NCSA OpenSSH Installation Guide
This document is for installing the OpenSSH server on machines in the
NCSA environment. If you only want to run the client and do not need to
install the server, please refer to using SSH at NCSA.
The commands shown below need to be executed as "root". If you have any
questions or problems with this document or with an installation, please
contact ssh@ncsa.uiuc.edu.
Installing binaries and configuration files
We first copy the sshd server binary to local disk, so that sshd still runs
even if AFS does not start up or we lose contact with AFS. You may not need
to create the /usr/local/sbin directory if it already exists.
# mkdir /usr/local/sbin
# chmod 755 /usr/local/sbin
# cp /usr/ncsa/sbin/sshd /usr/local/sbin/sshd
# chmod 700 /usr/local/sbin/sshd
Now create the configuration directory.
# mkdir /etc/openssh
Copy the configuration files to local disk.
# cp /afs/ncsa/common/etc/openssh/ssh_config /etc/openssh/ssh_config
# cp /afs/ncsa/common/etc/openssh/sshd_config /etc/openssh/sshd_config
# chmod 644 /etc/openssh/ssh_config
# chmod 644 /etc/openssh/sshd_config
Create a key pair for the version 1 protocol.
Note: If you had a previous version of ssh running on the machine, you will
want to copy the old key into the new configuration directory so that users
who have the old key in their known_hosts file will not have problems.
Previous version 1 keys:
# cp /etc/ssh_host_key /etc/openssh
# cp /etc/ssh_host_key.pub /etc/openssh
# chmod 600 /etc/openssh/ssh_host_key
# chmod 644 /etc/openssh/ssh_host_key.pub
If you did not have a previous version running, you will need to create
new version 1 host keys.
New version 1 keys:
# /usr/ncsa/bin/ssh-keygen -t rsa1 -f /etc/openssh/ssh_host_key -N ""
# chmod 600 /etc/openssh/ssh_host_key
# chmod 644 /etc/openssh/ssh_host_key.pub
Now create key pairs for the version 2 protocol on the host machine. Make
sure you include the empty quotes at the end: this creates the keys with no
passphrase, which is required for server keys.
# /usr/ncsa/bin/ssh-keygen -t dsa -f /etc/openssh/ssh_host_dsa_key -N ""
# /usr/ncsa/bin/ssh-keygen -t rsa -f /etc/openssh/ssh_host_rsa_key -N ""
# chmod 600 /etc/openssh/ssh_host_dsa_key
# chmod 600 /etc/openssh/ssh_host_rsa_key
# chmod 644 /etc/openssh/ssh_host_dsa_key.pub
# chmod 644 /etc/openssh/ssh_host_rsa_key.pub
Lastly, if you want sshd to keep accepting connections when AFS connectivity
is lost, you will need a local copy of the krb5.conf file.
# cp /usr/local/krb5/etc/krb5.conf /etc/krb5.conf
# chmod 644 /etc/krb5.conf
Creating ssh user (for privsep)
Recent versions of OpenSSH enable a feature called privilege separation.
Privilege separation, or privsep, is a method in OpenSSH by which operations
that require root privilege are performed by a separate privileged monitor
process, while the rest of the work runs in an unprivileged process. Its
purpose is to prevent privilege escalation by containing any corruption to
that unprivileged process. For this to work, an sshd user and group need to
be created. Here are the steps:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
Privilege separation does not work on HP-UX systems with a trusted system
configuration.
Startup scripts
In order to get sshd to start on boot, you will need to configure the
startup script. The startup scripts are located at:
/afs/ncsa/common/etc/openssh/OS_VER
where OS_VER is the version of the operating system you are running.
Installation instructions are at the top of each startup script.
You are now ready to start the sshd process:
# /etc/init.d/sshd start
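A post-install check for the file modes this guide sets, written as an added example that is not part of the NCSA guide. It assumes only a POSIX sh and a stat(1) that accepts either the GNU -c or the BSD -f form, and takes its paths as arguments so it can also be run against a constructed test tree.

```shell
#!/bin/sh
# Post-install check for the layout this guide produces. Added example, not
# part of the NCSA guide. Paths are passed in so it can be pointed at
# /etc/openssh and /var/empty or at a constructed test tree.

# Octal permission bits of a path. GNU stat uses -c, BSD/Solaris-style stat
# uses -f; try the GNU form first and fall back.
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A path must exist with exactly the given mode; report the path otherwise.
expect_mode() {
  [ -e "$1" ] || { echo "missing: $1"; return 1; }
  [ "$(perm_of "$1")" = "$2" ] || { echo "bad mode $(perm_of "$1") on $1 (want $2)"; return 1; }
}

# Private host keys must be 0600 (readable only by root); public halves 0644.
check_key_pair() {
  expect_mode "$1" 600 && expect_mode "$1.pub" 644
}

# All three host key pairs from the guide, under the given config directory.
check_host_keys() {
  rc=0
  for k in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
    check_key_pair "$1/$k" || rc=1
  done
  return $rc
}

# The privsep directory must exist and be 0755, i.e. not writable by the sshd
# user. The guide also owns it root:sys; ownership is not checked here so the
# function can be exercised unprivileged.
check_privsep_dir() {
  [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
  expect_mode "$1" 755
}

# Run against the real paths from the guide when invoked with --run.
if [ "${1:-}" = "--run" ]; then
  check_host_keys /etc/openssh
  check_privsep_dir /var/empty
  expect_mode /usr/local/sbin/sshd 700
  expect_mode /etc/openssh/sshd_config 644
fi
```

Run it as root with --run after the steps above; any line of output names a file whose mode differs from what the guide sets.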