- If you are running a recent version of RedHat then you can cheat by running this script:
#!/bin/sh
# Fetch ssh-1.2.27 and RSAREF, check the ssh archive against a known MD5
# digest, build with RSAREF and libwrap, install, and register the sshd
# startup script with chkconfig.
SSH=ssh-1.2.27
SSH_ARCHIVE=$SSH.tar.gz
MD5='c22bc000bee0f7d6f4845eab72a81395'
ncftpget ftp://ftp.cs.hut.fi/pub/ssh/$SSH_ARCHIVE
# Substring match on md5sum's output; the archive is rejected if the
# download failed or the digest differs.
if md5sum "$SSH_ARCHIVE" | grep "$MD5" >/dev/null
then
        echo "$SSH downloaded; extracting."
else
        echo "Bad checksum on $SSH_ARCHIVE!"
        echo "Please be careful with it, as it may be"
        echo "corrupt or subverted."
        echo
        echo "Aborting ssh installation."
        exit 1
fi
ncftpget ftp://ftp.funet.fi/pub/crypt/cryptography/asymmetric/rsa/rsaref2.tar.gz
tar -xzvf "$SSH_ARCHIVE" >/dev/null
cd "$SSH" || exit 1
# RSAREF must be unpacked inside the ssh source tree for --with-rsaref.
tar -xzvf ../rsaref2.tar.gz
# --program-transform-name applies the sed expression to the installed
# program names (ssh becomes rsh, scp becomes rcp, and so on), so the
# ssh tools take the place of the rsh tools built with --without-rsh.
./configure --with-etcdir=/etc/ssh --with-x --without-rsh --with-rsaref --with-libwrap --prefix=/usr --program-transform-name='s/^s/r/'
make >/dev/null
make install
# Seed the known hosts file and fetch the startup script from the local servers.
/usr/bin/scp neptune:/etc/ssh_known_hosts /etc/ssh/ssh_known_hosts
/usr/bin/scp maxwell:/maxwell/user0/chandra/adm/ssh/linuxstartup /etc/rc.d/init.d/sshd
chkconfig --add sshd
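The script above checks only the ssh archive, and does so by grepping for the digest anywhere in md5sum's output. The helper below is an added example, not part of the original notes: it compares the digest field exactly and can be called once per archive (the rsaref2.tar.gz download is otherwise unchecked). The function name is an assumption; the file and digest used to exercise it are constructed.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_MD5
# Exact comparison of a downloaded archive's MD5 digest against a known
# value. Returns 0 on a match, 1 if the file is missing or the digest
# differs. Added example (not from the original notes); meant to be
# called before extracting each archive, e.g.
#   verify_md5 "$SSH_ARCHIVE" "$MD5" || exit 1
#   verify_md5 rsaref2.tar.gz "$RSAREF_MD5" || exit 1   # RSAREF_MD5 assumed
verify_md5() {
        file=$1
        expected=$2
        if [ ! -f "$file" ]; then
                echo "$file: not found (download failed?)" >&2
                return 1
        fi
        # md5sum prints "<digest>  <name>"; keep only the digest field.
        actual=`md5sum "$file" | awk '{print $1}'`
        if [ "$actual" = "$expected" ]; then
                echo "$file: checksum OK"
                return 0
        fi
        echo "$file: BAD checksum (got $actual, expected $expected)" >&2
        echo "Treat it as corrupt or subverted; do not extract it." >&2
        return 1
}
```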
- Get the ssh source from ftp.cs.hut.fi
- Get rsaref from ftp.funet.fi
- For Irix 6.5 get the Irix binaries from CISE
- Untar ssh-1.2.27.tar.gz, cd into the ssh dir, then untar rsaref2.tar.gz inside there and run:
./configure --with-etcdir=/etc/ssh --with-x --without-rsh --with-rsaref --with-libwrap
On Alpha Linux/Digital Unix edit the file rsaref2/source/global.h and typedef UINT2 to be an unsigned short rather than an unsigned short int. Also change UINT4 to be an unsigned int rather than an unsigned long int (on the 64-bit Alpha an unsigned long is 64 bits wide, so RSAREF's 32-bit word type would be the wrong size).
Remember that make distclean does not remove the files in the rsaref/source dir; you have to remove the lib and .o files by hand.
- make
- make -n install
- Check to be sure that make install will do what you like
- Then, as root: make install
Note: If ssh2 is already installed on this machine then you must decide whether you will use ssh2 or ssh1. On the DEC Alphas ssh2 does not currently work, so remove the /local/bin/ssh link that points to ssh2 and create a new /local/bin/ssh link pointing to ssh1. Do the same for ssh-keygen etc. Here is an ls from a machine properly configured to use ssh1:
/local/bin/ssh@ -> ssh1*
/local/bin/ssh-add@ -> ssh-add1*
/local/bin/ssh-add1*
/local/bin/ssh-agent@ -> ssh-agent1*
/local/bin/ssh-agent1*
/local/bin/ssh-askpass@ -> ssh-askpass1*
/local/bin/ssh-askpass1*
/local/bin/ssh-keygen@ -> ssh-keygen1*
/local/bin/ssh-keygen1*
/local/bin/ssh1*
- Make sshd start on boot:
Here is a startup file for Solaris 2.6:
#! /bin/sh
#
# start/stop the secure shell daemon
# Make links to get sshd started/stopped at the right time:
# /etc/rc0.d/K57sshd
# /etc/rc1.d/K57sshd
# /etc/rc2.d/S99sshd
case "$1" in
'start')
        # Start the ssh daemon
        if [ -f /usr/local/sbin/sshd ]; then
                echo "starting SSHD daemon"
                /usr/local/sbin/sshd &
        fi
        ;;
'stop')
        # Stop the ssh daemon: kill every root-owned sshd process
        PID=`/usr/bin/ps -e -u 0 | /usr/bin/fgrep sshd | /usr/bin/awk '{print $1}'`
        if [ ! -z "$PID" ] ; then
                /usr/bin/kill ${PID} 1>/dev/null 2>&1
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
Here is a startup script for Digital Unix 4.0D:
#!/sbin/sh
#
# Make links to get the scripts run at start/stop:
# /sbin/rc0.d/K25sshd
# /sbin/rc2.d/K30sshd
# /sbin/rc3.d/S40sshd
#
case "$1" in
'start')
        echo "SSH Daemon Started"
        # uac sets the unaligned-access handling for the subshell before sshd starts
        (uac p 0; /usr/local/sbin/sshd)
        ;;
'stop')
        # First pid in the process list whose command is sshd
        pid=`/bin/ps -e | grep sshd | sed -e 's/^ *//' -e 's/ .*//' | head -1`
        if [ "X$pid" != "X" ]; then
                /bin/kill $pid
        else
                echo "No pid for sshd Service found"
                exit 1
        fi
        ;;
*)
        echo "usage: $0 {start|stop}"
        ;;
esac
Here is a startup file for Irix 6.5:
#! /sbin/sh
# Links should be made to get the start and stop scripts run:
# /etc/rc0.d/K99sshd
# /etc/rc2.d/S99sshd
# daemons which may be present when taking the system down
DEMONS="sshd"
case $1 in
'start')
        /usr/local/sbin/sshd -f /etc/ssh/sshd_config
        ;;
'stop')
        # Ask politely (SIGTERM), then kill whatever is still running
        /sbin/killall 15 $DEMONS
        sleep 1
        /sbin/killall $DEMONS
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
Here is a startup file for Linux:
#!/bin/sh
#
# sshd          This shell script takes care of starting and stopping
#               sshd.
#
# chkconfig: 2345 80 30
# description: sshd is a secure daemon that replaces rshd and telnetd
# processname: sshd
# config: /etc/sshd_config
# pidfile: /var/run/sshd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up (quoted so an unset NETWORKING does not break the test).
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/local/sbin/sshd ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting sshd: "
        daemon /usr/local/sbin/sshd
        echo
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down sshd: "
        killproc sshd
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status sshd
        ;;
  *)
        echo "Usage: sshd {start|stop|restart|status}"
        exit 1
        ;;
esac
exit 0
After you have the above script in place, generate the start and stop links with the command:
chkconfig --add sshd
- On subsequent machines you can just rdist the binaries and manpages and then set up the scripts to get things going. There are a couple of Distfiles following.
Here is an rdist Distfile to set up the Alpha Linux machines after doing the install on Helix14:
# Distfile for ssh-1.2.27. The command to rdist this out is:
# rdist -p /usr/sbin/rdistd -f /usr/local/adm/rdist/Distfile.ssh
#
HELIX = ( helix01 helix02 helix03 helix04 helix05 helix06 helix07
          helix08 helix09 helix10 helix11 helix12 helix13 )
HOSTS = ( ${HELIX} )
FILES = ( /etc/ssh/ssh_config
          /etc/ssh/sshd_config
          /usr/local/bin/ssh1
          /usr/local/bin/ssh
          /usr/local/bin/ssh-keygen1
          /usr/local/bin/ssh-keygen
          /usr/local/bin/ssh-askpass1
          /usr/local/bin/ssh-askpass
          /usr/local/bin/ssh-agent1
          /usr/local/bin/ssh-agent
          /usr/local/bin/ssh-add1
          /usr/local/bin/ssh-add
          /usr/local/bin/scp1
          /usr/local/bin/scp
          /usr/local/bin/slogin
          /usr/local/bin/make-ssh-known-hosts1
          /usr/local/bin/make-ssh-known-hosts
          /etc/rc.d/init.d/sshd
          /etc/rc.d/rc1.d/K30sshd
          /etc/rc.d/rc0.d/K30sshd
          /etc/rc.d/rc2.d/S80sshd
          /etc/rc.d/rc3.d/S80sshd
          /etc/rc.d/rc4.d/S80sshd
          /etc/rc.d/rc5.d/S80sshd
          /etc/rc.d/rc6.d/K30sshd
          /usr/local/sbin/sshd1
          /usr/local/sbin/sshd )
EXLIB = (
        )

${FILES} -> ${HOSTS}
        install -oremove,chknfs ;
        except ${EXLIB} ;
        # Generates a host key on each target whenever ssh-keygen is updated.
        # A new host key changes the host's identity, so update the clients'
        # ssh_known_hosts afterwards.
        special /usr/local/bin/ssh-keygen
                "/usr/local/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' ";
        special /etc/rc.d/init.d/sshd
                "/etc/rc.d/init.d/sshd restart";
The setup on the SGI machines is a little different, as we use precompiled binaries. Before you rdist this out, edit sshd_config so that it looks for the host key in /etc/ssh and also keeps the random seed in /etc/ssh. Here is a Distfile to set up the Irix machines:
SGI = ( mildew coquina )
HOSTS = ( ${SGI} )
FILES = ( /etc/ssh/ssh_config
          /etc/ssh/sshd_config
          /usr/local/bin/ssh1
          /usr/local/bin/ssh
          /usr/local/bin/ssh-keygen1
          /usr/local/bin/ssh-keygen
          /usr/local/bin/ssh-askpass1
          /usr/local/bin/ssh-askpass
          /usr/local/bin/ssh-agent1
          /usr/local/bin/ssh-agent
          /usr/local/bin/ssh-add1
          /usr/local/bin/ssh-add
          /usr/local/bin/scp1
          /usr/local/bin/scp
          /usr/local/bin/slogin
          /usr/local/bin/make-ssh-known-hosts1
          /usr/local/bin/make-ssh-known-hosts
          /etc/init.d/sshd
          /etc/rc0.d/K99sshd
          /etc/rc2.d/S99sshd
          /usr/local/sbin/sshd1
          /usr/local/sbin/sshd )
EXLIB = (
        )

${FILES} -> ${HOSTS}
        install -oremove,chknfs ;
        except ${EXLIB} ;
        # Same host-key caveat as for the Alpha Linux Distfile: a regenerated
        # key changes the host's identity, so update ssh_known_hosts on the clients.
        special /usr/local/bin/ssh-keygen
                "/usr/local/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' ";
        special /etc/init.d/sshd
                "/etc/init.d/sshd stop;/etc/init.d/sshd start";
- To make ssh-agent start when a user logs in with CDE, change this block in /usr/dt/bin/Xsession:
# Session startup clients and args
#
if [ "$SESSIONTYPE" = "altDt" ]; then
        dtstart_session[0]="$SDT_ALT_SESSION"
        dtstart_hello[0]="$SDT_ALT_HELLO"
else
        dtstart_session[0]="$DT_BINPATH/dtsession"
        dtstart_hello[0]="$DT_BINPATH/dthello &"
fi
to
# Session startup clients and args
#
if [ "$SESSIONTYPE" = "altDt" ]; then
        dtstart_session[0]="$SDT_ALT_SESSION"
        dtstart_hello[0]="$SDT_ALT_HELLO"
else
        if [ -d $HOME/.ssh ]; then
                dtstart_session[0]="/usr/local/bin/ssh-agent $DT_BINPATH/dtsession"
                dtstart_hello[0]="$DT_BINPATH/dthello &"
        else
                dtstart_session[0]="$DT_BINPATH/dtsession"
                dtstart_hello[0]="$DT_BINPATH/dthello &"
        fi
fi
Here is the diff:
251,257c251,252
< if [ -d $HOME/.ssh ]; then
< dtstart_session[0]="/usr/local/bin/ssh-agent
$DT_BINPATH/dtsession"
< dtstart_hello[0]="$DT_BINPATH/dthello &"
< else
< dtstart_session[0]="$DT_BINPATH/dtsession"
< dtstart_hello[0]="$DT_BINPATH/dthello &"
< fi
---
> dtstart_session[0]="$DT_BINPATH/dtsession"
> dtstart_hello[0]="$DT_BINPATH/dthello &"
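Review bot: the hunk is reversed relative to the change described above: the `<` (old) side carries the new ssh-agent block and the `>` (new) side carries the original two dtstart lines, so it was produced with the edited file as the first argument and `patch` would remove the ssh-agent wrapper rather than add it; regenerate it with the original file first (diff Xsession.orig Xsession) so the `if [ -d $HOME/.ssh ]` block appears on the `>` side. The `< dtstart_session[0]="/usr/local/bin/ssh-agent` line is also broken across two lines as shown and would not apply cleanly until rejoined.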
And here is my .dt/sessions/sessionetc:
#!/bin/sh
#
# ask for my passphrase when CDE is running under ssh-agent
#
if [ "$SSH_AGENT_PID" -a -x /usr/local/bin/ssh-add ]; then
        exec /usr/local/bin/ssh-add < /dev/null
fi
- To configure the Solstice PC-Xware client (from NCD, through Sun) for connections tunnelled through ssh you need to edit the file C:\Program Files\Solstice\PCX\CONFIGS\changes.usr. There is a utility which comes with the Solstice client to edit this file: click on Start, then Run, and type in
"c:\program files\Solstice\PCX\xncd.exe" console
To configure the X client to use only ssh you need to prevent it from accepting connections from anywhere other than the localhost (127.0.0.1). Using the xncd.exe program with the console argument:
- Setup
- Change Setup Parameters
- Access Control
- Make sure that Default for Enable X Access Control is on
- Make sure that Enable X Access Control is on
- Make sure that Enable Execution Access Control is on
Now click on New or Delete to leave only 127.0.0.1 in the Access Control Lists. Apply the changes and exit the configuration utility. To test the behaviour:
- Start PC-Xware
- Connect to a Unix host with ssh (make sure X11 forwarding is on)
- Start an X application (xterm, emacs, xeyes, whatever)
- Now try starting an X application with the -display yourip:0 argument
If things are working properly the first X application should have been displayed on your PC, but the second one should have been refused. It is refused because it is trying to connect to the PC's X server directly from the Unix host, rather than tunnelling through ssh.
Here is my file; note the settings for access-control:
xserver-default-font-path = {
{ 'misc' }
{ '75dpi' }
{ 'mswin' }
{ 'xol' }
}
exec-pcx-known-clients = {
{ "/usr/openwin/bin/xterm -tn vt220 -ls -display $DISPLAY &" }
{ "/usr/openwin/bin/cmdtool -display $DISPLAY &" }
{ "/usr/openwin/bin/cm -display $DISPLAY &" }
{ "/usr/openwin/bin/olwm -display $DISPLAY &" }
{ "/usr/openwin/bin/textedit -display $DISPLAY &" }
{ "/usr/openwin/bin/mailtool -display $DISPLAY &" }
{ "/usr/dt/bin/dtterm -tn vt220 -ls -fg white -bg slategray -display $DISPLAY &" }
{ "/usr/dt/bin/dtfile -fg white -bg slategray -display $DISPLAY &" }
{ "/usr/dt/bin/dtpad -display $DISPLAY &" }
{ "/usr/dt/bin/dtcm -fg white -bg slategray -display $DISPLAY &" }
{ "/usr/dt/bin/dtmail -fg white -bg slategray -display $DISPLAY &" }
{ "/usr/bin/X11/xterm -tn vt220 -ls -display $DISPLAY &" }
}
exec-pcx-known-hosts = {
{ "neptune" }
}
exec-wm-for-desktop-mode = microsoft
exec-wm-for-single-window-mode = ncdwm
pref-keyboard-shortcut-strategy = send-them-all-to-windows
pref-font-extended-diagnostics = false
diag-add-timestamps = true
pref-font-substitution = disabled
xserver-enable-initial-x-resources = false
pref-xserver-topdown-colormaps = true
pref-xserver-fast-dash-0-graphics = true
pref-xserver-fast-width-1-graphics = true
wui-use-ip-number-for-display = true
login-persistant-window-manager = false
exec-enable-exec-tcp = true
pref-compatibility-permit-old-x-bugs = true
pref-keyboard-except-alt-enter = false
pref-keyboard-except-alt-esc = false
pref-keyboard-except-alt-f4 = false
pref-keyboard-except-alt-shift-tab = false
pref-keyboard-except-alt-space = false
pref-keyboard-except-alt-tab = false
pref-keyboard-except-ctl-esc = false
pref-local-numlock-support = true
pref-send-desktop-mouse-clicks-to-x = send-them-to-windows
pref-xserver-backing-store = disabled
xserver-initial-x-resources = '#include "C:\Program Files\Solstice\pcx\user\xdefault"'
pref-server-keymap-file = ''
exec-enable-virtual-screen = false
login-xdm-action-on-disconnect = prompt
pref-xserver-mwm-focus-support = true
xserver-allocate-minimum-system-colors = false
exec-virtual-screen = {
{ nil nil "f" nil nil }
}
net-xremote-over-tcp = false
xserver-access-control-enabled-default = true
xserver-access-control-list = {
{ "127.0.0.1" tcpip }
}
xserver-current-access-control-list = {
{ "127.0.0.1" tcpip }
}
exec-access-control-enabled = true
exec-access-control-list = {
{ "127.0.0.1" tcpip }
}
exec-startup-commands = {
{ "select" }
}
serial-test-for-com1 = false
serial-test-for-com2 = false
serial-test-for-com3 = false
serial-test-for-com4 = false
wui-default-application-path = "/usr/openwin/bin"
login-xdm-startup-action = none
wui-terminal-reported = vt220
pref-screen-size-enable = true
- A good PC client for ssh is SecureCRT. You can configure this client to forward X11. To get SecureCRT to remember your pass phrase you have to use regedit. The key to modify is
HKEY_LOCAL_MACHINE\Software\Van Dyke Technologies\SecureCRT\SSH\Save Passphrase In Shared Memory
Change it from a "0" to a "1".
The most secure way to use ssh is with RSA authentication. To do this you should generate a key pair on the PC, then transfer the public key to the Unix system. The SecureCRT help file discusses this; I have reproduced their text here:
RSA authentication uses a public-private key pair to authenticate and log in to an SSH Server. It offers a higher level of authentication security than password authentication by requiring both the private key and the passphrase that protects the private key to complete authentication.
Setting up RSA Authentication for a SecureCRT session is a multi-step process. Identity Files are created with the RSA Key Generation Wizard. The identity file is defined for global or session-specific use in the SSH Advanced Dialog. Then the public key is added to the SSH server's authorized_keys file.
- In the Connect dialog, select an SSH session and click Edit (or create a session by clicking New).
- Click the Advanced button on the Session tab and select Create Identity File on the Identity Filename Tab.
- Follow the instructions in the RSA Key Generation Wizard to create your identity files. The identity filename will be inserted in the current Use session-specific or Use global field in the SSH Advanced Dialog.
- Connect to the remote SSH server using SSH and password authentication.
- Append the contents of the public key file created with the RSA Key Generation Wizard to the file ~/.ssh/authorized_keys on the remote host. The default name of the public key file is identity.pub. Create the ~/.ssh/authorized_keys file if it does not already exist. If you want multiple authorized keys, append the contents of the public key file to the authorized_keys file. The simplest way to do this is typically
% cat identity.pub >> ~/.ssh/authorized_keys
(note that the name of the identity file can be different than the example)
- Now you can change the session to use RSA authentication. Disconnect from the remote server if you have not already done so. In the Connect dialog, select the SSH session and click Edit. Change the Authentication setting from Password to RSA. Click OK to save the changes and click OK again in the Connect dialog to open the connection. If you supplied a passphrase when you created your key, you will be prompted to enter it before you are connected.
Note on placing public keys: The format of the authorized_keys file requires that each entry consist of a single long line. If you use Copy and Paste to add a public key to the ~/.ssh/authorized_keys file, make sure that the entry contains no additional newline characters.
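The note above applies to the SSH1 authorized_keys format, where each entry is "bits exponent modulus [comment]" on one line. The check below is an added example, not from the SecureCRT help or the original notes: it flags entries that were wrapped across lines, using the fact that a bits-bit modulus cannot have fewer than int((bits-1)*log10(2))+1 decimal digits. It assumes entries without the optional leading options field (from=..., command=...); the function name and the key values in the test are constructed and far too short to be real keys.

```shell
#!/bin/sh
# check_authorized_keys FILE
# Scans an SSH1 authorized_keys file for entries broken across lines (as
# Copy and Paste can do). A valid entry is "<bits> <exponent> <modulus>
# [comment]" on a single line; a continuation line fails the numeric test
# and the line that lost its tail has a modulus too short for <bits>.
# Prints one message per bad line; returns 1 if any were found, else 0.
# Added example: assumes no leading options field on the entries.
check_authorized_keys() {
        awk '
                NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments are fine
                NF < 3 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
                        printf "line %d: not a complete \"bits exponent modulus\" entry\n", NR
                        bad++
                        next
                }
                # log10(2) = 0.30103; a 1024-bit modulus has at least 308 digits
                length($3) < int(($1 - 1) * 0.30103) + 1 {
                        printf "line %d: modulus too short for a %d-bit key (wrapped line?)\n", NR, $1
                        bad++
                }
                END { exit (bad > 0) }
        ' "$1"
}
```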
For the users, here is a nice intro to ssh.