SOI-ASIA Unofficial Operators Meeting, kotaro@sfc.wide.ad.jp, 10 May 2004
TRANSCRIPT
AI3 Security Policy
• Basics
  – Moderately independent, site by site
  – Self defense
User Account Management
• Account creation
  – No user password for local operators
  – “If necessary,” allow a user password for foreign operators
• A case when we allow a user password
  – A foreign operator needs root authority
  – su2 / sudo
• An operator can become root with the user password, without the root password
Remote Access Administration
• SSH
  – Prohibit root login
  – Prohibit password authentication
  – Use public key authentication
• RSA authentication for SSH1
• RSA or DSA authentication for SSH2
RSA / DSA
• Public key authentication methods
• RSA (Rivest, Shamir, Adleman)
  – Based on the difficulty of factoring a large number into its prime factors
• DSA (Digital Signature Algorithm)
  – Derived from the ElGamal signature scheme
Actual Work Flow

| New User | Host Operator |
| --- | --- |
| Create RSA / DSA key pair (1) | |
| Request a new account, attaching the public key → | |
| | Create a new account and put the public key in the host (2) |
| | ← Send notification |
| Try the new account (3) | |
Step 1: Create RSA/DSA Key Pair
• On a Windows PC
  – Use “puttygen”
• On a Unix PC
  – Use “ssh-keygen” from the OpenSSH suite
• Do we have to create a separate RSA/DSA key pair for every remote host?
  – I don’t think so.
  – The “private key” has to be kept safely on your PC.
  – The “public key” can be shared with remote hosts.
• Put the public key on the web site?
• Send the public key by e-mail?
Puttygen (1): Generate key pair
Puttygen (2): Save keys
Puttygen (3): Save keys
Puttygen (4): Save keys
Step 2: Create a new account and put the public key in the host
• Where do we put the public key?
  – ~/.ssh/
• What is the file name?
  – ~/.ssh/authorized_keys
• What do we have to take care of?
  – The owner of authorized_keys must be the correct user.
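The host-operator side of the work flow above (Step 2 in particular), as an added shell example that is not from the slides: it installs a public key into ~/.ssh/authorized_keys and then checks the owner the slide warns about. The modes 700 on ~/.ssh and 600 on authorized_keys, the function names and the sample key line are my assumptions; the slides only state that the owner must be the correct user.

```shell
#!/bin/sh
# Added example (not from the slides). install_pubkey HOME_DIR USER PUBKEY_LINE:
# creates ~/.ssh, appends the public key to authorized_keys once, and fixes
# ownership and modes (700 on .ssh, 600 on authorized_keys; the modes are an
# assumption, the slide only requires the correct owner).
install_pubkey() {
    home="$1"; user="$2"; key="$3"
    sshdir="$home/.ssh"
    akfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    touch "$akfile"
    # Append only if this exact key line is not already present.
    grep -qxF -- "$key" "$akfile" || printf '%s\n' "$key" >> "$akfile"
    # On a real host this runs as root: hand both to the new account's user.
    chown "$user" "$sshdir" "$akfile"
    chmod 700 "$sshdir"
    chmod 600 "$akfile"
}

# check_pubkey_layout HOME_DIR USER: returns 0 when owner and modes are right
# and every non-comment line of authorized_keys starts with a key type sshd
# understands, 1 otherwise. Useful for auditing existing accounts on a host.
check_pubkey_layout() {
    home="$1"; user="$2"
    sshdir="$home/.ssh"; akfile="$sshdir/authorized_keys"
    # find -prune tests the path itself; -user and -perm must both match.
    [ -n "$(find "$sshdir" -prune -user "$user" -perm 700 -print)" ] || return 1
    [ -n "$(find "$akfile" -prune -user "$user" -perm 600 -print)" ] || return 1
    bad=$(grep -vcE '^(#|$|ssh-rsa |ssh-dss |ssh-ed25519 |ecdsa-sha2-nistp[0-9]+ )' \
              "$akfile" || true)
    [ "$bad" -eq 0 ]
}

# Constructed sample public key line (not a real key).
SAMPLE_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedSampleKeyNotReal= newuser@pc"
```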
Create a New User Account
Put the Public Key
Change the Directory Permission
Step 3: Try the new account
• Major SSH clients
  – PuTTY
  – TeraTerm with TTSSH
• PuTTY
  – SSH1: RSA
  – SSH2: RSA, DSA
• TeraTerm with TTSSH
  – SSH1 RSA only
PuTTY (1)
PuTTY (2)
PuTTY (3)
PuTTY (4)
PuTTY (5)
Sshd Operation
• sshd configuration file
  – /usr/local/etc/sshd_config
• Points
  – No root login
  – No password authentication
• After editing sshd_config, restart sshd.
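A small audit for the two sshd_config points above, as an added shell example that is not from the slides. It reads each keyword the way sshd does (keywords are case-insensitive, the first occurrence wins, and directives below a Match block apply only conditionally, so reading stops there) and assumes sshd's historical defaults of yes for both PermitRootLogin and PasswordAuthentication when a keyword is absent; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): audit an sshd_config for the two slide points.
# sshd_effective FILE KEYWORD DEFAULT prints the value sshd would use: the first
# matching line wins, keywords are case-insensitive, "keyword value" and
# "keyword=value" are both accepted, and reading stops at the first Match block
# because directives below it apply only conditionally.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[[:space:]]+/, "") }           # drop leading whitespace
        /^#/ || NF == 0 { next }               # comments and blank lines
        { n = split($0, f, /[[:space:]=]+/) }  # f[1]=keyword, f[2]=value
        tolower(f[1]) == "match" { exit }      # END still runs after exit
        tolower(f[1]) == kw && n >= 2 && !found { print f[2]; found = 1 }
        END { if (!found) print def }
    ' "$1" | tr 'A-Z' 'a-z'
}

# audit_sshd_config FILE: returns 0 when root login and password authentication
# are both off, otherwise prints each finding and returns 1. Defaults assumed:
# PermitRootLogin yes and PasswordAuthentication yes when the keyword is absent.
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin yes)
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', want 'no'"; rc=1; }
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is '$pw', want 'no'"; rc=1; }
    return "$rc"
}
```

Run it against /usr/local/etc/sshd_config before restarting sshd; a non-zero exit lists which of the two points is not yet in force.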
No Root Login
No Password Authentication
Tips: Let’s mount FDD on FreeBSD
```
liverpool# mount /dev/fd0.1440 /mnt/fdd
liverpool# cd /mnt/fdd
liverpool# ls
boot kernel.gz
liverpool#
```