Janou's Secure Shell (SSH/SSH2) Setup
Created on December 28th, 1999
Last updated on December 29th, 1999
New Server Installation
So you might ask, "What's wrong with plain telnet?" Well, with regular telnet your password is sent to the other machine in plain text, so anyone sniffing the network can read it. With SSH, strong cryptography protects all transmitted confidential data, including passwords, binary files, and administrative commands.
I first learned about ssh when I became involved with an IRC server that required it. I thought it was going to be a problem to install, because when you hear the word "security" you say to yourself, "Good gosh, I am gonna have to get this, then that, then the other ..."
Well, I am here once again to assure you that it is nowhere near as bad as you think. Within a few minutes I had ssh up and running, and I also found a few cool ssh clients for those people who are using IP masquerading from a Windows machine. I have listed links below to where you can get some cool clients for Windows.
The two current versions of ssh are SSH and SSH-2. The differences between the two include different protocols and different licensing schemes. Whatever your needs are, this guide will pretty much help you install either one. My emphasis will be on ssh.
The first thing you need to do is get the SSH software and install it. The software is packaged as a tar file that is available on the web. You can get the necessary file(s) by logging onto:
or
ftp://dimonieta.udg.es/mirror/ssh/
For the installation of ssh, you will need:
ssh-1.2.27.tar.gz for ssh or
ssh-2.0.13.tar.gz for ssh-2
Also, please make sure to get the recent patch for SSH-1.2.27 that corrects a buffer overflow in rsaglue.c. You can download the patch from http://www.ssh.org/patches/patch-ssh-1.2.27-rsaref.buffer.overflow. To install it, copy the file into the ssh-1.2.27 source directory and, as root, run the command:
patch -p1 -l < patch-ssh-1.2.27-rsaref.buffer.overflow
After you have patched SSH, for most machines and configurations all you need to do is the typical:
./configure
make
make install
*** For those in a networked environment with a shared binary: after you run make install on one machine, you can run make hostinstall on the others to generate host keys and install the config files.
For you tarball scaredy cats: tarballs are not hard at all. With tarballs you get to control how the program is installed; you have the option to change parameters, function calls, paths, etc.
Once the compile is done, check whether sshd_config and ssh_config were created in the /etc directory.
What I did was edit my /etc/init.d/rc.local (Red Hat) (/etc/init.d/rcS on Debian) file to execute sshd at boot time. Some people debate whether it should go in init.d instead, so I will show you how to do that later in this guide.
Now set your umask so that the files you install keep the correct permissions.
type --> umask 022
Now that you have all that out of the way, you can generate the host key. Change to the /etc directory (cd /etc) and run:
ssh-keygen -b 1024 -f /etc/ssh_host_key -N ''
*** The ssh-keygen binary is found in /usr/local/bin, and also under /usr/ssh.
This will generate and test /etc/ssh_host_key and /etc/ssh_host_key.pub. Be patient; generating the key takes several seconds. ssh_host_key is the private key file (mode 0600, owned by root); ssh_host_key.pub is the public key file (mode 0644, owned by root). The security of SSH sessions depends, in part, on the security of the private key.
Running ssh-keygen to create the host key also creates the file ~/.ssh/random_seed (~/ means your home directory). This file is a by-product of the key creation process and may be deleted after you have generated the key.
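The guide says the private host key must be mode 0600 and owned by root; here is a small POSIX shell check for exactly that, added here and not part of the original guide or of the ssh distribution. It assumes the file names from the guide (ssh_host_key and ssh_host_key.pub) and takes the directory and expected owner as optional parameters (both added here) so you can try it on a scratch directory before pointing it at /etc:

```shell
#!/bin/sh
# Added example (not from the original guide): check that the host key
# files written by ssh-keygen have the ownership and modes the guide
# requires (private key 0600, public key 0644, both owned by root).
# Usage: check_host_key [DIR] [OWNER]; DIR defaults to /etc and OWNER to
# root (OWNER is a parameter added here so the check can run unprivileged).

# file_mode FILE -> permission bits in octal, e.g. 600 (GNU stat, BSD fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# file_owner FILE -> owning user name
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_file FILE MODE OWNER -> 0 if FILE exists with exactly MODE and OWNER
check_file() {
    if [ ! -f "$1" ]; then
        echo "MISSING   $1"; return 1
    fi
    rc=0
    if [ "$(file_mode "$1")" != "$2" ]; then
        echo "BAD MODE  $1 is $(file_mode "$1"), expected $2"; rc=1
    fi
    if [ "$(file_owner "$1")" != "$3" ]; then
        echo "BAD OWNER $1 is owned by $(file_owner "$1"), expected $3"; rc=1
    fi
    return $rc
}

# check_host_key [DIR] [OWNER] -> 0 only if both key files pass
check_host_key() {
    dir=${1:-/etc}
    owner=${2:-root}
    status=0
    # the private key is what protects the session: nobody but root may read it
    check_file "$dir/ssh_host_key" 600 "$owner" || status=1
    # the public key is world-readable but must not be writable by others
    check_file "$dir/ssh_host_key.pub" 644 "$owner" || status=1
    [ $status -eq 0 ] && echo "OK        host key files in $dir look correct"
    return $status
}
```

Run check_host_key with no arguments on the server itself; a non-zero exit status means at least one file is missing or has the wrong mode or owner.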
This is the install boot script thingy for init.d that I mentioned earlier.
As root, copy sshd.rc to your system's init.d directory and create a link so that sshd will start automatically when you reboot. The appropriate path varies by system.
For Linux, initialization varies by vendor. For a RedHat system, as root, run
mv /etc/sshd.rc /etc/rc.d/init.d/sshd
cd /etc/rc.d/rc3.d
ln -s ../init.d/sshd S70sshd
The last command creates the symbolic link.
For other Linux systems, install as appropriate, using the instructions above as a guideline.
Customizing this configuration
The default configuration should work for most systems. If you need to change the defaults, edit /etc/sshd_config. See the sshd man page for details about the options. The sshd man page is available in /usr/local/man/man8/sshd.8; it can be read with "man sshd" or "man ssh".
Running sshd
The sshd will start automatically when the system reboots. You can manually start the daemon now to see if it works. As root, run:
/usr/local/sbin/sshd
Testing sshd
Try to connect to your host. As a user, enter the command:
ssh -l your_login_name hostname_or_ip -c 3des
If you get "connection refused," you may need to make a small change in your local tcpwrapper configuration files. Check to see if you have an /etc/hosts.deny file. Look for the entry in that file that looks like this:
ALL: ALL
If you find it, add the following entries to your /etc/hosts.allow file:
sshd: ALL
sshdfwd-X11: your_local_hostname
The first entry permits remote sshd connections into your host. Instead of using "ALL", you can use this area to restrict the machines that are allowed to connect.
The second entry permits the forwarding of ssh X connections. For example, if your machine were named example.linuxhelp.net, that setting would read:
sshdfwd-X11: example.linuxhelp.net
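To see how the hosts.deny and hosts.allow entries above combine, here is a small simulator of the tcpwrappers decision (the allow file is consulted first, then the deny file, and otherwise access is granted), written as an added example that is not part of the guide or of tcpd itself. It handles only the entry syntax the guide uses (daemon list, colon, client list, with ALL, an exact host name, or a leading-dot domain pattern), and its demo function builds throwaway hosts.allow and hosts.deny files that mirror the guide's entries:

```shell
#!/bin/sh
# Added example, not from the guide or tcpd: simulate the tcpwrappers
# decision for one (daemon, client) pair, supporting only the entry syntax
# the guide uses: "daemons: clients" lists separated by commas or spaces,
# where ALL matches anything, a name matches exactly, .domain matches a domain.

# matches PATTERNS VALUE -> 0 if VALUE is matched by one of the PATTERNS
matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case "$p" in
            ALL) return 0 ;;
            .*)  case "$2" in *"$p") return 0 ;; esac ;;
            *)   [ "$p" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if some entry in FILE matches the pair
file_matches() {
    [ -f "$1" ] || return 1                  # a missing file matches nothing
    while IFS=: read -r daemons clients; do
        case "$daemons" in ''|\#*) continue ;; esac   # blank line or comment
        if matches "$daemons" "$2" && matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints the verdict and
# returns 0 (allow) or 1 (deny), in tcpd's order: allow file, deny file, permit
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo "allow: $3 from $4 matched an entry in $1"; return 0
    elif file_matches "$2" "$3" "$4"; then
        echo "deny:  $3 from $4 matched an entry in $2"; return 1
    fi
    echo "allow: $3 from $4 matched no entry (tcpd default)"; return 0
}

# demo -> constructed files mirroring the guide's entries (ALL: ALL in hosts.deny)
demo() {
    d=$(mktemp -d)
    printf 'ALL: ALL\n' > "$d/hosts.deny"
    printf 'sshd: ALL\nsshdfwd-X11: example.linuxhelp.net\n' > "$d/hosts.allow"
    tcpd_decision "$d/hosts.allow" "$d/hosts.deny" sshd client.example.org
    tcpd_decision "$d/hosts.allow" "$d/hosts.deny" sshdfwd-X11 other.host.net
    rm -rf "$d"
}
```

Calling demo shows sshd accepted from any client while X11 forwarding from a host other than example.linuxhelp.net falls through to the ALL: ALL line in hosts.deny; point tcpd_decision at /etc/hosts.allow and /etc/hosts.deny to check your own entries before restarting sshd.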
I have listed below some Windows ssh clients that you can use to connect with. Remember, ssh uses port 22 and normal telnet uses port 23. This is something I found out when it wasn't working for me .. :)
- TTSSH: An Extension for TeraTerm -
http://www.zip.com.au/~roca/ttssh.html
- PuTTY: A Free Win32 Telnet/SSH Client -
http://www.chiark.greenend.org.uk/~sgtatham/putty/
- Secure CRT - http://www.vandyke.com/
Special shout out to my pplz: LyteSter, x2xtreme, ToxiC_Myst (did you get your sparc box up and running yet?), FEDERAL_AGENT (Pretty fly for a Desi Guy), and to the Linux/Unix community!
Having trouble? Got questions? Require further assistance? If so please feel free to visit our Help Forums and ask the experts!