When you use PuTTY to connect to your BrazilFW via SSH it will warn you if the firewall's SSH host key is different from the last time. Now you know the host at the other end is valid, but how does the server know the user is valid? The password! What prevents someone from trying all night with some special program?
Using Public Key encryption in SSH authenticates both sides. Of course, if your key is stolen you are still compromised, just as if someone stole your password. Chapter 8 of the PuTTY help explains all about using Public Keys. This is recommended reading to understand the process. You can use this public key while accessing BrazilFW Webadmin from the Internet.
In this demonstration I use the Windows version of PuTTY and its companion program puttygen.exe to generate an SSH-RSA key pair and install the public key in BrazilFW. I would do this while at the location of BrazilFW, just in case.
To generate the SSH-RSA key pair start puttygen.exe. On the bottom of the form select SSH2 RSA. You can leave the number of bits in the generated key at 1024 or increase it if you are paranoid. Click Generate and nothing happens. You must move the mouse around (wildly) for it to generate the key pair. This provides the randomness the generator needs.
After it generates the keys a form appears where you can enter a name in the key comment field, like BrazilFW-Office, if you like. This is so you can tell them apart if you use many keys.
Use a strong key passphrase. Don't cut-and-paste the Confirm passphrase, because if you type it wrong or forget it you are dead. There is no recovery. This passphrase is used to encrypt the key on your disk. Now save the private key and call it what you like; the default extension is .ppk. Then save the public key under a name you like. Below you will use the displayed public key in a copy-and-paste operation.
Ok, so how is this passphrase thing different from just using a password for root? Passwords can be tried by anyone on the Internet. This passphrase only unlocks the key on your computer, and I presume that computer is secure. Chapter 9 of the help describes how to use the program pageant.exe to enter the passphrase once per session instead of typing it by hand each time you use this key.
The idea is to create a file in the home directory of the userid root that will hold all the keys that are authorized. This file of keys will not survive a reboot, since the directory is not backed up by the BrazilFW backup function. Solve this by installing the package authorized_keys.tgz, which creates this authorized_keys file filled with a dummy entry.
Adding a new package requires a re-boot.
Connect to BrazilFW with PuTTY and type edit /root/.ssh/authorized_keys at the command prompt. Erase the dummy entry. Copy the public key displayed on the puttygen form and paste it into the editor. It should all be on one line. CTRL-Q to exit and Y to save. You can add as many keys as you want, one per line.
Now back up your BrazilFW. IMPORTANT!
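Before you take that backup and close the console session, it is worth checking that the file really has one key per line and that the dummy entry is gone: a key pasted with a line break in the middle silently fails to authenticate, and you only find out after the password method is turned off. The script below is an added example, not part of the original article or of BrazilFW; it assumes the placeholder shipped by authorized_keys.tgz contains the word "dummy" and treats a key body shorter than 100 characters as truncated (a real 1024-bit RSA body is around 200), both of which are my assumptions. The sample files are constructed here with fake key bodies.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an authorized_keys file
# as pasted from PuTTYgen, one "ssh-rsa <base64 body> [comment]" per line.
# Assumptions: the package placeholder contains the word "dummy", and a key
# body under 100 characters means the paste was cut short.

# check_authorized_keys FILE: print problems, return 0 only if FILE is clean
# and holds at least one usable key.
check_authorized_keys() {
    file=$1
    status=0
    lineno=0
    accepted=0
    [ -f "$file" ] || { echo "$file: not found"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments are fine
        keytype=$(printf '%s\n' "$line" | awk '{print $1}')
        keybody=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$keytype" in
            ssh-rsa|ssh-dss) ;;
            *) echo "line $lineno: does not start with a key type (key split across lines?)"
               status=1; continue ;;
        esac
        case "$line" in
            *dummy*) echo "line $lineno: placeholder entry still present"
                     status=1; continue ;;
        esac
        if ! printf '%s\n' "$keybody" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
            echo "line $lineno: key body is not base64"
            status=1; continue
        fi
        if [ "${#keybody}" -lt 100 ]; then
            echo "line $lineno: key body too short, paste was probably cut off"
            status=1; continue
        fi
        accepted=$((accepted + 1))
    done < "$file"
    echo "$file: $accepted key(s) accepted"
    [ "$status" -eq 0 ] && [ "$accepted" -gt 0 ]
}

SAMPLE_DIR=$(mktemp -d)
GOOD_KEYS=$SAMPLE_DIR/authorized_keys.good
BAD_KEYS=$SAMPLE_DIR/authorized_keys.bad

# Constructed sample: two keys, one per line, as PuTTYgen would show them.
# The bodies are fake base64 padding, not real keys.
cat > "$GOOD_KEYS" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA01234567890123456789012345678901234567890123456789012345678901234567890123456789 BrazilFW-Office
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAabcdefghijabcdefghijabcdefghijabcdefghijabcdefghijabcdefghijabcdefghijabcdefghij BrazilFW-Home
EOF

# Constructed sample of the mistakes the article warns about: the dummy entry
# was left in, and a key was pasted with a line break in the middle.
cat > "$BAD_KEYS" <<'EOF'
ssh-rsa AAAAdummykeyAAAA dummy@brazilfw
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfake
KeyBodyThree BrazilFW-Laptop
EOF

check_authorized_keys "$GOOD_KEYS" || echo "good sample unexpectedly rejected"
check_authorized_keys "$BAD_KEYS" || echo "bad sample rejected, as expected"
```

Run it on the BrazilFW console against /root/.ssh/authorized_keys after saving from the editor; only take the backup once it reports the number of keys you actually pasted.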
Exit PuTTY and restart it. Fill in the IP address in Session and, near the bottom left, click Auth in the SSH section. Browse for your private key and open it. Start your session and it will ask for the passphrase of your private key. Enter it and you are authenticated.
You can still log in using the root password method just by not selecting the private key above. This can be blocked by starting sshd with the -s option. Edit the file /etc/rc.d/rc.inet; near line 220 there is the following line:
/usr/sbin/sshd -p $SSH_PORT
Change it to:
/usr/sbin/sshd -s -p $SSH_PORT
The change requires a backup to survive a reboot. The next time you start SSH you will only be able to use public keys.
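Because this step is the one that can lock you out, it pays to make the edit with a check in front of it: refuse to add -s unless authorized_keys already holds at least one ssh-rsa key, and verify afterwards that exactly one sshd line exists and carries the option. The script below is an added example, not part of the original article or of BrazilFW. It assumes the sshd line looks exactly as the article shows it (/usr/sbin/sshd -p $SSH_PORT) and works on a constructed excerpt of rc.inet rather than the real file; point it at /etc/rc.d/rc.inet and /root/.ssh/authorized_keys yourself.

```shell
#!/bin/sh
# Added example (not from the article): turn on "sshd -s" in rc.inet only
# when a public key is already installed, and verify the result.
# Assumption: the line to change reads exactly "/usr/sbin/sshd -p $SSH_PORT".

# password_logins_disabled RCFILE: 0 if the sshd line already carries -s.
password_logins_disabled() {
    grep -q '^[[:space:]]*/usr/sbin/sshd -s -p \$SSH_PORT' "$1"
}

# disable_password_logins RCFILE KEYSFILE: add -s, but only if KEYSFILE has
# at least one ssh-rsa key, so you cannot lock yourself out of the box.
disable_password_logins() {
    rcfile=$1
    keys=$2
    if ! grep -q '^ssh-rsa ' "$keys" 2>/dev/null; then
        echo "refusing: $keys holds no ssh-rsa key, you would lock yourself out" >&2
        return 1
    fi
    if password_logins_disabled "$rcfile"; then
        echo "$rcfile: sshd -s already set"
        return 0
    fi
    # keep leading indentation, insert -s, write via a temp file (sed -i is
    # not available on every sed)
    sed 's|^\([[:space:]]*\)/usr/sbin/sshd -p \$SSH_PORT|\1/usr/sbin/sshd -s -p $SSH_PORT|' \
        "$rcfile" > "$rcfile.tmp" && mv "$rcfile.tmp" "$rcfile"
    if password_logins_disabled "$rcfile"; then
        echo "$rcfile: sshd -s set; back up BrazilFW now so it survives a reboot"
    else
        echo "$rcfile: sshd line not found, nothing changed" >&2
        return 1
    fi
}

SAMPLE_DIR=$(mktemp -d)
RC_SAMPLE=$SAMPLE_DIR/rc.inet
KEYS_SAMPLE=$SAMPLE_DIR/authorized_keys
EMPTY_KEYS=$SAMPLE_DIR/authorized_keys.empty

# Constructed excerpt of rc.inet with the line the article points at.
cat > "$RC_SAMPLE" <<'EOF'
# constructed excerpt, the real /etc/rc.d/rc.inet is much longer
SSH_PORT=22
/usr/sbin/sshd -p $SSH_PORT
echo "sshd started"
EOF

# Constructed key files: one with a (fake) installed key, one with none.
cat > "$KEYS_SAMPLE" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAfakeKeyBodyForTheDemoOnly BrazilFW-Office
EOF
printf '# no keys installed yet\n' > "$EMPTY_KEYS"

disable_password_logins "$RC_SAMPLE" "$EMPTY_KEYS" || echo "blocked without a key, as intended"
disable_password_logins "$RC_SAMPLE" "$KEYS_SAMPLE"
disable_password_logins "$RC_SAMPLE" "$KEYS_SAMPLE"   # second run is a no-op
grep '/usr/sbin/sshd' "$RC_SAMPLE"
```

The key-file check only proves a key is present, not that it works; test the passphrase login from PuTTY first, as the article does, and run this afterwards.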
DISCLAIMER: The following instructions come with no warranty. Use at your discretion and risks. I am not responsible for its misuse, damages, or losses that can be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.
It is presumed the reader has the skills to use PuTTY and to administer Brazil Firewall.
Get PuTTY
Use the Forums for support so everyone can share the information.
copyright for the writing. The ideas and code are free. Robert Bonomo