Cover V09, I10
Article

oct2000.tar


Installing and Configuring OpenSSH

Matt Lesko

Thanks to the proliferation of packet sniffers and the escalating reasons for data security and integrity, it should no longer be acceptable to allow network logins to be sent in plain text. By discovering passwords sent over the wire or hijacking a connection via man-in-the-middle attacks, a malicious cracker could quickly commandeer your network for her own nefarious purposes. Luckily, a solution has been created, Secure Shell, which replaces plain-text communication protocols, such as telnet, rsh, and rlogin. Many other features are included besides encryption, such as X11 forwarding (which allows secure use of X applications across a network), port forwarding (allowing standard TCP ports to be securely accessed), strong authentication, authentication forwarding (allowing a single resource to hold authorization information), Kerberos and AFS ticket forwarding, and data compression.

Secure Shell, or SSH, was originally a free implementation written by Tatu Ylonen. After restrictive licenses were placed upon the code, Bjorn Gronvall decided to write a more open version of the software, called OSSH. This caught the attention of the developers of OpenBSD, already well known for their extensive attention to security. Within a few months, OpenSSH 1.2.2 had been released (and incorporated into OpenBSD 2.6). Many additions and improvements were made to the previous version, including: all patent-encumbered algorithms removed and replaced, support of ssh 1.5 protocol, support for Kerberos IV authentication, and far leaner, cleaner, more secure code. The license is extremely liberal, and may be used without charge for commercial and non-commercial applications alike. The patent on RSA public-key algorithm expires in September 2000, making both protocol versions usable free of charge.

Development continued on OpenSSH, culminating on May 4, 2000 when OpenSSH 2.0 was released. OpenSSH 2.0 works with the ssh 1.3, 1.5, and superior 2.0 protocols, with the ability to automatically adjust to the best performing protocol. Since then, development has continued, particularly in the area of porting to other operating systems. OpenSSH is now available for Linux, Solaris, HP/UX, Irix, AIX, SCO, and NeXT.

Getting OpenSSH

OpenSSH can be downloaded from the team's Web site at:

http://www.openssh.com/portable.html
It is available in RPM format for Linux systems, and as source in the standard tarballed format. Find a mirror close to you, and download the format you want. If downloading for a non-OpenBSD system, make sure you grab the file from the “portable” directory, or you may have trouble installing OpenSSH. You will also need OpenSSL version 9.5.0a or greater. It should be available as either an RPM in the RPMs directory or from the OpenSSL Web site at:

http://www.openssl.org/source/
Zlib is also required. If you do not have it already, fetch it from:

ftp.freesoftware.com/pub/infozip/zlib/zlib.tar.gz
If the target system does not have an entropy device (/dev/random, /dev/urandom, etc.), you must also download and install egd, the entropy gathering device, from:

http://www.lothar.com/tech/crypto/
PAM (pluggable authentication modules) support is included in OpenSSH -- Solaris contains PAM by default, as do some Linux distributions. If you do not have PAM and wish to use it, you can get it at:

http://www.kernel.org/pub/linux/libs/pam/
The OpenSSH installation process will automatically detect and install support for PAM if it is found on the system.

If your media is tarballed, do the following:

Install OpenSSL:

1. Untar the archive and enter the openssl-version directory.
2. Read the INSTALL file if desired.
3. ./config (change the directory in which ssl is installed via --openssldir=directory, default is /usr/local/ssl).
4. make && make test
5. /bin/su
6. make install

Install compression libraries (if not already present):

1. Untar the archive and enter the zlib-version directory.
2. ./configure
3. make && make test
4. /bin/su
5. make install

Install the entropy gathering daemon (egd) if your system does not have /dev/random or /dev/urandom:

1. Untar the archive and enter the egd-version directory.
2. perl Makefile.PL
3. make && make test
4. /bin/su
5. make install
6. Configure your rc scripts to run egd.pl socket at bootup; the argument given is the socket used for random data. Example: /usr/local/bin/egd.pl /dev/random would create a UNIX-socket at /dev/random that can be read for the entropy egd.pl provides. egd.pl will automatically fork into the background.

Install OpenSSH via tarball:

1. Untar the archive and enter the openssh-version directory
2. ./configure --with-openssl-dir=/ \
usr/local/ssl--with-entropy-pool=/ \
dev/random
(or wherever you had egd.pl create an entropy socket). If you did not use use egd.pl, but have a random device in an unusual place, use --with-random=FILE.
3. make
4. make install
5. These files are by default stored in /usr/local/bin for the clients and /usr/local/sbin for the server (sshd), which can be changed via ./configure --with-prefix=DIR.

