Manuals / Apple / Computer Equipment / Server

Apple 10.6 manual SSH and SSH Keys, Key-Based SSH Login, Generating a Key Pair for SSH

Models: 10.6

1 197

Download 197 pages 50.37 Kb

Page 72

SSH and SSH Keys

SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides traffic encryption and data integrity exchanged between computers.

SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.

Mac OS X Server uses OpenSSH as the basis for its SSH tools. Notably, portable home directory synchronization is provided via SSH.

Key-Based SSH Login

Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts because it allows computers to communicate without a user needing to enter a password.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

Generating a Key Pair for SSH

The following outlines the process of setting up key-based SSH login on Mac OS X and Mac OS X Server. To set up key-based SSH, you must generate the keys the two computers will use to establish and validate the identity of each other.

This doesn’t authorize all users of the computer to have SSH access. Keys must be generated for each user account.

To do this, run the following commands in Terminal:

1Verify that an .ssh folder exists in your home folder by entering the command:

ls -ld ~/.ssh.

If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir ~/.ssh and continue to step 2.

2Change directories in the shell to the hidden .ssh directory by entering the following command:

cd ~/.ssh

3Generate the public and private keys by entering the following command:

ssh-keygen -b 1024 -t rsa -f id_rsa -P ''

72

Chapter 4    Enhancing Security

Image 72

Apple 10.6 manual SSH and SSH Keys, Key-Based SSH Login, Generating a Key Pair for SSH

