Installing OpenSSH on Solaris 2.X          2002 Feb 27
1. Go to http://www.sunfreeware.com and install the following packages:
   zlib prngd egd perl openssl openssh
2. To retrieve an ftp document or an html page use wget:
root# wget ftp://..../...
root# wget http://.../...
3. To install a Solaris package:
root# cd /tmp
root# gunzip [name_of_the_package_file].gz
root# pkgadd -d [name_of_the_package_file]
4. Add the following to root's /.profile so the sunfreeware binaries and
   shared libraries are found (they are appended, so the system's own
   binaries in /usr/bin and /usr/sbin keep precedence):
root# vi /.profile
PATH=$PATH:/usr/local/bin:/usr/local/sbin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
5. Set up entropy. Solaris 2.x has no /dev/random; OpenSSL, and therefore
   sshd and ssh-keygen, read their random bytes from the prngd socket, so
   prngd must be running before anything else in this document will work.
   The messages log is only a starting seed (it is not secret and not very
   random); prngd keeps gathering entropy from the commands listed in its
   prngd.conf. The seed file should be readable by root only.
root# cat /var/adm/messages > /usr/local/etc/prngd/prngd-seed
root# mkdir /var/spool/prngd
root# /usr/local/bin/prngd /var/spool/prngd/pool
root# /usr/local/bin/egc.pl /var/spool/prngd/pool get
   (egc.pl ... get reports how much entropy the pool currently holds, which
   confirms the daemon is up and answering on the socket)
6. Create a startup / shutdown script for entropy.
root# vi /etc/init.d/prngd
#!/bin/sh
# Used to start up entropy (prngd) for products like OpenSSH and OpenSSL.
# Determine the process id of the daemon and no other processes
pid=`/bin/ps -ef | \
     /bin/grep prngd | \
     /bin/egrep -v "grep|$$|start|stop" | \
     /bin/awk '{print $2}'`
case $1 in
'start')
    if [ "$pid" = '' ] ; then
        /usr/local/bin/prngd /var/spool/prngd/pool
    else
        echo '' 1>&2
        echo "WARNING: /etc/init.d/prngd already running" 1>&2
        echo '' 1>&2
    fi
    ;;
'stop')
    if [ "${pid}" != '' ] ; then
        /bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/prngd {start|stop}"
    ;;
esac

root# chmod 744 /etc/init.d/prngd
root# chown root /etc/init.d/prngd
root# chgrp sys /etc/init.d/prngd
root# ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd
root# ln -s /etc/init.d/prngd /etc/rc0.d/K98prngd
root# ln -s /etc/init.d/prngd /etc/rcS.d/K98prngd
(rc scripts run in name order, so S98prngd starts before the S98sshd link
created in step 10)
7a. To start up entropy execute as root:
root# /etc/init.d/prngd start
Note: prngd must be running before the ssh daemon will start, because sshd
takes its random bytes from the prngd socket.
7b. To shut down entropy execute as root:
root# /etc/init.d/prngd stop
Note: prngd can be stopped and restarted while the ssh daemon is running;
existing ssh connections are not affected.
8. Set up the tcp_wrappers files by adding the sshd lines. tcp_wrappers is a
separate, optional package. It is not mandatory to install it, and sshd does
its own authentication either way, so leaving it out does not by itself
weaken your security. However, this OpenSSH build is linked with the
tcp_wrappers library and consults /etc/hosts.allow and /etc/hosts.deny
whenever those files exist, even if the tcp_wrappers package itself is not
installed. Therefore: if the files exist, tcp_wrappers is probably installed
and you only need to modify them; if they do not exist, tcp_wrappers is
definitely not installed and you need to create them. Either way the entries
below put a host allow-list in front of sshd's own authentication.
root# vi /etc/hosts.deny
sshd: ALL
root# vi /etc/hosts.allow
sshd: [list of ip addresses, network portion is fine, with commas]
for example
sshd: 127.0.0.1,47.150.51.3,47.150.50.,47.152.,48.
(a trailing dot matches the whole network prefix; hosts.allow is consulted
first, then hosts.deny, and a client matching neither file is let through,
which is why the "sshd: ALL" deny entry is needed)
root# chmod 644 /etc/hosts.deny /etc/hosts.allow
root# chown root /etc/hosts.deny /etc/hosts.allow
root# chgrp other /etc/hosts.deny /etc/hosts.allow
Note: these two files are re-read for every new connection, so a change
takes effect for the next connection without reconfiguring or restarting
sshd; connections already established are not affected.
9. Generate the host keys that will be used by OpenSSH. Host keys must have
   no passphrase (-N "") because sshd starts unattended at boot; ssh-keygen
   creates the private halves mode 600, owned by root, and they must stay
   that way. The rsa1 key is used only by protocol 1 (see step 11).
root# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
root# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
root# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
10. Create a startup / reconfigure / shutdown script for OpenSSH.
root# vi /etc/init.d/sshd
#!/bin/sh
# Determine the process ids of the daemons and no other processes.
# Note: this matches every ps line containing "sshd": the listening daemon
# and the per-connection children (so "stop" ends every session), but also
# any unrelated command with sshd in its arguments, e.g. "vi sshd_config".
pids=`/bin/ps -ef | \
      /bin/grep sshd | \
      /bin/egrep -v "grep|$$|start|stop" | \
      /bin/awk '{printf "%d ", $2}'`
case $1 in
'start')
    if [ "$pids" = '' ] ; then
        /usr/local/sbin/sshd
    else
        echo '' 1>&2
        echo 'WARNING: /etc/init.d/sshd already running' 1>&2
        echo '' 1>&2
    fi
    ;;
'reconfigure')
    # SIGHUP makes the listening sshd re-read sshd_config; only the parent,
    # whose pid is in the pid file, should receive it
    if [ "$pids" != '' ] ; then
        if [ -f /var/run/sshd.pid ] ; then
            /bin/kill -1 `/bin/cat /var/run/sshd.pid`
        elif [ -f /usr/local/etc/sshd.pid ] ; then
            /bin/kill -1 `/bin/cat /usr/local/etc/sshd.pid`
        else
            echo '' 1>&2
            echo 'ERROR: missing sshd pid file' 1>&2
            echo '' 1>&2
        fi
    else
        echo '' 1>&2
        echo 'ERROR: sshd is not running' 1>&2
        echo '' 1>&2
    fi
    ;;
'stop')
    if [ "$pids" != '' ] ; then
        /bin/kill $pids
    fi
    ;;
*)
    echo '' 1>&2
    echo 'usage: /etc/init.d/sshd {start|reconfigure|stop}' 1>&2
    echo '' 1>&2
    ;;
esac

root# chmod 744 /etc/init.d/sshd
root# chown root /etc/init.d/sshd
root# chgrp sys /etc/init.d/sshd
root# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd
root# ln -s /etc/init.d/sshd /etc/rc0.d/K98sshd
root# ln -s /etc/init.d/sshd /etc/rcS.d/K98sshd
11. Modify the OpenSSH daemon and client configuration files.
root# cd /usr/local/etc/
root# cp -p sshd_config sshd_config.0
root# cp -p ssh_config ssh_config.0
root# vi sshd_config
    change  #Protocol 2,1
    to      Protocol 2,1
            (Caveat: protocol 1 has known weaknesses. If none of your
            clients need it, use "Protocol 2"; the rsa1 host key from
            step 9 is then unused.)
    change  PermitRootLogin yes
    to      #PermitRootLogin yes
            PermitRootLogin no
    change  IgnoreRhosts yes
    to      #IgnoreRhosts yes
            IgnoreRhosts no
            (Caveat: "no" makes sshd honour ~/.rhosts and ~/.shosts for the
            rhosts-style authentication methods. Leave the default,
            IgnoreRhosts yes, unless you knowingly depend on those.)
    change  X11Forwarding no
    to      #X11Forwarding no
            X11Forwarding yes
    change  PasswordAuthentication no
    to      #PasswordAuthentication no
            PasswordAuthentication yes
            (Needed until the user keys of steps 17 and 18 are in place;
            once key logins work, set it back to no so passwords cannot be
            guessed over the network.)
root# vi ssh_config
    change  #ForwardAgent no
    to      #ForwardAgent no
            ForwardAgent yes
            (Caveat: while you are connected, root on the remote machine
            can use the keys held by your forwarded agent. Enable this only
            for hosts you trust, e.g. inside a "Host" block rather than
            globally.)
    change  #ForwardX11 no
    to      #ForwardX11 no
            ForwardX11 yes
    change  #PasswordAuthentication yes
    to      #PasswordAuthentication yes
            PasswordAuthentication yes
    change  #Protocol 2,1
    to      #Protocol 2,1
            Protocol 2,1
# /usr/local/sbin/sshd -t
    (test mode: checks sshd_config and the host keys and reports any error
    without starting the daemon; run it after every edit)
12a. To start up the OpenSSH daemon:
# /etc/init.d/sshd start
# ps -ef | grep sshd
12b. To reconfigure the OpenSSH daemon (re-read sshd_config):
# /etc/init.d/sshd reconfigure
# ps -ef | grep sshd
Note: any change applies only to new ssh client connections; existing ones
are left alone.
12c. To shut down the OpenSSH daemon:
# /etc/init.d/sshd stop
# ps -ef | grep sshd
Note!!! The stop action kills every sshd process, so all ssh client
connections end abruptly, including the one you may be typing this in, and
you will not be able to reconnect remotely until the daemon is restarted.
Make sure you can either telnet to the machine (possible until step 99
disables telnet) or log in on the console directly.
13. To verify the ssh daemon is working on your machine, make an ssh
    connection back to the same machine by doing the following:
user# /usr/local/bin/ssh your_unix_login@your_unix_host
If you get a message "The authenticity of ... can't be established" and it
asks "Are you sure you want ... connecting", enter yes and it will continue.
This message appears only once for this host: a subdirectory .ssh is created
in your home directory containing a file known_hosts, which now holds the
public host key of your local Unix machine. That key should be identical to
the one in the server's public key files
    /usr/local/etc/ssh_host_*_key.pub
so compare the two (the fingerprint shown in the prompt is the one
"ssh-keygen -l -f" prints for the matching .pub file). If they differ,
something other than your sshd answered the connection.
You will get a message "Warning: Permanently added ... to known hosts".
Then it will prompt you for your Unix password:
    your_unix_login@your_unix_host's password:
Enter your Unix password to complete the ssh connection.
loopback_user# ls -la        (verify the local ssh connection works)
loopback_user# tty ; who     (see your ssh connection and all the others)
loopback_user# exit          (disconnect the local ssh connection)
user# tty ; who              (see your original connection)
14. To verify the ssh daemon is working between your machine and another
    machine, make an ssh connection to a remote machine by doing the
    following:
user# /usr/local/bin/ssh your_unix_login@remote_unix_host
The first connection to each remote host produces the same "authenticity of
... can't be established" prompt as step 13; answering yes adds the remote
machine's public host key to ~/.ssh/known_hosts (creating .ssh if needed)
and prints "Warning: Permanently added ... to known hosts". Compare the key
added with the public key files on the remote Unix machine,
    /usr/local/etc/ssh_host_*_key.pub
before relying on it: the first connection is the one chance to catch a
machine impersonating the remote host.
Then it will prompt you for your Unix password on the remote machine:
    your_unix_login@remote_unix_host's password:
Enter your Unix password to complete the remote ssh connection.
remote_user# ls -la          (verify the remote ssh connection works)
remote_user# tty ; who       (see your ssh connection and all the others)
remote_user# exit            (disconnect the ssh connection)
user# tty ; who              (see your original connection)
15. To verify the ssh daemon can copy a file on your machine, copy a file
    from your machine back to the same machine by doing the following:
user# hostname > junk1
user# /usr/local/bin/scp your_unix_login@your_unix_host:junk1 junk2
If the local host key was not already recorded in step 13 you get the same
"authenticity of ... can't be established" prompt and known_hosts handling
described there; answer yes after checking the key against
/usr/local/etc/ssh_host_*_key.pub. Then it will prompt you for your Unix
password:
    your_unix_login@your_unix_host's password:
Enter your Unix password to complete the scp transfer.
user# ls -la junk1 junk2     (verify the local scp works; junk2 should be
                              a copy of junk1)
16. To verify the ssh daemon can copy a file from a remote machine, copy a
    file from a remote machine to your machine by doing the following:
remote_user# hostname > junk1          (on the remote machine)
user# /usr/local/bin/scp remote_unix_login@remote_unix_host:junk1 junk2
If the remote host key was not already recorded in step 14 you get the same
"authenticity of ... can't be established" prompt and known_hosts handling
described there; answer yes after checking the key against the remote
machine's /usr/local/etc/ssh_host_*_key.pub. Then it will prompt you for
your Unix password on the remote machine:
    remote_unix_login@remote_unix_host's password:
Enter your Unix password to complete the scp transfer.
remote_user# ls -l junk1     (on the remote machine)
user# ls -l junk2            (verify the remote scp works; junk2 should now
                              contain the remote machine's hostname)
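Steps 13 to 16 each say to compare the key that landed in ~/.ssh/known_hosts
with the server's /usr/local/etc/ssh_host_*_key.pub. The script below is an
added example, not part of the original page, that does that comparison for
one host using only /bin/sh and awk. It handles both protocol-2 lines
("ssh-rsa ...", "ssh-dss ...") and protocol-1 lines ("bits exponent
modulus"), which the page's text does not distinguish. The host names,
paths and all key material in it are constructed for the demo and are not
real keys; in real use you would scp the .pub file from the server (or read
it on the server's console) and point the script at your own known_hosts.

```sh
#!/bin/sh
# Added example, not from the original page: compare the entry ssh wrote to
# ~/.ssh/known_hosts for a host against that host's own public key file
# (/usr/local/etc/ssh_host_*_key.pub), the check steps 13-16 ask for.
# Handles protocol-2 lines ("ssh-rsa <base64>", "ssh-dss <base64>") and
# protocol-1 lines ("<bits> <exponent> <modulus>"). All key material below
# is constructed for the example and is not a real key.

# key_fields_pub PUBFILE -> "keytype base64" or "bits exp modulus", no comment
key_fields_pub() {
    awk 'NF >= 2 {
             if ($1 ~ /^[0-9]+$/) print $1, $2, $3; else print $1, $2
             exit
         }' "$1"
}

# key_fields_known KNOWN_HOSTS HOST KEYTYPE -> same shape, taken from the line
# that names HOST (field 1 may be "host1,host2,...") and has that key type
# (KEYTYPE is "ssh-rsa", "ssh-dss", or the bit count for a protocol-1 key)
key_fields_known() {
    awk -v host="$2" -v type="$3" '
        $1 !~ /^#/ && NF >= 3 && $2 == type {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) {
                if ($2 ~ /^[0-9]+$/) print $2, $3, $4; else print $2, $3
                exit
            }
        }' "$1"
}

# known_host_matches KNOWN_HOSTS HOST PUBFILE
#   0 if the key recorded for HOST is exactly the key in PUBFILE, 1 otherwise
known_host_matches() {
    kh=$1; host=$2; pub=$3
    want=`key_fields_pub "$pub"`
    if [ -z "$want" ]; then
        echo "no public key found in $pub" 1>&2
        return 1
    fi
    type=`echo "$want" | awk '{print $1}'`
    have=`key_fields_known "$kh" "$host" "$type"`
    if [ -z "$have" ]; then
        echo "$host: no $type key recorded in $kh" 1>&2
        return 1
    fi
    if [ "$want" = "$have" ]; then
        echo "$host: known_hosts entry matches $pub"
        return 0
    fi
    echo "$host: MISMATCH, known_hosts holds a different $type key than $pub" 1>&2
    return 1
}

# write_sample_files DIR -> constructed known_hosts and .pub files for the demo
write_sample_files() {
    cat > "$1/ssh_host_rsa_key.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed/rsa/key/not/real root@sunbox
EOF
    cat > "$1/ssh_host_dsa_key.pub" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed/dsa/key/not/real root@sunbox
EOF
    cat > "$1/ssh_host_key.pub" <<'EOF'
1024 35 1234567890123456789012345678901234567890 root@sunbox
EOF
    cat > "$1/known_hosts" <<'EOF'
# constructed known_hosts: sunbox has its rsa and rsa1 keys recorded, not dsa
sunbox,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed/rsa/key/not/real
sunbox 1024 35 1234567890123456789012345678901234567890
otherbox ssh-dss AAAAB3NzaC1kc3MAAACBAsomebody/elses/key
EOF
}

# Demo on constructed files. Real use, after copying the .pub from the server:
#   known_host_matches ~/.ssh/known_hosts your_unix_host ssh_host_rsa_key.pub
D=${TMPDIR:-/tmp}/khdemo.$$
mkdir "$D" && write_sample_files "$D"
known_host_matches "$D/known_hosts" sunbox "$D/ssh_host_rsa_key.pub" || echo "  (status $?)"
known_host_matches "$D/known_hosts" sunbox "$D/ssh_host_key.pub"     || echo "  (status $?)"
known_host_matches "$D/known_hosts" sunbox "$D/ssh_host_dsa_key.pub" || echo "  (status $?)"
rm -rf "$D"
```

The comparison is on the key type and key data only, so the comment field
of the .pub file (root@sunbox) does not matter. A mismatch on a first
connection means the key you accepted did not come from the machine you
think it did: delete that line from known_hosts and find out what answered
before logging in again.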
17. Currently when you:
    - make an ssh connection back to the same machine
    - copy a file using scp back to the same machine
it prompts you for a password before it completes the command. This password
authentication can be avoided by setting up some files: a key pair for the
user, with the public half listed in ~/.ssh/authorized_keys on the machine
being logged into.
user# cd
user# ssh-keygen -t rsa1 -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/identity";
just hit <CR>.
user# ssh-keygen -t rsa -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/id_rsa";
just hit <CR>.
user# ssh-keygen -t dsa -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/id_dsa";
just hit <CR>.
Note: -N "" creates the private keys without a passphrase, so anyone who can
read identity, id_rsa or id_dsa can log in as you wherever the matching
public key is authorized; the 600 permissions below are all that protects
them. A passphrase together with ssh-agent is safer if your workflow allows
it.
user# cd .ssh
user# ls -l
-rw-------   1 user     group        668 Feb 26 19:26 id_dsa
-rw-r--r--   1 user     group        601 Feb 26 19:26 id_dsa.pub
-rw-------   1 user     group        887 Feb 26 19:25 id_rsa
-rw-r--r--   1 user     group        221 Feb 26 19:25 id_rsa.pub
-rw-------   1 user     group        526 Feb 26 19:24 identity
-rw-r--r--   1 user     group        330 Feb 26 19:24 identity.pub
We need to put the public keys from these files into the authorization file
(only the .pub files; the private keys never go there):
user# cat identity.pub id_rsa.pub id_dsa.pub > authorized_keys
Note: authorized_keys should be mode 600 and ~/.ssh mode 700. With sshd's
default StrictModes yes, the file is silently ignored if it, ~/.ssh or your
home directory is writable by group or others, and the only symptom is that
you keep being asked for a password.
You will need to do these steps on all local machines and remote machines.
Try to make an ssh connection by following step 13 and verify it does not
ask for a password.
Try to do an scp transfer by following step 15 and verify it does not ask
for a password.
18. Continuing from the previous step, currently when you:
    - make an ssh connection to a remote machine
    - copy a file using scp from/to a remote machine
it prompts you for a password before it completes the command. This password
authentication can be avoided the same way. The machine you log in FROM keeps
the private keys; the machine you log in TO needs the matching public keys in
~/.ssh/authorized_keys. For logins in both directions each machine therefore
needs the other's public keys.
First generate the remote user's key pairs, exactly as in step 17:
remote_user# cd
remote_user# ssh-keygen -t rsa1 -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/identity";
just hit <CR>.
remote_user# ssh-keygen -t rsa -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/id_rsa";
just hit <CR>.
remote_user# ssh-keygen -t dsa -N ""
This will prompt you "Enter file ... /your_unix_home_dir/.ssh/id_dsa";
just hit <CR>.
remote_user# cd .ssh
remote_user# ls -l
(the same six files, with the same permissions, as listed in step 17)
remote_user# cat identity.pub id_rsa.pub id_dsa.pub > authorized_keys
Now exchange the public keys. To log in from your local machine to the
remote one, append your local identity.pub, id_rsa.pub and id_dsa.pub to the
remote ~/.ssh/authorized_keys; to log in from the remote machine to the local
one, append the remote .pub files to your local ~/.ssh/authorized_keys. Copy
only .pub files; the private keys stay where they were generated. Until the
keys are in place you can move the .pub files with scp as in step 16, or
paste their contents into the file with vi:
remote_user# vi ~/.ssh/authorized_keys
user# vi ~/.ssh/authorized_keys
Note: make sure each public key is exactly one line, with no line break
inserted into the key data by the paste. In vi,
    :set list
places a $ at the end of each line, so a key that was wrapped shows up as a
line without the key type at its start and a $ in the middle of the key.
You will need to do these steps on all local machines and remote machines.
Try to make an ssh connection by following step 14 and verify it does not
ask for a password.
Try to do an scp transfer by following step 16 and verify it does not ask
for a password.
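Steps 17 and 18 both end with "verify it does not ask for a password", but
when it still does, sshd gives the user no hint why. The script below is an
added example, not from the original page; it checks the two usual causes:
a key line that was wrapped or otherwise mangled when pasted into
authorized_keys (the ":set list" check, done by program instead of by eye),
and home, ~/.ssh or authorized_keys permissions that StrictModes rejects. It
also confirms that a given .pub file is actually listed. All paths and key
material are constructed for the demo and are not real keys; it uses only
/bin/sh, awk, ls and cut.

```sh
#!/bin/sh
# Added example, not from the original page: checks for the authorized_keys
# setup in steps 17 and 18. With StrictModes (sshd's default) a key is
# silently ignored when its authorized_keys line is malformed, typically
# wrapped onto two lines by a paste, or when the home directory, ~/.ssh or
# authorized_keys is writable by group or others; the only symptom is that
# you are still asked for a password. Key material below is constructed.

# valid_key_line LINE -> 0 if LINE is one complete public key
#   protocol 2: "ssh-rsa|ssh-dss <base64> [comment]"
#   protocol 1: "<bits> <exponent> <modulus> [comment]"
valid_key_line() {
    echo "$1" | awk '
        $1 == "ssh-rsa" || $1 == "ssh-dss" { ok = ($2 ~ /^[A-Za-z0-9+\/=]+$/) }
        $1 ~ /^[0-9]+$/ { ok = ($2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/) }
        END { exit ok ? 0 : 1 }'
}

# check_authorized_keys FILE -> 0 if every non-blank, non-comment line is a
#   key; otherwise reports each bad line (a wrapped key leaves a line of bare
#   key data with no type in front) and returns 1
check_authorized_keys() {
    bad=0; n=0
    while IFS= read -r line; do
        n=`expr $n + 1`
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! valid_key_line "$line"; then
            echo "$1: line $n is not a single public key: $line" 1>&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# key_authorized PUBFILE AUTHFILE -> 0 if the key in PUBFILE is listed in
#   AUTHFILE (key fields only, so a different comment does not matter)
key_authorized() {
    want=`awk 'NF >= 2 { if ($1 ~ /^[0-9]+$/) print $1, $2, $3; else print $1, $2; exit }' "$1"`
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 !~ /^#/ && NF >= 2 {
            k = ($1 ~ /^[0-9]+$/) ? $1 " " $2 " " $3 : $1 " " $2
            if (k == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# private_to_owner PATH -> 0 unless group or others may write PATH
#   (columns 6 and 9 of the ls -l mode string are the group and other w bits)
private_to_owner() {
    case `ls -ld "$1" | cut -c1-10` in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# check_ssh_dir HOME -> 0 if HOME, HOME/.ssh and HOME/.ssh/authorized_keys
#   are all acceptable to StrictModes (none may be group/other writable)
check_ssh_dir() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if ! private_to_owner "$p"; then
            echo "$p is group/other writable; StrictModes will ignore the keys" 1>&2
            rc=1
        fi
    done
    return $rc
}

# write_sample_home DIR -> a constructed home with .ssh, .pub files, a correct
#   authorized_keys (good_keys) and a pasted one where the dsa key wrapped
write_sample_home() {
    chmod 700 "$1"
    mkdir "$1/.ssh" && chmod 700 "$1/.ssh"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed/rsa/key/not/real user@sunbox' > "$1/.ssh/id_rsa.pub"
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed/dsa/key/not/real user@sunbox' > "$1/.ssh/id_dsa.pub"
    echo '1024 35 1234567890123456789012345678901234567890 user@sunbox' > "$1/.ssh/identity.pub"
    cat "$1/.ssh/identity.pub" "$1/.ssh/id_rsa.pub" "$1/.ssh/id_dsa.pub" > "$1/.ssh/good_keys"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
# keys pasted from the remote machine; the dsa key got wrapped
1024 35 1234567890123456789012345678901234567890 user@sunbox
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed/rsa/key/not/real user@sunbox
ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed/dsa/
key/not/real user@sunbox
EOF
    chmod 600 "$1/.ssh/authorized_keys" "$1/.ssh/good_keys"
}

# Demo. Real use:  check_authorized_keys ~/.ssh/authorized_keys; check_ssh_dir ~
D=${TMPDIR:-/tmp}/akdemo.$$
mkdir "$D" && write_sample_home "$D"
check_authorized_keys "$D/.ssh/good_keys"       && echo "good_keys: every line is a key"
check_authorized_keys "$D/.ssh/authorized_keys" || echo "authorized_keys: rejoin the wrapped key"
key_authorized "$D/.ssh/id_rsa.pub" "$D/.ssh/authorized_keys" && echo "id_rsa.pub is authorized"
key_authorized "$D/.ssh/id_dsa.pub" "$D/.ssh/authorized_keys" || echo "id_dsa.pub is NOT authorized"
check_ssh_dir "$D" && echo "permissions acceptable to StrictModes"
rm -rf "$D"
```

Run check_authorized_keys on the machine you log in TO and check_ssh_dir on
the home directory there; run key_authorized with the .pub file from the
machine you log in FROM. sshd also checks ownership (the files must belong to
the user or root), which ls -l shows but this script does not test.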
80. There is a good freeware ssh client for Windows called PuTTY.
http://www.chiark.greenend.org.uk/~sgtatham/putty/
When you configure PuTTY, make sure you select the SSH protocol and not
telnet. Turn on PuTTY's X11 forwarding option so the X Window traffic is
tunnelled through the ssh connection.
81. There is a good freeware version of X Windows called XFree86.
http://cygwin.com/
Plus I have a document on how to install and configure this guy.
82. There is a good commercial version of X Windows called Hummingbird.
http://www.hummingbird.com/
83. To verify that X Windows works on the Unix box and displays on your PC's
X server:
user# /usr/openwin/bin/xterm -title hostname -name hostname &
user# /usr/dt/bin/netscape &
For an X client to work you will need the environment variable DISPLAY set:
DISPLAY=your_pc_ip_address:0.0
Note: normally this is set in your Unix startup file .profile. However, if
you are going to tunnel the X Window traffic through ssh then DO NOT set
DISPLAY yourself. sshd sets it for the session to a specific local value
that points at the tunnel, and your ssh client, i.e. PuTTY or SecureCRT,
picks up the forwarded connections automatically. Setting DISPLAY by hand
in .profile overrides that value and sends the X traffic unencrypted,
straight to your PC, or simply fails if the PC does not accept direct
X connections.
99. Once it is confirmed working for at least a few days, and for a few days
after a Unix reboot, then you can disable the following inetd services,
which either carry passwords in the clear or hand out information to anyone
who asks, and which ssh/scp now replace:
ftp telnet shell login exec uucp finger systat netstat echo discard
daytime chargen rusersd walld
root# cp -p /etc/inet/inetd.conf /etc/inet/inetd.conf.0
root# vi /etc/inet/inetd.conf
-- comment out the line for each of the above services by putting ### in
columns 1-3
root# ps -ef | grep inetd
root# kill -1 inetd_pid
(inetd_pid is the pid shown by ps; SIGHUP makes inetd re-read inetd.conf)
Note: once these daemons are off, ssh is the only remote way in. The
machine's exposure on the network is much reduced, but if sshd or prngd
breaks you will have to log in on the Unix machine's console to do any
damage repair.
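Step 99 edits inetd.conf by hand. The script below is an added example, not
part of the original page, that makes the same edit on a copy and then lists
what is still switched on, so the result can be reviewed before it replaces
/etc/inet/inetd.conf and inetd is sent SIGHUP. The inetd.conf content it
writes is constructed for the demo in Solaris format and includes RPC
service lines, because the page lists rusersd and walld, whose entries carry
a /version suffix that a naive name match would miss.

```sh
#!/bin/sh
# Added example, not from the original page: apply the step 99 edit to a
# copy of inetd.conf, then report what is still enabled. The inetd.conf
# below is constructed for the example.

# Services the page retires once ssh/scp are proven to work.
RETIRE="ftp telnet shell login exec uucp finger systat netstat echo discard daytime chargen rusersd walld"

# disable_inetd_services IN OUT -> writes OUT: IN with every RETIRE line
#   commented out by "###" in columns 1-3; comments and blank lines pass
#   through untouched. RPC services are named "name/version" (for example
#   "rusersd/2-3"), so the version suffix is stripped before matching.
disable_inetd_services() {
    awk -v retire="$RETIRE" '
        BEGIN { n = split(retire, r, " "); for (i = 1; i <= n; i++) off[r[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        { name = $1; sub(/\/.*/, "", name)
          if (name in off) print "###" $0; else print }
    ' "$1" > "$2"
}

# inetd_enabled FILE -> the distinct service names still active in FILE
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF > 0 { name = $1; sub(/\/.*/, "", name); print name }' "$1" | sort -u
}

# retired_still_on FILE -> 0 if none of RETIRE remains enabled in FILE,
#   1 (with a message per offender) otherwise
retired_still_on() {
    rc=0
    for s in `inetd_enabled "$1"`; do
        for r in $RETIRE; do
            if [ "$s" = "$r" ]; then
                echo "$1: $s is still enabled" 1>&2
                rc=1
            fi
        done
    done
    return $rc
}

# write_sample_inetd FILE -> a constructed Solaris-style inetd.conf
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed inetd.conf for the example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
rusersd/2-3     tli     rpc/datagram_v,circuit_v        wait    root    /usr/lib/netsvc/rusers/rpc.rusersd      rpc.rusersd
walld/1         tli     rpc/datagram_v,circuit_v        wait    root    /usr/lib/netsvc/rwall/rpc.rwalld        rpc.rwalld
100068/2-5      dgram   rpc/udp wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
EOF
}

# Demo on a copy. Against the live file the order is:
#   cp -p /etc/inet/inetd.conf /etc/inet/inetd.conf.0
#   disable_inetd_services /etc/inet/inetd.conf.0 /etc/inet/inetd.conf
#   retired_still_on /etc/inet/inetd.conf   (then kill -1 the inetd pid, step 99)
D=${TMPDIR:-/tmp}/inetddemo.$$
mkdir "$D" && write_sample_inetd "$D/inetd.conf"
disable_inetd_services "$D/inetd.conf" "$D/inetd.conf.new"
echo "still enabled after the edit:"
inetd_enabled "$D/inetd.conf.new"
retired_still_on "$D/inetd.conf.new" && echo "all retired services are off"
rm -rf "$D"
```

Whatever inetd_enabled still prints after the edit (in the demo, only the
RPC program 100068) is what the machine keeps offering on the network, so
read that list and decide each entry on purpose; anything left that you do
not need belongs in RETIRE too.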