4. SSH setup

You may want to run your PDC on one box and use another box as a managed gateway. If so, you must set up the gateway to accept RSA-authenticated logins without passwords from the PDC.
Take a look at www.openssh.org for information on how to properly set up your ssh server and client for this.

4.1 Important

You should read the ssh documentation and make sure that you fully understand what you are doing when you set up RSA or any other kind of cryptographic authentication.
If security isn't an issue, just use my example and go on.

4.2 Key pair generation

To create a key pair, issue the following command on the machine meant to be the PDC:

    pdc:~# ssh-keygen -t rsa

Answer the questions and copy the resulting public key to the gateway itself. Usually the public key goes to "~/.ssh/id_rsa.pub".

    pdc:~# cd .ssh
    pdc:~# scp id_rsa.pub root@gateway:/root/.ssh/authorized_keys2

4.3 SSH enabled logon script

The following is a standard /etc/smbgate/users/user script modified to use the ssh cryptographic authentication.

    #!/bin/sh
    #
    COMMAND=$1      # iptables command for the rule
    ADDRESS=$2      # source address to masquerade
    EXTIF=$3        # external interface on the gateway
    IPTABLES='/sbin/iptables'
    # ssh joins these words into one string that root's shell on the gateway
    # executes, so the three arguments must come from a trusted source.
    ssh root@gateway $IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE

Note that the iptables binary is called through ssh on the gateway. Again, make sure that you read the ssh server documentation.
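
The key installed in 4.2 carries no restrictions, so it can run any command as root on the gateway, not only the iptables call from 4.3. One way to narrow it, shown here as an added example that is not part of the original HOWTO: a forced-command wrapper on the gateway that accepts only the rule shape the logon script sends. The wrapper path /usr/local/sbin/smbgate-nat, the key-file entry in the comments, and the assumption that COMMAND is always -A or -D are illustrative.

```sh
#!/bin/sh
# Added example, not part of the HOWTO. Assumed install path on the gateway:
#   /usr/local/sbin/smbgate-nat
# Assumed entry in root's authorized keys file (one line, key is a placeholder):
#   command="/usr/local/sbin/smbgate-nat",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PDC-PUBLIC-KEY> root@pdc
IPTABLES='/sbin/iptables'

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the iptables arguments for a request of the exact shape
#   /sbin/iptables <-A|-D> POSTROUTING -t nat -s <ipv4> -o <iface> -j MASQUERADE
# and fail for anything else (extra words, other flags, shell metacharacters).
build_rule() {
    set -f                      # no filename expansion while splitting
    set -- $1
    set +f
    [ $# -eq 11 ] || return 1
    [ "$1 $3 $4 $5 $6 $8 ${10} ${11}" = \
      "$IPTABLES POSTROUTING -t nat -s -o -j MASQUERADE" ] || return 1
    case "$2" in -A|-D) ;; *) return 1 ;; esac
    valid_ipv4 "$7" || return 1
    case "$9" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#9} -le 15 ] || return 1    # Linux interface names are at most 15 chars
    printf '%s\n' "-t nat $2 POSTROUTING -s $7 -o $9 -j MASQUERADE"
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    rule=$(build_rule "$SSH_ORIGINAL_COMMAND") || {
        echo "smbgate-nat: request rejected" >&2
        exit 1
    }
    exec $IPTABLES $rule        # safe to split: every word was validated above
fi
```

With this entry in place the logon script on the PDC stays unchanged; sshd ignores the command the client names and runs the wrapper, which rebuilds the rule from validated words only.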