.NODE

Step 1.1 Install OpenSSH to Replace the Remote Access Protocols with Encrypted Versions

Overview

Problem: The common UNIX remote access protocols - telnet, FTP and the Berkeley r-commands -- are unencrypted. Account and password information can easily be sniffed by unauthorized intruders and others who have been granted access to the same network. OpenSSH can be used to encrypt all remote sessions, thereby eliminating this vulnerability.

OpenSSH is free and runs on virtually all of the different UNIX and Linux variants. Zlib, a compression library and OpenSSL, the secure sockets layer software, are required by OpenSSH, so you need to install them first. Also highly recommended is a suitable random number generator.

Note  

The examples and instructions in this section demonstrate installation and configuration of Zlib, ANDIrand, PRNGD, OpenSSL, and OpenSSH on Solaris 8. Depending on the version of UNIX/Linux you are running, there will be some slight variation in specifics.

Tech Tip  

In the installation/configuration sections which follow, it is highly recommended and in keeping with best security practices that 1) the integrity of downloads is verified with any mechanisms made available to you, such as checksums and/or cryptographic signatures, and 2) all steps be performed using non- root accounts, except for those which require root permissions.


Action 1 1 1 Download and install the GNU C compiler

Since all the software to install is in source code format and will have to be compiled, you need to make sure that you have a C compiler installed. If not, download and install the GNU C compiler.

  • Point your web browser to http://gcc.gnu.org/install/binaries.html
  • Click on the Solaris 2 - Sunfreeware link.
  • Click on FTP/Mirror Sites on the left-hand column, and then choose one of the mirror sites ( generally you will get better download performance from a mirror site).
  • Click on Sparc/Solaris 8 on the right-hand column to see the list of software available for Solaris 8; scroll down and click on the latest release of gcc (3.2 as of this writing)
  • Usually the latest gcc package will appear at the top of the page, e.g. gcc-3.2-sol8-sparc-local.gz . Download this package into /usr/local.
  • Uncompress the .gz file, as shown below:

    $ cd /usr/local
     $ gunzip ./gcc-3.2-sol8-sparc-local.gz
    
  • Use pkgadd to install the gcc binaries, as shown below:

    $ su
     Password: ********
     # pkgadd --d ./gcc-3.2-sol8-sparc-local
    

This will install a new Solaris package named SMCgcc. The gcc binary will be placed in /usr/local/bin . Use pkginfo to verify the installation, as shown below:

# pkginfo -l SMCgcc
 PKGINST: SMCgcc
 NAME: gcc
 CATEGORY: application
 ARCH: sparc
 VERSION: 3.2
 BASEDIR: /usr/local
 VENDOR: Free Software Foundation
 PSTAMP: Steve Christensen
 INSTDATE: Nov 14 2002 16:52
 EMAIL: steve@smc.vnet.net
 STATUS: completely installed
 FILES: 1776 installed pathnames
 4 linked files
 136 directories
 43 executables
 548584 blocks used (approx)


Action 1 1 2 Download, compile and install Zlib compression library

  • Point your web browser to http://www.gzip.org/zlib.
  • Download the latest version of the ".gz" format of Zlib (1.1.4 as of this writing) into /usr/local .
  • Use gunzip and tar to extract the source code, as shown below:

    $ cd /usr/local
     $ gunzip ./zlib-1.1.4.tar.gz
     $ tar xvf ./zlib-1.1.4.tar
    

This will create a source-code directory structure such as /usr/local/zlib-1.1.4 .

  • Review the README and Makefile files.
  • Configure, make and compile, as shown below:

    $ cd /usr/local/zlib-1.1.4
     $ ./configure
     $ make test
     $ su
    		 Password: ********
     # make install
    


Action 1 1 3 Download, compile and install a random number generator

Some UNIX implementations , such as Solaris 8, do not provide a random number generator (e.g. /dev/random) out of the box. OpenSSL will automatically provide a random number generator if one is not found on the system, but it is highly recommended to use a higher quality random number generator, such as ANDIrand, PRNGD or EGD. Instructions are provided below for both ANDIrand and PRNGD .

ANDIrand

ANDIrand is a simple package install (as opposed to a source-code compile) and creates the /dev/random and /dev/urandom devices at install time, from which SSL, one of the prerequisites to OpenSSH, obtains its random data.

  • Point your web browser to http://www.cosy.sbg.ac.at/~andi/SUNrand/.
  • Download the latest version of the package format (0.7 of this writing) into /usr/local .
  • Use pkgadd to install the ANDIrand binaries as user root, as shown below:

    # cd /usr/local
     # pkgadd -d ./ANDIrand-0.7-5.8-sparc-1.pkg
    
Note  

You will be prompted as to whether to continue to install the package with root privileges “ enter "Y" to continue

This will install a new Solaris package named ANDIrand and will also create the /dev/random and /dev/urandom files on your system. Use pkginfo “l to see the details for the install:

# pkginfo -l ANDIrand
 PKGINST: ANDIrand
 NAME: random-0.7
 CATEGORY: system
 ARCH: sparc
 VERSION: 0.7
 VENDOR: Andreas Maier
 DESC: random number generator
 PSTAMP: 200111201124
 INSTDATE: Nov 18 2002 14:28
 HOTLINE: http://www.cosy.sbg.ac.at/~andi/
 EMAIL: andi@cosy.sbg.ac.at
 STATUS: completely installed
 FILES: 13 installed pathnames
 8 shared pathnames
 2 linked files
 7 directories
 2 executables
 26 blocks used (approx)

PRNGD

PRNGD is a source-code compile, which creates a prngd executable to be run as a daemon on the UNIX system.

