2008-04-17 16:13:33

openssh on server

OpenSSH is bundled with RedHat Linux and Solaris 9, and the ssh service is enabled by default. On these platforms we do not need to deploy it, though we still need to configure it. For Solaris versions older than 9, we have to deploy OpenSSH manually.

Solaris 8

grams

The sources for these different programs are on sunfreeware.com, or you can go to their home pages listed below:

Package        URL                                                Remarks
zlib
PERL
prngd
OpenSSL
OpenSSH
egd
TCP wrapper    ftp://ftp.porcupine.org/pub/security/index.html    Optional

To obtain the patches, go to

112438-03 SPARC/Solaris 8 patch for /kernel/drv/random

It has been pointed out that some of the recommended patch clusters already contain the patches above. So, you may want to check to see if the patch is already installed.

Download the patch and install it as indicated in the instructions. You will probably need to reboot your system for the patch to take effect. Reboot with boot -r so that the new devices are created.

Note: If you are running a system where unscheduled downtime is not allowed, it is possible to do this without rebooting. For example:

patchadd 112438-01
mknod /devices/pseudo/random@0:random c 82 0
mknod /devices/pseudo/random@0:urandom c 82 1
chgrp sys /devices/pseudo/random*
cd /dev
ln -s ../devices/pseudo/random@0:random /dev/random
ln -s ../devices/pseudo/random@0:urandom /dev/urandom
modload /kernel/drv/random

 

Packages:

openssh-4.3p2-sol8-sparc-local.gz
openssl-0.9.8b-sol8-sparc-local.gz
tcp_wrappers-7.6-sol8-sparc-local.gz (optional, but recommended)
zlib-1.2.1-sol8-sparc-local.gz
libgcc-3.3-sol8-sparc-local.gz
perl-5.8.5-sol8-sparc-local.gz (optional)
prngd-0.9.25-sol8-sparc-local.gz (optional)
egd-0.8-sol8-sparc-local.gz (optional)

Uncompress the gz packages by gunzip and install them by pkgadd.

 

# gunzip openssh-4.3p2-sol8-sparc-local.gz
# pkgadd -d openssh-4.3p2-sol8-sparc-local
 

Create the folder /var/spool/prngd.

Create the init script for prngd:

 

-r-xr-xr-x   1 root     sys           292 Jul  8  2004 /etc/init.d/prngd
lrwxrwxrwx   1 root     other          15 Jul  8  2004 /etc/rc0.d/K03prngd -> ../init.d/prngd
lrwxrwxrwx   1 root     other          15 Jul  8  2004 /etc/rc3.d/S98prngd -> ../init.d/prngd

 

Contents of /etc/init.d/prngd:

 

#!/bin/sh
# Start/stop script for prngd, the entropy-gathering daemon used by OpenSSL
# and OpenSSH on systems without a working /dev/random.
# Collect the PID of the running prngd, if any.
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`

case $1 in
'start')
        /usr/local/sbin/prngd /var/spool/prngd/pool
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/prngd {start|stop}"
        ;;
esac

 

Create the sshd user and the /var/empty directory (used by sshd for privilege separation):

 

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

 

/var/empty should not contain any files.

 

Host keys:

Each machine that you want to connect to with the ssh client needs an sshd daemon running. Before starting it, run the following three commands to create the host keys for the server machine.

 

# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

 

Set up the init script

 

-rwxr-xr-x   1 root     bin           268 Jul  8  2004 /etc/init.d/sshd
lrwxrwxrwx   1 root     other          14 Jul  8  2004 /etc/rc0.d/K04sshd -> ../init.d/sshd
lrwxrwxrwx   1 root     other          14 Jul  8  2004 /etc/rc3.d/S99sshd -> ../init.d/sshd

 

Contents of /etc/init.d/sshd:

 

#!/bin/sh
# Start/stop script for the OpenSSH daemon installed under /usr/local.
# Collect the PIDs of every running sshd; this includes the per-session sshd
# children, so "stop" also terminates established sessions.
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`

case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac

 

 

4.2 Setting up the test_user account for remote access

The procedures below describe how to set up the user account test_user on allenunix so that it can access the remote server testunix without supplying a password. It is assumed that the UNIX account exists on both the allenunix and testunix servers.

 

4.2.1 Generate the private and public key pair

On allenunix,

/usr/local/bin/ssh-keygen -t dsa -b 1024
Generating public/private dsa key pair.
Enter file in which to save the key (/test_user/home/test_user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /test_user/home/test_user/.ssh/id_dsa.
Your public key has been saved in /test_user/home/test_user/.ssh/id_dsa.pub.
The key fingerprint is:
e3:fe:fa:da:de:b9:23:a3:30:43:55:a4:f7:bc:2f:32 test_user@allenunix

 

The private and public keys are stored under the home directory in .ssh as id_dsa and id_dsa.pub respectively. Because no passphrase was given, the private key is unencrypted on disk and is protected only by its file mode (0600, as the listing below shows).

 

allenunix:root /test_user/home/test_user/.ssh  5 > ls -la
total 16
drwxr-xr-x   2 test_user     other        512 Oct 11 13:24 .
drwxr-xr-x   4 test_user     afsa        5120 Oct 11 12:16 ..
-rw-------   1 test_user     staff        668 Oct 11 13:24 id_dsa
-rw-r--r--   1 test_user     staff        604 Oct 11 13:24 id_dsa.pub
allenunix:root /test_user/home/test_user/.ssh  6 > cat id_dsa


allenunix:root /test_user/home/test_user/.ssh  7 > cat id_dsa.pub
ssh-dss [base64 public key data omitted] test_user@allenunix

 

Please note that the public key file is always a single-line file.

 

4.2.2 Append the public key to the authorized_keys file on the remote server

Copy id_dsa.pub to the testunix server. Append it to the authorized_keys file, which holds the public keys of all remote users permitted to log in to this account.

 

On testunix,

 

testunix:test_user /tmp  2 > cat id_dsa.pub >> ~test_user/.ssh/authorized_keys

4.2.3 Try running ssh on allenunix

On allenunix,

 

allenunix:test_user ~  5 > ssh testunix ls

 

It should list the contents of the home directory of user test_user on testunix.
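If the ssh command above still prompts for a password, the usual cause is that sshd (which runs with StrictModes on by default) silently ignores ~/.ssh or authorized_keys when they are group- or world-writable, or that a pasted key was wrapped onto several lines. The following check is an added example for the key-setup procedure in 4.2, not code from the original post; it uses only ls and awk so it also runs on Solaris 8, which has no stat(1). make_fixture and its key text are constructed for trying it offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a user's .ssh directory
# and authorized_keys are acceptable to sshd with StrictModes. Ownership (the
# user or root) is not checked here.

mode_of() {
    # First field of `ls -ld`, e.g. drwx------
    ls -ld "$1" | awk '{print $1}'
}

group_or_world_writable() {
    # Characters 6 and 9 of the mode string are the group and other write bits.
    m=`mode_of "$1"`
    case "$m" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# check_ssh_dir DIR: returns 0 when DIR/authorized_keys is usable by sshd.
check_ssh_dir() {
    dir="$1"; keys="$dir/authorized_keys"
    [ -d "$dir" ]  || { echo "missing directory $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    if group_or_world_writable "$dir"; then
        echo "$dir is group/world writable: fix with chmod 700 $dir"; return 1
    fi
    if group_or_world_writable "$keys"; then
        echo "$keys is group/world writable: fix with chmod 600 $keys"; return 1
    fi
    # Each key must be one line: type, base64 blob, optional comment. Blank and
    # comment lines are skipped; lines with a leading options field
    # (from=..., command=...) are not handled by this check.
    bad=`awk '/^#/ || NF == 0 { next }
              NF < 2 || $1 !~ /^(ssh|ecdsa)-/ { n++ }
              END { print n+0 }' "$keys"`
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $keys"; return 1; }
    return 0
}

# make_fixture SCRATCHDIR MODE: builds a constructed sample .ssh directory so the
# check can be tried offline; prints the directory path.
make_fixture() {
    d="$1/.ssh"
    mkdir -p "$d" && chmod "$2" "$d"
    # constructed placeholder key text, not a real key
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed test_user@allenunix\n' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    echo "$d"
}
```

On the real server, run check_ssh_dir ~test_user/.ssh as test_user after appending the key.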

other such traditional programs transmit users' passwords across the Internet unencrypted. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. It makes your connection much safer.

 

The OpenSSH suite includes the ssh program, which replaces telnet, rsh and rlogin, and scp, which replaces rcp and ftp. OpenSSH also provides sftp and sftp-server, which implement an easier solution for file transfer.

 
