4 Deploying OpenSSH on server
OpenSSH is bundled with RedHat Linux and Solaris 9, and the ssh service is enabled by default there. On those platforms we do not need to deploy it, although we still need to configure it. For Solaris versions older than 9, we have to deploy OpenSSH manually.
4.1 Installing OpenSSH packages for Solaris 8
4.1.1 Source programs
The sources for these programs are on sunfreeware.com, or you can go to their home pages:

Package       URL                                                                      Remarks
zlib          http://www.zlib.org
PERL          http://www.perl.org
prngd         http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
OpenSSL       http://www.openssl.org
OpenSSH       http://www.openssh.org
egd           http://www.lothar.com/tech/crypto/
TCP wrapper   ftp://ftp.porcupine.org/pub/security/index.html                          Optional
4.1.2 Getting the random patches for Solaris 8
To obtain the patches, go to:

112438-03 SPARC/Solaris 8 patch for /kernel/drv/random

It has been pointed out that some of the recommended patch clusters already contain the patches above, so you may want to check whether the patch is already installed.

Download the patch and install it as indicated in the instructions. You will probably need to reboot your system to have the patch applied; rebooting requires boot -r to create the new devices.
Note: If you are running a system where unscheduled downtime is not allowed, it is possible to do this without rebooting. For example:

patchadd 112438-01
mknod /devices/pseudo/random@0:random c 82 0
mknod /devices/pseudo/random@0:urandom c 82 1
chgrp sys /devices/pseudo/random*
cd /dev
ln -s ../devices/pseudo/random@0:random /dev/random
ln -s ../devices/pseudo/random@0:urandom /dev/urandom
modload /kernel/drv/random
4.1.3 Getting the packages

openssh-4.3p2-sol8-sparc-local.gz
openssl-0.9.8b-sol8-sparc-local.gz
tcp_wrappers-7.6-sol8-sparc-local.gz (optional, but recommended)
zlib-1.2.1-sol8-sparc-local.gz
libgcc-3.3-sol8-sparc-local.gz
perl-5.8.5-sol8-sparc-local.gz (optional)
prngd-0.9.25-sol8-sparc-local.gz (optional)
egd-0.8-sol8-sparc-local.gz (optional)
4.1.4 Installing the packages

Uncompress the gz packages with gunzip and install them with pkgadd, for example:

# gunzip openssh-4.3p2-sol8-sparc-local.gz
# pkgadd -d openssh-4.3p2-sol8-sparc-local
4.1.5 Setting up the prngd

Create the folder /var/spool/prngd.

Create the init script for prngd:

-r-xr-xr-x   1 root     sys          292 Jul  8  2004 /etc/init.d/prngd
lrwxrwxrwx   1 root     other         15 Jul  8  2004 /etc/rc0.d/K03prngd -> ../init.d/prngd
lrwxrwxrwx   1 root     other         15 Jul  8  2004 /etc/rc3.d/S98prngd -> ../init.d/prngd

Contents of /etc/init.d/prngd:
#!/bin/sh
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/prngd /var/spool/prngd/pool
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/prngd {start|stop}"
        ;;
esac
4.1.6 Setting up the sshd user and the /var/empty directory

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
4.1.7 Installing ssh and sshd

Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the host key information for the server machine.

# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

Set up the init script:

-rwxr-xr-x   1 root     bin          268 Jul  8  2004 /etc/init.d/sshd
lrwxrwxrwx   1 root     other         14 Jul  8  2004 /etc/rc0.d/K04sshd -> ../init.d/sshd
lrwxrwxrwx   1 root     other         14 Jul  8  2004 /etc/rc3.d/S99sshd -> ../init.d/sshd

Contents of /etc/init.d/sshd:
#!/bin/sh
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
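Both init scripts above (4.1.5 and 4.1.7) find the daemon with `ps -e | grep NAME`, which matches any process whose command line contains the name: for sshd that includes the per-session child processes, so `stop` kills every logged-in user's session along with the listener. The following is an added example, not part of the original post, of a safer way to pick the pid for the `stop` action. It assumes Solaris-style `ps -e` output (columns PID TTY TIME CMD) and that sshd writes its pid to /var/run/sshd.pid (the default PidFile in a stock build; treat the path as an assumption for your installation). The `ps -e` text is a constructed sample so the functions can be run offline.

```shell
#!/bin/sh
# Added example: exact-name process matching plus pidfile validation for an
# init script's 'stop' action. Not from the original post.

# Constructed sample of Solaris `ps -e` output (stand-in for the live command).
# 418 is the listening daemon; 902 is a user's session child; 903 shows why a
# substring match is wrong; 950 is the grep from the original pipeline.
SAMPLE_PS='  PID TTY         TIME CMD
    0 ?           0:01 sched
  312 ?           0:00 prngd
  418 ?           0:02 sshd
  902 ?           0:00 sshd
  903 ?           0:00 sshd-helper
  950 pts/1       0:00 grep'

# pids_named PS_TEXT NAME: print pids whose CMD column equals NAME exactly.
# Unlike `grep sshd`, this never matches "sshd-helper" or the grep itself.
pids_named() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $4 == name { print $1 }'
}

# count_named PS_TEXT NAME: number of exact matches (useful for logging how
# many session processes exist before deciding what to kill).
count_named() {
    pids_named "$1" "$2" | wc -l | tr -d ' '
}

# daemon_pid PIDFILE PS_TEXT NAME: print the pid recorded in PIDFILE only if it
# is a plain number and currently runs NAME; print nothing and fail otherwise.
# This is the one process a 'stop' action should signal: the listener, not
# every active session.  PIDFILE is assumed to be /var/run/sshd.pid for sshd.
daemon_pid() {
    pidfile=$1; ps_text=$2; name=$3
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d ' \t')
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # stale or tampered pidfile: refuse to kill
    esac
    for p in $(pids_named "$ps_text" "$name"); do
        if [ "$p" = "$pid" ]; then
            printf '%s\n' "$pid"
            return 0
        fi
    done
    return 1                       # pid in file no longer belongs to NAME
}

# Example use inside a 'stop' branch (live ps output instead of the sample):
#   pid=$(daemon_pid /var/run/sshd.pid "$(/usr/bin/ps -e)" sshd) && /usr/bin/kill "$pid"
```

With this check, a pidfile left behind by a crashed daemon, or one that now points at an unrelated process, results in no kill at all rather than a kill of the wrong process.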
4.2 Setting up the test_user account for remote access

The procedures below describe how to set up the user account test_user on allenunix so that it can access the remote server testunix without supplying a password. They assume the UNIX account already exists on both the allenunix and testunix servers.
4.2.1 Generate the private and public key pair

On allenunix:

allenunix:test_user ~ 2 > /usr/local/bin/ssh-keygen -t dsa -b 1024
Generating public/private dsa key pair.
Enter file in which to save the key (/test_user/home/test_user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /test_user/home/test_user/.ssh/id_dsa.
Your public key has been saved in /test_user/home/test_user/.ssh/id_dsa.pub.
The key fingerprint is:
e3:fe:fa:da:de:b9:23:a3:30:43:55:a4:f7:bc:2f:32 test_user@allenunix

The private and public keys are stored in the home directory as id_dsa and id_dsa.pub respectively.

allenunix:root /test_user/home/test_user/.ssh 5 > ls -la
total 16
drwxr-xr-x   2 test_user other      512 Oct 11 13:24 .
drwxr-xr-x   4 test_user afsa      5120 Oct 11 12:16 ..
-rw-------   1 test_user staff      668 Oct 11 13:24 id_dsa
-rw-r--r--   1 test_user staff      604 Oct 11 13:24 id_dsa.pub
allenunix:root /test_user/home/test_user/.ssh 6 > cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
...
-----END DSA PRIVATE KEY-----
allenunix:root /test_user/home/test_user/.ssh 7 > cat id_dsa.pub
ssh-dss ... test_user@allenunix

Please note that the public key file is always a single-line file.
4.2.2 Append the public key to the authorized_keys file on the remote server

Copy id_dsa.pub to the testunix server. Append it to the authorized_keys file, which contains all the public keys to be used from different remote users.

On testunix:

testunix:test_user /tmp 2 > cat id_dsa.pub >> ~test_user/.ssh/authorized_keys
4.2.3 Try running ssh on allenunix

On allenunix:

allenunix:test_user ~ 5 > ssh testunix ls

It should list the contents of the home directory of user test_user on testunix.
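The `cat id_dsa.pub >> authorized_keys` step in 4.2.2 appends blindly: running it twice leaves duplicate entries, a key file that was accidentally wrapped onto two lines (the single-line rule from 4.2.1) silently breaks authentication, and sshd's StrictModes (on by default) refuses the file if ~/.ssh or authorized_keys is writable by others. The following is an added example, not part of the original post, that does the append with those checks. It assumes a POSIX sh with awk; the public key it uses is a constructed placeholder, not a real key, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: validate a one-line public key, append it to authorized_keys
# only if it is not already there, and set the permissions sshd expects.
# Not from the original post.

# Constructed sample public key in the one-line "type base64 comment" format.
# The base64 blob is a placeholder, not real key material.
SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER0000000000000000000000000000000000= test_user@allenunix'

# valid_pubkey LINE: succeed only if LINE is exactly one line of the form
# "<ssh-dss|ssh-rsa> <base64> [comment]".  A wrapped key (two lines) fails.
valid_pubkey() {
    printf '%s\n' "$1" | awk '
        NR > 1 { bad = 1 }
        NR == 1 {
            if ($1 != "ssh-dss" && $1 != "ssh-rsa") bad = 1
            if ($2 !~ /^[A-Za-z0-9+\/]+=*$/) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# add_authorized_key SSHDIR LINE: create SSHDIR/authorized_keys if needed,
# append LINE unless the same key is already present, fix permissions, and
# print the number of lines in the file afterwards.
add_authorized_key() {
    sshdir=$1; line=$2
    valid_pubkey "$line" || { echo "rejected: not a one-line public key" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"                 # StrictModes: directory must not be group/world writable
    keyfile=$sshdir/authorized_keys
    touch "$keyfile"
    chmod 600 "$keyfile"                # StrictModes: file must be owner-only
    # Duplicate detection compares type + key material only, so the same key
    # with a different trailing comment is still recognised.
    keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit found ? 0 : 1 }' "$keyfile"; then
        printf '%s\n' "$line" >> "$keyfile"
    fi
    wc -l < "$keyfile" | tr -d ' '
}

# Example use on testunix (replacing the cat >> line from 4.2.2):
#   add_authorized_key ~test_user/.ssh "$(cat /tmp/id_dsa.pub)"
```

Keeping the append idempotent matters for audit as much as for correctness: a file with one line per authorised key is the file you can review to see exactly which remote identities may log in as test_user.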
other such traditional programs transmit users' passwords across the Internet unencrypted. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. It makes your connection much safer.

The OpenSSH suite includes the ssh program, which replaces telnet, rsh and rlogin, and scp, which replaces rcp and ftp. OpenSSH has also added sftp and sftp-server, which implement an easier solution for file transfer.
This article is from the ChinaUnix blog; to see the original, visit: http://blog.chinaunix.net/u1/52953/showart_546310.html