phirebird

Configuring a client-to-site VPN through PPTP on a Cisco router

When configuring a new Cisco router, turning on the VPN server functionality is a really handy feature to have, but again it's one of those things that you only need once in a while. There are millions of different things that you can tweak (authentication, IP allocation, etc.), but I'll run through how to configure it for use in a small office environment.

First off, you’ll want to make sure that you have VPN server functionality. Again, this is determined by your IOS image. Check your feature set on the Cisco feature navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Once you’ve done that – on to the configuration. I’ll point out anything that’s worth noting.

Enter configuration mode, set some basic aaa and enable vpdn:

phbrouter#conf t
phbrouter(config)#aaa new-model
phbrouter(config)#aaa authentication ppp default local
phbrouter(config)#aaa authorization network default if-authenticated
phbrouter(config)#vpdn enable
phbrouter(config)#

As mentioned, this is a fairly basic config. You'll notice that we're authenticating against the local user list (which we'll define later). If you wanted to, you could use RADIUS instead (which is outside the scope of this article! Maybe I'll cover it some other time!). Next we need to set up a VPDN group, tell it that we accept dial-in, define what protocol it should use and which virtual interface template to use for incoming connections (which we'll create later):

phbrouter(config)#vpdn-group 1
phbrouter(config-vpdn)#accept-dialin
phbrouter(config-vpdn-acc-in)#protocol pptp
phbrouter(config-vpdn-acc-in)#virtual-template 1
phbrouter(config-vpdn-acc-in)#exit
phbrouter(config-vpdn)#exit
phbrouter(config)#

Great! Halfway there. The next stage is to create a virtual interface template that will be brought up when a user connects. This includes the address allocation and what authentication we want to accept. MS-CHAP and MS-CHAP v2 are good enough for our purposes (bear in mind that PPTP's MPPE session keys are derived from the user's password hash, so the tunnel is only as strong as the password and the MS-CHAP exchange that protects it):

phbrouter(config)#int Virtual-Template1
phbrouter(config-if)#desc VPN Virtual Interface
phbrouter(config-if)#ip unnumbered FastEthernet0/0
phbrouter(config-if)#peer default ip address pool vpnpool
phbrouter(config-if)#ppp encrypt mppe auto
phbrouter(config-if)#ppp authentication ms-chap ms-chap-v2
phbrouter(config-if)#exit
phbrouter(config)#

You'll notice that it'll try to grab an address from a pool (rather creatively) named vpnpool. We'll define this now, but be sure to change this to a free address range on your network (also big enough to accommodate your number of users):

phbrouter(config)#ip local pool vpnpool 192.168.1.150 192.168.1.160
phbrouter(config)#

The final stage is to define some users. Seeing as we're going to be using the local user list, it's a really good idea to set these users to privilege level 0 (for obvious reasons: these are VPN credentials and should carry no rights on the router itself):

phbrouter(config)#username joebloggs privilege 0 password joebloggsrules
phbrouter(config)#username jackbloggs privilege 0 password brownbear

And you're finished! You can use the Cisco VPN Client to connect from remote locations, but I find the built-in Windows 'Connection Wizard' is a lot lighter (!) and more than sufficient.

This was done on a router with an existing aaa policy. If I’ve missed anything out – please post your feedback!

 

Are you looking to learn more about Cisco equipment? Well, here’s a selection of a few books that I’ve found useful over the years:


Cisco: A Beginner’s Guide
 
CCNA – Cisco Certified Network Associate Study Guide
 
Cisco Networking for Dummies
 
Cisco IOS in a Nutshell – O’Reilly

 

Citrix client under FreeBSD

After much faffing around, I've managed to get the Citrix client working under FreeBSD 7. Simply downloading the most current release of the Linux ICA client doesn't seem to work any more, so you will need an older version of the linuxx86 client. Citrix don't seem to carry old versions, so I've uploaded them for your convenience here:

http://www.phirebird.net/files/linuxx86-v7.00.tar.gz
or
http://www.phirebird.net/files/linuxx86-v10.tar.gz

Usual rules apply – I won’t be held responsible through any misuse of these, they’re provided as is with no support, etc given or implied.

Right, first you'll want to enable Linux binary support (lang/linux_base). Adding linux_load="YES" to your /boot/loader.conf will ensure that you have support next time you boot. As for the installation of the client:

  1. Save the client (above) into an empty directory and cd to it.
  2. gzip -d linuxx86.tar.gz      (or whatever you've called it)
  3. tar -xvf linuxx86.tar
  4. cp /usr/bin/true /bin/true
  5. cp /usr/bin/false /bin/false
  6. ./setupwfc

After running through the installation (pretty self-explanatory), if everything's OK, you should now have the Citrix client located in /usr/lib/ICAClient/. cd to this location and run ./wfcmgr

 

Did you find this hint useful? Are you looking to learn more? Well, here’s a few books that I’ve found useful – have a goosie!


Absolute FreeBSD: The Complete Guide
 
FreeBSD unleashed
 
Design and Implementation of FreeBSD
 
The Best of FreeBSD Basics

 

 

EDIT 17th June 2009: I’ve just noticed that Thomas Abthorpe will be committing net/citrix_xenapp (v11) to the FreeBSD ports collection. Requires a bit of tweaking, but you can read up on it at his page here:

http://wiki.freebsd.org/ThomasAbthorpe/CitrixOnFreeBSD/

Thanks Thomas!

Wireless configuration under FreeBSD 7 wpi0

This is something that I keep coming back to and Googling for. After piecing all the bits of information together last time, I thought I'd share what I've found. Using these modifications, I've successfully configured an Intel PRO/Wireless 3945ABG network interface in my IBM ThinkPad R60 to automatically associate with a wireless network on startup (via WPA authentication) and grab an IP address through DHCP. With slight modifications, you should be able to get PRO 2100/2200 working.

First off, you want to make sure that your wireless interface is picked up and the necessary kernel modules are loaded before anything. So, after making sure that you’ve read the Intel WPI license agreement, edit /boot/loader.conf and add:

if_wpi_load="YES"
wlan_load="YES"
wlan_amrr_load="YES"
legal.intel_wpi.license_ack=1
wpifw_load="YES"

Next, create yourself the file that contains your wireless config – /etc/wpa_supplicant.conf

network={
ssid="YOURWIRELESSNAME"
psk="YOURWIRELESSKEY"
}
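The psk line above stores the passphrase in clear. As an added example, not from the original post, the following Python derives the 64-hex-digit PSK that wpa_supplicant accepts on an unquoted psk= line, using the same PBKDF2-HMAC-SHA1 derivation (4096 iterations, SSID as the salt) that wpa_passphrase(8) performs, renders the network block with it, and includes a small check for configs that still carry a quoted passphrase. The SSID and passphrase used are constructed sample values; the function names are the example's own.

```python
import hashlib
import re

# Added example (not part of the original post): derive the WPA/WPA2 PSK the
# way wpa_passphrase(8) does, so the network block can carry a 64-hex-digit
# psk instead of the cleartext passphrase. WPA-PSK is defined as
# PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32-byte output).


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit PSK as 64 lowercase hex characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)
    return key.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant.conf network={} block.

    The ssid stays quoted (a string); the psk is written unquoted, which
    wpa_supplicant reads as a raw hex key rather than a passphrase."""
    return "network={\n\tssid=\"%s\"\n\tpsk=%s\n}\n" % (ssid, wpa_psk(ssid, passphrase))


_QUOTED_PSK = re.compile(r'^\s*psk="')


def cleartext_psk_lines(conf_text: str) -> list:
    """Audit helper: 1-based line numbers of psk= entries that still hold a
    quoted cleartext passphrase rather than a 64-hex-digit key."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if _QUOTED_PSK.match(line)]


if __name__ == "__main__":
    # Constructed sample values, not a real network.
    print(network_block("YOURWIRELESSNAME", "correct horse battery staple"))
```

The derived key is still a credential (anyone holding it can join the network), so keep /etc/wpa_supplicant.conf readable by root only; the gain is that the memorable passphrase itself is not sitting in the file.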

Finally, you want to edit /etc/rc.conf to make sure that your device is configured and grabs an IP on startup. Add this line:

ifconfig_wpi0="WPA DHCP"

You should be done! Time to reboot and see! If it doesn't work, first try a quick 'ifconfig' to see if your interface has been detected (it should be wpi0):

wpi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:13:02:6b:a9:03
inet 192.168.0.103 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid <YOURSSIDHERE> channel 11 (2462 Mhz 11g) bssid 00:18:f8:33:f5:1f
authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit
TKIP 3:128-bit txpower 50 bmiss 7 scanvalid 60 protmode CTS
roaming MANUAL

Things to check for – an IP address and if it’s associated (or not!). If you’re not even seeing the wpi0 interface, check your /boot/loader.conf is correct.

If the interface is there, but not associated – check /etc/wpa_supplicant.conf (and /etc/rc.conf). Chances are though that your wireless configuration is wrong. Make sure you’ve spelt your SSID correctly and that your key is also right (case sensitive – remember!)

If you're associated but aren't getting an IP address, first make sure that your key is correct, that rc.conf is trying to get you an IP and that (duh) a DHCP server is in operation on your network!


Cisco IOS VPN Configuration

Not too sure where I got this information from originally, but it has helped me to configure my own VPNs over the years:

Cisco IOS VPN Configuration

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared
secret for authentication.

10.5.6.0/24                                            172.23.9.0/24
    |                                                          |
  --|                                                          |--
    |     +-----------+     /-^-^-^-^--\     +-----------+     |
    |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
    |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
  --| 10.5.6.1   14.15.16.17           22.23.24.25  172.23.9.1 |--
    |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's
LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has
the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
interface address, 172.23.9.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "hr5xb84l6aa9r6"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

   * TripleDES
   * SHA-1
   * ESP tunnel mode
   * MODP group 2 (1024 bits)
   * Perfect forward secrecy for rekeying
   * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
   * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
     172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPSec support, beginning with early versions of IOS
Version 12; however the commands have changed during the evolution of IOS
Version 12 point releases.  The following example uses the current release
version, Cisco IOS Version 12.2(8)T4.

This example uses a Cisco 1700 series router, which has one ethernet port
and one serial port.  The ethernet port, FastEthernet0, will be the outside,
or Internet-facing interface.  The serial port, Serial0, will be the inside
interface.  (This is just an example.  Your interfaces may be different.)

All configuration changes are volatile, and immediate, until the "write"
command is executed, when the configuration is saved to flash and will be
reloaded after a reboot.  At any time, you may examine the running
configuration with the command "show running-config", or view the
saved configuration with the command "show config".  Most commands can be
abbreviated.  Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router# 

Define the default route:

Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Cisco supports only one IKE policy per router, so you must design one which
is acceptable to all systems you are going to interoperate with.  Assign it
an ordering number of 5.  If you wanted to have more than one proposal in
the policy, the proposals would be given in order defined by this policy
order number.  Configure the IKE Policy:

Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

Since multiple peers will share the same IKE policy, you must match each
peer with its pre-shared secret:

Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config)# exit

The IPSEC transform will be combined later with the rest of the IPSEC policy
in a crypto map command.  In this command, "STRONG" is just a label.  Labels
are CASE-SENSITIVE.  Define the IPSEC transform:

Router# config term
Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Router(config)# exit

Cisco IOS uses access lists for SPD entries.  Many features of access lists
(e.g. TCP flag checking) don't work in IPSEC.  This kind of access list
MUST be labelled with a 3-digit number.  The netmasks in Cisco access lists
are inverted: they are wildcard masks, where a 1 bit means "don't care", so
0.0.0.255 covers a /24.  Nobody knows why, they just are.  This list says
"all traffic from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP
protocols".  Create the IPSEC access list:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
Router(config)# exit
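The wildcard-mask rule above is easy to get backwards, so here is an added example (Python, not from the original text) that derives the inverted mask from an ordinary prefix, renders the access-list line used in this scenario, and applies the same matching rule to sample addresses. It also handles the non-contiguous wildcards IOS allows, which the text does not show. The function names and the ACL-number ranges it checks are the example's own.

```python
import ipaddress
from typing import Tuple

# Added example, not from the original text: build the wildcard-mask form that
# IOS access lists use, and show the matching rule behind it. A Cisco wildcard
# is the bitwise inverse of the netmask: a 1 bit means "do not care".


def wildcard_mask(prefix: str) -> Tuple[str, str]:
    """'10.5.6.0/24' -> ('10.5.6.0', '0.0.0.255')."""
    net = ipaddress.ip_network(prefix, strict=True)   # rejects host bits set
    return str(net.network_address), str(net.hostmask)


def acl_line(number: int, src: str, dst: str, proto: str = "ip",
             action: str = "permit") -> str:
    """Render an extended numbered access-list entry for an IPsec selector."""
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("extended IP access lists use 100-199 or 2000-2699")
    s_addr, s_wild = wildcard_mask(src)
    d_addr, d_wild = wildcard_mask(dst)
    return f"access-list {number} {action} {proto} {s_addr} {s_wild} {d_addr} {d_wild}"


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True if addr matches base under the wildcard: only the 0 bits of the
    wildcard are compared, so non-contiguous wildcards work as IOS treats them."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_selects(line: str, src_ip: str, dst_ip: str) -> bool:
    """Apply one 'access-list N permit|deny ip S SW D DW' entry to a packet.
    Returns True only when the packet matches a permit entry."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only the 'permit/deny ip' form is parsed here")
    matched = (wildcard_match(src_ip, t[4], t[5])
               and wildcard_match(dst_ip, t[6], t[7]))
    return matched and t[2] == "permit"


if __name__ == "__main__":
    line = acl_line(101, "10.5.6.0/24", "172.23.9.0/24")
    print(line)
    print(acl_selects(line, "10.5.6.77", "172.23.9.10"))   # inside both subnets
    print(acl_selects(line, "10.5.7.1", "172.23.9.10"))    # wrong source subnet
```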

Because IOS is a router first and an IPSEC gateway second, we have to tell
IOS which interface to send packets on if the default route is not enough.
In this scenario we don't need it, but in other situations you might need to
define a route for the remote protected network:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.1
Router(config)# exit

A crypto map binds all the assorted crypto parameters with a specific remote
gateway.  Several crypto maps bound to different remote gateways can be
grouped together in one crypto map SET which is then bound to an outgoing
interface.  The number following the crypto map set name is the ordering of
the map in the set.  Bind the policy together with a crypto map, and give it
the label CISCO:

Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

Because Ciscos could have many interfaces, you have to bind the SPD to the
outgoing interface:

Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a
different access list for each tunnel, add an isakmp key entry for each
gateway, and possibly create a different ipsec transform if your security
policy is different.  For example, let's say you have another remote peer at
23.23.24.25, for which you have created access-list 102.  You could then add
a crypto map to the set created above:

Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit

Now the outgoing interface FastEthernet0 has both crypto maps, and it will
compare traffic to each map in order to determine if the traffic requires
encryption.

Save the configuration:

Router# write
Building configuration...
[OK]

Here is the completed IPSEC part of the Cisco configuration:

Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set security-association lifetime seconds 3600
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!

Now, bring up a tunnel!  The IOS ping command extensions will allow you to
select the source interface, and hence IP address, of the ping:

Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hmmmm ... what could be wrong?  Let's check some basics:

Router# show ip int brief
Interface                  IP-Address      OK? Method Status            Protocol
FastEthernet0              14.15.16.17     YES manual up                   up
Serial0                    10.5.6.1        YES manual down                 down

Ah, the serial interface is down.  I have to actually connect it up to something
to bring the interface up.  Now, the ping works and brings up the SAs.

Show the SAs with these commands:

Router# show crypto isakmp sa
dst             src             state           conn-id    slot
14.15.16.17     22.23.24.25     QM_IDLE               1       0

Router# show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The easiest way to clear SAs from a Cisco IOS system varies with version, but
one of these two will generally work:

Router# clear crypto isakmp
Router# clear crypto sa

To enable debugging in IOS, you must turn on the debug as well as turn on the
debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor


Hide Run option from the Start Menu

Another useful tweak (especially in terminal server environments!) is the ability to hide the Run option from the Start Menu. Start Registry Editor and navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a new DWORD value named NoRun and set it to 1.

Prevent viewing of drives through Internet Explorer

I’ve already covered how to hide local drives from My Computer (and common dialog boxes). But, you might want to also crack down on users circumventing this by typing the drive letter into an Internet Explorer window to get access to them.

Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a DWORD value and name it NoFileURL. Set it to 1 (which means that drives cannot be viewed with IE).

 You might also consider hiding the Run menu option too (which I’ll have another dig around for!)

Hide drives from My Computer

Here’s how to hide drive letters from within My Computer.  When users open My Computer from the desktop, they will see an icon for each drive on the system.  With the following Registry change, you can hide these icons, preventing users from finding them and using them.

Why would you want to do this? Well, apart from the obvious shifty method of hiding your stuff, it’s VERY useful in terminal server environments where you want to hide the potentially sensitive system drives, local floppy disk or CD-ROM drives. Not so silly now, eh? Remember that you can still access these drives by typing the drive letter directly (for instance in an Open/Save/Run dialog box). I’ll dig out another tweak later to show how to crack down on this too!

Open Registry Editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a DWORD value and name it NoDrives. As for its value, you'll need to work it out depending on which drives you wish to hide. Simply add them together from the following list (each drive letter is one bit, A being the lowest). The total is what you'll use for the NoDrives value.

A=1
B=2
C=4
D=8
E=16
F=32
G=64
H=128
I=256
J=512
K=1024
L=2048
M=4096
N=8192
O=16384
P=32768
Q=65536
R=131072
S=262144
T=524288
U=1048576
V=2097152
W=4194304
X=8388608
Y=16777216
Z=33554432

For example, if you want to hide drives A, C and D the value would be 13 (1 + 4 + 8).
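Here is an added example (Python; not from the original post) that does the arithmetic of the table above in both directions: encoding a set of drive letters into the NoDrives value, decoding a value found in an existing registry back into drive letters, and rendering the result as a .reg file for the key named above. The function names are the example's own.

```python
from typing import Iterable, List

# Added example, not from the original post: compute and decode the NoDrives
# bitmask. Bit 0 is drive A and bit 25 is drive Z, exactly the table above.

EXPLORER_POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                       r"\CurrentVersion\Policies\Explorer")
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def nodrives_value(letters: Iterable[str]) -> int:
    """'ACD' -> 13. Letters are case-insensitive; anything else is rejected."""
    value = 0
    for ch in letters:
        c = ch.upper()
        if c not in LETTERS:
            raise ValueError(f"not a drive letter: {ch!r}")
        value |= 1 << (ord(c) - ord("A"))
    return value


def nodrives_letters(value: int) -> List[str]:
    """13 -> ['A', 'C', 'D']: decode a value read back from the registry,
    useful when auditing what a policy already hides."""
    if not 0 <= value < (1 << 26):
        raise ValueError("NoDrives uses only the low 26 bits")
    return [LETTERS[i] for i in range(26) if value >> i & 1]


def nodrives_reg_file(letters: Iterable[str]) -> str:
    """Render a .reg file that sets NoDrives under the key named on the page.
    Registry Editor expects CRLF line endings and a hex DWORD."""
    value = nodrives_value(letters)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{EXPLORER_POLICY_KEY}]\r\n"
            f'"NoDrives"=dword:{value:08x}\r\n')


if __name__ == "__main__":
    print(nodrives_value("ACD"))             # 13, as in the worked example above
    print(nodrives_letters(13))              # ['A', 'C', 'D']
    print(nodrives_reg_file("ACD"))
```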

Please make sure that you backup your registry BEFORE carrying out this modification, etc, etc, etc!

Enabling SSH on a Cisco Router

So, you want to configure SSH on your Cisco router, eh? Well, it's a good choice to make! So how do you do it? Well, first you've got to make sure that your IOS image has IPSec (DES or 3DES) encryption and is later than 12.1(1)T, which you can easily tell by entering the image filename into the Cisco feature navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

I’m running a Cisco 3660 with c3660-ik9o3s-mz.124-6.T.bin which has IPSec and 3DES – so we’re good to go.

SSH doesn’t like a router that doesn’t have a configured hostname or domain name. So, we’ll make sure that both of them are done now:

 Router# conf term
 Router(config)# hostname phbrouter
 phbrouter(config)# ip domain-name phirebird.net
 phbrouter(config)#

Right. Now you're ready to create an RSA key pair. While generating, you'll notice that it asks how many bits you'd like to use in the modulus. Don't accept the default of 512. Instead, select at least 1024 bits (1024-bit RSA is itself considered too short these days, so pick 2048, the top of the range the prompt offers, unless the router is painfully slow generating it).

 phbrouter(config)# crypto key generate rsa
 The name for the keys will be: phbrouter.phirebird.net
 Choose the size of the key modulus in the range of 360 to 2048
        for your General Purpose Keys. Choosing a key modulus greater than
        512 may take a few minutes.
 How many bits in the modulus [512]: 1024
 % Generating 1024 bit RSA keys …[OK]
 phbrouter(config)#
 * May  16 10:05:28.283: %SSH-5-ENABLED: SSH 1.99 has been enabled
 phbrouter(config)#

To make sure that everything has been configured correctly, you can issue these commands:

 show ip ssh  (Displays the version and basic configuration)
 show ssh  (Displays the status of any connections)

You may stop reading here, but it’s a good idea to familiarise yourself with the other SSH configuration options open to you:

phbrouter(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

Most notable here is that running SSH on a different port is probably a good idea (but try leaving it on the default 22 and see how many connection attempts you get!). Bear in mind that moving the port only cuts down on log noise; it is an access-class on the vty lines that actually limits who can connect. The number of authentication-retries default is 3, which is fair enough, and the time-out default is 120 seconds (maybe a bit long?).
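To turn the options above, and the local-user lines in the PPTP post earlier on this page, into something checkable, here is an added example (Python; not the page's or Cisco's own code) that audits a running-config for the settings discussed: usernames stored with 'password' rather than 'secret', 'ppp authentication' that still admits MS-CHAP v1 (or PAP/CHAP), an SSH time-out above a local threshold, more authentication retries than the default, the absence of 'ip ssh version 2' (the "SSH 1.99" in the key-generation output above means the router will negotiate both v1 and v2), and vty lines that still accept Telnet. SAMPLE_CONFIG is constructed from the page's own commands, the secret hash is a placeholder, and the 60-second time-out threshold is an assumed local policy, not an IOS default.

```python
from typing import List, Tuple

# Added example, not the page's or Cisco's code: a small audit pass over an IOS
# running-config that flags the settings discussed in the VPN and SSH sections.
# SAMPLE_CONFIG is constructed from the page's commands; the hash is a placeholder.

SAMPLE_CONFIG = """\
hostname phbrouter
ip domain-name phirebird.net
!
aaa new-model
aaa authentication ppp default local
username joebloggs privilege 0 password joebloggsrules
username jackbloggs privilege 0 secret 5 $1$PLACEHOLDER$hashgoeshere
!
interface Virtual-Template1
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
line vty 0 4
 transport input telnet ssh
"""

SSH_TIMEOUT_MAX = 60     # assumed local policy threshold, not an IOS default
SSH_RETRIES_MAX = 3      # the IOS default; anything higher is flagged

Finding = Tuple[str, int, str]   # (code, 1-based line number, message); line 0 = whole config


def audit_ios_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    ssh_v2 = False
    vty_blocks = []      # [(header line no, [(line no, stripped text), ...])]
    current = None       # the 'line vty' block we are inside, if any
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if raw.startswith(" ") and current is not None:
            current[1].append((n, s))       # indented line inside a 'line vty' block
            continue
        if not raw.startswith(" "):
            current = None                  # any top-level line ends the block
        toks = s.split()
        if s.startswith("line vty"):
            current = (n, [])
            vty_blocks.append(current)
        elif s.startswith("username ") and "password" in toks:
            findings.append(("PLAINTEXT_PASSWORD", n,
                             "username stored with 'password' (type 0); use 'secret'"))
        elif s.startswith("ppp authentication") and (
                "ms-chap" in toks or "pap" in toks or "chap" in toks):
            findings.append(("WEAK_PPP_AUTH", n,
                             "ppp authentication admits MS-CHAP v1, PAP or CHAP"))
        elif s == "ip ssh version 2":
            ssh_v2 = True
        elif s.startswith("ip ssh time-out") and int(toks[-1]) > SSH_TIMEOUT_MAX:
            findings.append(("SSH_TIMEOUT", n,
                             f"ip ssh time-out {toks[-1]} exceeds {SSH_TIMEOUT_MAX}"))
        elif (s.startswith("ip ssh authentication-retries")
              and int(toks[-1]) > SSH_RETRIES_MAX):
            findings.append(("SSH_RETRIES", n,
                             f"ip ssh authentication-retries {toks[-1]} exceeds {SSH_RETRIES_MAX}"))
    if not ssh_v2:
        findings.append(("SSH_VERSION", 0,
                         "no 'ip ssh version 2': router offers SSH 1.99 (v1 and v2)"))
    for header, body in vty_blocks:
        transports = [t.split() for _, t in body if t.startswith("transport input")]
        if not transports or any("telnet" in t or "all" in t for t in transports):
            findings.append(("VTY_TELNET", header,
                             "vty lines do not restrict transport input to ssh"))
    return findings


if __name__ == "__main__":
    for code, line_no, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"{code:20} line {line_no:3}  {msg}")
```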


Enabling SSH under FreeBSD

Anyone that’s diddled around with SSH under FreeBSD will be all too familiar with this error message when trying to start the SSH daemon directly:

fbsd1# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
fbsd1#

To keep it happy, you could generate /etc/ssh/ssh_host_dsa_key manually using ssh-keygen (as you used to in previous FreeBSD releases), but a much more straightforward way of enabling it now exists. All you have to do is edit /etc/rc.conf and tag on this line:

sshd_enable="YES"

Next time the system starts, it'll automatically generate any necessary keys for you and start accepting SSH requests. If you're of the impatient type and want SSH to start right now, use this:

killall sshd
/etc/rc.d/sshd start

And that’s it!
