Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOI-ASIA Unofficial Operators Meeting 10 May 2004.

Similar presentations

Presentation on theme: "SOI-ASIA Unofficial Operators Meeting 10 May 2004."— Presentation transcript:

1 SOI-ASIA Unofficial Operators Meeting 10 May 2004

2 AI3 Security Policy Basics –Moderately independent site by site –Self defense

3 User Account Management Account creation –No user password for local operators –If necessary, allow user password for foreign operators A case when we allow user password –A foreign operator needs root authority –Su2 / sudo An operator can be root by user password without root password

4 Remote Access Administration SSH –Prohibit root login –Prohibit password authentication –Use public key authentication RSA authentication for SSH1 RSA or DSA authentication for SSH2

5 RSA / DSA Public key authentication methods RSA (Rivest, Shamir, Adleman) –Developed based on the difficulty of factorization into prime factors from a large number DSA (Digital Signature Algorithm) –Expanded beyond ElGamal

6 Actual Work Flow New User Host Operator Create RSA / DSA key pair (1) Request a new account with attaching the public key Create a new account and put the public key in the host (2) Try the new account (3) Send notification

7 Step 1: Create RSA/DSA Key Pair On Windows PC –Use puttygen On Unix PC –Use ssh-keygen of OpenSSH suite Do we have to create many pairs of RSA/DSA key for every remote host? –I dont think so. –Private Key has to be safely kept on your PC. –Public Key can be shared on remote host. Put the public key on the WEB site? Send the public key by e-mail?

8 Puttygen (1): Generate key pair

9 Puttygen (2): Save keys

10 Puttygen (3): Save keys

11 Puttygen (4): Save keys

12 Step 2: Create a new account and put the public key in the host Where do we put the public key? –~/.ssh/ What is the file name? –~/.ssh/authorized_keys What point do we have to take care? –The owner of authorized_keys should be the correct user.

13 Create a New User Account

14 Put the Public Key

15 Change the Directory Permission

16 Step 3: Try the new account Major SSH clients –PuTTY –TeraTerm with TTSSH PuTTY –SSH1 RSA –SSH2 RSA, DSA TeraTerm with TTSSH –SSH1 RSA only

17 PuTTY (1)

18 PuTTY (2)

19 PuTTY (3)

20 PuTTY (4)

21 PuTTY (5)

22 Sshd Operation Sshd configuration file –/usr/local/etc/sshd_config Points –No root login –No password authentication After editing sshd_config, restart sshd.

23 No Root Login

24 No Password Authentication

25 Tips: Lets mount FDD on FreeBSD liverpool# mount /dev/fd0.1440 /mnt/fdd liverpool# cd /mnt/fdd liverpool# ls boot kernel.gz liverpool#

Download ppt "SOI-ASIA Unofficial Operators Meeting 10 May 2004."

Similar presentations

Ads by Google