
% sudo -l
You can display a list of all groups and their members:
% less /etc/group

Part 2, the main. Setting up the sshd daemon.
Private and public key generation.

I will work with OpenSSH.

1. Configuring the SSH daemon
Open port 22 on the gateway (the router or firewall in front of the server must let TCP port 22 through to it).

First, check whether the daemon is running on the server (the SSH daemon is called sshd). Ways to do this:
% ps auwx | grep sshd

or
% sockstat -4l | grep :22
If it prints a line like
sshd … tcp4 *:22
then port 22 is being listened on (SSH uses port 22 by default).
If nothing is listening on the port, sshd is not running. You can also simply try to start it:
% sudo /etc/rc.d/sshd start
If it complains (the rc script refuses to start a service that is not enabled in rc.conf and says so), you need to change the configuration file.

Then open the configuration file /etc/rc.conf.local. If it is not there, create it and put the line sshd_enable="YES" in it (you can instead write the same line simply in /etc/rc.conf).
This is what allows sshd to be started with the start command, and it also makes sshd start on every boot. The rc scripts read rc.conf each time they run, so the change takes effect immediately, with no reboot.

Now give the start command again:
% sudo /etc/rc.d/sshd start
and it should start.
Check its operation again, i.e. whether port 22 is listening:
% sockstat -4l | grep :22
It should print a line like:
sshd … tcp4 *:22
In addition, you can simply try to connect to localhost:
% ssh localhost
(on the first connection ssh shows the host key fingerprint and asks whether to trust it). If the answer is "Connection refused", sshd is not running, and we have to look at the configuration again.

2. Key generation
Generate the key pair:
% ssh-keygen
The default key type is RSA. To generate another type, for example DSA, say:
% ssh-keygen -t dsa
(Do not actually choose DSA: its keys are limited to 1024 bits and OpenSSH 7.0 and later refuse them by default. RSA is fine; recent OpenSSH versions default to Ed25519, which is the better choice when both sides support it.)
Generation of the private/public key pair begins. It first asks where to save the key (press Enter for the default), then:
Enter passphrase: (make it long and hard to guess; it encrypts the private key on disk, so a copied key file is useless without it)
The keys end up in the ~/.ssh directory (/home/shurchik/.ssh).

Now let's check what is there:
% ls -l ~/.ssh
id_rsa is the private key (it can have another name, e.g. simply rsa),
id_rsa.pub is the public key (e.g. rsa.pub).
Note that the author generates the pair on the server and later carries the private key over to the Windows machine. Normally the private key is generated on the machine that will use it (PuTTYgen can do this, see the note at the end of this part) so that it never has to travel over the network at all.

Next, the public key has to be put on the server in the form sshd expects: its contents are appended to ~/.ssh/authorized_keys, one key per line. To do this:
Add the contents of the id_rsa.pub file to the authorized_keys file.
This is done with the command (run inside ~/.ssh):
% cat id_rsa.pub >> authorized_keys
It appends the contents of id_rsa.pub to the end of authorized_keys, and creates the file if it does not exist (cat is short for concatenate).

If there is no authorized_keys file at all, you can also create it by copying id_rsa.pub:
% cp id_rsa.pub authorized_keys

Check the contents of the .ssh directory again:
% ls -l ~/.ssh
It should show something like:
id_rsa
id_rsa.pub
authorized_keys
The ls -l output also shows the file modes, and they matter: sshd (with its default StrictModes yes) silently ignores authorized_keys if that file, ~/.ssh or the home directory is writable by group or others. ~/.ssh should be mode 700 and authorized_keys mode 600; an ignored key shows up later only as PuTTY falling back to a password prompt.


The authorized_keys file stays on the remote computer; id_rsa and id_rsa.pub are saved somewhere safe and removed from the ~/.ssh directory. What you must not lose is the private key, id_rsa: the public key can always be re-derived from it with ssh-keygen (and a copy is already in authorized_keys), but a lost private key means generating a new pair and installing the new public key all over again.
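Installing the public key with the modes sshd expects, as an added example that is not part of the original article. sshd's StrictModes (on by default) ignores authorized_keys when it or ~/.ssh is writable by group or others, so the cat >> step above belongs together with mode 700 on the directory and 600 on the file. The function names, the home-directory parameter and the sample Ed25519 key line are assumptions of this example (the key is constructed and is not real key material); the function appends a key only if the same key material is not already present, so running it twice does not produce duplicate lines.

```sh
#!/bin/sh
# Added example (not from the original article).
# Install an OpenSSH public key into HOME/.ssh/authorized_keys with the
# modes sshd's StrictModes expects: directory 700, file 600.
# Assumptions (not from the article): the home directory is a parameter so
# the function also works on a scratch directory; KEY_LINE is one OpenSSH
# public-key line ("type base64 [comment]").

# install_authorized_key HOME_DIR KEY_LINE
# Prints "added" when the key was appended, "present" when the same key
# material (type + base64, comment ignored) was already in the file.
install_authorized_key() {
    home="$1"
    key="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    saved_umask=$(umask)
    umask 077                       # anything created here is owner-only
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"             # sshd rejects group/world-writable ~/.ssh
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"           # same rule for authorized_keys itself

    # Compare type + base64 only, so the same key with another comment
    # is not added a second time.
    keymat=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v k="$keymat" '($1 " " $2) == k { found = 1 } END { exit !found }' "$authfile"; then
        result=present
    else
        printf '%s\n' "$key" >> "$authfile"
        result=added
    fi
    umask "$saved_umask"
    echo "$result"
}

# check_key_perms HOME_DIR
# Returns 0 when ~/.ssh is mode 700 and authorized_keys is mode 600; this
# is the first thing to verify when key login silently falls back to a
# password prompt.
check_key_perms() {
    home="$1"
    [ -n "$(find "$home/.ssh" -maxdepth 0 -perm 700 2>/dev/null)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -perm 600 2>/dev/null)" ] || return 1
}

# Usage on the server (the key line is the contents of id_rsa.pub):
#   install_authorized_key "$HOME" "$(cat ~/.ssh/id_rsa.pub)"
#   check_key_perms "$HOME" && echo "permissions ok"
```

The umask is set to 077 only while the directory and file are being created and restored afterwards, so the function can be sourced into an interactive shell without changing the umask of everything that follows.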
Finally, find out the host name of the remote machine (it is needed when connecting via SSH) and its IP address, after which we go over to the work computer and deal with that side:
% hostname
testhost

% host testhost

Note: in the author's experience, FreeBSD 7 wrote the passphrase-protected private key as a 3DES-encrypted PEM file that PuTTYgen could load, while FreeBSD 9's OpenSSH encrypts it with a different cipher that the PuTTYgen of that time does not recognise. In that case generate the key pair in PuTTYgen itself and take only the public key to the server in the form Unix understands: the single line PuTTYgen shows under "Public key for pasting into OpenSSH authorized_keys file" goes into authorized_keys, and the .ppk private key stays on Windows and needs no conversion.
3. Convert the private key to the format PuTTY understands.
(On Windows)
Download and install PuTTY. Bring the freshly generated private key to the Windows machine (by a route you trust: it is the secret, so not by e-mail or a shared folder). PuTTY understands keys in only one format, its own .ppk.

Run PuTTYgen (it is installed together with PuTTY or can be downloaded separately).
a. File > Load private key, choose id_rsa and enter its passphrase (PuTTY on the work machine needs the private key, so that is the one we convert).
b. Save private key (e.g. id_rsa.ppk); keep the passphrase on it.

Part 3, solemn. Configure PuTTY and establish an encrypted remote connection.

1. Run PuTTY.
The settings are as follows:

Session: Host Name: testhost (or the IP address), port 22.

Logging: optional; if you enable a log file, tick "Always overwrite it" (or "Always append to the end of it") so that PuTTY does not ask each time whether to overwrite the log.

Window > Translation: UTF-8.

Connection > Data: Auto-login username: shurchik.

Connection > SSH > Auth: Browse... and select the id_rsa.ppk file (it can be anywhere; PuTTY does not care where it is, as long as nobody else on the Windows machine can read it).

Now save all of this:
Session > Saved Sessions: type a name for the session (e.g. new) and click Save; the new session appears in the list.
To use it later without setting everything up again, start PuTTY, select it in the list and press Load.
Now click Open. On the very first connection PuTTY shows the server's host key fingerprint and asks whether to trust it; compare it with the fingerprint of the server's host key (ssh-keygen prints it from the key files in /etc/ssh) before answering yes. Then a terminal opens and asks for the key's passphrase.
If something is wrong with the keys, PuTTY complains and falls back to asking for a username and password (shurchik and its password).

2. Finally, you can forbid logging in over the encrypted connection with the account password, leaving only the key (passphrase) login possible.
On the remote computer open the SSH daemon's configuration file:
/etc/ssh/sshd_config
What I did was add (or uncomment) the line:
UsePAM no
On FreeBSD this works because the shipped sshd_config leaves the built-in PasswordAuthentication off and passwords are accepted only through PAM's keyboard-interactive method, so switching PAM off closes that path. The explicit and portable way to say the same thing is PasswordAuthentication no together with ChallengeResponseAuthentication no (leaving UsePAM alone, since PAM also handles account checks such as expiry), and make sure PubkeyAuthentication is not set to no.

Then restart sshd:
% sudo /etc/rc.d/sshd stop
% sudo /etc/rc.d/sshd start
(on FreeBSD 9 and later the service command, service sshd restart, does the same). Keep your existing PuTTY session open while you do this and test a fresh key-based login in a second window before closing it: if the key login fails after password logins have been disabled, the open session is your only way back in. That's it!
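Checking what sshd will actually do with password logins before restarting it, as an added example that is not part of the original article. The functions read an sshd_config and apply the rules sshd uses for plain keywords: comments are ignored, keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a Match line applies only to matching connections (the script stops there and reports the global section). When a keyword is absent it assumes upstream OpenSSH defaults (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no, PubkeyAuthentication yes); FreeBSD's shipped sshd_config differs, so run it against the real file rather than relying on defaults. The function names and the restriction to the "Keyword value" spelling (not "Keyword=value") are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original article).
# Report whether an sshd_config still lets users log in with a password.
# Parsing rules follow sshd for plain "Keyword value" lines: comments and
# blank lines are skipped, keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and everything after a "Match" line is
# conditional, so the global section ends there.
# Assumptions (not from the article): only the "Keyword value" spelling is
# handled (not "Keyword=value"), and absent keywords take upstream OpenSSH
# defaults rather than FreeBSD's shipped sshd_config values.

# sshd_option FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/   { next }          # comment or blank line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == key     { print tolower($2); done = 1; exit }
        END { if (!done) print def }
    ' "$1"
}

# password_login_state FILE -> prints "closed" or "open"
# Two doors lead to a password prompt:
#   1. the built-in method, PasswordAuthentication (upstream default yes);
#   2. keyboard-interactive (ChallengeResponseAuthentication, renamed
#      KbdInteractiveAuthentication in OpenSSH 8.7+), which with UsePAM yes
#      hands the typed password to PAM. The article's "UsePAM no" shuts
#      door 2 only; door 1 must be shut explicitly.
password_login_state() {
    f="$1"
    pw=$(sshd_option "$f" PasswordAuthentication yes)
    kbd=$(sshd_option "$f" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(sshd_option "$f" ChallengeResponseAuthentication yes)
    pam=$(sshd_option "$f" UsePAM no)
    if [ "$pw" = no ] && { [ "$kbd" = no ] || [ "$pam" = no ]; }; then
        echo closed
    else
        echo open
    fi
}

# pubkey_enabled FILE -> returns 0 unless PubkeyAuthentication is set to no
# (check this before closing the password door, or you lock yourself out)
pubkey_enabled() {
    [ "$(sshd_option "$1" PubkeyAuthentication yes)" != no ]
}

# Usage on the server, before restarting sshd:
#   password_login_state /etc/ssh/sshd_config   # want: closed
#   pubkey_enabled /etc/ssh/sshd_config && echo "key login still allowed"
```

Run against a file where only UsePAM no was added and PasswordAuthentication is still commented out, the check reports "open" under upstream defaults; that is exactly the case where the explicit PasswordAuthentication no line removes the doubt.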