  • Point your web browser to http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
  • Click on the prngd 0.9.27 link in the Download section to download the latest version of the prngd source-code (0.9.27 of this writing) into /usr/local
  • Use gunzip and tar to extract the source code, as shown below:

    $ cd /usr/local
     $ gunzip ./prngd-0.9.27.tar.gz
     $ tar xvf ./prngd-0.9.27.tar
     $ cd ./prngd-0.9.27
    

This will create a source-code directory structure such as /usr/local/prngd-0.9.27 .

  • Review the 00README file for compile and install instructions
  • Use your favorite editor to edit the "Makefile" file and make the following 2 changes:

    1. Scroll down to the section corresponding to your particular OS and uncomment the lines in that section.
    2. Scroll down to the section beginning with " # Move default locations " and select a default location for storing the prngd-seed and prngd.conf files. (if you don't specify a "new" default location, the default is /usr/local/etc/prngd ).
  • Become root

    $ su
     Password: *********
     #
    
  • After saving changes to the Makefile, run make to compile the prngd source code:

    # make
    
  • Copy the prngd executable to /usr/local/sbin

    # cp -p ./prngd /usr/local/sbin
    
  • Copy a default prngd.conf file. There are sample prngd.conf files for numerous OS' under the contrib subdirectory. The location of the prngd.conf file should be consistent with what you specified earlier when you edited the Makefile. In the following example, a sample Solaris prngd.conf file is copied to the default location of /usr/local/etc/prngd :

    # pwd
     /usr/local/prngd-0.9.27
     # cd contrib
     # ls
     AIX-3.2 IRIX-65 OSF1 SCO3 SunOS-4
     AIX-4.3 Linux-2 OSR5 Solaris-2.6 Tru64
     ATT-NCR MacOSX-10 OpenUNIX-8 Solaris-7 Ultrix-4.5
     HPUX NeXTStep-3.3 ReliantUNIX Solaris-8 Unixware-7
     # cd Solaris-7
     # ls
     prngd.conf.solaris-7
     # cp ./prngd.conf.solaris-7 /usr/local/etc/prngd/prngd.conf
    
    Note  

    The Solaris-8 directory simply has instructions to use the conf file from the Solaris-7 directory.

  • Use the following command to generate an initial "seed" for PRNGD:

    # cat /var/adm/messages /var/log/syslog > /usr/local/etc/prngd/prngd-seed
    
  • Start PRNGD:

    # /usr/local/sbin/prngd /var/run/egd-pool
    

Since PRNGD is a daemon, you'll want to be sure to create a startup script and place it in the appropriate OS startup directory so the system will automatically start PRNGD on system startup. There are sample startup scripts for most OS' in the "contrib" sub-directory:

# pwd
 /usr/local/prngd-0.9.27
 # cd contrib
 # ls
 AIX-3.2 IRIX-65 OSF1 SCO3 SunOS-4
 AIX-4.3 Linux-2 OSR5 Solaris-2.6 Tru64
 ATT-NCR MacOSX-10 OpenUNIX-8 Solaris-7 Ultrix-4.5
 HPUX NeXTStep-3.3 ReliantUNIX Solaris-8 Unixware-7


Action 1 1 4 Download, compile and install OpenSSL

  • Point your web browser to http://www.openssl.org/source/
  • Download the latest version of the source code (0.9.7b as of this writing) into /usr/local
  • Use gunzip and tar to extract the source code, as shown below:

    $ cd /usr/local
     $ gunzip ./openssl-0.9.7b.tar.gz
     $ tar xvf ./openssl-0.9.7b.tar
     $ cd openssl-0.9.7b
    

This will create the source-code directory structure, such as /usr/local/openssl-0.9.7b

  • Review the README and INSTALL files
  • Configure, make and compile, as shown below:

    $ ./config
     $ make
    
    (go for coffee, this takes awhile)
    
    $ make test
     $ su
     Password: ********
     # make install
    


Action 1 1 5 Download, compile and install OpenSSH

  • Point your web browser to http://www.openSSH.com/portable.html
  • Download the latest version of the source code (3.6.1p2 as of this writing) into /usr/local
  • Use gunzip and tar to extract the source code, as shown below:

    $ cd /usr/local
     $ gunzip ./openSSH-3.6.1p2.tar.gz
     $ tar xvf ./openSSH-3.6.1p2.tar
    

This will create a source-code directory structure such as /usr/local/openSSH-3.6.1p2 .

  • Review the README and INSTALL files.
  • Issue the following commands to configure, make and compile OpenSSH. The default options, such as where the binaries will be installed, can be changed when the configure script is run. The options can be displayed by running ./configure “help .

