Problem: The common UNIX remote access protocols (telnet, FTP and the Berkeley r-commands) are unencrypted. Account and password information can easily be sniffed by unauthorized intruders and by others who have been granted access to the same network. OpenSSH can be used to encrypt all remote sessions, thereby eliminating this vulnerability.
OpenSSH is free and runs on virtually all of the different UNIX and Linux variants. Zlib, a compression library, and OpenSSL, the secure sockets layer software, are required by OpenSSH, so you need to install them first. A suitable random number generator is also highly recommended.
Note: The examples and instructions in this section demonstrate installation and configuration of Zlib, ANDIrand, PRNGD, OpenSSL, and OpenSSH on Solaris 8. Depending on the version of UNIX/Linux you are running, there will be some slight variation in specifics.
Tech Tip: In the installation/configuration sections which follow, it is highly recommended and in keeping with best security practices that 1) the integrity of downloads is verified with any mechanisms made available to you, such as checksums and/or cryptographic signatures, and 2) all steps be performed using non-root accounts, except for those which require root permissions.
Since all the software to install is in source code format and will have to be compiled, you need to make sure that you have a C compiler installed. If not, download and install the GNU C compiler.
$ cd /usr/local
$ gunzip ./gcc-3.2-sol8-sparc-local.gz
$ su
Password: ********
# pkgadd -d ./gcc-3.2-sol8-sparc-local
This will install a new Solaris package named SMCgcc. The gcc binary will be placed in /usr/local/bin. Use pkginfo to verify the installation, as shown below:
# pkginfo -l SMCgcc
   PKGINST:  SMCgcc
      NAME:  gcc
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  3.2
   BASEDIR:  /usr/local
    VENDOR:  Free Software Foundation
    PSTAMP:  Steve Christensen
  INSTDATE:  Nov 14 2002 16:52
     EMAIL:  steve@smc.vnet.net
    STATUS:  completely installed
     FILES:  1776 installed pathnames
                4 linked files
              136 directories
               43 executables
           548584 blocks used (approx)
$ cd /usr/local
$ gunzip ./zlib-1.1.4.tar.gz
$ tar xvf ./zlib-1.1.4.tar
This will create a source-code directory structure such as /usr/local/zlib-1.1.4.
$ cd /usr/local/zlib-1.1.4
$ ./configure
$ make test
$ su
Password: ********
# make install
Some UNIX implementations, such as Solaris 8, do not provide a random number generator (e.g. /dev/random) out of the box. OpenSSL will automatically provide a random number generator if one is not found on the system, but it is highly recommended to use a higher quality random number generator, such as ANDIrand, PRNGD or EGD. Instructions are provided below for both ANDIrand and PRNGD.
ANDIrand is a simple package install (as opposed to a source-code compile) and creates the /dev/random and /dev/urandom devices at install time, from which SSL, one of the prerequisites to OpenSSH, obtains its random data.
# cd /usr/local
# pkgadd -d ./ANDIrand-0.7-5.8-sparc-1.pkg
Note: You will be prompted as to whether to continue to install the package with root privileges; enter "Y" to continue.
This will install a new Solaris package named ANDIrand and will also create the /dev/random and /dev/urandom files on your system. Use pkginfo -l to see the details for the install:
# pkginfo -l ANDIrand
   PKGINST:  ANDIrand
      NAME:  random-0.7
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  0.7
    VENDOR:  Andreas Maier
      DESC:  random number generator
    PSTAMP:  200111201124
  INSTDATE:  Nov 18 2002 14:28
   HOTLINE:  http://www.cosy.sbg.ac.at/~andi/
     EMAIL:  andi@cosy.sbg.ac.at
    STATUS:  completely installed
     FILES:  13 installed pathnames
              8 shared pathnames
              2 linked files
              7 directories
              2 executables
             26 blocks used (approx)
PRNGD is a source-code compile, which creates a prngd executable to be run as a daemon on the UNIX system.
$ cd /usr/local
$ gunzip ./prngd-0.9.27.tar.gz
$ tar xvf ./prngd-0.9.27.tar
$ cd ./prngd-0.9.27
This will create a source-code directory structure such as /usr/local/prngd-0.9.27.
$ su
Password: *********
# make
# cp -p ./prngd /usr/local/sbin
# pwd
/usr/local/prngd-0.9.27
# cd contrib
# ls
AIX-3.2       IRIX-65       OSF1          SCO3          SunOS-4
AIX-4.3       Linux-2       OSR5          Solaris-2.6   Tru64
ATT-NCR       MacOSX-10     OpenUNIX-8    Solaris-7     Ultrix-4.5
HPUX          NeXTStep-3.3  ReliantUNIX   Solaris-8     Unixware-7
# cd Solaris-7
# ls
prngd.conf.solaris-7
# cp ./prngd.conf.solaris-7 /usr/local/etc/prngd/prngd.conf
Note: The Solaris-8 directory simply has instructions to use the conf file from the Solaris-7 directory.
# cat /var/adm/messages /var/log/syslog > /usr/local/etc/prngd/prngd-seed
# /usr/local/sbin/prngd /var/run/egd-pool
Since PRNGD is a daemon, you'll want to be sure to create a startup script and place it in the appropriate OS startup directory so the system will automatically start PRNGD on system startup. There are sample startup scripts for most OSes in the "contrib" sub-directory:
# pwd
/usr/local/prngd-0.9.27
# cd contrib
# ls
AIX-3.2       IRIX-65       OSF1          SCO3          SunOS-4
AIX-4.3       Linux-2       OSR5          Solaris-2.6   Tru64
ATT-NCR       MacOSX-10     OpenUNIX-8    Solaris-7     Ultrix-4.5
HPUX          NeXTStep-3.3  ReliantUNIX   Solaris-8     Unixware-7
$ cd /usr/local
$ gunzip ./openssl-0.9.7b.tar.gz
$ tar xvf ./openssl-0.9.7b.tar
$ cd openssl-0.9.7b
This will create the source-code directory structure, such as /usr/local/openssl-0.9.7b.
$ ./config
$ make          (go for coffee, this takes a while)
$ make test
$ su
Password: ********
# make install
$ cd /usr/local
$ gunzip ./openSSH-3.6.1p2.tar.gz
$ tar xvf ./openSSH-3.6.1p2.tar
This will create a source-code directory structure such as /usr/local/openSSH-3.6.1p2.
$ cd /usr/local/openSSH-3.6.1p2
$ ./configure
$ make
$ su
Password: ********
Since we do not want anyone logging in directly to this account, we should make it a non-interactive account. The following command creates the sshd user with a user id of 1100 and an invalid shell that prevents anyone from logging in directly:
# useradd -c "sshd owner" -d /var/empty -u 1100 -s /bin/false sshd
If the home directory for this account, /var/empty, does not exist, it should be created as follows:
# mkdir /var/empty
# chmod 555 /var/empty
As an extra measure of securing this account, issue the following command to lock it:
# passwd -l sshd
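The three properties set up above (an unusable shell, an empty unwritable home directory, a locked password) are easy to verify and worth re-checking after any later account maintenance. The following audit helper is an added example, not code from the book: it parses a passwd line and a shadow line and inspects a directory's mode bits. The sample lines and directories are constructed inside the script; on a live Solaris 8 host you would feed it the real entries, e.g. `privsep_account_ok "$(grep '^sshd:' /etc/passwd)" "$(grep '^sshd:' /etc/shadow)"` and `dir_unwritable /var/empty`.

```shell
#!/bin/sh
# Added audit helper (not from the book): confirm that the sshd account looks
# the way the install steps intend. Inputs below are constructed samples.

privsep_account_ok() {
  # usage: privsep_account_ok <passwd-line> <shadow-line>
  # Returns 0 if shell is non-interactive, home is /var/empty and the
  # password field is locked; prints one line per problem otherwise.
  pwline="$1"; shline="$2"; status=0
  user=$(printf '%s' "$pwline" | cut -d: -f1)
  home=$(printf '%s' "$pwline" | cut -d: -f6)
  shell=$(printf '%s' "$pwline" | cut -d: -f7)
  pwfield=$(printf '%s' "$shline" | cut -d: -f2)

  case "$shell" in
    /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
    *) echo "$user: interactive shell $shell" >&2; status=1 ;;
  esac

  if [ "$home" != "/var/empty" ]; then
    echo "$user: home is $home, expected /var/empty" >&2; status=1
  fi

  # Solaris 'passwd -l' writes *LK* into the shadow field; Linux 'usermod -L'
  # prefixes '!'; a bare '*' also disables password login.
  case "$pwfield" in
    '*LK*'*|'!'*|'*') ;;
    *) echo "$user: password field '$pwfield' is not locked" >&2; status=1 ;;
  esac
  return $status
}

dir_unwritable() {
  # usage: dir_unwritable <dir>
  # True if the directory exists and no write bit is set for anyone, which
  # is what 'chmod 555 /var/empty' produces. Uses ls -ld for portability
  # (no GNU stat on Solaris 8).
  [ -d "$1" ] || return 1
  perm=$(ls -ld "$1" | cut -c2-10)
  case "$perm" in *w*) return 1 ;; esac
  return 0
}

# --- constructed samples -------------------------------------------------
GOOD_PASSWD='sshd:x:1100:1100:sshd owner:/var/empty:/bin/false'
GOOD_SHADOW='sshd:*LK*:12000::::::'
BAD_PASSWD='sshd:x:1100:1100:sshd owner:/export/home/sshd:/bin/sh'
BAD_SHADOW='sshd:$1$saltsalt$fakehashfakehashfakeh:12000::::::'

DEMO=$(mktemp -d)
mkdir "$DEMO/var_empty" "$DEMO/writable"
chmod 555 "$DEMO/var_empty"
chmod 755 "$DEMO/writable"

privsep_account_ok "$GOOD_PASSWD" "$GOOD_SHADOW" && echo "sample account: OK"
privsep_account_ok "$BAD_PASSWD" "$BAD_SHADOW" || echo "sample account: NOT OK"
dir_unwritable "$DEMO/var_empty" && echo "$DEMO/var_empty: unwritable, OK"
dir_unwritable "$DEMO/writable" || echo "$DEMO/writable: writable, NOT OK"
```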
# make install
At the end of the make install output, you should see messages similar to the following:
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_key.
Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
The key fingerprint is:
71:9f:97:e7:23:53:1e:38:84:f2:91:ff:bc:6e:4a:59 root@client.example.com
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
24:95:93:f2:9f:c8:68:37:08:32:f8:12:95:63:26:3a root@client.example.com
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
45:a1:35:51:06:2d:0d:0f:1a:0c:a4:ab:41:05:cd:70 root@client.example.com
/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
Congratulations, you have successfully installed the OpenSSH software, both client-side and server-side. If the machine on which you installed will function as an OpenSSH client only (i.e., will initiate connections to remote systems, but not accept remote connections), then we're ready to test and verify that the installation is correct. If the machine will be an OpenSSH client and server (will accept remote connections) or an OpenSSH server only, there are a few more steps to perform.
Now that the OpenSSH software is installed, we need to make sure the server configuration is set up correctly. The configuration file for the SSH daemon is usually located in /etc/ssh and is called sshd_config. You can leave most of the settings alone as the defaults should work for most installations. However, the following should be verified to make sure they are set correctly.
Appendix A of this book contains a sample sshd_config file with comments pertaining to each option. This sample configuration file should work for most, if not all, current versions of OpenSSH.
Note |
In the OpenSSH configuration files, the absence of an option means OpenSSH will use the default settings for that option as specified in the man page for sshd. |
OpenSSH should be set to only allow SSHv2 connections. To do this, uncomment the "Protocol" line in sshd_config and place only a "2" after it, as shown below:
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
By default, this is not allowed. If you wish to allow incoming clients the ability to use the X11 Forwarding feature of OpenSSH, set the X11Forwarding option as shown below:
X11Forwarding yes
banner /etc/issue
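The settings listed above can be checked mechanically rather than by eye. The following script is an added example, not from the book: it reads a keyword's effective value from an sshd_config (sshd honours the first occurrence of a keyword, keywords are case-insensitive, and an absent keyword means the compiled-in default, as the note above says) and then audits the file against this section's requirements. Two constructed config files, one weak and one hardened, are written to a temporary directory so the script runs on its own; on a real host point audit_sshd_config at /usr/local/etc/sshd_config (or /etc/ssh/sshd_config). The defaults it assumes for absent keywords are those of OpenSSH 3.x: Protocol 2,1, PermitRootLogin yes, PubkeyAuthentication yes, X11Forwarding no, no Banner.

```shell
#!/bin/sh
# Added example (not from the book): audit an sshd_config against the settings
# this section asks for. The two config files written below are constructed.

sshd_config_value() {
  # usage: sshd_config_value <file> <Keyword>
  # Prints the effective value of a keyword: first match wins, keyword match
  # is case-insensitive, comments and blank lines are skipped. Prints nothing
  # when the keyword is absent (the compiled-in default then applies).
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

audit_sshd_config() {
  # usage: audit_sshd_config <file>
  # Returns 0 when every required setting is in place, 1 otherwise, printing
  # one FAIL line per problem. Assumed defaults (OpenSSH 3.x) for absent
  # keywords: Protocol 2,1; PermitRootLogin yes; PubkeyAuthentication yes;
  # X11Forwarding no; no Banner.
  f="$1"; bad=0
  proto=$(sshd_config_value "$f" Protocol)
  root=$(sshd_config_value "$f" PermitRootLogin)
  pubkey=$(sshd_config_value "$f" PubkeyAuthentication)
  x11=$(sshd_config_value "$f" X11Forwarding)
  banner=$(sshd_config_value "$f" Banner)

  if [ "$proto" != "2" ]; then
    echo "FAIL Protocol is '${proto:-<default 2,1>}', must be exactly 2 (otherwise SSHv1 is still accepted)"
    bad=1
  fi
  if [ "${root:-yes}" != "no" ]; then
    echo "FAIL PermitRootLogin is '${root:-<default yes>}', must be no"
    bad=1
  fi
  if [ "${pubkey:-yes}" != "yes" ]; then
    echo "FAIL PubkeyAuthentication is '$pubkey', must be yes"
    bad=1
  fi
  # Informational only: X11 forwarding should be off unless enabled on
  # purpose, and a missing Banner just means no pre-login notice is shown.
  echo "INFO X11Forwarding is '${x11:-<default no>}'"
  echo "INFO Banner is '${banner:-<none>}'"
  return $bad
}

# --- constructed sample configs -----------------------------------------
CONF_DIR=$(mktemp -d)
WEAK_CONF="$CONF_DIR/sshd_config.weak"
GOOD_CONF="$CONF_DIR/sshd_config.good"

cat > "$WEAK_CONF" <<'EOF'
# stock-looking file: Protocol still commented out, root login permitted
#Protocol 2,1
PermitRootLogin yes
pubkeyauthentication no
X11Forwarding yes
EOF

cat > "$GOOD_CONF" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
X11Forwarding no
Banner /etc/issue
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CONF" || echo "weak config rejected"
echo "== hardened config =="
audit_sshd_config "$GOOD_CONF" && echo "hardened config accepted"
```

After editing the real file, run the syntax check that the install output above already shows, sshd -t -f /usr/local/etc/sshd_config, before restarting the daemon; the audit catches wrong values, sshd -t catches malformed lines.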
The OpenSSH server daemon, sshd, must be started before OpenSSH clients will be allowed to connect.
You can simply launch the sshd daemon as root and place it in the background as follows:
# /usr/local/sbin/sshd &
You should also place this command in a startup script so that it launches each time the system is booted. For example, on Solaris 8 we could use an editor to insert and save the above command in the file /etc/init.d/sshd_start, then issue the following command:
# ln /etc/init.d/sshd_start /etc/rc3.d/S95sshd
Now each time the system is booted, the sshd daemon will start automatically as user "sshd".
SECTION I - Obtaining, Compiling and Installing OpenSSH
SECTION II - How to Use OpenSSH Clients for Unix-to-Unix Connectivity
SECTION III - How To Use PuTTY/WinSCP For PC-To-Unix Connectivity
SECTION IV - Using Public Key Authentication
SECTION V - Troubleshooting SSH Connections
SECTION VI - Advanced SSH Topics
Conclusion
Appendix - Sample sshd_config File