Securing-Optimizing-RH-Linux-1_2_189
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Configuration of the /etc/pam.d/ssh file
For better security of your ssh2 server, you can configure it to use PAM authentication. To do that,
you must create the /etc/pam.d/ssh file.
Create the ssh file (touch /etc/pam.d/ssh) and add or change, if necessary:
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
session    required     /lib/security/pam_pwdb.so
NOTE: Each line is "type control module-path [arguments]". The pam_nologin.so entry in the auth stack
makes sshd refuse non-root logins while /etc/nologin exists, and use_authtok on the second password line
makes pam_pwdb.so store the password that pam_cracklib.so has already checked rather than asking again.
The nullok argument relaxes the refusal of empty passwords; remove it unless you really need that.
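The following is an added example, not code from the book: a small parser for the PAM service-file format used above, plus an audit that checks the properties the stack is supposed to give you (all four management groups present, pam_nologin.so in the auth stack, shadow passwords consulted, pam_cracklib.so checking new passwords with use_authtok handing the result to pam_pwdb.so) and reports nullok. The sample text is the stack from the book, embedded here so the script runs offline; the finding strings and the harden() helper are this example's own.

```python
"""Parse and audit an /etc/pam.d/ssh stack (added example, not the book's code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the stack from the book, which carries nullok on the
# second password line. Embedded here so the script runs without /etc/pam.d.
BOOK_SSH_PAM = """\
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
session    required     /lib/security/pam_pwdb.so
"""

PAM_TYPES = ("auth", "account", "password", "session")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class PamEntry:
    mtype: str                      # auth / account / password / session
    control: str                    # required, requisite, ...
    module: str                     # basename, e.g. "pam_pwdb.so"
    args: list[str] = field(default_factory=list)


def parse_pam(text: str) -> list[PamEntry]:
    """Parse a Linux-PAM service file: 'type control module-path [args]'.
    Blank lines and '#' comments are skipped; a malformed line raises."""
    entries: list[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in PAM_TYPES:
            raise ValueError(f"line {lineno}: malformed PAM entry: {raw!r}")
        mtype, control, path, *args = parts
        entries.append(PamEntry(mtype, control, path.rsplit("/", 1)[-1], args))
    return entries


def audit_ssh_pam(text: str) -> list[str]:
    """Return findings for the stack; an empty list means it looks as intended."""
    findings: list[str] = []
    entries = parse_pam(text)
    by_type = {t: [e for e in entries if e.mtype == t] for t in PAM_TYPES}

    for t in PAM_TYPES:
        if not by_type[t]:
            findings.append(f"no '{t}' entries: that management group is not configured")

    if not any(e.module == "pam_nologin.so" for e in by_type["auth"]):
        findings.append("auth stack lacks pam_nologin.so: /etc/nologin will not block logins")

    for e in by_type["auth"]:
        if e.module == "pam_pwdb.so" and "shadow" not in e.args:
            findings.append("auth pam_pwdb.so lacks 'shadow': shadow passwords not consulted")

    pw_modules = [e.module for e in by_type["password"]]
    if "pam_cracklib.so" not in pw_modules:
        findings.append("password stack lacks pam_cracklib.so: no strength check on new passwords")
    for e in by_type["password"]:
        if e.module == "pam_pwdb.so" and "pam_cracklib.so" in pw_modules \
                and "use_authtok" not in e.args:
            findings.append("password pam_pwdb.so lacks 'use_authtok': cracklib's check is bypassed")

    for e in entries:
        if "nullok" in e.args:
            findings.append(f"{e.mtype} {e.module} has 'nullok': refusal of empty passwords is relaxed")
        if e.control not in CONTROL_FLAGS:
            findings.append(f"{e.mtype} {e.module}: unknown control flag {e.control!r}")
    return findings


def harden(text: str) -> str:
    """Return the same stack with 'nullok' dropped from every module line."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] in PAM_TYPES:
            raw = " ".join(p for p in parts if p != "nullok")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_ssh_pam(BOOK_SSH_PAM) or ["ok"]:
        print(finding)
    print(audit_ssh_pam(harden(BOOK_SSH_PAM)))
```

Run it against the real file with audit_ssh_pam(open("/etc/pam.d/ssh").read()); the parser only understands the classic one-line entries shown in this chapter, not the later [value=action] control syntax.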
Further documentation
For more details, there are several man pages you can read:
$ man ssh-add2 (1) - adds identities for the authentication agent
$ man ssh-agent2 (1) - authentication agent
$ man ssh-keygen2 (1) - authentication key pair generation
$ man ssh2 (1) - secure shell client (remote login program)
$ man sshd2 (8) - secure shell daemon
Ssh2 Per-User Configuration
Step 1
Create your private and public keys on Local by executing:
[root@deep /]# su admin
[admin@deep /]$ ssh-keygen2
Generating 1024-bit dsa key pair
6 Oo..oOo.oOo.
Key generated.
1024-bit dsa, admin@deep.openarch.com, Sun Feb 13 2000 05:33:38 -0500
Passphrase :
Again :
Private key saved to /home/admin/.ssh2/id_dsa_1024_a
Public key saved to /home/admin/.ssh2/id_dsa_1024_a.pub
Step 2
Create an identification file in your ~/.ssh2 home directory on Local:
[admin@deep]$ cd ~/.ssh2
[admin@deep .ssh2]$ echo IdKey id_dsa_1024_a > identification
NOTE: It is optional to create an identification file on Remote. The identification file contains the name
of the private key that is to be used in authentication.
Step 3
Copy your public key from Local (id_dsa_1024_a.pub) to the ~/.ssh2 home directory on Remote under
a name of your choice, say, Local.pub.
Step 4
Create an authorization file in your ~/.ssh2 home directory on Remote:
[admin@remote .ssh2]$ touch authorization