One of the problems of using a FreeBSD box on your Windows network is how to access it without a monitor and keyboard. In a small embedded systems shop, there may not be any free space for a monitor and keyboard. On top of that, most commercial embedded development tools run under Windows, so it's more than likely that your developers are running Windows as well.
If you have remote developers, you'll want to give them access to the FreeBSD machine too, but it had better be secure access! Standard applications like telnet are not good enough because they transmit sensitive information such as passwords over the network in clear-text.
These issues are neatly solved by PuTTY, a free Windows application that provides SSH (secure shell) access to machines running sshd, and it's an xterm terminal emulator as well! Did I mention it's also free?
If you do end up using PuTTY, consider making a donation to the developers. At the very least, write them a nice email about how their work has helped you.
The following paragraphs from the Berkeley CSUA SSH-howto document neatly summarize the purpose of SSH...
SSH (Secure Shell) is a program to log into another computer over
a network, to execute commands in a remote machine, and to move
files from one machine to another. It provides strong authentication
and secure communications over insecure channels. It is intended
as a replacement for rlogin, rsh, and rcp.
SSH protects the user from illicit network snooping ("packet
sniffing"), whereby un-encrypted passwords and text can be read
by unscrupulous persons.
SSH is most useful for logging into a UNIX computer from a Windows
or Mac computer or from another UNIX computer, where the traditional
'telnet' and 'rlogin' programs would not provide password and
session encryption; the CSUA administrative personnel tend to
use SSH exclusively in preference to telnet or rlogin, except in
cases where SSH is not available.
When we set up FreeBSD and booted for the first time, one of the things that got done included setting up the RSA key pairs that allow SSH (and other encryption technologies on the server) to work. Here's a part of the log from the post-install section of the FreeBSD Installation Guide.
Doing additional network setup:.
Starting final network daemons: creating ssh RSA host key
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
cd:76:89:16:69:0e:d0:6e:f8:66:d0:07:26:3c:7e:2d root@k6-2.example.com
creating ssh DSA host key
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
f9:a1:a9:47:c4:ad:f9:8d:52:b8:b8:ff:8c:ad:2d:e6 root@k6-2.example.com
.
Of course, your keys will be different than the ones shown here, but the key pairs will still be located in /etc/ssh/.
Using PuTTY is pretty easy once you have it installed, which is as easy as clicking on the self-installing archive you can download directly from their site.
After installing the program, click on the PuTTY icon on your desktop. In the box labelled "Host Name (or IP address)" enter the fixed address for your new FreeBSD box. Then click on the "Open" button to start the session.
The first time you connect with your FreeBSD box, you will be greeted with the following security alert.
Now, double check the number you wrote down in the checkout phase of the setup procedure and verify that the fingerprints match. If they do, click "Yes" and the fingerprint will be added to PuTTY's list of known servers.
From now on, you won't need to verify the server key, and you'll go right to the normal login screen you'd see as if you were in front of your FreeBSD box. Cool, eh?
Eventually, you'll allow other users, or even remote access to the FreeBSD box, so you might want to keep track of the fingerprint and send it out to users that want to connect to your machine. There's no reasonable way to figure out your host keys from the fingerprint, so don't worry about sending it out.
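The fingerprint check described above, as an added example that is not part of the original article: it computes the colon-separated MD5 fingerprint (the format shown in the install log) from a protocol-2 public key line such as the contents of /etc/ssh/ssh_host_dsa_key.pub, and compares it with the value a client displays. The sample key is constructed for illustration, and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def md5_fingerprint(pubkey_line: str) -> str:
    """Return the colon-separated MD5 fingerprint of a protocol-2 .pub line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob starts with its own copy of the key type; a mismatch means
    # the line was damaged or edited on its way to you.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprints_match(expected: str, presented: str) -> bool:
    """Compare two fingerprints, ignoring case and surrounding whitespace."""
    a = expected.strip().lower().encode()
    b = presented.strip().lower().encode()
    return hmac.compare_digest(a, b)


# Constructed sample key (not a real host key): type name plus two dummy integers.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa")
               + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(bytes(range(1, 65))))
SAMPLE_LINE = ("ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
               + " root@k6-2.example.com")

if __name__ == "__main__":
    recorded = md5_fingerprint(SAMPLE_LINE)   # value written down at the console
    shown_by_client = recorded.upper()        # same value as a client might show it
    print(recorded, fingerprints_match(recorded, shown_by_client))
```

The rsa1 key in /etc/ssh/ssh_host_key.pub uses a different file format and is not handled by this example.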
To reduce the security risk of someone being able to log in as root, the standard FreeBSD security settings do not allow logins from that account. Now you'll find out why we added sysadmin to the wheel group. Log in as sysadmin. Now type su and give the root password when prompted.
Voila! You are now root and can add users and groups and do generally dangerous stuff on your shiny new FreeBSD box.
With this in mind, do not, unless absolutely necessary and you really know what you are going to do, log into your root account. When you're done, exit the root account to minimize the risk of doing something really stupid!
The next installment of this series goes into some detail about installing an up-to-date perl and the Apache 2 server from source. We'll also cover the very cool FreeBSD Ports system.
Stay tuned!