[CCP14 Home: (Frames | No Frames)]
CCP14 Mirrors: [UK] | [CA] | [US] | [AU]


CCP14

Methods, Problems and Solutions

Linux Information for Crystallography

Compiling and Installing OpenSSH (Secure Shell clone) for Linux/UNIX

then Disabling Unrequired Daemons such as telnetd, ftpd, fingerd, rshd, rlogind, etc.

The CCP14 Homepage is at http://www.ccp14.ac.uk

[To Problems and Solutions]
[To: BSD UNIX Information for Crystallography]
[To: Linux Information for Crystallography]
[Back to Installing a Linux and Win95 Dual Boot System] |

Overview

Last Updated 9th April 2003 - install OpenSSH 3.6.1p1

SSH is an encrypted protocol (and the program that implements it) for sending and receiving information over possibly insecure networks. It lets you log in to remote machines with the password and the whole session encrypted, so that a sniffer on the network cannot read the plain-text user names and passwords that flow over standard telnet, ftp and other unencrypted protocols.

OpenSSH is the open source, completely free alternative to the pseudo-commercial SSH. In early March 2001, OpenSSH was compiled and installed (replacing SSH) because of security problems with ssh 1.2.x that did not seem to be getting fixed in a timely manner.


An old version of this page, installing Secure Shell 1.2.30 with manual application of patches, is still viewable (but that version of ssh has security holes that attackers can use to gain entry to systems).

An old version of this page, installing Secure Shell 1.2.27 with manual application of patches, is still viewable (but that version of ssh has security holes that attackers can use to gain entry to systems).



Installation

(If compiling on an SGI, use "cc", not "gcc": gcc on IRIX had bugs that broke network applications compiled with it.)


Download, Compile and Install ZLIB


Download, Compile and Install OpenSSL

  • Download and compile the latest release of OpenSSL, available at: http://www.openssl.org/

    • If using an SGI O2 running IRIX 6.5.x, use the following configure invocation: ./Configure irix-cc

    • Then run make to compile OpenSSL, and make install as root.


Download and Install OpenSSH

  • Using the BASH shell, run (for IRIX, so that the n32 linker can find the zlib you just built):

      As root: cp /usr/local/lib/libz* /usr/lib32

    • libwrap should be in /usr/local/lib/libwrap.a
    • tcpd.h should be in /usr/local/include/tcpd.h

    • For OpenSSH 3.4 (and any later release with privilege separation enabled), you have to add an unprivileged sshd user to /etc/passwd and then run "pwconv" to update /etc/shadow. Change the user ID and group ID as required. The home directory and shell are never used for logging in; what sshd does need is the privilege separation directory /var/empty, which must exist and be owned by root, or sshd will refuse to start.
      • sshd:x:74:74:sshd priv sep:/dev/null:/dev/null

    • Also relevant to OpenSSH 3.4 (more complications due to a rushed update) - from Chris:
      • From: (Chris)
        To: Lachlan Cranswick
        Cc: Love, DJG 
        Subject: RE: New Openssh feature that stops it working 
        Date: Thu, 27 Jun 2002 11:41:30 +0100
        
        Hi,
        
        I have added the sshd id the passwd/shadow files. BUT ....
        if you run priv sep on irix, then you CANNOT use compression.
        
        More recent advisories suggest that an alternative to using
        priv sep is to turn off ChallengeResponseAuthentication in
        the sshd_config file. I.e. ensure that the entry
        ChallengeResponseAuthentication no
        exists in the config.
        
        Also, turn off PAMAuthenticationViaKbdInt  This may or may not
        be relevant to IRIX
        
        Turning off the above 2 features is supposed to render ssh
        Not vulnerable to the current hole without the need for the
        sshd entry in the password file (ok you have to turn priv sep
        off as well !) and compression will still work.
        
        I am still catching up with the info that is currently flying
        around about this. If it turns out that we need to run priv
        sep, I'll get back to you.
        
        Chris

    • CC=cc ./configure --build=mips-sgi-irix6.5 --with-tcp-wrappers --with-ldflags='-L/usr/local/lib'
      This generates the Makefile and enables OpenSSH to use the /etc/hosts.allow and /etc/hosts.deny tcp wrappers files. Many web pages describing how to compile OpenSSH under SGI IRIX with "tcpwrappers" support give the wrong options, which causes confusion: e.g., configure fails to find libwrap.a even though you specified where it is with a ./configure option.

    (libwrap.a and tcpd.h come from building the TCP Wrappers distribution at ftp://ftp.porcupine.org/pub/security/)

  • Run make

  • As root, run make install, which installs the executables into /usr/local/sbin and /usr/local/bin and the configuration files into the sysconfdir. Watch the output as it runs: the default sysconfdir is /usr/local/etc, so the config files only land in /etc (as assumed in the steps below) if you passed --sysconfdir=/etc to configure. make install also generates host keys if none exist yet.

  • Edit /etc/sshd_config until the configuration looks the way you want. I tend to not permit direct root login (PermitRootLogin no) and not permit empty passwords (PermitEmptyPasswords no); restricting the server to Protocol 2 is also worth doing, as the protocol 1 design has known weaknesses.

  • Edit /etc/ssh_config and set ForwardX11 yes (and ForwardAgent yes if you need the agent) if you wish to run X applications via secure shell. Note that agent forwarding lets root on the remote host use your keys for as long as you are connected, so enable it per Host entry for machines you trust rather than globally.

  • Edit /etc/hosts.allow and /etc/hosts.deny and set which computers you will allow to connect to your computer. Put ALL:ALL in /etc/hosts.deny and list the domains you want people to be able to log in from, including your own, in /etc/hosts.allow. Tcp wrappers checks hosts.allow first, then hosts.deny, and a client matching neither file is let in, which is why the ALL:ALL deny line matters. (The .domain forms below rely on the client's reverse DNS.) I.e.,

    /etc/hosts.allow

    ALL: LOCAL, 127.0.0.1  : banners /usr/etc/tcpwrap/banner2
    ALL: .blah.ac.uk, .joeblogs.uk, .academic.ac.uk  : banners /usr/etc/tcpwrap/banner2

    /etc/hosts.deny

    ALL:ALL
  • If you have a policy on trusted hosts within your network, implement this.

  • Still as root, run /usr/local/sbin/sshd -t to check the configuration file and host keys, then /usr/local/sbin/sshd to start the daemon and check that it works.

  • Use slogin -l username your-own-computername (slogin is a link to ssh) and see if you can log in to your own box. You will be warned that the host key is not known and asked whether to continue. Before typing yes, compare the fingerprint shown against ssh-keygen -l -f on the server's own /etc/ssh_host_*_key.pub file: the key you accept now is what every later connection is checked against. Hopefully you can then log in and have happy times.

  • Try to log in to another server (its admin may have to set up host keys before this is possible): slogin -l username another-computername

  • Unless you like doing all that SYSV startup script stuff, put a line in the /etc/rc.d/rc.local file to tell Secure Shell to start at boot; i.e.,
    /usr/local/sbin/sshd

  • To check this properly, reboot and make sure sshd comes up, as it is easy to make typos here (ps -ef | grep sshd works on both Linux and IRIX). Then actually try to slogin into yourself again.

  • If all is well, it is time to disable daemons that are not required or that secure shell (ssh) replaces.
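A way to check the sshd_config edits from the steps above, as an added example for this page (not OpenSSH's or CCP14's own code): the script reads an sshd_config the way sshd does (the first occurrence of a keyword wins and later duplicates are ignored; keywords are case-insensitive) and reports any recommended setting that is missing or wrong. It covers the PermitRootLogin and PermitEmptyPasswords settings from above and the ChallengeResponseAuthentication no workaround from Chris's mail; the Protocol 2 and UsePrivilegeSeparation checks are my additions. The two sample configs it writes are constructed for the demonstration, and the compiled-in defaults assumed for absent keywords are those of OpenSSH 3.x.

```shell
#!/bin/sh
# Audit an sshd_config for the settings recommended on this page.
# Added example, not OpenSSH or CCP14 code. Assumes OpenSSH 3.x directive
# names and defaults (sshd_config(5)), keyword and value separated by whitespace.

# sshd uses the FIRST occurrence of a keyword, so that is the value reported.
sshd_option() {   # sshd_option <config-file> <Keyword>  -> prints value, lowercased
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config <config-file>: 0 if every check passes, 1 otherwise.
# Each failing check is printed so the admin can see what to change.
audit_sshd_config() {
    cfg=$1
    rc=0
    check() {   # check <Keyword> <required value> <compiled-in default if absent>
        val=$(sshd_option "$cfg" "$1")
        [ -z "$val" ] && val=$3
        if [ "$val" != "$2" ]; then
            echo "FAIL: $1 is '$val' (want $2)"
            rc=1
        fi
    }
    check PermitRootLogin                 no   yes
    check PermitEmptyPasswords            no   no
    check ChallengeResponseAuthentication no   yes
    check Protocol                        2    2,1
    check UsePrivilegeSeparation          yes  yes
    return $rc
}

# Constructed sample configs (not taken from any real host), in temporary files.
WEAK_CFG=${TMPDIR:-/tmp}/sshd_config.weak.$$
HARD_CFG=${TMPDIR:-/tmp}/sshd_config.hard.$$
write_sample_configs() {
    cat > "$WEAK_CFG" <<'EOF'
# an untouched install: everything left at the compiled-in default
#PermitRootLogin yes
#Protocol 2,1
EOF
    cat > "$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
PermitRootLogin yes
EOF
}

write_sample_configs
echo "== weak =="
audit_sshd_config "$WEAK_CFG" || echo "fix the lines above"
echo "== hardened =="
audit_sshd_config "$HARD_CFG" && echo "all checks passed"
```

Point it at the real file with audit_sshd_config /etc/sshd_config (or /usr/local/etc/sshd_config if make install put it there). Note that sshd -t only checks that the file parses and the host keys load; it says nothing about whether the policy in it is the one you intended, which is what this check is for. The duplicate PermitRootLogin yes at the end of the hardened sample is deliberately ignored, matching sshd's first-value-wins rule.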

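To see what the hosts.allow and hosts.deny rules from the step above actually do for a given client, here is an added example (not tcp_wrappers' or CCP14's code) that applies the hosts_access(5) decision order in shell: hosts.allow is searched first and a match grants access; otherwise hosts.deny is searched and a match refuses; a client matching neither file is allowed in. The last case is the edge that the ALL:ALL deny line closes, and the example shows what happens without it. Assumptions: the client is given as one already-resolved host name or address (real tcpd tries both), and the EXCEPT operator, KNOWN/UNKNOWN/PARANOID keywords and backslash line continuation are not handled. The rule files are constructed copies of the two shown above, written to temporary paths rather than /etc.

```shell
#!/bin/sh
# Simplified hosts_access(5) evaluation for a (daemon, client) pair.
# Added example, not tcp_wrappers or CCP14 code. Handles ALL, LOCAL, ".domain"
# suffixes, "net." prefixes and exact matches; EXCEPT and KNOWN/UNKNOWN are not.

match_pattern() {   # match_pattern <pattern> <client>
    pat=$1 val=$2
    case $pat in
        ALL)   return 0 ;;                                            # wildcard
        LOCAL) case $val in *.*) return 1 ;; *) return 0 ;; esac ;;   # name with no dot
        .*)    case $val in *"$pat") return 0 ;; esac; return 1 ;;    # domain suffix
        *.)    case $val in "$pat"*) return 0 ;; esac; return 1 ;;    # address prefix
        *)     [ "$pat" = "$val" ] && return 0; return 1 ;;           # exact host/address
    esac
}

list_matches() {    # list_matches "<pat, pat ...>" <value>
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        match_pattern "$p" "$2" && return 0
    done
    return 1
}

file_matches() {    # file_matches <rules-file> <daemon> <client>; a missing file matches nothing
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}     # text after the 2nd colon (banners ...) is an option, not a pattern
        list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

tcpd_access() {     # tcpd_access <daemon> <client> <hosts.allow> <hosts.deny> -> allow|deny
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                     # no rule matched at all: tcpd lets the client in
    fi
}

# Constructed copies of the two rule files shown above, in temporary locations.
ALLOW=${TMPDIR:-/tmp}/hosts.allow.$$
DENY=${TMPDIR:-/tmp}/hosts.deny.$$
EMPTY_DENY=${TMPDIR:-/tmp}/hosts.deny.empty.$$
write_sample_rules() {
    cat > "$ALLOW" <<'EOF'
ALL: LOCAL, 127.0.0.1  : banners /usr/etc/tcpwrap/banner2
ALL: .blah.ac.uk, .joeblogs.uk, .academic.ac.uk  : banners /usr/etc/tcpwrap/banner2
EOF
    echo 'ALL:ALL' > "$DENY"
    : > "$EMPTY_DENY"
}

write_sample_rules
for client in pc1.blah.ac.uk 127.0.0.1 printer intruder.example.net; do
    echo "sshd from $client: $(tcpd_access sshd "$client" "$ALLOW" "$DENY")"
done
echo "sshd from intruder.example.net with an empty hosts.deny: $(tcpd_access sshd intruder.example.net "$ALLOW" "$EMPTY_DENY")"
```

The daemon name sshd matches because an OpenSSH built with --with-tcp-wrappers consults libwrap itself under its own process name; services started through tcpd from inetd use the server's name (in.telnetd and so on) in the same way. The final line is the point of the exercise: with hosts.deny empty or missing, the unlisted host gets in.
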
Enhancing the Security of the system by disabling unnecessary daemons

Overall, the idea here is that any unnecessary daemon that runs is a possible entry point for an attacker. Running only what you require, in a safe manner, lessens the chance that your system will be compromised and data ruined. The following consists mainly of switching off unneeded daemons in /etc/inetd.conf. They can always be enabled again later if you find that you do need some of them.

  • Edit the /etc/inetd.conf file and disable un-needed daemons by putting a # at the start of their lines.
    • telnet (don't need it now that secure shell is running)
    • ftp (don't need it unless you want people to ftp to the machine)
    • gopher (don't need it)
    • shell, login (rshd and rlogind), talk, ntalk (it's all gotta go!)
    • pop-2, pop-3, imap (send them the way of all flesh)
    • finger (send this to hell! - or your favourite retirement home)
    • Anything else you don't like or know about here - send it to heaven: time, auth (identd), linuxconf remote config

  • Make inetd re-read its configuration with killall -HUP inetd. (On Linux, killall takes a process name. On Solaris, killall kills every process on the machine, so there send the HUP with kill -HUP to the PID found with ps -ef.)

  • Just in case, keep your current session open (do not log out) and try to log into yourself (the computer!) using slogin. If you can, things are good. If you cannot, re-enable the relevant daemons in inetd.conf (telnet), HUP inetd again and work out what is wrong.
  • Now try to telnet into yourself. The connection should be refused, because the insecure telnet daemon is no longer listening.

  • Done!
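The inetd.conf edit above done on a copy of the file, with the check a practitioner wants afterwards (which services are still enabled), as an added example for this page rather than code from any inetd distribution: the functions comment out every active line whose service name is one of those listed, then list and count what remains. The sample inetd.conf is constructed in the old tcpd style and written to a temporary file, not /etc; on the real file you would follow it with killall -HUP inetd and a telnet to localhost that is refused.

```shell
#!/bin/sh
# Comment out inetd services by name and report what is still enabled.
# Added example, not inetd or CCP14 code. Works on a copy of inetd.conf.

# disable_inetd_services <inetd.conf> <service>...: prefix '#' to every active
# line whose first field is exactly one of the named services (lines that are
# already commented out are left alone).
disable_inetd_services() {
    f=$1; shift
    for svc in "$@"; do
        awk -v s="$svc" '
            !/^[ \t]*#/ && $1 == s { print "#" $0; next }
            { print }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# active_inetd_services <inetd.conf>: names of the services still enabled, one per line
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# count_active_inetd_services <inetd.conf>: how many are still enabled (0 is the goal here)
count_active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Constructed sample inetd.conf (Red Hat/tcpd style) in a temporary file.
SAMPLE_INETD=${TMPDIR:-/tmp}/inetd.conf.sample.$$
write_sample_inetd_conf() {
    cat > "$SAMPLE_INETD" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
talk    dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
ntalk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.ntalkd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#time   stream  tcp     nowait  root    internal
EOF
}

write_sample_inetd_conf
echo "before: $(count_active_inetd_services "$SAMPLE_INETD") active"
disable_inetd_services "$SAMPLE_INETD" telnet ftp gopher shell login talk ntalk pop-3 imap finger auth
echo "after:  $(count_active_inetd_services "$SAMPLE_INETD") active"
active_inetd_services "$SAMPLE_INETD"
# On the real /etc/inetd.conf, finish with:  killall -HUP inetd
```

Matching on the whole first field rather than a substring matters: disabling "pop-3" must not touch "pop-2" by accident, and "talk" must not swallow "ntalk" (or vice versa), which a plain sed on the name would do. Listing the survivors after the edit is the quick way to confirm nothing was missed before the daemon is HUPed.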


Getting ssh to run on startup on an SGI running IRIX

From: werner@visaw.rus.uni-stuttgart.de (Andreas Werner)
Newsgroups: comp.sys.sgi.admin
Subject: Re: sshd
Date: 8 Apr 2000 19:42:51 GMT
Organization: Comp.Center (RUS), U of Stuttgart, FRG


there are lots of ways to do this, but the SGI typical way is:

1. Create a file /etc/init.d/sshd containing the following:

====================================
#! /bin/sh
#
#  start up ssh server at boot
#
case "$1" in
 'start')
    if /sbin/chkconfig sshd ; then
      if test -x /usr/local/sbin/sshd; then
         /usr/local/sbin/sshd
      fi
    fi
 ;;
 'stop')
    /sbin/killall sshd sshd1
 ;;
 *)
    echo "usage: $0 {start|stop}"
 ;;
esac
#
====================================

2. Create two links:

# ln -s ../init.d/sshd /etc/rc0.d/K01sshd
# ln -s ../init.d/sshd /etc/rc2.d/S99sshd

3. Create a config variable:

# chkconfig -f sshd on

That's all, including the possibility to configure the daemon
on or off with the 'chkconfig' command.

For the experts: Yes, I know that the 'killall' command will
kill user ssh daemons, too, but that's exactly the thing I want 
when the machine shuts down ;-)



Getting ssh to run on startup on Linux

The quick way to do this is to edit the /etc/rc.d/rc.local file and add the line:

/usr/local/sbin/sshd



If you have any queries or comments, please feel free to contact the CCP14