Here is an SSH installation and usage document for reference.
Installing OpenSSH 4.1p1 on Solaris 9 (SPARC)
All software comes from www.sunfreeware.com
1. Confirm the required packages
Source locations
The sources for these different programs are on sunfreeware.com or you can go to their home pages at
http://www.zlib.org zlib
http://www.perl.org perl
http://www.aet.tu-cottbus.de/per ... tfix_tls/prngd.html prngd
http://www.openssl.org openssl
http://www.openssh.org openssh
http://www.lothar.com/tech/crypto/ egd
ftp://ftp.porcupine.org/pub/security/index.html tcp_wrappers
Packages downloaded from sunfreeware:
openssh-4.1p1-sol9-sparc-local.gz
openssl-0.9.7g-sol9-sparc-local.gz
tcp_wrappers-7.6-sol9-sparc-local.gz (optional, but recommended)
(unless you are using IPV6 - see the tcp_wrappers listing for details on this issue)
zlib-1.2.1-sol9-sparc-local.gz
perl-5.8.5-sol9-sparc-local.gz (optional)
prngd-0.9.25-sol9-sparc-local.gz (optional)
egd-0.8-sol9-sparc-local.gz (optional)
2. Install the downloaded packages
With the files downloaded, go to the directory where you put them and run
# gunzip openssh-4.1p1-sol9-sparc-local.gz
# gunzip openssl-0.9.7g-sol9-sparc-local.gz
# gunzip zlib-1.2.2-sol9-sparc-local.gz
# gunzip libgcc-3.3-sol9-sparc-local.gz (if you don't have gcc 3.3.2 installed)
# gunzip tcp_wrappers-7.6-sol9-sparc-local.gz (again optional)
and optionally for the other packages. Then run as root
# pkgadd -d openssh-4.1p1-sol9-sparc-local
# pkgadd -d openssl-0.9.7g-sol9-sparc-local
# pkgadd -d zlib-1.2.2-sol9-sparc-local
# pkgadd -d libgcc-3.3-sol9-sparc-local (if you don't have gcc 3.3.2 installed)
# pkgadd -d tcp_wrappers-7.6-sol9-sparc-local (optional)
The optional packages were installed as well, following the same procedure.
3. Security settings for the sshd user
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/sh sshd
This adds a system user sshd, reserved for running the sshd process (privilege separation); its home directory /var/empty is owned by root and only root has write access to it.
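As an added check (not part of the original post), the POSIX sh functions below verify the two things sshd's privilege separation depends on: the chroot directory is owned by the expected user with no group or world write bit (sshd refuses to start with "Bad owner or mode" otherwise), and the sshd account exists with that directory as its home. The expected owner and the passwd file are parameters so the check can be exercised as an unprivileged user on a scratch directory; on the real host call check_privsep_dir /var/empty root and check_privsep_user sshd /etc/passwd /var/empty. It assumes ls -ld prints the mode string first and the owner third, which holds on Solaris 9 and Linux alike.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# privilege separation directory and account created in section 3.

# check_privsep_dir DIR OWNER
# Returns 0 when DIR is a directory owned by OWNER with neither the group
# nor the world write bit set; otherwise prints the reason and returns 1.
check_privsep_dir() {
    dir=$1
    want_owner=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # Assumption: ls -ld output is "mode links owner group ..." (true on
    # Solaris and Linux). Backticks rather than $() keep the old Bourne
    # shell on Solaris 9 happy.
    set -- `ls -ld "$dir"`
    mode=$1
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner"
        return 1
    fi
    # Character 6 of the mode string is the group write bit, character 9
    # the world write bit; sshd rejects the directory if either is set.
    case "$mode" in
        ?????w*) echo "$dir: group writable ($mode)"; return 1 ;;
    esac
    case "$mode" in
        ????????w*) echo "$dir: world writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_privsep_user NAME PASSWDFILE DIR
# Returns 0 when NAME has an entry in PASSWDFILE whose home directory is
# DIR (the privsep chroot); otherwise prints the reason and returns 1.
check_privsep_user() {
    name=$1
    passwd_file=$2
    want_home=$3
    entry=`grep "^$name:" "$passwd_file"`
    if [ -z "$entry" ]; then
        echo "$name: no such account in $passwd_file"
        return 1
    fi
    home=`echo "$entry" | cut -d: -f6`
    if [ "$home" != "$want_home" ]; then
        echo "$name: home is $home, expected $want_home"
        return 1
    fi
    return 0
}
```

Run both checks before the first "/etc/init.d/sshd start"; a non-zero exit tells you which of the mkdir/chown/chmod/useradd steps above did not take effect.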
4. Setting up the sshd system start/stop script
The sshd start/stop script that ships with Solaris 9 is already very good; with a few small changes it can drive the newly installed OpenSSH 4.1p1.
Solaris 9's own SSH directory layout:
/etc/ssh : ssh and sshd configuration files and host key files
/usr/lib/ssh : server-side programs such as sshd
/usr/bin/ssh : client-side programs such as ssh
Directory layout after installing the OpenSSH 4.1p1 package:
/usr/local/etc : ssh and sshd configuration files and host key files
/usr/local/sbin : server-side programs such as sshd
/usr/local/bin : client-side programs such as ssh
Based on the comparison above, the original sshd script can be modified as follows:
#!/sbin/sh
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ident "@(#)sshd 1.1 01/09/19 SMI"
#
# If sshd is configured (/etc/ssh/sshd_config exists and is readable),
# then start it up.
# Checks to see if RSA and DSA host keys are available;
# if any of these keys are not present, the respective keys are created.

KEYDIR=/usr/local/etc                   # was /etc/ssh
KEYGEN="/usr/local/bin/ssh-keygen -q"   # was /usr/bin/ssh-keygen
PIDFILE=/var/run/sshd.pid

case $1 in
'start')
    if [ -x /usr/local/bin/ssh-keygen ]; then   # was /usr/bin/ssh-keygen
        if [ ! -f "$KEYDIR/ssh_host_rsa_key" ]; then
            echo "Creating new RSA public/private host key pair"
            $KEYGEN -f $KEYDIR/ssh_host_rsa_key -t rsa -N ''
        fi
        if [ ! -f "$KEYDIR/ssh_host_dsa_key" ]; then
            echo "Creating new DSA public/private host key pair"
            $KEYGEN -f $KEYDIR/ssh_host_dsa_key -t dsa -N ''
        fi
    fi
    [ -x /usr/local/sbin/sshd ] && /usr/local/sbin/sshd &   # was /usr/lib/ssh/sshd
    ;;
'stop')
    #
    # If we are switching run level downwards then we disconnect
    # all connections.
    #
    # Otherwise we just kill the master daemon that is listening
    # and leave the connections active.
    if [ -z "$_INIT_RUN_LEVEL" ]; then
        set -- `/usr/bin/who -r`
        _INIT_RUN_LEVEL="$7"
        _INIT_PREV_LEVEL="$9"
    fi
    if [ $_INIT_RUN_LEVEL -lt $_INIT_PREV_LEVEL ]; then
        /usr/bin/pkill -u 0 -x sshd
    fi
    if [ -f "$PIDFILE" ]; then
        /usr/bin/kill -TERM `/usr/bin/cat $PIDFILE`
    fi
    ;;
'restart')
    if [ -f "$PIDFILE" ]; then
        /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
    fi
    ;;
*)
    echo "Usage: $0 { start | stop | restart }"
    exit 1
    ;;
esac
5. Cleaning up the original ssh-related files
The original sshd package can either be removed or have its files renamed; here they were renamed.
# cd /usr/bin
# mv ssh-add ssh-add.old
# ln -s /usr/local/bin/ssh-add ssh-add
# mv ssh-agent ssh-agent.old
# mv ssh-keygen ssh-keygen.old
# ln -s /usr/local/bin/ssh-agent ssh-agent
# ln -s /usr/local/bin/ssh-keygen ssh-keygen
# ln -s /usr/local/bin/ssh-keyscan ssh-keyscan
# mv /usr/bin/sftp /usr/bin/sftp.old
# ln -s /usr/local/bin/sftp /usr/bin/sftp
The sshd binary is started through the sshd script, so it was not touched.
The OpenSSH 4.1p1 package appears to have been built to expect sshd_config and ssh_config in /usr/local/etc, so the old /etc/ssh files were not renamed either; they are simply no longer used.
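The renames and symlinks above can be scripted with the guards an operator wants when swapping a vendor binary for the /usr/local copy. The function below is an added example, not the post's own commands: it refuses to act if the replacement is missing or not executable (which would leave a dangling link and no working ssh client), keeps the first .old copy rather than overwriting it on a rerun, and is a no-op when the link is already in place. Paths in the test are constructed scratch files, not the system's.

```shell
#!/bin/sh
# Added example, not from the original post: move a vendor binary aside
# as NAME.old and replace it with a symlink to the /usr/local copy.

# swap_for_link OLDPATH NEWPATH
# Returns 0 when OLDPATH ends up as a symlink to NEWPATH, 1 if it refused.
swap_for_link() {
    old=$1
    new=$2
    # Never point a system path at something that cannot run: that would
    # remove the vendor tool without providing a replacement.
    if [ ! -x "$new" ]; then
        echo "$new: missing or not executable, leaving $old untouched"
        return 1
    fi
    if [ -h "$old" ]; then
        # Already a symlink: nothing to back up, re-point only if it differs.
        target=`ls -l "$old" | sed 's/.* -> //'`
        [ "$target" = "$new" ] && return 0
        rm -f "$old"
    elif [ -e "$old" ]; then
        # Keep the first backup; a second run must not clobber it.
        if [ -e "$old.old" ]; then
            echo "$old.old already exists, refusing to overwrite the backup"
            return 1
        fi
        mv "$old" "$old.old"
    fi
    ln -s "$new" "$old"
}
```

With it, section 5 becomes a loop over the client tools: for f in ssh-add ssh-agent ssh-keygen ssh-keyscan sftp; do swap_for_link /usr/bin/$f /usr/local/bin/$f; done.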
6. tcp_wrappers configuration
This is really just a matter of setting up /etc/hosts.allow and /etc/hosts.deny; the file format is:
sshd: ALL
Rule: when both hosts.allow and hosts.deny exist, only the entries listed in hosts.allow can log in.
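The lookup order behind that rule, as an added example that is not part of the original post: libwrap consults hosts.allow first and grants access on the first match, then hosts.deny and refuses on the first match, and grants access if neither file matches. So "only what is in hosts.allow gets in" holds exactly when hosts.deny carries a catch-all such as sshd: ALL. The evaluator below models the plain "daemon_list : client_list" form with the ALL wildcard, exact host names or addresses, and trailing-dot network prefixes or leading-dot domain suffixes; EXCEPT clauses, shell commands and % expansions are out of scope. File paths are parameters so it can be run against constructed scratch files.

```shell
#!/bin/sh
# Added example, not from the original post: apply the tcp_wrappers
# allow-then-deny-then-default-allow order to a pair of rule files.

# list_matches LIST VALUE
# True when the comma- or space-separated LIST contains ALL, VALUE itself,
# a "prefix." pattern that starts VALUE, or a ".suffix" pattern that ends it.
list_matches() {
    list=$1
    value=$2
    for item in `echo "$list" | tr ',' ' '`; do
        case "$item" in
            ALL) return 0 ;;
            *.)  case "$value" in "$item"*) return 0 ;; esac ;;
            .*)  case "$value" in *"$item") return 0 ;; esac ;;
            *)   [ "$item" = "$value" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT
# True when some rule line in FILE matches both DAEMON and CLIENT.
# A missing file matches nothing; blank lines and # comments are skipped.
file_matches() {
    file=$1
    daemon=$2
    client=$3
    [ -f "$file" ] || return 1
    while IFS= read line; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=`echo "$line" | cut -d: -f1`
        clients=`echo "$line" | cut -d: -f2`
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrap_decision DAEMON CLIENT ALLOWFILE DENYFILE
# Prints "allow" or "deny" following the libwrap lookup order.
wrap_decision() {
    if file_matches "$3" "$1" "$2"; then
        echo allow
    elif file_matches "$4" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}
```

Useful as a dry run before editing the live files: wrap_decision sshd 192.0.2.9 /etc/hosts.allow /etc/hosts.deny shows what a connection from that address would get, and a run with the deny file absent shows why hosts.deny must exist for the allow list to be exclusive.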
/etc/ssh/sshd_config was changed as follows:
AllowTcpForwarding yes //changed from no to yes
PermitRootLogin yes //changed from no to yes
7. Enabling the new OpenSSH 4.1p1
kill -9 the old process, then start the new sshd process with /etc/init.d/sshd start.
8. Main reference: http://www.sunfreeware.com/openssh9.html