How to SSH to a CEQURUX Firewall with PuTTY for Windows 95/98/NT/ME/2000/XP

NOTE:

Wherever this guide instructs you to edit files on the firewall, use the ee tool, i.e. ee <filename>
All the commands that you will need are displayed in the upper section of the ee screen.

You will also need to be logged in as root, so be careful!


  1. Obtaining PuTTY and PuTTYGen for Windows

    1. Download and save putty.exe and puttygen.exe.
      It is recommended that you save these files directly to your desktop as they are the actual program executables and are run directly from where they are saved.
    2. See the main web site for daily snapshots, FAQ, other client software, etc.

  2. Generating the private and public RSA key pair

    1. Run the puttygen.exe program.
    2. Click on the Generate button. You will have to move your mouse around to generate some randomness for the key.
    3. Fill in a comment (eg. Joe's RSA key) and type in a password for your private key.
      Be sure that the type of key is SSH1.
      Your screen should now look something like this screenshot.
    4. The public key appears in a text box near the top of the client window.
      To save it, highlight it with your mouse, then right-click on it and select copy.
      Open your favourite text editor, right-click and select paste.
      You should now see your public key appear as one long continuous line.
      Save this into a file, eg. identity.pub. Remember to save this somewhere where you will find it again.
    5. To save your private key, go back to the puttygen client window.
      Click on the Save button and save this file as eg. identity.
      You may wish to save it in the same location as your public key, but remember: Your private key (and your password) must be kept secure.

  3. Installing your Public key on the Firewall

    1. You will need to have KeyAdmin set up first. See the Quick Install Guide for more information.
    2. Run the CEQURUX KeyAdmin application and click the Retrieve Keys from Firewall button to open a connection to your Firewall.
      You should see something like this screenshot.
    3. Click the Add key button.
    4. Select RSA Public Key as the Key/User type and then click Next.
    5. When prompted Where from, click the File radio button and then click the Browse button.
      You could also add the public key directly from the clipboard (after copying the key from the puttygen client), but it is better to have a copy of the public key on file.
    6. Browse for your RSA public key and remember to select the correct file type.
    7. Click the Next button. You will now be prompted for your username. Enter it and click the Finish button.
    8. You should now see a new line corresponding to your RSA public key.
    9. Click the Save Keys to Firewall button.
      If successful, you will see Keys sent succesfully appearing at the bottom of the KeyAdmin client window.

  4. Setting up the trusted friend in FWADMIN
    1. Invoke fwadmin and navigate to the following menu:

          Other keys->Setup->Other keys->Remote admin

    2. In the trusted friend section, type in the username of the user who will be allowed remote ssh access.
    3. Fill in appropriate fields (most defaults should be fine).
    4. When you are finished, press Done several times until prompted to save.
    5. Save the changes and exit.
    6. Edit the file: /usr/local/custom/login.access.
      If the file is empty, insert a line similar to this:
          +:joe:ALL 
      where joe is replaced with your username.
      If the above line already exists, just insert the new username in the line so that usernames are separated by a comma as follows:
          +:joe,fred:ALL 
      Don't forget to type a comma to separate usernames!
      Save and exit.

      NOTE: Only one user can be added as a 'trusted friend' in this way.
      See further below for instructions on allowing ssh access for multiple users.


  5. Adding ssh permission on the firewall
    1. Invoke either fwadmin or remadmin and find the TCP Proxies setup screen.
      For fwadmin:

          Other keys->Setup->Access control->Services->TCP Proxies

      For remadmin:

          Access(radio button)->Proxies(tab)

    2. Insert/Append one ssh service. You may wish to set a source address restriction.
      NB: Leave the authentication method set to none. The SSH server will automatically attempt to use RSA authentication.
      If you specify an authentication method, then you will have to configure the authagent to handle authentication for SSH.

  6. Making the connection
    1. Invoke PuTTY by running the putty.exe executable.
    2. On the Session menu, enter your Firewall's hostname or IP address (remember to use the correct address, i.e. internal or external, depending on where you are connecting from) and select the SSH protocol radio button.
      The port will default to 22 for SSH.
    3. Click on the Connection category on the left. The Terminal type string should be xterm-color.
      Fill in your username in the Auto login username field. See the screenshot for an example.
    4. Select Auth under the SSH category and then click the browse button to find the private key file for authentication that you generated earlier.
    5. To set up the correct key bindings, select Keyboard under the Terminal category.
      Select the Control-H radio button for The Backspace key, Standard for Home and End keys and Xterm R6 for Function keys.
      Here is a screenshot.
    6. Go back to the Session category. You may now wish to save this connection profile by typing a name in the Saved Sessions field and clicking the Save button. See the screenshot for an example.
    7. To connect, click the Open button. You should see a window pop up and shortly thereafter you should receive a prompt for your RSA password.
      If all goes well, you should be logged in at the bash shell.

  7. Allowing ssh access for users other than the trusted friend

    1. Create an RSA Private/Public Key pair for the user using puttygen and add the public key using KeyAdmin (both procedures are explained earlier in this guide).
    2. As root user on the Firewall, type the adduser command (followed by enter) to add a new user.
      Follow the prompts on the screen. Most of the defaults (in square brackets [ ]) should be fine.
    3. Edit the file: /usr/local/custom/login.access.
      If the file is empty, insert a line similar to this:
          +:joe:ALL 
      where joe is replaced with your username.
      If the above line already exists, just insert the new username in the line so that usernames are separated by a comma as follows:

          +:joe,fred:ALL 
      Don't forget to type a comma to separate usernames!
      Save and exit.
    4. Now edit /usr/local/custom/keepusers.
      Add the new username to the end of the list.
      Save and exit.
    5. NB: Run the command fwadmin -A to initiate the changes.
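
The login.access edit described in sections 4 and 7, as an added shell example that is not part of the original guide: it inserts a username into the first +:...:ALL line only when it is missing, so the comma separation cannot be mistyped. The function names allow_user and demo_allow and the file-path argument are assumptions of this example, which lets it be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example (not from the guide): add a user to the "+:users:ALL" line of
# a login.access-style file without duplicating names or dropping the comma.
# allow_user and demo_allow are hypothetical names chosen for this example.

allow_user() {
    file=$1
    user=$2
    # Reject names that would break the colon/comma-separated record.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid username: $user" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file"            # the guide allows for an empty file
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -F: -v OFS=: -v u="$user" '
        # Edit only the first allow rule that applies from ALL origins.
        !done && $1 == "+" && $3 ~ /^ALL[ \t]*$/ {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == u) found = 1
            if (!found) $2 = ($2 == "" ? u : $2 "," u)
            done = 1
        }
        { print }
        END { if (!done) print "+", u, "ALL" }   # no rule yet: create one
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place only when the content changed (keeps owner and mode).
    cmp -s "$file" "$tmp" || cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample: start from the one-user line in the guide, add fred twice.
demo_allow() {
    f=$(mktemp) || return 1
    printf '+:joe:ALL\n' > "$f"
    allow_user "$f" fred && allow_user "$f" fred && cat "$f"
    rm -f "$f"
}
```

The keepusers entry and the fwadmin -A run from steps 4 and 5 are still required after the file has been updated.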

  8. Becoming the "root" superuser

    1. In order to become the root user, you will use the su - command. However, you first need to be part of the wheel group.
    2. Log into the firewall's console as root and edit the file: /etc/group
    3. You should see something like this:
      wheel:*:0:root,support
      daemon:*:1:daemon
      kmem:*:2:root
      sys:*:3:root
      etc.....
      
    4. Move the cursor (using your cursor keys) to the end of the wheel line and append a comma followed by your username.
    5. The line should now look something like this:
      wheel:*:0:root,support,joe
      Save and exit.
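
Once sections 4, 7 and 8 have been applied, it is worth reviewing which accounts can log in over ssh and which of those can go on to become root. The following is an added example, not part of the original guide, that cross-references login.access with the wheel line in /etc/group; it assumes only the comma-separated formats shown above, and ssh_user_report and demo_report are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the guide): list every user allowed in by a
# login.access-style file and whether the group file puts them in wheel,
# i.e. whether they can go on to run "su -". Function names are hypothetical.

ssh_user_report() {
    group_file=$1
    access_file=$2
    awk -F: '
        # First file: remember the members of the wheel group.
        FILENAME == ARGV[1] {
            if ($1 == "wheel") {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) wheel[m[i]] = 1
            }
            next
        }
        # Second file: every name on a "+" (allow) line, reported once.
        $1 == "+" {
            n = split($2, u, ",")
            for (i = 1; i <= n; i++) {
                if (u[i] == "" || (u[i] in seen)) continue
                seen[u[i]] = 1
                print u[i], ((u[i] in wheel) ? "can-su" : "no-su")
            }
        }
    ' "$group_file" "$access_file"
}

# Constructed sample built from the lines shown in this guide.
demo_report() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'wheel:*:0:root,support,joe' 'daemon:*:1:daemon' > "$d/group"
    printf '%s\n' '+:joe,fred:ALL' > "$d/login.access"
    ssh_user_report "$d/group" "$d/login.access"
    rm -rf "$d"
}
```

On the firewall the call would be ssh_user_report /etc/group /usr/local/custom/login.access; any account reported as can-su that should not have root access needs removing from the wheel line.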


The End.