How do I set up an SSH service on HP-UX?

Original poster: hetorry

#11 Posted 2009-04-03 15:44

Reply to post #10 by czyf2001

Where can I download the package?
On the HP website I can only get as far as this page, and it requires a key num.

http://h20392.www2.hp.com/ecomme ... ownload.do?lc=EN_US

#12 Posted 2009-04-05 17:49
It comes on the Application CD; otherwise, just download OpenSSH.

#13 Posted 2009-04-09 12:04
I recently wrote up an SSH plan; you can use it as a reference and see whether it helps you!
1. Install the HP-recommended patches:
HP recommends that you install the libc, PAM and pthreads patches listed in Table 1-6
with HP-UX Secure Shell A.05.00.024, A.05.00.025, and A.05.00.026.

Operating System Version | libc Patch             | PAM Patch             | pthreads Patch
HP-UX 11i v1             | PHCO_27740             | PHCO_33215 PHCO_30402 | PHCO_26466
HP-UX 11i v2             | No libc patch required | No PAM patch required | No pthreads patch required
HP-UX 11i v3             | No libc patch required | No PAM patch required | No pthreads patch required

#swinstall -s
#swlist -l product | grep PHCO_27740
#swlist -l product | grep PHCO_33215
#swlist -l product | grep PHCO_30402
#swlist -l product | grep PHCO_26466

2. Installing the Strong Random Number Generator is recommended (requires a host reboot)
HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program. The /dev/urandom and /dev/random devices are available by default on HP-UX 11i v2 and HP-UX 11i v3 systems. These devices can also be obtained for HP-UX 11i v1 by downloading and installing the HP-UX Strong Random Number Generator from http://software.hp.com. If you are using HP-UX Secure Shell on HP-UX 11i v1, HP recommends that you install the Strong Random Number Generator product as it significantly speeds up program initialization and execution time for some commands.
Installation steps:
Installation of the Strong Random Number Generator will cause the kernel to rebuild and system to reboot. Following reboot, the /dev/random and /dev/urandom special files will be present and no further administrative actions are required.
1) Login as root.
2) Follow the instructions to download the KRNG11i product bundle into the /tmp directory.
3) Verify that the source depot file has downloaded correctly using swlist. Note that swlist and swinstall require you to specify the full path name to the location of the source depot file:
#swlist -d @ /tmp/KRNG11i_*.depot
4)  Use swinstall to install the KRNG11i bundle from the source depot file. Note that because KRNG11i pulls in a set of kernel components, the autoreboot flag must be specified:
# swinstall -x autoreboot=true -s /tmp/KRNG11i_*.depot KRNG11i
The system will reboot after installation.
5) Verify that the KRNG11i bundle was installed:
#swlist | grep KRNG11i
This message should appear:
    KRNG11i    B.11.11.09    HP-UX 11.11 Strong Random Number Generator
When you install the KRNG11i bundle, the following items are included:
Enablement updates to the HP-UX 11i kernel.
A dynamically loadable kernel module, rng, that collects random data.
The /usr/include/sys/random.h header file.
The random(7) manual page.
Removing the software:
Strong Random Number Generator contains kernel products. Removing them will cause a system reboot after removal is complete.
1) Login as root.
2) Run swremove to remove the product.
#swremove -x autoreboot=true RandomNumGen RandomNumGenDyn
This removes the core functionality of the feature, but leaves the bundle wrapper and patches on your system. Removal of the patches that were included with the feature bundle is not recommended. Therefore, we advise you NOT to remove the patches from your system.

3. Install HP-UX Secure Shell:
To install HP-UX Secure Shell, complete the following steps:
1. Log in as superuser.
2. Insert the software CD into the appropriate drive if installing from the Application Release CD. If installing from http://software.hp.com, download the depot and use the swinstall directions provided on the Installation page where you downloaded the software.
3. Run $ swinstall -s /tmp/T1471AA_A.05.10.045_HP-UX_B.11.11_32_64.depot
4. In the Source Depot Path field, enter the drive mount point and click OK. Change the Source Host Name, if needed.
5. Select T1471AA from the list of available software, and click Mark for Install on the Actions menu.
6. Click Install on the Actions menu.
7. Click OK in the Install Analysis window when the Status field displays a Ready message.
8. Click Yes. The swinstall command loads the HP-UX Secure Shell files on the system in approximately 3 to 5 minutes.

NOTE: The sshd daemon is preconfigured, and it is started after installation.
The swinstall command installs HP-UX Secure Shell in the /opt/ssh/ directory.

4. Verify that HP-UX Secure Shell was installed successfully

• To verify whether the HP-UX Secure Shell software is successfully installed on
your system, run the following command at the HP-UX prompt:
# swlist | grep T1471AA
The following output is displayed if the HP-UX Secure Shell software is installed
successfully on your system:
T1471AA A.04.50.012 HP-UX Secure Shell
NOTE: The version number displayed in the output varies according to the
version of HP-UX Secure Shell you installed.
• To verify whether the sshd daemon is running, run the following command:
# ps -ef | grep sshd
The following output is displayed if the sshd daemon is running on the system:
root 743 1 0 Sep 28 ? 0:00 /opt/ssh/sbin/sshd
root 14909 14800 0 20:39:05 pts/0 0:00 grep sshd
• To verify whether the host keys have been generated, run the following command:
# ls /opt/ssh/etc
If host keys were generated, the /opt/ssh/etc directory contains the following
files:
— moduli
— ssh_host_key
— ssh_prng_cmds
— ssh_config
— ssh_host_key.pub
— sshd_config
— ssh_host_dsa_key
— ssh_host_rsa_key
— ssh_host_dsa_key.pub
— ssh_host_rsa_key.pub
If the HP-UX Secure Shell software is not installed successfully on your system, run
the following command at the HP-UX prompt to view the log file for errors:
# grep -i error /var/adm/sw/swagent.log


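1. The system default is telnet; telnet must be disabled and logins switched to ssh2
#vi /etc/services
In that file, comment out the line
telnet        23/tcp                 # Virtual Terminal Protocol
and then
#vi /etc/inetd.conf
In that file, comment out the line
telnet       stream tcp nowait root /usr/lbin/telnetd  telnetd
Then restart the inetd service with the following commands, and telnet can no longer be used:
#/sbin/init.d/inetd stop
#/sbin/init.d/inetd start
SSH is now installed. Users cannot see the encryption part of SSH, because encryption is invisible to the user. You can check the connection to see whether a socket can be opened to connect to the remote computer. Do not worry about application speed; all you are looking for is network connectivity.
A successful login should look somewhat like an rsh login. Even though you cannot see it, the connection is actually encrypted. The user's password is only used to protect the user's authentication key and is not used directly for authentication, unless you insist on authenticating with a password. If the following result is displayed, your SSH connection is working properly:
#ssh  hostname
Because this is the first connection to this SSH server, the public part of the SSH server's host key is not yet in the SSH client's known_hosts database, so you should see a warning message such as: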

swt1:[/]#ssh swt1
The authenticity of host 'swt1 (192.168.1.151)' can't be established.
RSA key fingerprint is 0f:01:88:b6:be:ed:ec:94:2c:4b:e1:3f:0d:58:32:01.
Are you sure you want to continue connecting (yes/no)? yes
After you type yes and press Enter, the SSH client adds the public part of the SSH server's host key to the known_hosts database and displays:
Warning: Permanently added 'swt1,192.168.1.151' (RSA) to the list of known hosts.
welcome to SWT1!
Password:
Last login: Wed Apr  1 12:51:28 2009 from 192.168.1.17
(c)Copyright 1983-2003 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993  The Open Software Foundation, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2003 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
  

                  RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.


                  Hewlett-Packard Company
                  3000 Hanover Street
                  Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
You have mail.
Value of TERM has been set to "hp".
WARNING:  YOU ARE SUPERUSER !!
swt1:[/]#
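This shows that the connection is working.

However, if the connection to SSH can be completed but cannot be encrypted, you will see a warning before you are prompted for your password. In that case the remote system may not be running the SSH process, or SSH is being blocked by a router or firewall. If you do not want to continue the connection using rsh, you can press Ctrl c to exit. Even though SSH warns you, it is easy to forget that you are using rsh rather than SSH. See: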

swt1:[/]#ssh swt2

Using rsh. WARNING: Connection will not be encrypted.

Password:

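Note: if you want to keep the connection secure, do not use rsh even when SSH cannot encrypt.

More troubleshooting information and error messages are also available in the /var/log/messages file and the /var/log/secure file.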
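
An added example (not part of the original post, and not HP's code): a POSIX shell check that the telnet line in an inetd.conf-style file is really commented out. It goes beyond the post by also flagging the `login`, `shell` and `exec` entries (rlogin, remsh, rexec), since the post warns about falling back to rsh; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list cleartext remote-login services that are still enabled
# in an inetd.conf-style file. An entry counts as enabled when its first
# field is a service name, i.e. the line is not commented out with '#'.

# active_cleartext_services FILE
# Prints one service name per line (telnet, login, shell, exec) for each
# uncommented entry; prints nothing when all of them are disabled.
active_cleartext_services() {
    awk '
        $1 ~ /^#/ { next }        # commented-out entry: disabled
        ($1 == "telnet" || $1 == "login" || $1 == "shell" || $1 == "exec") \
            && !seen[$1]++ { print $1 }
    ' "$1"
}

# audit_inetd FILE
# Returns 0 when no cleartext login service is enabled, 1 otherwise.
audit_inetd() {
    found=$(active_cleartext_services "$1")
    if [ -n "$found" ]; then
        # $found is left unquoted on purpose so the names print on one line
        echo "still enabled in $1:" $found >&2
        return 1
    fi
    return 0
}

# make_sample FILE
# Writes a constructed sample (not taken from a real host): telnet is
# commented out as in the post, but rlogin and remsh are still active.
make_sample() {
    cat > "$1" <<'EOF'
#telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
login    stream tcp nowait root /usr/lbin/rlogind  rlogind
shell    stream tcp nowait root /usr/lbin/remshd   remshd
ftp      stream tcp nowait root /usr/lbin/ftpd     ftpd -l
EOF
}

# Audit a real file when a path is given, e.g.: sh audit.sh /etc/inetd.conf
[ $# -eq 0 ] || audit_inetd "$1"
```

Run it after editing /etc/inetd.conf and before restarting inetd; a non-zero exit status means a cleartext login service would still be started.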

#14 Posted 2010-01-21 10:47
4)  Use swinstall to install the KRNG11i bundle from the source depot file. Note that because KRNG11i pulls in a set of kernel components, the autoreboot flag must be specified:
# swinstall -x autoreboot=true -s /tmp/KRNG11i_*.depot KRNG11i
The system will reboot after installation.


Installing this random thing requires a system reboot~