<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>Samba Authenticated Gateway HOWTO: SSH setup</TITLE>
 <LINK HREF="Samba-Authenticated-Gateway-HOWTO-6.html" REL=next>
 <LINK HREF="Samba-Authenticated-Gateway-HOWTO-4.html" REL=previous>
 <LINK HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="Samba-Authenticated-Gateway-HOWTO-6.html">Next</A>
<A HREF="Samba-Authenticated-Gateway-HOWTO-4.html">Previous</A>
<A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5.</A> <A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5">SSH setup</A></H2>

<P>For whatever reason, you may want to run your PDC on one box and have
another box as a managed gateway. If so, you must set up your gateway
to accept RSA-authenticated logins without passwords from the PDC.</P>

<P>Take a look at 
<A HREF="http://www.openssh.org/manual.html">www.openssh.org</A> for information on how to properly set up your
ssh server and client for this.</P>

<H2><A NAME="ss5.1">5.1</A> <A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5.1">Important</A>
</H2>

<P>You should read the ssh documentation and make sure that you
fully understand what you are doing when you set up RSA or any other
kind of cryptographic authentication.</P>

<P>If security isn't an issue, just use my example and go on.</P>

<H2><A NAME="ss5.2">5.2</A> <A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5.2">Key pair generation</A>
</H2>

<P>To create a key pair, issue the following command on the machine
meant to be the PDC:</P>

<P>
<PRE>
pdc:~# ssh-keygen -t rsa
</PRE>
</P>
<P>Answer the questions and copy the resulting public key to the
gateway itself. Usually the public key is written to "~/.ssh/id_rsa.pub".</P>

<P>
<PRE>
pdc:~# cd .ssh
pdc:~# scp id_rsa.pub root@gateway:/root/.ssh/authorized_keys2
</PRE>
</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5.3">SSH enabled logon script</A>
</H2>

<P>The following is a standard /etc/smbgate/users/user script modified
to use the ssh cryptographic authentication.</P>

<P>
<PRE>
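#!/bin/sh
#
# Arguments: $1 = iptables command (placed before the chain name),
#            $2 = client address, $3 = external interface
COMMAND=$1
ADDRESS=$2
EXTIF=$3
IPTABLES='/sbin/iptables'
# Run iptables on the gateway over ssh, using the key pair from section 5.2
ssh root@gateway "$IPTABLES" "$COMMAND" POSTROUTING -t nat -s "$ADDRESS" -o "$EXTIF" -j MASQUERADE
</PRE>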
</P>
<P>Note that the iptables binary is called through ssh on the "gateway".
Again, make sure that you read the ssh server documentation.</P>
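
<P>Because the key from section 5.2 gives the PDC a passwordless root login
on the gateway, it is worth limiting that key to the one iptables rule the
logon script sends. The following gateway-side wrapper is an added example,
not part of the original HOWTO; the install path
<CODE>/usr/local/sbin/smbgate-fw</CODE>, the <CODE>validate_request</CODE>
function name, and the restriction to <CODE>-A</CODE>/<CODE>-D</CODE> and
IPv4 addresses are assumptions.</P>

```shell
#!/bin/sh
# Added example (not from the HOWTO): forced-command wrapper for the gateway.
# Install at a path of your choice (assumed: /usr/local/sbin/smbgate-fw) and
# bind the PDC key to it in root's authorized keys file on the gateway:
#   command="/usr/local/sbin/smbgate-fw",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa KEY_PLACEHOLDER root@pdc
# sshd then ignores the command the client asks for, runs this wrapper instead
# and passes the client's request in SSH_ORIGINAL_COMMAND.

IPTABLES='/sbin/iptables'

# Print the checked iptables arguments for one request line, or return 1.
validate_request() {
    set -f                      # no glob expansion while splitting
    set -- $1                   # split the request on whitespace
    set +f
    [ $# -eq 11 ] || return 1
    [ "$1" = "$IPTABLES" ] || return 1
    # Fixed tokens must match the logon script's rule exactly.
    [ "$3 $4 $5 $6 $8 ${10} ${11}" = "POSTROUTING -t nat -s -o -j MASQUERADE" ] || return 1
    case $2 in
        -A|-D) ;;               # assumed: append and delete are the only actions
        *) return 1 ;;
    esac
    # Source address: dotted quad only (assumption: IPv4 clients, no netmask).
    printf '%s\n' "$7" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Interface: short name from a conservative character set.
    [ "${#9}" -le 15 ] || return 1
    case $9 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$2 $3 $4 $5 $6 $7 $8 $9 ${10} ${11}"
}

# Only act when sshd supplied a request; a bare login gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if args=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        set -f
        exec "$IPTABLES" $args  # splitting is safe: every token was checked
    fi
    logger -p auth.warning -t smbgate-fw "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

<P>With this in place the logon script above works unchanged, while any
other command sent with the PDC key is refused and logged on the gateway.</P>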

<HR>
<A HREF="Samba-Authenticated-Gateway-HOWTO-6.html">Next</A>
<A HREF="Samba-Authenticated-Gateway-HOWTO-4.html">Previous</A>
<A HREF="Samba-Authenticated-Gateway-HOWTO.html#toc5">Contents</A>
</BODY>
</HTML>