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Administration Tools Enhancing SecurityInstallation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Push Notification Server IndexContents About This Guide What’s in This GuideUsing Onscreen Help To see the most recent server help topicsDocument Road Map Getting StartedPreface About This Guide Getting Documentation Updates Getting Additional InformationSystem Requirements for Installing Mac OS X Server StandardsWhat’s New in Mac OS X Server ÂÂ iCal ServerWhat’s New in Server Admin Understanding Server Configuration MethodsSnmp NFS Supported Standards RadiusSystem Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Planning Server Usage Determining Your Server NeedsDetermining Whether to Upgrade or Migrate Setting Up a Planning TeamIdentifying Servers to Set Up Determining Services to Host on Each ServerPlanning Server Usage Defining a Migration Strategy Migrating from WindowsDefining an Integration Strategy Defining Server Setup Infrastructure Requirements Defining Physical Infrastructure RequirementsSetting up basic server infrastructure Minimizing the Need to Relocate Servers After Setup Defining Backup and Restore PoliciesMaking Sure Required Server Hardware Is Available Understanding Backup and Restore Policies Understanding Backup Types Understanding Backup Scheduling Understanding RestoresOther Backup Policy Considerations Defining a Backup Verification MechanismCommand-Line Backup and Restoration Tools Understanding Time Machine as a Server Backup ToolÂÂ Remote Access Settings ÂÂ Software Update ÂÂ Wiki ÂÂ XgridServer Admin Opening and Authenticating in Server AdminServer Admin Interface M NCustomizing the Server Admin Environment Server Assistant Server Assistant is used forServer Preferences Workgroup ManagerWorkgroup Manager Interface Server Monitor Customizing the Workgroup Manager EnvironmentFor additional information, see Server Monitor Help ICal Service Utility ICal Service Utility InterfaceSystem Image Management Media Streaming ManagementCommand-Line Tools RAID AdminServer Status Widget Xgrid Admin Podcast Capture, Composer, and ProducerApple Remote Desktop Enhancing Security About Physical SecurityAbout Network Security Firewalls and Packet FiltersNetwork DMZ VLANs MAC FilteringTransport Encryption Payload EncryptionAbout File Security File and Folder PermissionsAbout File Encryption About Authentication and Authorization Secure DeleteYou have several options for authenticating users ÂÂ Secure Shell SSHSingle Sign-On About Certificates, SSL, and Public Key Infrastructure Public and Private KeysCertificates About Certificate Authorities CAsAbout Identities About Self-Signed CertificatesAbout Intermediate Trust Certificate Manager in Server Admin To configure clients to trust a certificateFrom the command line Enhancing Security Readying Certificates Creating a Self-Signed Certificate Requesting a Certificate from a Certificate AuthorityTo create a self-signed certificate To request a signed certificateCreating a Certificate Authority To create a CAEnhancing Security Using a CA to Create a Certificate for Someone Else Importing a Certificate IdentityTo create a certificate for someone else To import an existing OpenSSL style certificateManaging Certificates Editing a CertificateDistributing a CA Public Certificate to Clients Deleting a CertificateTo distribute your certificate to your clients To delete a certificateUsing Certificates Renewing an Expiring CertificateReplacing an Existing Certificate To renew an expiring certificateKey-Based SSH Login To do this, run the following commands in TerminalSSH and SSH Keys Generating a Key Pair for SSHKey-Based SSH with Scripting Sample Administration Level Security Setting Administration Level PrivilegesService Level Security Setting Sacl PermissionsTo set Sacl permissions for a service Security Best Practices Password Guidelines Creating Complex Passwords Installation Overview Confirm you meet the requirements Gather your information Set up the environment Start up the computer from an installation disk Start the installer Prepare the target disk Set Up Services Gathering the Information You NeedSetting Up Network Services About the Server Install DiscConnecting to the Directory During Installation SSH During InstallationPreparing an Administrator Computer Mac OS X Server Install DiscAdministration Tools CD About Starting Up for Installation To install Mac OS X Server v10.6 administration toolsBefore Starting Up Starting Up from the Install DVD To start up the computer with the installation discStarting Up from an Alternate Partition Create a restorable image of the Install DVD Restore the image to the alternate partitionTo create an image of the Install DVD Prepare the disks and partitions on the target computerTo restore the image to a free volume Remotely Accessing the Install DVD To access the computer with Server AssistantTo access the computer with VNC To access the computer using Screen SharingTo access the computer with SSH Identifying Remote Servers When Installing Mac OS X Server Identify the target serverStarting Up from a NetBoot Environment Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD Start up the computer from the NetBoot server To create a NetInstall image from the Install DVDChoosing a File System ÂÂ Mac OS Extended Journaled, Case-Sensitive aka HfsxAbout Hard Disk Partitioning To partition a disk using Disk Utility Partitioning a DiskSo the command is About Creating a RAID SetTo create a RAID set using Disk Utility You cannot create a RAID set from the startup diskDiskutil createRAID mirror setName format device device Installing Server Software Interactively For exampleInstalling Locally from the Installation Disc To install server software locallyInstalling Remotely with Server Assistant To install on a remote server by using Server AssistantInstalling Remotely with Screen Sharing and VNC Changing a Remote Computer’s Startup Disk To change a remote computer’s startup diskTo use installer to install server software 105 Installing Multiple Servers Most Efficient