Chinaunix

Title: How do I set up an SSH service on HP-UX?

Author: hetorry    Time: 2005-03-15 10:04
Title: How do I set up an SSH service on HP-UX?
As the title says. Thanks!!!
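Author: 我爱臭豆腐    Time: 2005-03-15 11:41
Title: How do I set up an SSH service on HP-UX?
HP has a precompiled version. You can just swinstall it. You can search for it yourself on HP's site. I have installed it on many machines without any problems, and by default it supports only SSH ver2.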
Author: 我爱臭豆腐    Time: 2005-03-15 11:42
Title: How do I set up an SSH service on HP-UX?
http://www.software.hp.com/porta ... oductNumber=T1471AA
download it   
Author: hetorry    Time: 2005-03-15 12:01
Title: How do I set up an SSH service on HP-UX?
Thanks. How do I configure it?
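Author: 我爱臭豆腐    Time: 2005-03-15 13:20
Title: How do I set up an SSH service on HP-UX?
You can read HP's documentation, and you can also look at the manual on the OpenSSH site. The basic configuration is very simple; you will understand it once you take a look. It is the same as on other Unix systems, with no major differences.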
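Author: XUWENCHAO    Time: 2005-03-16 08:35
Title: How do I set up an SSH service on HP-UX?
SSH is a toolkit that replaces TELNET, FTP and the R commands; its main purpose is to solve the problem of passwords being sent over the network in cleartext. For the sake of system security and users' own interests, promoting SSH is necessary. SSH has two versions; what we describe here is version 2.

I. Installing SSH
The steps are as follows:
1. Obtain the SSH package. (ftp://ftp.pku.edu.cn:/pub/unix/ssh-2.3.0.tar.gz)
2. Become the superuser (root).
3. # gzip -cd ssh-2.3.0.tar.gz | tar xvf -
4. # cd ssh-2.3.0
5. # ./configure
   Note: if you want to use tcp_wrappers to control SSH, add the option "--with-libwrap=/path/to/libwrap/" when running configure, to tell SSH where libwrap.a and tcpd.h are located.
6. # make
7. # make install
The SSH-related programs are all placed under /usr/local/bin, including ssh, sftp, sshd2, ssh-keygen, etc.

II. Configuration
The SSH configuration files are under /etc/ssh2, including sshd2's host public and private keys: hostkey and hostkey.pub. These two files are normally generated automatically when SSH is installed. You can regenerate them with the following commands:
# rm /etc/ssh2/hostkey*
# ssh-keygen2 -P /etc/ssh2/hostkey
The ssh2_config file generally does not need to be modified.

III. Starting sshd2
Every system that is to use SSH must run sshd2 in the background. To start it by hand:
# /usr/local/bin/sshd2 &
You can add this command to "/etc/rc2.d/S99local" so that sshd2 is started automatically every time the system boots.

IV. Controlling SSH with tcp_wrappers
Sites that have installed SSH can use tcp_wrappers to restrict which IP addresses may access them over ssh. For example, add the following to /etc/hosts.allow:
sshd,sshd2: 10.0.0.1
Then only 10.0.0.1 can access this host over ssh.
All of the above is work done by the system administrator. Next we describe how ordinary users use SSH.

V. Basic usage
Before using SSH, every user must complete the following steps:
1. On the local host (for example, local.pku.edu.cn), generate your own ssh public and private keys. The command is as follows:
local# ssh-keygen
Generating 1024-bit dsa key pair
1 oOo.oOo.o
Key generated.
1024-bit dsa, teng@ns, Fri Oct 20 2000 17:27:05
Passphrase :************ /* Enter your passphrase here; you will need it later when accessing this host.
Again :************ /*
Private key saved to /home1/teng/.ssh2/id_dsa_1024_a
Public key saved to /home1/teng/.ssh2/id_dsa_1024_a.pub
The generated private and public keys (id_dsa_1024_a and id_dsa_1024_a.pub) are stored in the ~/.ssh2 directory under your home directory. The user-related SSH configuration files are all under ~/.ssh2. The private key is kept by the user on the local host, while the public key must be transferred to ~/.ssh2 of your own account on the remote host, if you want to use ssh2 to access the local host.
2. Create the "identification" file under ~/.ssh2 to specify the private key used for authentication. The command is as follows:
local:~/.ssh2# echo "IdKey id_dsa_1024_a" > identification
3. Likewise, complete the steps above on the remote host (for example, remote.pku.edu.cn).
4. Copy your own (here "teng") public key (id_dsa_1024_a.pub) from the local host (local.pku.edu.cn) to the .ssh2 directory under your own home directory on the remote host (remote.pku.edu.cn); it can be named "local.pub". Uploading it with ftp is usually fine.
5. On the remote host, in the .ssh2 directory under your home directory, create the "authorization" file, which specifies the public key file used for authentication. The command is as follows:
remote:~/.ssh2# echo "Key local.pub" > authorization
6. Now you can log in from the local host to the remote system with ssh2. The command is as follows:
local# ssh remote.pku.edu.cn
Passphrase for key "/home1/teng/.ssh2/id_dsa_1024_a" with comment "1024-bit dsa,teng@ns, Fri Oct 20 2000 17:27:05":***********
You will then be asked to enter your ssh passphrase. Once it is verified, you are logged in to the remote host.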
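Author: fuqiang_leon    Time: 2007-10-10 11:30
No configuration is needed. After installing from the package, the service starts automatically and you can connect right away!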
Author: fp3016    Time: 2007-11-12 16:55
Hey buddy! Did you get it working?
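Author: czyf2001    Time: 2007-11-13 20:16
Originally posted by 我爱臭豆腐 on 2005-3-15 11:41
HP has a precompiled version. You can just swinstall it. You can search for it yourself on HP's site. I have installed it on many machines without any problems, and by default it supports only SSH ver2.

Boss Doufu, are you still working in security? Are you in Shenzhen or Zhuhai?
I haven't seen you in a long, long time, haha!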

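Author: czyf2001    Time: 2007-11-13 20:20
SSH differs between platforms.
For the 11 platform it is: T1471AA_A.04.50.003_HP-UX_B.11.11_32+64.depot

[SSH installation and configuration]
1. Download T1471AA_A.04.50.003_HP-UX_B.11.11_32+64.depot and upload it to the /tmp directory in bin mode;
2. Run: swinstall -s /tmp/T1471AA_A.04.50.003_HP-UX_B.11.11_32+64.depot
3. Check whether the installation succeeded: swlist | grep T147
4. # ps -ef | grep ssh  will show the /opt/ssh/sbin/sshd daemon process;
5. Kill that process: use ps -ef | grep ssh to find the process ID, then kill it;
6. At this point you cannot log in with ssh; it reports: refused the connection…
7. Start ssh: /opt/ssh/sbin/sshd
At this point you can disable the system's telnet port.

If you log in with SecureCRT 5.1, be sure to choose an ssh connection!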
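Author: JonZhao    Time: 2009-04-03 15:44
Title: Reply to post #10 by czyf2001
May I ask, where do I download the package?
On the HP website I can only get as far as this page; it requires a key num.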

http://h20392.www2.hp.com/ecomme ... ownload.do?lc=EN_US
Author: wwwlh    Time: 2009-04-05 17:49
It comes on the Applications CD; otherwise just download OpenSSH.
Author: lonely    Time: 2009-04-09 12:04
I recently wrote up an SSH plan; you can refer to it and see whether it helps!
I. Install the HP-recommended patches:
HP recommends that you install the libc, PAM and pthreads patches listed in Table 1-6
with HP-UX Secure Shell A.05.00.024, A.05.00.025, and A.05.00.026.

Operating System Version | libc Patch             | PAM Patch             | pthreads Patch
HP-UX 11i v1             | PHCO_27740             | PHCO_33215 PHCO_30402 | PHCO_26466
HP-UX 11i v2             | No libc patch required | No PAM patch required | No pthreads patch required
HP-UX 11i v3             | No libc patch required | No PAM patch required | No pthreads patch required

#swinstall -s
#swlist -l product | grep PHCO_27740
#swlist -l product | grep PHCO_33215
#swlist -l product | grep PHCO_30402
#swlist -l product | grep PHCO_26466

II. Installing the Strong Random Number Generator is recommended (requires a host reboot)
HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program. The /dev/urandom and /dev/random devices are available by default on HP-UX 11i v2 and HP-UX 11i v3 systems. These devices can also be obtained for HP-UX 11i v1 by downloading and installing the HP-UX Strong Random Number Generator from http://software.hp.com. If you are using HP-UX Secure Shell on HP-UX 11i v1, HP recommends that you install the Strong Random Number Generator product as it significantly speeds up program initialization and execution time for some commands.
Installation steps:
Installation of the Strong Random Number Generator will cause the kernel to rebuild and system to reboot. Following reboot, the /dev/random and /dev/urandom special files will be present and no further administrative actions are required.
1) Login as root.
2) Follow the instructions to download the KRNG11i product bundle into the /tmp directory.
3) Verify that the source depot file has downloaded correctly using swlist. Note that swlist and swinstall require you to specify the full path name to the location of the source depot file:
#swlist -d @ /tmp/KRNG11i_*.depot
4)  Use swinstall to install the KRNG11i bundle from the source depot file. Note that because KRNG11i pulls in a set of kernel components, the autoreboot flag must be specified:
# swinstall -x autoreboot=true -s /tmp/KRNG11i_*.depot KRNG11i
The system will reboot after installation.
5) Verify that the KRNG11i bundle was installed:
#swlist | grep KRNG11i
This message should appear:
    KRNG11i    B.11.11.09    HP-UX 11.11 Strong Random Number Generator
When you install the KRNG11i bundle, the following items are included:
Enablement updates to the HP-UX 11i kernel.
A dynamically loadable kernel module, rng, that collects random data.
The /usr/include/sys/random.h header file.
The random(7) manual page.
Removing the software:
Strong Random Number Generator contains kernel products. Removing them will cause a system reboot after removal is complete.
1) Login as root.
2) Run swremove to remove the product.
#swremove -x autoreboot=true RandomNumGen RandomNumGenDyn
This removes the core functionality of the feature, but leaves the bundle wrapper and patches on your system. Removal of the patches that were included with the feature bundle is not recommended. Therefore, we advise you NOT to remove the patches from your system.

III. Install HP-UX Secure Shell:
To install HP-UX Secure Shell, complete the following steps:
1.        Log in as superuser.
2.        Insert the software CD into the appropriate drive if installing from the Application Release CD. If installing from http://software.hp.com, download the depot and use the swinstall directions provided on the Installation page where you downloaded the software.
3.        Run $ swinstall -s /tmp/T1471AA_A.05.10.045_HP-UX_B.11.11_32_64.depot
4.        In the Source Depot Path field, enter the drive mount point and click OK. Change the Source Host Name, if needed.
5.        Select T1471AA from the list of available software, and click Mark for Install on the Actions menu.
6.        Click Install on the Actions menu.
7.        Click OK in the Install Analysis window when the Status field displays a Ready message.
8.        Click Yes. The swinstall command loads the HP-UX Secure Shell files on the system in approximately 3 to 5 minutes.

NOTE: The sshd daemon is preconfigured, and it is started after installation.
The swinstall command installs HP-UX Secure Shell in the /opt/ssh/ directory.

IV. Verify that HP-UX Secure Shell was installed successfully

• To verify whether the HP-UX Secure Shell software is successfully installed on
your system, run the following command at the HP-UX prompt:
# swlist | grep T1471AA
The following output is displayed if the HP-UX Secure Shell software is installed
successfully on your system:
T1471AA A.04.50.012 HP-UX Secure Shell
NOTE: The version number displayed in the output varies according to the
version of HP-UX Secure Shell you installed.
• To verify whether the sshd daemon is running, run the following command:
# ps -ef | grep sshd
The following output is displayed if the sshd daemon is running on the system:
root 743 1 0 Sep 28 ? 0:00 /opt/ssh/sbin/sshd
root 14909 14800 0 20:39:05 pts/0 0:00 grep sshd
• To verify whether the host keys have been generated, run the following command:
# ls /opt/ssh/etc
If host keys were generated, the /opt/ssh/etc directory contains the following
files:
— moduli
— ssh_host_key
— ssh_prng_cmds
— ssh_config
— ssh_host_key.pub
— sshd_config
— ssh_host_dsa_key
— ssh_host_rsa_key
— ssh_host_dsa_key.pub
— ssh_host_rsa_key.pub
If the HP-UX Secure Shell software is not installed successfully on your system, run
the following command at the HP-UX prompt to view the log file for errors:
# grep -i error /var/adm/sw/swagent.log


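I. The system default is telnet; telnet must be disabled and logins switched to ssh2
#vi /etc/services
Comment out this line in it:
telnet        23/tcp                 # Virtual Terminal Protocol
and also
#vi /etc/inetd.conf
Comment out this line in it:
telnet       stream tcp nowait root /usr/lbin/telnetd  telnetd
Then restart the inetd service with the following commands, and telnet can no longer be used:
#/sbin/init.d/inetd stop
#/sbin/init.d/inetd start
SSH is now installed. Users cannot see the encryption part of SSH, because encryption is invisible to the user. You can check the connection to see whether a socket can be opened to connect to the remote computer. Do not worry about application speed; all you are looking for is network connectivity.
A successful login should look somewhat like an rsh login. Even though you cannot see it, the connection is in fact encrypted. The user's password is only used to protect the user's authentication key and is not used directly for authentication, unless you insist on using a password for authentication. If the result below is displayed, your SSH connection is working properly:
#ssh  hostname
Because this is the first connection to this SSH server, the public part of the SSH server's host key is not yet in the SSH client's known_hosts database, so you should see a warning message such as: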

swt1:[/]#ssh swt1
The authenticity of host 'swt1 (192.168.1.151)' can't be established.
RSA key fingerprint is 0f:01:88:b6:be:ed:ec:94:2c:4b:e1:3f:0d:58:32:01.
Are you sure you want to continue connecting (yes/no)? yes
After you type yes and press Enter, the SSH client adds the public part of the SSH server's key to the known_hosts database and displays:
Warning: Permanently added 'swt1,192.168.1.151' (RSA) to the list of known hosts.
welcome to SWT1!
Password:
Last login: Wed Apr  1 12:51:28 2009 from 192.168.1.17
(c)Copyright 1983-2003 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993  The Open Software Foundation, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2003 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
  

                  RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.


                  Hewlett-Packard Company
                  3000 Hanover Street
                  Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
You have mail.
Value of TERM has been set to "hp".
WARNING:  YOU ARE SUPERUSER !!
swt1:[/]#
This shows that the connection is working.

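However, if the connection to SSH can be completed but cannot be encrypted, you will see a warning before you are prompted for a password. In that case the remote system may not be running the SSH daemon, or SSH is being blocked by a router or firewall. If you do not want to continue the connection using rsh, press Ctrl+C to exit. Even though SSH warns you, it is easy to forget that you are using rsh rather than SSH. See: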

swt1:[/]#ssh swt2

Using rsh. WARNING: Connection will not be encrypted.

Password:

Note: if you want to keep the connection secure, do not use rsh even if SSH cannot encrypt.

More troubleshooting information and error messages can also be found in the /var/log/messages and /var/log/secure files.
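Added example (not part of the original post or of HP's documentation): a check for the telnet step above, generalized to the other cleartext services the thread says SSH replaces (FTP and the r-commands). It parses an inetd.conf-style file and reports entries that are still enabled; the function names and the sample file are constructed for illustration, and only the telnet line is taken from the post.

```sh
#!/bin/sh
# Added example: report cleartext login/file-transfer services that are still
# enabled in an inetd.conf-style file. Function names are illustrative.

# Print "service<TAB>server-program" for each enabled cleartext service:
# telnet and ftp, plus the r-command entries shell (remsh/rsh), login, exec.
cleartext_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip commented-out and incomplete lines
        $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 "\t" $6 }
    ' "$1"
}

# Exit status 0 when nothing is enabled, 1 otherwise.
audit_inetd() {
    found=$(cleartext_services "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/ENABLED: /'
        return 1
    fi
    echo "OK: no cleartext login services enabled in $1"
}

# Constructed sample input (only the telnet line comes from the post above).
SAMPLE="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed inetd.conf excerpt
ftp          stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet       stream tcp nowait root /usr/lbin/telnetd  telnetd
#login       stream tcp nowait root /usr/lbin/rlogind  rlogind
shell        stream tcp nowait root /usr/lbin/remshd   remshd
daytime      stream tcp nowait root internal
EOF

# On a real host, pass /etc/inetd.conf instead of the sample.
audit_inetd "$SAMPLE" || echo "-> comment these entries out, then restart inetd"
```

Run it again after editing inetd.conf and restarting inetd; an "OK" line means no telnet, ftp or r-command listener is configured there any more.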
Author: liaosnet    Time: 2010-01-21 10:47
4)  Use swinstall to install the KRNG11i bundle from the source depot file. Note that because KRNG11i pulls in a set of kernel components, the autoreboot flag must be specified:
# swinstall -x autoreboot=true -s /tmp/KRNG11i_*.depot KRNG11i
The system will reboot after installation.


Installing this random package requires a system reboot~



