Internet.com ISP-Planet
 
SSH: From Secure Administration to Virtual Private Networking

Configuring the Server, Step 1: SSHD & HostKey Config
The first step is to install the OpenSSH daemon (sshd) on either the server that you want to administer securely, or the "VPN" server that will forward ports into your private network. We installed OpenSSH on a dual-Ethernet PC with IP forwarding disabled to ensure that nothing but tunneled traffic would get past our SSH "VPN" server.

OpenSSH requires zlib and OpenSSL. We found our RedHat server already had zlib and quickly installed OpenSSL without incident. We also removed a prior version of SSH from our server before installing OpenSSH to avoid ending up with a mix-and-match set of binaries. To compile and install, simply execute the following:

gzip -dc openssh-2.1.0.tar.gz | tar xvpf -
cd openssh-2.1.0
./configure
make
make install
make host-keys

By default, the SSH daemon is installed in /usr/local/sbin and SSH client apps are installed in /usr/local/bin. A pair of configuration files (sshd_config and ssh_config) are installed in /usr/local/etc.

Open source fans will be familiar with all but the last step. SSH uses public keys to authenticate hosts and (optionally) users. To do so, we generate a pair of keys that are mathematically related such that if one is used to encrypt a message, only the other can decrypt it. One host key is made public to all clients, the other is kept private. To prove our server's identity, we encrypt a known value with our private host key. The client decrypts that value with our public key and considers us authentic if the two values match. An SSH1 daemon requires an RSA key pair; an SSH2 daemon requires a DSA key pair. The "make host-keys" step generates both key pairs and stores them in /usr/local/etc. It is essential that the private host key files are accessible only to root.

Pluggable authentication modules (PAM) are automatically enabled on platforms that support them. To run OpenSSH, you'll either need to disable PAM using the --without-pam ./configure option or create a config file for PAM. On RedHat, this is easily accomplished by copying openssh-2.1.0/contrib/redhat/sshd.pam to /etc/pam.d/sshd. See openssh-2.1.0/contrib for further information and examples.

The default configuration is relatively strict: it prohibits .rhosts authentication, X11 forwarding, and empty passwords. Use the sshd_config file to modify protocol versions and ports, file locations, and enable/disable authentication methods. We enabled DSA authentication for SSH2, negotiated SSH2 before SSH1, prohibited simple password authentication, and boosted the logging level by making the following changes:

Protocol 2,1
HostDSAKey /usr/local/etc/ssh_host_dsa_key
LogLevel VERBOSE
DSAAuthentication yes
PasswordAuthentication no

The SSH daemon runs in the background when you invoke /usr/local/sbin/sshd. Status and errors can be seen in the system log.
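As an added example (not code from the article or from the OpenSSH project), the POSIX shell script below audits an sshd_config for the settings chosen above and checks that a private host key file is not readable by group or others, the root-only requirement stated under host keys. It runs entirely against constructed sample files written to a temporary directory; the helper names (sshd_get, audit_sshd_config, hostkey_private_ok) and the sample file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit sshd_config against the settings
# chosen above and check private host key permissions. All sample files below
# are constructed in a temporary directory; nothing on the real system is read.

# Print the effective value of one sshd_config directive (hypothetical helper).
# Comment lines are skipped, directive names match case-insensitively, and the
# first occurrence is kept.
sshd_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    NF >= 2 && tolower($1) == tolower(key) && val == "" { val = $2 }
    END { print val }
  ' "$1"
}

# Audit the directives the article changed, plus the empty-password default
# it relies on. Prints one FAIL line per problem; returns 1 if any were found.
audit_sshd_config() {
  cfg=$1; rc=0
  [ "$(sshd_get "$cfg" PasswordAuthentication)" = "no" ] \
    || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
  [ "$(sshd_get "$cfg" PermitEmptyPasswords)" != "yes" ] \
    || { echo "FAIL: PermitEmptyPasswords is 'yes'"; rc=1; }
  case "$(sshd_get "$cfg" Protocol)" in
    2|2,1) ;;   # SSH2 preferred, matching the article's "Protocol 2,1"
    *) echo "FAIL: Protocol does not prefer SSH2"; rc=1 ;;
  esac
  [ "$(sshd_get "$cfg" LogLevel)" = "VERBOSE" ] \
    || { echo "FAIL: LogLevel is not VERBOSE"; rc=1; }
  return $rc
}

# A private host key passes only if group and others have no permission bits
# at all (columns 5-10 of "ls -l" are the group and other rwx fields).
hostkey_private_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample inputs (not real server files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.hardened" <<'EOF'
# the directives set in the article
Protocol 2,1
HostDSAKey /usr/local/etc/ssh_host_dsa_key
LogLevel VERBOSE
DSAAuthentication yes
PasswordAuthentication no
EOF
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# a permissive configuration for contrast
protocol 1
LogLevel INFO
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
: > "$demo_dir/ssh_host_dsa_key"; chmod 600 "$demo_dir/ssh_host_dsa_key"
: > "$demo_dir/ssh_host_key";     chmod 644 "$demo_dir/ssh_host_key"

# Run both checks over the samples and report.
for cfg in hardened weak; do
  if audit_sshd_config "$demo_dir/sshd_config.$cfg"; then
    echo "$cfg: config audit passed"
  else
    echo "$cfg: config audit FAILED"
  fi
done
for key in ssh_host_dsa_key ssh_host_key; do
  if hostkey_private_ok "$demo_dir/$key"; then
    echo "$key: permissions OK"
  else
    echo "$key: readable by group or others"
  fi
done
```

Point audit_sshd_config at /usr/local/etc/sshd_config and hostkey_private_ok at the generated ssh_host_key and ssh_host_dsa_key files to apply the same checks to a real installation; the script only reads the files it is given.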
