The Schneider Family Website

Let's Secure Your SGxx Using OpenSSH Keys

So, you want to securely access your Toshiba Magnia SGxx series internet server appliance (SG10?, SG20, SG25 and SG30) from anywhere on the internet, do you? And you don't want hackers to be able to do the same? Now I'm no expert or guru, but this is what worked for me. Consequently, I am not responsible if something goes wrong. Use this information at your own risk. At least it's 100% free!

Everything you need in the way of software to run an SSH server is already loaded into your machine and just needs to be configured. You will, however, need to download and configure the necessary applications to run on your Windoze box.

The following example is based on everything I did to get this working on my and other Linux boxes. Much of the stuff here in blue you can copy/paste to the command line or config files to make it work (assuming the paths are the same; if you are on a typical Red Hat box they should be). The exception is anything that has the word 'NAME' in it. You'll have to substitute the appropriate user for the word 'NAME'.

It's not as hard as it might look, so don't be intimidated. I have included lots of example code and explanation to the best of my limited ability. Nothing we will do is going to crash your machine but be careful!!! You can easily lock yourself out of your own machine just like you'd like to do to the hackers, possibly for good!!! If you do lock yourself out, you can likely get back in using telnet. Hopefully I will have done a good enough job of explaining things you'll even understand what you are doing after you have finished. More help is available at http://openssh.org/manual.html

Again, USE AT YOUR OWN RISK! Everyone should have a disclaimer for something, right?

If you get yourself all in a kerfuffle contact me and I'll do what I can to help you out.

Remember, comments are done with the pound sign (#).

Let's Get Ready

Open up port 22 on your SGxx by navigating to your Toshiba admin page (http://myserver:8282 or whatever your server is named), going to Network->Firewall->Customize. Click 'SSH Server' and OK.

Next, download Putty.exe and Puttygen.exe at http://www.putty.nl/download.html.

While you are at it, download WinSCP too at http://winscp.net/eng/download.php#download2. This is a nice GUI tool for file management on a remote server. You can edit files, run some commands and do other stuff with it too.

I like the Standalone applications for both of the above because they run as a stand alone app and don't need to be installed. This is nice because they can be run on any machine from a USB drive.

Let's Get Started

Use Puttygen.exe to make a public and private key file. To do this, open Puttygen.exe, click the 'Generate' button and move your mouse around until the progress bar moves all the way to the right and a bunch of options appear. Enter a pass phrase and confirm it. Click 'Save Public Key' and, to keep things simple, name it the same as the user's name; in this case we'll call it NAME. Also click 'Save private key' and save it as NAME.ppk; you will need that file later on your Windoze box.

Upload the public key to the .ssh directory in the home directory of the user it is being created for. On a SGxx you can easily do this by using Explorer to move it to \\myserver\public. That gets it onto the SGxx hard drive. Then, using PuTTY (there will be permission issues so log on as root for this), move it to the user's home directory like this:

mkdir /home/users/NAME/.ssh
mv /home/public/NAME /home/users/NAME/.ssh/NAME

The root user's home directory is /root so the command would be (remember, the key file is named for the user "root"):

mv /home/public/root /root/.ssh/root

Append the public key to your authorized_keys file with the following command, but first, make a backup copy just in case:

cp /home/users/NAME/.ssh/authorized_keys /home/users/NAME/.ssh/authorized_keys.copy
ssh-keygen -i -f /home/users/NAME/.ssh/NAME >> /home/users/NAME/.ssh/authorized_keys

You need to change the owner and permissions of the user's .ssh directory and its contents.

chown -R NAME:users /home/users/NAME/.ssh
chmod 0700 /home/users/NAME/.ssh
chmod 0600 /home/users/NAME/.ssh/*
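Here is a quick way to double-check the key install steps above before moving on. This is an added example, not part of the original write-up: the function names are made up for illustration, and it only looks at the directory you pass it (for example /home/users/NAME/.ssh). It catches wrong permissions and a PuTTYgen key that was appended without going through ssh-keygen -i.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a user's .ssh
# directory after the key install steps. The directory is passed as $1.

# Print the 10-character type/mode string for a path, e.g. drwx------
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# check_ssh_dir DIR: print one line per problem; return the problem count.
check_ssh_dir() {
    dir=$1
    ak="$dir/authorized_keys"
    problems=0
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "BAD: $dir is not a directory with mode 0700"
        problems=$((problems + 1))
    fi
    if [ ! -f "$ak" ]; then
        echo "BAD: $ak does not exist"
        return $((problems + 1))
    fi
    if [ "$(mode_of "$ak")" != "-rw-------" ]; then
        echo "BAD: $ak is not mode 0600"
        problems=$((problems + 1))
    fi
    # PuTTYgen's 'Save public key' writes a multi-line SSH2 (RFC 4716) file.
    # Appended without 'ssh-keygen -i', sshd cannot use it.
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$ak"; then
        echo "BAD: $ak contains an unconverted PuTTYgen key"
        problems=$((problems + 1))
    fi
    # A usable entry is one line: [options] key-type base64-blob [comment]
    if ! grep -Eq '(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) +AAAA[A-Za-z0-9+/]+' "$ak"; then
        echo "BAD: $ak has no OpenSSH-format key line"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run directly as: sh check_ssh_dir.sh /home/users/NAME/.ssh
if [ "$#" -gt 0 ]; then check_ssh_dir "$1"; fi
```

No output and an exit status of 0 means the directory looks right.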

Move the private key file, NAME.ppk, into the same directory on your Windoze box that PuTTY is in so it's handy (especially if you put it on a USB drive).

Let's Get Configured

First off, let's get PuTTY ready. Open PuTTY. On the left you will see a tree view of options to set. When opening, the tree default is 'Session'. Here you will enter your static public IP address or domain name. Enter the same IP (or whatever you want to name it, the IP makes it easy to keep straight) into the 'Saved Sessions' field also. In the left tree, scroll down and expand 'Connection' and 'SSH' and click on 'Auth'. You should see the label 'Authentication Parameters' and a 'Browse' button. Browse to the private key file, NAME.ppk, you put in the PuTTY directory. Go back up to 'Session' again in the left tree and click 'Save'.

You'll also want to configure WinSCP. Open up WinSCP and click 'New'. Again, enter your static public IP address or domain name into the 'Host name' field. Next to the 'Private key file' field, click 'Browse' and navigate to your private key file, NAME.ppk. Click 'Save' and enter a good descriptive name. Again, I recommend you use the same thing as in the 'Host name' field to keep it simple.

To get OpenSSH to reject all password logins and accept only logins with a key, you need to edit the config file /etc/ssh/sshd_config. Note: Be careful not to log out or close the file at least until you test the configuration and get favorable results. You can easily lock yourself out of your machine, possibly for good!!! Make the following changes and save:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
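sshd uses the first uncommented value it finds for each keyword, so a 'PasswordAuthentication yes' further up the file, or a line that is still commented out, quietly leaves password logins on. The script below is an added example (not part of the original write-up, function names made up for illustration) that reports what the global section of a config file really sets. It assumes the plain 'Keyword value' form shown above.

```shell
#!/bin/sh
# Added example (not from the original page): report whether an sshd_config
# file really switches password logins off and leaves key logins on.

# sshd_global_value FILE KEYWORD
# Print the value from the first uncommented KEYWORD line that appears
# before any Match block. Keywords are matched case-insensitively.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }            # comment or blank line
        tolower($1) == "match" { exit }            # end of global section
        tolower($1) == want    { print $2; exit }  # first value wins
    ' "$1"
}

# key_only_ready FILE: return 0 only if passwords are off and keys are on.
key_only_ready() {
    pw=$(sshd_global_value "$1" PasswordAuthentication)
    pk=$(sshd_global_value "$1" PubkeyAuthentication)
    rc=0
    # Both options default to yes when no uncommented line sets them.
    case "${pw:-yes}" in
        [Nn][Oo]) ;;
        *) echo "PasswordAuthentication is not 'no': passwords still accepted"
           rc=1 ;;
    esac
    case "${pk:-yes}" in
        [Yy][Ee][Ss]) ;;
        *) echo "PubkeyAuthentication is not 'yes': key logins will be refused"
           rc=1 ;;
    esac
    echo "AuthorizedKeysFile: $(sshd_global_value "$1" AuthorizedKeysFile)"
    return "$rc"
}

# Run directly as: sh key_only_ready.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then key_only_ready "$1"; fi
```

sshd reads /etc/ssh/sshd_config when it starts, so the settings are only in force once sshd has been restarted or reloaded. Keep your current session open while you test a new login.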

Let's Try It Out

Open PuTTY, select the configuration you just made from the 'Saved Sessions' field and select 'Load', then 'Open'. Hopefully, you are greeted with the prompt 'login as:'. Type in the username the key file was created for and enter. You should then be prompted for the pass phrase. Type in the correct pass phrase and you should be in. If not, PuTTY will exit and go away and you'll know there is a problem.

WinSCP will either prompt you for the pass phrase if your setup is successful or you will get a dialog box with the following error message:

Authentication log (see session log for details):
Using username "root".
No supported authentication methods left to try!

Connection has been unexpectedly closed. Server sent command exit status 0.

If you don't get favorable results you will need to closely examine all of the steps above to find where you went wrong. Remember: Do not log out or close the file /etc/ssh/sshd_config at least until you test the configuration and get favorable results. You can easily lock yourself out of your machine, possibly for good!!!

For added convenience you may wish to use Pageant.exe as well. This step is not needed but is nice. Pageant stores your key's passphrase in memory so you don't have to type it in every time you log on with PuTTY or WinSCP. The best way to set it up is in a shortcut by having something similar to this under the 'Shortcut' tab in the 'Target' field:

"C:\Program Files\PuTTY and WinSCP\pageant.exe" "C:\Program Files\PuTTY\NAME.ppk"

Double-click the shortcut, type in your passphrase and click 'OK'. You will now see an icon of a monitor with a hat on it in your system tray. For PuTTY, right click on it, hover over 'Saved Sessions' and pick your session. For WinSCP, just use as normal. You won't be prompted for a passphrase again until you close Pageant.

If you have questions, comments or suggestions for improvements to this page, please contact me.