Methods of InstallationMore Interactive Methods of Installation How to Keep Current Upgrading a Computer from Mac OS X to Mac OS X ServerPostponing Server Setup Following Installation To postpone setting up Mac OS X ServerInformation You Need Connecting to the Network During Initial Server Setup Configuring Servers with Multiple Ethernet PortsAbout Settings Established During Initial Server Setup Specifying Initial Open Directory Usage ÂÂ Create Users and GroupsNot Changing Directory Usage When Upgrading ÂÂ Configure ManuallyÂÂ Import Users and Groups Setting Up a Server as a Standalone Server Binding a Server to Multiple Directory ServersSetting up Servers Interactively To interactively connect to an additional directory serverTo set up servers interactively Select the target servers from the configuration listUsing Automatic Server Setup Creating and Saving Setup Data To create a setup data file Using Encryption with Setup Data Files How a Server Searches for Saved Setup Data FilesSetting Up Servers Automatically Using Data Saved in a File To use setup data from a file remotely Create the saved setup folder on the remote serverRestart the remote server To set the server serial numberHandling Setup Errors Setting Up Services Adding Services to the Server ViewTo change services to administer From the command-lineSetting Up Open Directory Setting Up User ManagementSetting Up All Other Services To set up a user accountComputers You Can Use to Administer a Server Setting Up an Administrator ComputerUsing a Non-Mac OS X Computer for Administration Insert the Mac OS X Server Admin Tools CDUsing the Administration Tools Working with Pre-v10.6 Computers from v10.6 ServersPorts Used for Administration Ports Open By DefaultServer Admin Basics Adding and Removing Servers in Server AdminGrouping Servers Using Smart Groups Grouping Servers ManuallyTo create a server group Working with Settings for a Specific Server To create a server smart groupToolbar button Shows 132 ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile Access ÂÂ NetBootUnderstanding Mac OS X Server Names Directory Service and Kerberos DhcpMobile Access Proxy Services NetBootFirewall ÂÂ MySQL WebCertificates for Web and Wiki Services MySQLWiki 138 Certificates for Mail Services ÂÂ Certificates for collaboration servicesImap and POP Mailing ListAddress Book Service ICal ServiceIChat Service Certificates for Collaboration Services To change the IP address of the Podcast Producer computer To change the DNS name of the Podcast Producer computerSoftware Update Server PrintPush Notification XgridChanging the Server’s DNS Name After Setup Changing the IP Address of a ServerChanging the Server’s Computer Name and the Local Hostname To change the DNS nameAdministering Services From the command lineTo change computer name and local hostname Adding and Removing Services in Server Admin Importing and Exporting Service SettingsTo add or remove a service in Server Admin To export service settingsControlling Access to Services To configure service access SACLsUsing SSL for Remote Server Administration Managing SharingTiered Administration Permissions Defining Administrative Permissions Workgroup Manager BasicsTo assign permissions Administering Accounts Opening and Authenticating in Workgroup ManagerWorking with Users and Groups 152 Defining Managed Preferences Working with Directory Data To display the inspectorService Configuration Assistants Critical Configuration and Data FilesAssistants are available for the following services GeneralFirewall Service Mail ServiceIChat Server Mail-POP/IMAP Server DovecotMySQL Service NAT ServiceOpenDirectory Service NotificationsQuickTime Streaming Server Tomcat App ServerImproving Service Availability Web ServiceEliminating Single Points of Failure Wiki and Blog ServerUsing Xserve for High Availability Setting Up Your Server for Automatic Restart Using Backup PowerUsing UPS with Xserve Following is the Energy Saver panel of System PreferencesTo enable automatic restart Ensuring Proper Operational ConditionsProviding Open Directory Replication Automatic restart options areLink Aggregation About the Link Aggregation Control Protocol Lacp Link Aggregation ScenariosComputer to Switch Setting Up Link Aggregation in Mac OS X Server To create a link aggregateMonitoring Link Aggregation Status To monitor the status of a link aggregateLoad Balancing Using launchd for Daemon Control ÂÂ mDNSresponder local network service discovery processDaemon Overview Viewing Running Daemons170 Planning a Monitoring Policy Planning Monitoring ResponseUsing with Server Status Widget Using Server MonitorTo configure the Server Status widget Using RAID Admin for Server Monitoring Using Console for Server MonitoringUsing Disk Monitoring Tools Using Network Monitoring Tools Using Server Status Notification in Server Admin Monitoring Server Status Overviews Using Server AdminTo set a notification To see a status overview for one serverUsing Remote Kernel Core Dumps Following shows a sample Overview pane for a single server177 Setting Up a Core Dump Server Setting up a core dump serverSetting Up a Core Dump Client Setting up a core dump clientRestart the computer for the settings to take effect Configuring Common Core Dump Options About Simple Network Management Protocol SnmpConfiguring snmpd To enable SnmpEnabling Snmp reporting To enable and configure Snmp Customize data Restart snmpd to take changes About Notification and Event Monitoring Daemons Additional Information about SnmpTools to Use with Snmp There are two main notification daemons syslogd and emond Logging SyslogDirectory Service Debug Logging Syslog Configuration FileOpen Directory Logging To start debugging at startupTo enable client-side logging Additional Monitoring AidsAFP Logging To run slapd in debugging modePush Notification Server About Push Notification ServerTo enable Push Notification Starting and Stopping Push NotificationChanging a Service’s Push Notification Server Click Save, then restart the serviceTo change the existing push notification server Index 192 193 194 195 196 197