
EndRun Sonoma D12 - Network: IPv4 Page; NTP Page; NTP Status

EndRun Sonoma D12
172 pages
Sonoma User Manual
Chapter Five
Security
Configure Keys
On the first boot out of the box, the SSH start-up script, /etc/rc.d/rc.sshd, will detect that no keys are present in the /etc/ssh directory. It will call ssh-keygen to generate a set of host keys and then copy them to the /boot/etc/ssh directory. These will be copied to /etc/ssh during each boot-up. A complete set of security keys for both the SSH1 and SSH2 versions of the protocol is generated. RSA keys are supported by both versions, and DSA keys are supported when using the SSH2 version.
Should you need to replace your keys at any time, you can just remove the keys from the /boot/etc/ssh directory and then reboot the Sonoma. A new set of host keys will automatically be generated.
To congure root logins to your Sonoma via passwordless, public key authentication, you must gen-
erate a public/private pair of SSH2 keys using your own ssh key generating utility, or you can use the
ssh-keygen that is resident on the Sonoma le system. You must then append the public key to the
/boot/root/.ssh/authorized_keys2 le in the non-volatile FLASH area on your Sonoma. At boot time,
the Sonoma will copy these to the actual working /root/.ssh directory of the system ramdisk. To use
this capability, the corresponding private key must reside in the /root/.ssh directory of your remote
computer as id_rsa or id_dsa. If you are unfamilar with this process, refer to the man page for the
ssh-keygen utility for details (issue man ssh-keygen at the prompt). (Be careful to maintain the
proper ownership and access permissions of the private key by using cp -p when copying the le.
It MUST be readable only by root.)
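
The two file-handling steps above (appending the public key and keeping the private key readable only by its owner) can be scripted as below. This is an added example, not code from the Sonoma manual or firmware; the function names are hypothetical, and paths are passed as arguments so the functions can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the manual. Function names are hypothetical.

# install_pubkey PUBFILE AUTHFILE
# Append one SSH2 public key to AUTHFILE (on the Sonoma this would be
# /boot/root/.ssh/authorized_keys2) unless that exact line is already there.
# Returns 2 if PUBFILE is not a single RSA/DSA public key line, which also
# catches a private key file passed by mistake.
install_pubkey() {
    pub=$1
    auth=$2
    [ -f "$pub" ] && [ "$(grep -c '' "$pub")" -eq 1 ] || return 2
    grep -Eq '^ssh-(rsa|dss) [A-Za-z0-9+/]+=*( .*)?$' "$pub" || return 2
    key=$(cat "$pub")
    dir=$(dirname "$auth")
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    # Create the file with a restrictive umask so it is never world-readable.
    [ -e "$auth" ] || ( umask 077; : > "$auth" ) || return 1
    chmod 600 "$auth" || return 1
    # Idempotent: only append when the exact key line is missing.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_private_key FILE [UID]
# Succeeds only if FILE is a regular file (not a symlink) owned by UID
# (default 0, i.e. root) with no group or other permission bits set.
check_private_key() {
    want_uid=${2:-0}
    line=$(ls -ldn -- "$1" 2>/dev/null) || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    uid=$(printf '%s\n' "$line" | awk '{print $3}')
    case $mode in
        -???------) ;;          # owner bits only
        *) return 1 ;;
    esac
    [ "$uid" = "$want_uid" ]
}
```

Run check_private_key against /root/.ssh/id_rsa (or id_dsa) on the remote computer after copying the key, and install_pubkey against the FLASH copy of authorized_keys2 on the Sonoma.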
Advanced users wishing to modify the overall configuration of the sshd daemon should edit the /etc/ssh/sshd_config file and then copy it to the /boot/etc/ssh directory of the Sonoma. Be careful to maintain the proper ownership and access permissions by using cp -p when copying the file. At boot time, it will be copied to the /etc/ssh directory of the system ramdisk, thereby replacing the factory default configuration file.
HTTPS
The HTTPS server in the Sonoma is built from the standard Apache version 2.4.10 distribution from:
http://httpd.apache.org
It uses HTTPS (HTTP over SSL) with mod_ssl (the Apache interface to OpenSSL). For more information about this protocol, refer to:
http://www.modssl.org
NOTE: To disable the HTTPS protocol see Disable SNMP, SSH and HTTPS above. To restrict access see Restrict Access - HTTPS above.
HTTP and SSL use files for the default configuration located in /etc/httpd. Of these, you will typically only need to modify httpd.conf. Advanced users who need to modify the default configuration will need to edit the file and copy it to the /boot/etc/httpd directory. Do not attempt to change the directives unless you have a real need to do so. (See Appendix C - Helpful Linux Information, Using Editors above.)
