[Repost] Installation and configuration of OpenSSH on a Linux system

xiaoxiao, 2021-03-05


Overview

Many network programs, such as telnet, rsh, rlogin and rexec, transmit passwords and other sensitive information in plain text, so anyone with a computer attached to the network can eavesdrop on the traffic between these programs and their servers and capture passwords and other secrets. Telnet is indispensable for day-to-day administration, yet it is not secure, so what should replace it? OpenSSH is the replacement for these outdated and insecure remote login programs: telnet, rlogin, rsh, rdist and rcp.

The OpenSSH README says: ssh (Secure Shell) is a program for logging into a remote host over a network and executing commands there. It provides strong authentication and secure communication over an insecure network.

We configure OpenSSH with support for TCP Wrappers (the inetd super server), which improves security further and avoids running sshd as a daemon in the background. When a client program requests a connection, the TCP Wrappers daemon (tcpd) verifies and authorizes the request before handing the connection over to sshd. OpenSSH is free software and uses encryption algorithms that are not encumbered by patents. I therefore suggest using OpenSSH (free, with a number of bugs fixed) rather than SSH1 (free, but with bugs) or SSH2 (now distributed under a commercial license).

Precautions

All commands below are Unix-compatible commands.

The source path is "/var/tmp" (other paths can of course be used, depending on your situation).

Installation was tested on Red Hat Linux 6.1 and 6.2.

Install as the "root" user.

The OpenSSH version used is 1.2.3.

Source of the package

OpenSSH home page: http://violet.ibs.com.au/openssh/.

Download: openssh-1.2.3.tar.gz.

Preparation

Compiling OpenSSH requires the zlib-devel package, which contains the header files and the library needed to build the zlib compression and decompression functions, so install it beforehand. It can be installed from the Red Hat 6.1 or 6.2 CD-ROM.

- Check whether the zlib-devel package is already installed on the system with the following command:

[root@deep /]# rpm -qi zlib-devel

- Install the zlib-devel package on the system with the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel ##################################################
[root@deep RPMS]# cd /; umount /mnt/cdrom/

OpenSSL must be installed before OpenSSH can be used: even if you do not use OpenSSL to create or store encrypted files yourself, OpenSSH needs the OpenSSL libraries to run.

Things to note when installing packages

It is best to list all files on the system before and after compiling, and then compare the two lists with the "diff" command to find the differences and learn where the software was installed. Simply run "find /* > OpenSSH1" before compiling, run "find /* > OpenSSH2" after compiling and installing the software, and finally identify the changes with "diff OpenSSH1 OpenSSH2 > OpenSSH-Installed".

Compilation and installation

Unpack the package (tar.gz):

[root@deep /]# cp openssh-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf openssh-version.tar.gz

Compilation and optimization

First step

Change into the new OpenSSH directory and first set the compilation flags for the compiler:

CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl

These settings tell the compiler how to build OpenSSH:

- Link against the libwrap library and add support for TCP Wrappers

- Avoid the Linux/glibc 2.1.2 delay, shortening the time needed to establish a connection

- Set the path to the OpenSSL library so that OpenSSH can run normally

Second step

Now compile and install OpenSSH:

[root@deep openssh-1.2.3]# make
[root@deep openssh-1.2.3]# make install
[root@deep openssh-1.2.3]# make host-key
[root@deep openssh-1.2.3]# install -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd

The "make" command compiles the source into executable binaries, "make install" puts the binaries and configuration files in the appropriate directories, "make host-key" generates the host key, and the "install" command installs PAM support for OpenSSH on Red Hat Linux.

Remove unnecessary files

Use the following commands to delete the files that are no longer needed:

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf openssh-version/ openssh-version.tar.gz

The "rm" command deletes all the source files needed to compile and install OpenSSH, together with the OpenSSH source archive.

Configuration

You can download the "floppy.tgz" file from http://www.openna.com/books/floppy.tgz. After unpacking "floppy.tgz" you will find the configuration files for all the software covered in this book in the corresponding directories, so there is no need to regenerate these files by hand or to paste them into the configuration files by copy and paste. Whether you generate the configuration files yourself or copy them, you must learn how to modify them and how to copy them to the correct directories; the details are described below. To run OpenSSH you must create or copy the following files to the appropriate directories:

- Copy the "sshd_config" file to the "/etc/ssh" directory

- Copy the "ssh_config" file to the "/etc/ssh" directory

- Copy the "ssh" file to the "/etc/pam.d/" directory

After unpacking "floppy.tgz", find the files listed above and copy them to the appropriate directories, or copy and paste them directly from this book.

Configure the "/etc/ssh/ssh_config" file

The "/etc/ssh/ssh_config" file is the OpenSSH system-wide client configuration file; it lets you change the behaviour of the client program by setting different options. Each line of the file contains a "keyword value" pair, where the keyword is case-insensitive. The most important keywords are listed below; use the man command to view the help page (ssh(1)) for a complete list.

Edit the "ssh_config" file (vi /etc/ssh/ssh_config) and add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The following explains the option settings above line by line:

Host *

The "Host" option restricts the declarations that follow it to hosts matching the given string. "*" means all hosts.

ForwardAgent no

"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote host.

ForwardX11 no

"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and the DISPLAY set.

RhostsAuthentication no

"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.

RSAAuthentication yes

"RSAAuthentication" sets whether RSA authentication is used.

PasswordAuthentication yes

"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no

"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.

UseRsh no

"UseRsh" sets whether rlogin/rsh are used on this host.

BatchMode no

"BatchMode", if set to "yes", disables the passphrase/password prompt. This option is useful when the password cannot be entered interactively, for example in scripts and batch jobs.

CheckHostIP yes

"CheckHostIP" sets whether ssh additionally checks the IP address of the host it connects to, in order to detect DNS spoofing. Setting it to "yes" is recommended.

StrictHostKeyChecking no

"StrictHostKeyChecking", if set to "yes", means ssh never automatically adds host keys to the "$HOME/.ssh/known_hosts" file and refuses to connect once a host's key has changed.

IdentityFile ~/.ssh/identity

"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22

"Port" sets the port to connect to on the remote host.

Cipher blowfish

"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~

"EscapeChar" sets the escape character.

Configure the "/etc/ssh/sshd_config" file

"/etc/ssh/sshd_config" is the OpenSSH server configuration file; its options change how the sshd daemon runs. Each line of the file contains a "keyword value" pair, where the keyword is case-insensitive. The most important keywords are listed below; use the man command to view the help page (sshd(8)) for a complete list.

Edit the "sshd_config" file (vi /etc/ssh/sshd_config) and add or change the following parameters:

# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

The following explains the option settings above line by line:

Port 22

"Port" sets the port number that sshd listens on.

ListenAddress 192.168.1.1

"ListenAddress" sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key

"HostKey" sets the file containing the host's private key.

ServerKeyBits 1024

"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600

"LoginGraceTime" sets how long (in seconds) the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600

"KeyRegenerationInterval" sets after how many seconds the server key is automatically regenerated (if it is used). Regenerating the key prevents intercepted sessions from being decrypted later with a stolen key.

PermitRootLogin no

"PermitRootLogin" sets whether root can log in with ssh. This option must not be set to "yes".

IgnoreRhosts yes

"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.

IgnoreUserKnownHosts yes

"IgnoreUserKnownHosts" sets whether sshd ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.

StrictModes yes

"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often leave their directories and files writable by anyone.

X11Forwarding no

"X11Forwarding" sets whether X11 forwarding is permitted.

PrintMotd yes

"PrintMotd" sets whether sshd prints "/etc/motd" when a user logs in.

SyslogFacility AUTH

"SyslogFacility" sets the facility code used when logging messages from sshd.

LogLevel INFO

"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no

"RhostsAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" alone is sufficient.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" together with RSA host authentication is allowed.

RSAAuthentication yes

"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes

"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no

"PermitEmptyPasswords" sets whether login to accounts with empty passwords is allowed.

AllowUsers admin

"AllowUsers" can be followed by any number of user name or user@host patterns, separated by spaces. The host name may be a DNS name or an IP address.
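As an added example (not part of the original article or of OpenSSH): a small POSIX shell audit that reads an OpenSSH-style "keyword value" file, such as the ssh_config and sshd_config shown above, and reports every setting that is missing or that differs from the value the article recommends. The sample configuration, the expected-settings list and the function names are constructed for this example; keyword matching is case-insensitive, as both configuration files require, and only the first value token of a line is compared.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an OpenSSH
# "keyword value" configuration file (ssh_config or sshd_config) against a
# list of expected settings.  Keywords are matched case-insensitively, as the
# article notes; blank lines and "#" comments are skipped.  Only the first
# value token of a line is compared, so a multi-value line such as
# "AllowUsers admin guest" is compared on "admin" only.

# Constructed sample sshd_config.  Compared with the article's settings it has
# two wrong values (PermitRootLogin, X11Forwarding) and two missing keywords
# (PermitEmptyPasswords, RhostsAuthentication); keyword case varies on purpose.
SAMPLE_CONFIG='# constructed sample sshd_config
Port 22
ListenAddress 192.168.1.1
permitrootlogin yes
IgnoreRhosts yes
X11Forwarding yes
PasswordAuthentication yes
AllowUsers admin'

# Settings to verify, one "Keyword value" per line, taken from the article's
# sshd_config.
EXPECTED_SSHD='PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
RhostsAuthentication no'

# get_setting FILE KEYWORD: print the first value of KEYWORD in FILE
# (case-insensitive keyword match), or nothing if it is not set.
get_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_config FILE EXPECTED: print one line per deviation, either
# "MISSING Keyword expected" or "MISMATCH Keyword actual expected".
# Returns 0 when every expected setting is present and matches, 1 otherwise.
audit_config() {
    file=$1
    expected=$2
    status=0
    while read -r key want; do
        [ -z "$key" ] && continue
        got=$(get_setting "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key $want"
            status=1
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != \
               "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "MISMATCH $key $got $want"
            status=1
        fi
    done <<EOF
$expected
EOF
    return $status
}

# Demonstration: write the constructed sample to a temporary file and audit it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_file"
audit_config "$demo_file" "$EXPECTED_SSHD" || echo "deviations found in $demo_file"
rm -f "$demo_file"
```

To audit a real installation, call audit_config with /etc/ssh/sshd_config and whichever expected list you keep for your servers; the same function works for /etc/ssh/ssh_config because both files share the "keyword value" layout.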

Configure OpenSSH to use the TCP Wrappers inetd super server

TCP Wrappers, via inetd, is used to start and stop the sshd service. When inetd runs, it reads its configuration from the configuration file (by default "/etc/inetd.conf"). The items on each line of the configuration file are separated by tabs or spaces.

First step

Edit the "inetd.conf" file (vi /etc/inetd.conf) and add this line:

ssh stream tcp nowait root /usr/sbin/tcpd sshd -i

Note: the "-i" parameter is important; it tells sshd that it is being run by inetd. After adding this line, make inetd reread "inetd.conf" by sending it a SIGHUP signal (killall -HUP inetd):

[root@deep /root]# killall -HUP inetd

Second step

Edit the "hosts.allow" file (vi /etc/hosts.allow) and add this line:

sshd: 192.168.1.4 win.openarch.com

This line states that the host with IP address "192.168.1.4" and host name "win.openarch.com" is allowed to access the server with ssh. The following "daemon" strings (for TCP Wrappers) are used by sshd:

sshdfwd-X11 (allow or deny X11 forwarding), sshdfwd-<port-number> (TCP forwarding) and sshdfwd-<port-name> (port name as defined in /etc/services, used for TCP forwarding).

Note: if you intend to use ssh, you must use it on all servers. If ten secure servers and one insecure server are put together, there is no security to speak of.
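Added example (not from the original article or from TCP Wrappers itself): a shell function that predicts the tcpd access decision for a given service and client against constructed hosts.allow and hosts.deny contents, following the documented order of evaluation (hosts.allow first, then hosts.deny, then allow by default). The rule strings, the default-deny hosts.deny line and the function names are assumptions made for this example, and only the common client patterns (ALL, an exact host or address, a dotted prefix and a dotted suffix) are handled, so it is a way to check what a hosts.allow line like the one above admits, not a replacement for tcpdmatch(8).

```shell
#!/bin/sh
# Added example, not part of the original article: predict the TCP Wrappers
# access decision for a client.  tcpd consults /etc/hosts.allow first (a match
# grants access), then /etc/hosts.deny (a match refuses access), and grants
# access when neither file matches.  Supported client patterns: ALL, an exact
# host name or IP address, a network prefix ending in a dot ("192.168.1.")
# and a domain suffix starting with a dot (".openarch.com").  Rule lines have
# the form "daemon_list : client_list"; list items are separated by spaces or
# commas.  Rule sets are passed as strings so the example runs offline.

# Constructed hosts.allow: the article's sshd line plus an X11-forwarding rule.
ALLOW_RULES='# constructed hosts.allow
sshd: 192.168.1.4 win.openarch.com
sshdfwd-X11: .openarch.com'

# Constructed hosts.deny: refuse everything not explicitly allowed (assumption:
# the usual default-deny policy; the article does not show hosts.deny).
DENY_RULES='ALL: ALL'

# rules_match SERVICE CLIENT RULES: return 0 if any rule line in RULES names
# SERVICE (or ALL) and has a client pattern matching CLIENT.
rules_match() {
    printf '%s\n' "$3" | awk -v svc="$1" -v cli="$2" '
        function pat_match(p, c) {
            if (p == "ALL" || p == c) return 1
            # "192.168.1." matches clients beginning with that prefix
            if (substr(p, length(p)) == "." && index(c, p) == 1) return 1
            # ".openarch.com" matches clients ending with that suffix
            if (substr(p, 1, 1) == "." && length(c) > length(p) &&
                substr(c, length(c) - length(p) + 1) == p) return 1
            return 0
        }
        NF == 0 || $1 ~ /^#/ { next }
        {
            if (split($0, part, ":") < 2) next
            nd = split(part[1], daemons, /[ \t,]+/)
            nc = split(part[2], clients, /[ \t,]+/)
            hit = 0
            for (i = 1; i <= nd; i++)
                if (daemons[i] == "ALL" || daemons[i] == svc) hit = 1
            if (!hit) next
            for (j = 1; j <= nc; j++)
                if (clients[j] != "" && pat_match(clients[j], cli)) { found = 1; exit }
        }
        END { exit !found }'
}

# wrappers_decision SERVICE CLIENT: print "allow" or "deny" for the
# constructed rule sets above.
wrappers_decision() {
    if rules_match "$1" "$2" "$ALLOW_RULES"; then
        echo allow
    elif rules_match "$1" "$2" "$DENY_RULES"; then
        echo deny
    else
        echo allow
    fi
}

# Demonstration: who may reach sshd under the constructed rules.
for client in 192.168.1.4 192.168.1.5 win.openarch.com; do
    echo "sshd from $client: $(wrappers_decision sshd "$client")"
done
```

Because sshd presents the sshdfwd-X11 and sshdfwd-<port> daemon names separately, a client permitted for "sshd" is still refused X11 or port forwarding unless a rule for that daemon name matches, which the example reproduces.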

More information

For detailed information, use the man command to view the relevant help pages:

$ man ssh (1) - OpenSSH secure shell client (remote login program)
$ man ssh [slogin] (1) - OpenSSH secure shell client (remote login program)
$ man ssh-add (1) - adds identities for the authentication agent
$ man ssh-agent (1) - authentication agent
$ man ssh-keygen (1) - authentication key generation
$ man sshd (8) - secure shell daemon

SSH1 per-user configuration

First step

Create a private and public key pair on the local server by running the following commands:

[root@deep]# su username
[username@deep]$ ssh-keygen1

For example, the output may look like this:

Initializing random number generator...
Generating p: ........................... (distance 430)
Generating q: ..................... (distance 456)
Computing the key...
Testing the key...
Key generation complete.
Enter file in which to save the key (/home/username/.ssh/identity): [press Enter]
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/username/.ssh/identity.
Your public key is:
1024 37 149377575112519555336911203184772938622900493947151365111458061088700017643784946768312975778431585322723612061006231460440536487184367748423324091941848098890786099717524446977589647127757030728779973708569993017043141563536333068888944038178461608592483844590202154102756903055846534063365635584899765402181 username@deep.openarch.com
Your public key has been saved in /home/username/.ssh/identity.pub

Note: if you have several accounts, create a key for each account. You may have to create keys for the following servers:

- mail server

- web server

- gateway server

This restricts access to these servers; for example, an account on the mail server is not allowed to access the web server or the gateway server. This improves overall security: even if a key leaks for some reason, the other servers are not affected.

Second step

Copy this machine's public key to the "/home/username/.ssh" directory on the remote host, for example under the name "authorized_keys".

Note: one way to copy the file is with the ftp command; another is to send the public key (the contents of the "~/.ssh/identity.pub" file) to the system administrator by e-mail.
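Added example (not from the original article): a shell function that installs an identity.pub line into the remote account's ~/.ssh/authorized_keys the way the step above describes, applying the directory and file modes that sshd's StrictModes setting checks, validating the SSH1 "bits exponent modulus comment" line format and refusing to append a modulus that is already present. The sample key, the throwaway home directory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: install an SSH1-format
# public key line ("bits exponent modulus comment", the format ssh-keygen1
# writes to identity.pub) into a user's authorized_keys file.  The directory
# and file get the restrictive modes that sshd's StrictModes check expects
# (0700 on ~/.ssh, 0600 on authorized_keys), malformed lines are rejected and
# a key whose modulus is already present is not appended twice.

# Constructed sample key: the modulus is a short placeholder, not a real key.
SAMPLE_PUBKEY='1024 37 1234567890123456789 username@deep.openarch.com'

# is_ssh1_pubkey LINE: return 0 if LINE looks like "bits exponent modulus
# [comment]" with numeric first three fields.
is_ssh1_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ [0-9]+ [0-9]+( .*)?$'
}

# install_pubkey HOMEDIR KEYLINE: append KEYLINE to HOMEDIR/.ssh/authorized_keys.
# Prints "added", "duplicate" or "invalid"; returns 1 only for "invalid".
install_pubkey() {
    sshdir="$1/.ssh"
    authfile="$sshdir/authorized_keys"
    key=$2

    if ! is_ssh1_pubkey "$key"; then
        echo invalid
        return 1
    fi
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Duplicate check on the modulus (third field), compared as a string so a
    # long modulus is not rounded as a floating-point number; the comment may
    # differ between the two lines.
    modulus=$(printf '%s\n' "$key" | awk '{ print $3 }')
    if awk -v m="$modulus" '($3 "") == (m "") { found = 1; exit } END { exit !found }' "$authfile"; then
        echo duplicate
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
    echo added
}

# key_count HOMEDIR: number of non-empty lines in authorized_keys (0 if absent).
key_count() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c . "$1/.ssh/authorized_keys"
    else
        echo 0
    fi
}

# Demonstration in a throwaway home directory: the second call is a duplicate.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"
echo "keys installed: $(key_count "$demo_home")"
rm -rf "$demo_home"
```

On a real account the administrator would run install_pubkey with the user's home directory and the line received from identity.pub, then chown the .ssh directory and file to that user, since StrictModes also rejects files the user does not own.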

Changing the passphrase

The passphrase can be changed at any time with the "ssh-keygen" command and the "-p" parameter. Use the following commands to change the passphrase:

[root@deep]# su username
[username@deep]$ ssh-keygen1 -p

Enter file key is in (/home/username/.ssh/identity): [press Enter]
Enter old passphrase:
Key has comment 'username@deep.openarch.com'
Enter new passphrase:
Enter the same passphrase again:
Your identification has been saved with the new passphrase.

OpenSSH user tools

The following are some of the commands we use most often; there are of course many others, and more detailed information can be found in the man pages or other documentation.

ssh

ssh (Secure Shell) is a program for logging into a remote computer and executing commands on it. It replaces rlogin and rsh and provides secure, encrypted communication between two computers over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

Use the following command to log in to a remote computer:

[root@deep]# ssh -l <login_name> <hostname>

For example:

[root@deep]# ssh -l username www.openarch.com
username@deep.openarch.com's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from get.openarch.com on deepforest.

<login_name> is the user name used to log in to the ssh server, <hostname> is the address of the ssh server host.

scp

The "scp" command copies files from the local computer to a remote computer, in the other direction, and even between two remote computers. A simple way to copy a file from a remote host into the current directory is shown below.

Use the following commands to copy a file from the remote host to the local host:

[root@deep /]# su admin
[admin@deep /]$ scp -p <username>@<hostname>:/dir/for/file localdir/to/filelocation

For example:

[username@deep]$ scp -p username@mail:/etc/test1 /tmp
Enter passphrase for RSA key 'username@mail.openarch.com':
test1 | 2 KB | 2.0 kB/s | ETA: 00:00:00 | 100%

Use the following commands to copy a file from the local host to the remote host:

[root@deep /]# su admin
[admin@deep /]$ scp -p localdir/to/filelocation <username>@<hostname>:/dir/for/file

For example:

[username@deep]$ scp -p /usr/bin/test2 username@mail:/var/tmp
username@mail's password:
test2 | 7 KB | 7.9 kB/s | ETA: 00:00:00 | 100%

Note: the "-p" option preserves the file's modification and access times and its permissions during the copy. It is usually used this way.

Files installed on the system

/etc/ssh
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh_host_key
/etc/ssh_host_key.pub
/usr/bin/ssh
/usr/bin/slogin
/usr/man/man1/ssh.1
/usr/man/man1/scp.1
/usr/man/man1/ssh-add.1
/usr/man/man1/ssh-agent.1
/usr/man/man1/ssh-keygen.1
/usr/bin/scp
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/man/man1/slogin.1
/usr/man/man8/sshd.8
/usr/sbin/sshd

Free SSH client software for Windows

PuTTY

PuTTY home page: http://www.chiark.greenend.org.uk/~sgtatham/putty.html

Tera Term Pro and TTSSH

Tera Term Pro home page: http://hp.vector.co.jp/authors/va002416/teraterm.html

TTSSH home page: http://www.zip.com.au/~roca/download.html

Copyright statement

This article is translated and adapted from Gerhard Mourani's "Securing and Optimizing Linux: RedHat Edition"; for the original text and its copyright terms, see www.openna.com.

The copyright of the Chinese version belongs to the author brimmer and www.linuxaid.com.cn.

Please cite the original address when reposting: https://www.9cbs.com/read-36549.html
