comp.security.ssh: SSH secure remote login and tunneling tools.
#1

I am still a bit of a newb when it comes to sshd security, but I am
attempting to set up a public-key based sshd server for my internal server network. The config is as follows:

=================================
Port 22
Protocol 2
HostKey /root/CA/sshd_rsa.key
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 40s
PermitRootLogin yes
StrictModes no
MaxAuthTries 4
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/int_auth_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AllowTCPForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 5
PermitTunnel yes
Banner /etc/ssh/banner
Subsystem sftp /usr/libexec/openssh/sftp-server
=====================

Most of it comes from the stock FC5 sshd_config. When I try to start the server it whines about not being able to load /root/CA/sshd_rsa.key even though the file exists and is a RSA PRIVATE KEY. Did I use the wrong command to generate it? (It was `openssl genrsa -out <file> 2048` IIRC.) Are there any special tools for generating this key that I could use?

#2

crazyForDynamite wrote:
> Are there any special tools for generating this key that I could use?

ssh-keygen but AFAIK sshd should generate appropriate keys when first run and place them in /etc/ssh, or whatever is the default ssh configuration directory in your OS.

--
Cezary Morga

#3

>>>>> "CM" == Cezary Morga <cezarym@data.pl> writes:

CM> crazyForDynamite wrote:
>> Are there any special tools for generating this key that I could
>> use?

CM> ssh-keygen but AFAIK sshd should generate appropriate keys when
CM> first run and place them in /etc/ssh, or whatever is the default
CM> ssh configuration directory in your OS. -- Cezary Morga

sshd does not do this, although many SSH init scripts do.

--
Richard Silverman
res@qoxp.net

#4

Richard E. Silverman wrote:
>>>>>> "CM" == Cezary Morga <cezarym@data.pl> writes:
>
> CM> crazyForDynamite wrote:
> >> Are there any special tools for generating this key that I could
> >> use?
>
> CM> ssh-keygen but AFAIK sshd should generate appropriate keys when
> CM> first run and place them in /etc/ssh, or whatever is the default
> CM> ssh configuration directory in your OS. -- Cezary Morga
>
> sshd does not do this, although many SSH init scripts do.
>

mkay. My fault, You're right.

--
Cezary Morga
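
Added example, not part of any post in this thread: generating a host key with ssh-keygen, as suggested in reply #2, and checking the things that decide whether a private key file can be loaded (it exists, it is not accessible to group or others, it parses without a passphrase). The function names `make_hostkey` and `check_hostkey` are hypothetical, and the key path is whatever the caller passes in, not the poster's /root/CA/sshd_rsa.key.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# make_hostkey FILE: create an unencrypted 2048-bit RSA key pair.
# ssh-keygen writes FILE (private, mode 600) and FILE.pub (public).
make_hostkey() {
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$1"
}

# check_hostkey FILE: print "ok" and return 0 if FILE looks loadable as a
# host key; otherwise print a short reason and return 1.
check_hostkey() {
    key=$1

    [ -f "$key" ] || { echo "missing"; return 1; }

    # Stock OpenSSH rejects a private key whose owner has left it
    # accessible to group or others, so require mode x00.
    # GNU stat uses -c, BSD stat uses -f.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        [0-7]00) ;;
        *) echo "bad-mode:$mode"; return 1 ;;
    esac

    # -y derives the public key from the private key, which fails if the
    # file cannot be parsed. -P '' supplies an empty passphrase so there is
    # no prompt: a host key has to be usable without one, because sshd
    # cannot ask for it at startup.
    ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1 ||
        { echo "unparseable"; return 1; }

    echo "ok"
}
```

Once the key passes, `sshd -t` (test mode) checks the configuration file and the sanity of the keys it names without starting the daemon.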