Configuration files are also therefore placed in /usr/local/etc automatically, and you can change this via ./configure with the --with-sysconfdir=PATH.

Installing OpenSSH and OpenSSL via RPM:

1. Make sure you have downloaded an RPMs for OpenSSL, server, and clients. Most Linux distributions contain zlib and /dev/random already installed.

2. rpm -i openssl-version.rpm
3. rpm -i openssh-version.rpm
4. rpm -i openssh-server-version.rpm
5. rpm -i openssh-clients-version.rpm
Configuring OpenSSH to Work

OpenSSH main configuration files are located at /usr/local/etc/sshd_config and /usr/local/etc/ssh_config (unless you changed the sysconfdir varible). Most of the options are fairly self-explanatory and do not need to be changed. The default installation point for these files when installed by RPMs is /etc/ssh/sshd_config and /etc/ssh/ssh_config. It's good to look through these files and familiarize yourself with the options. The Protocol line is commented out by default (#) in sshd_config, and contains information for sshd about which protocols to use. The default is to use SSH Version 2 followed by Version 1.5; however, this can be changed if you do not wish to serve 1.5 clients (or vice versa).

Various options are available in ssh_config and can be set on a host-by-host or default configuration. If your installation media was RPMs, you will find a start-up script installed into /etc/rc.d/init.d/sshd and /etc/rc.d/rc[2-5].d/S55sshd. If you installed via source code, you will need to configure /usr/local/sbin/sshd and /usr/local/bin/egd.pl to start during your system's boot sequence. At this time, you may generate your RSA or DSA keys using ssh-keygen if you plan to use them. The default is to create an RSA key in $HOME/.ssh/identity; however, with the -d option, a DSA key is generated in $HOME/.ssh/id_dsa. RSA is used by protocols 1.3 and 1.5; whereas DSA is used by protocol 2.0. A passphrase increases security for these keys, but is not necessary.

Using OpenSSH

The main focus of ssh is to replace telnet, which is easily accomplished by simply typing: ssh host. Assuming sshd is running on the target host, you should soon see a password prompt for your user name, enter it, and you will be dropped into your default shell. Some useful options are:

-l login -- Login as this user.
-v -- Verbose, gives plenty of output while it connects, good for diagnosing problems.
-C -- Compression, compresses all data, very useful for slow data links.

You may also decline from starting an interactive shell; simply place a command after the host and it will be executed on the remote machine, akin to rexec. If you created an RSA or DSA key for yourself, copy either $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys or $HOME/.ssh/id_dsa.pub to $HOME/.ssh/authorized_keys2 on the remote machine, and you will not be required to enter your password. Use the cat >> command for those files since more than one authorized key is allowed, a separate line for each key. If you want a replacement for ftp/rcp, use the OpenSSH supplied program scp, which works in a manner similar to that of rcp (e.g., scp user@host:path localname). For the functionality of interactive ftp with ssh, check out Brian Wellington's sftp at:

http://www.xbill.org/sftp
The latest version is 0.9.5, but works reasonably well. There are too many options to describe here, so check the man pages for more information on these programs. Some other interesting features not covered here include X11 session forwarding, port forwarding, and support for IPv6.

Conclusion

I hope that this article has provided you with an understanding of the need for secure communication channels and the ease with which these services can be installed and used. Remember that installing OpenSSH makes your system more secure only if you then disable rsh, rlogin, rexec, telnet, and possibly, ftp from /etc/inetd.conf. OpenSSH is Open Source and will continue to be improved, particularly in September 2000 when the RSA patent expires. Consult the following references for more information on Secure Shell:

http://www.openssh.com -- OpenSSH: The free, open version of ssh.
http://www.ssh.com -- A commercial alternative.
http://www.zip.com.au/~roca/ttssh.html -- A ssh extension to the popular TeraTerm for Windows.
http://www.xbill.org/sftp/ -- An interactive ftp service over ssh.
http://www.openssl.org -- A free implementation of the Secure Sockets Layer.
http://www.openbsd.org -- OpenBSD: The proactive security-minded UNIX.
comp.security.ssh
SSH, The Secure Shell: The Definite Guide. Daniel J. Barrett and Richard Silverman. O'Reilly and Associates. ISBN: 0596000111.

About the Author

Matt works as the systems administrator for a database consulting company. He is a big fan of Linux, BSD, and Free Software in general, and has been using them since 1997. He can be reached at: matt@advancedatatools.com.