http://e4776m4mg.blogspot.jp/2014/03/84-releasessh.html
設定要素を記述する最初の一行が間違っています。orz
誤: /etc/ssh/sshd_conf
正: /etc/ssh/sshd_config
さておき、現状においてsshd_configの内容が以前と全く違います。おそらく、インストール時に転送ファイル容量を減らすためにdistributionを
ワケもわからず何となく
変更したことが原因でしょう、ここに異変が生じるような要素は他に考えられません。
というわけで、sysinstallです。そういえばかつては/stand/sysinstallだったんですね。すっかり忘れていましたが他の設定で他所様のコンテンツを拝読しておりまして思い出しました。
とりあえずdistributionの選択で
4 Developer
5 Kern-Developer
を選択して、8 Customでドキュメントの類の選択を外して設定修正。
/etc/ssh/sshd_config
の中身をあらためて、今度は問題なし、というより以前設定したファイルの内容であるように見える。次に以前同様の修正を加えて、
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers daredare
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers daredare
ps
で見たところsshdが起動していないようなので
/etc/rc.d/sshd start
を叩いてみたところ
sshd already runnni? (pid=581).
あれっ!? でなくて単にpsがマヌケなのか。-a でも -au でもダメで、-auxでないと見えない。
-a は他ユーザも
-u は詳細
-x はシステム全体
というわけで
とりあえずアクセス確認・・・NG。
sshアクセス用に作成したユーザアカウントが消えている、adduser。
rootのパスワードも消えている、passwd。忘れまくり。
それから以前はとても手が回らなかった鍵生成。
参考にさせていただくのはこちら様。
http://www.kishiro.com/FreeBSD/ssh.html
まずはこの設定
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ちゃんと読むと
Pub key Authentication yes
Authorized KeysFile .ssh/authorized_keys
公開鍵認証 はい
認証されたキーファイル .ssh以下の atuthorized_keys
この機器のこの状況における修正前は
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
認証されたキーファイルに 2 があるがとりあえずこの状態からコメント#を外して、
/etc/rc.d/sshd restart
次に鍵の生成。
ssh-keygen -t rsa
オプションがたいへん多岐に渡る。-tはタイプ指定でここではRSA。
リベスト&シャミア&エーデルマン共同制作暗号
http://ja.wikipedia.org/wiki/RSA%E6%9A%97%E5%8F%B7
ssh-keygen
http://www.freebsd.org/cgi/man.cgi?query=ssh-keygen&sektion=1
パスフレーズは...
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. <--秘密鍵
Your public key has been saved in /root/.ssh/id_rsa.pub. <--公開鍵
The key fingerprint is:
4f:d7:07:af:86:f5:55:c9:5c:20:4f:df:26:89:7c:b8 root@netvista.testdomain
The key's randomart image is:
+--[ RSA 2048]----+
| . o..|
| . *oo+|
| + *+=|
| + =.|
| S . E o +|
| o . o +.|
| . . o .|
| . |
| |
+-----------------+
#
生成完了。
次に、流し込み(業界用語)。ユーザ毎の/.sshdで
cat id_rsa.pub >> authorized_keys
で、クライアント側の設定をこちらなどを確認しつつ
http://www.j-oosk.com/teraterm/authorized_keys/306/
...秘密鍵の受け渡し方法がない。ないものは無いのでここで保留。
Samba36
参考にさせていただくのはこちら様。
http://bakuretsu.atso-net.jp/bakuretsu/freebsd/samba36.html
/usr/local/etc
8.4-Releaseだと samba.conf、samba.conf.sampleが生成されているので、
cp smb.conf smb.conf.default
と、いちおうバックアップを取ってから編集。
# vi smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = user
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
; socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# Charset settings
; display charset = koi8-r
; unix charset = koi8-r
; dos charset = cp866
# Use extended attributes to store file modes
; store dos attributes = yes
; map hidden = no
; map system = no
; map archive = no
# Use inherited ACLs for directories
; nt acl support = yes
; inherit acls = yes
; map acl inherit = yes
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
;
# This is a DRAFT sample configuration for the ACLs on the ZFS partition.
#
; nt acl support = yes
; inherit acls = no
; map acl inherit = yes
;
;[zpool]
; path = /tank/zpool
; unix extensions = no
; vfs objects = zfsacl
; nfs4:mode = special
; nfs4:acedup = merge
; nfs4:chown = yes
:q
#
何のこっちゃなのでこれもあわせて。
http://www.samba.gr.jp/project/translation/3.5/htmldocs/manpages-3/smb.conf.5.html
先ずは、何もしてないのに
# testparm
次に、
# smbpasswd -a daredare
New SMB password:
Retype new SMB password:
Added user daredare.
#
/etc/rc.confに追加
samba_enalbe="YES"
winbindd_enable="YES"
後者はWindowsのコンピュータブラウズのためか!?
0 件のコメント:
コメントを投稿