    $ cd /usr/local/openSSH-3.6.1p2
     $ ./configure
     $ make
     $ su
     Password: ********
    
  • The OpenSSH software requires that we have an sshd UNIX account defined before it will start the "sshd" daemon. If we do not do this before we run make install , we will see the message "Privilege separation user sshd does not exist" at the end of the make install output.

Since we do not want anyone logging in directly to this account, we should make it a non-interactive account. The following command creates the sshd user with a user id of 1100 and an invalid shell that prevents anyone from logging in directly:

# useradd -c "sshd owner" -d /var/empty 
 -u 1100 -s /bin/false sshd

If the home directory for this account, /var/empty , does not exist, it should be created as follows :

# mkdir /var/empty
 # chmod 555 /var/empty

As an extra measure of securing this account, issue the following command to lock it:

# passwd -l sshd
  • Once the "sshd" user is created, OpenSSH can be installed as shown below.

    # make install
    

At the end of the make install output, you should see messages similar to the following:

Generating public/private rsa1 key pair.
 Your identification has been saved in /usr/local/etc/ssh_host_key.
 Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
 The key fingerprint is:
 71:9f:97:e7:23:53:1e:38:84:f2:91:ff:bc:6e:4a:59 root@client.example.com
 Generating public/private dsa key pair.
 Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
 Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
 The key fingerprint is:
 24:95:93:f2:9f:c8:68:37:08:32:f8:12:95:63:26:3a root@client.example.com
 Generating public/private rsa key pair.
 Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
 Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
 The key fingerprint is:
 45:a1:35:51:06:2d:0d:0f:1a:0c:a4:ab:41:05:cd:70 root@client.example.com
 /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config

Congratulations “ you have successfully installed the OpenSSH software - both client-side and server-side. If the machine on which you installed will function as an OpenSSH client only (i.e., will initiate connections to remote systems, but not accept remote connections), then we're ready to test and verify that the installation is correct. If the machine will be an OpenSSH client and server (will accept remote connections) or an OpenSSH server only, there are a few more steps to perform.


Action 1 1 6 Configure the sshd_config configuration file

Now that the OpenSSH software is installed, we need to make sure the server configuration is set up correctly. The configuration file for the SSH daemon is usually located in /etc/ssh and is called sshd_config. You can leave most of the settings alone as the defaults should work for most installations. However, the following should be verified to make sure they are set correctly.

Appendix A of this book contains a sample sshd_config file with comments pertaining to each option. This sample configuration file should work for most, if not all, current versions of OpenSSH.

Note  

In the OpenSSH configuration files, the absence of an option means OpenSSH will use the default settings for that option as specified in the man page for sshd.

  • Protocol “ The Protocol option sets which SSH protocol version to use. By default, SSHv1 and SSHv2 are permitted. Protocol version 1 has a number of vulnerabilities and its use is discouraged. More information on protocol version 1's problems can be found at http://www.openSSH.com/security.html

    OpenSSH should be set to only allow SSHv2 connections. To do this, uncomment the line "Protocol" in sshd_config and place only a "2" after it, as shown below:

    Protocol 2
    
  • PermitRootLogin “ is a setting which specifies whether or not root is allowed to log in remotely to the server. By default, OpenSSH allows this. Allowing root to log in remotely is typically discouraged since it provides one more avenue for an attacker to target and if root is compromised, an entire system is compromised. To disable the ability to remotely log in as root, change the "PermitRootLogin" as shown below:

    PermitRootLogin no
    
  • PubkeyAuthentication “ specifies whether or not SSHv2 public key authentication is allowed to be used. By default, this is set to "yes". If you plan on using public key authentication, you should verify that this option is still set to "yes". You can manually allow public key authentication by setting the option as shown below:

    PubkeyAuthentication yes
    
  • X11Forwarding “ specifies whether or not the OpenSSH daemon will allow connecting clients to use X11 Forwarding. X11 Forwarding is explained in detail in Step 6.3.

    By default, this is not allowed. If you wish to allow incoming clients the ability to use the X11 Forwarding feature of OpenSSH, set the X11Forwarding option as shown below:

    X11Forwarding yes
    
  • Banner “ The Banner option specifies a text file that will be displayed whenever anyone connects to the server with an SSH client. This may be required for legal purposes. The Banner option can be set as shown below:

    banner /etc/issue
    


Action 1 1 7 Configure auto start of sshd daemon (for OpenSSH server)

The OpenSSH server daemon, sshd, must be started before OpenSSH clients will be allowed to connect.

You can simply launch the sshd daemon as root and place it in the background as follows :

# /usr/local/sbin/sshd &

You should also place this command in a startup script so that it launches each time the system is booted . For example, on Solaris 8 we could use an editor to insert and save the above command in the file /etc/init.d/sshd_start , then issue the following commands:

# ln /etc/init.d/sshd_start /etc/rc3.d/S95sshd

Now each time the system is booted, the sshd daemon will start automatically as user "sshd".






OpenSSH. A Survival Guide for Secure Shell Handling, Version 1.0
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
ISBN: 0972427384
EAN: 2147483647
Year: 2002
Pages: 90
Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net