Replacing Telnet; OpenSSH, a secure alternative

By Mayank Sarup <mayank@freeos.com>
Posted: ( 2000-11-21 07:34:46 EST by mayank )

The Internet was originally designed as a research and educational resource, and the technology that today forms the backbone of the Internet is largely based on that philosophy. However, as time has gone by, security has become an important issue on the Internet, and this article looks at implementing more secure versions of common Internet applications.

The Internet is built with communication in mind. You will routinely move around the Web from one site to the other, or telnet to another machine to check your mail or to administer that machine. The trouble with most of these protocols is that they are not encrypted. Over a telnet connection, your passwords are sent as plain text, which can be read by anyone. Using sophisticated programs called packet sniffers, even an amateur hacker can spy on your connection and grab your data.

Secure Shell (SSH) was built to address these faults and provide a more secure environment to work in. SSH encrypts all your traffic including your passwords when you connect to another machine over the net. SSH also replaces telnet, ftp, rsh, rlogin and rexec.

Let's take a look at OpenSSH, an excellent and, more importantly, open source implementation of SSH. It is very well supported by the OpenBSD team and includes rock-solid SSH2 support. Versions are available for nearly all the Unices including Linux, which is what we are using here.

OpenSSH can be downloaded from www.openssh.com. The latest version as of writing this article is 2.3.0. It is available as source tarballs or in RPM format. If you are downloading the RPMs, then you need to get the following files:

openssh-2.3.0p1-1.i386.rpm
openssh-clients-2.3.0p1-1.i386.rpm
openssh-server-2.3.0p1-1.i386.rpm

Zlib - This is an open source and patent-free lossless data compression library. It should already have been installed as part of your standard Linux installation. If not, you can download it from http://www.freesoftware.com/pub/infozip/zlib/. Both source and RPMs are available. Take your pick.

OpenSSL - Another open source effort, aimed at creating a commercial-grade toolkit implementing Secure Socket Layer (SSL), Transport Layer Security (TLS) and a strong cryptography library. This is also available as source or RPM packages. The RPM packages are available right where the OpenSSH RPMs are. The source packages are available at www.openssl.org.

Installation

Zlib

RPM: rpm -ivh zlib-1.1.3-i386.rpm

For the tar.gz

tar zxvf zlib-1.1.3.tar.gz
cd zlib-1.1.3
./configure
make
su -c "make install"

OpenSSL

RPM: rpm -ivh openssl-0.9.5a-i386.rpm

For the tar.gz

tar zxvf openssl-0.9.5a.tar.gz
cd openssl-0.9.5a
./config
make
su -c "make install"

OpenSSH

RPM: rpm -ivh openssh-2.3.0p1-1.i386.rpm <- Should be installed first
rpm -ivh openssh-clients-2.3.0p1-1.i386.rpm
rpm -ivh openssh-server-2.3.0p1-1.i386.rpm

For the tar.gz

tar zxvf openssh-2.3.0p1.tar.gz
cd openssh-2.3.0p1
./configure --sysconfdir=/etc/ssh

By default, OpenSSH places its configuration files under /usr/local/etc. The --sysconfdir option lets you set your own location.

make
su -c "make install"
su -c "make host-key"

This will create the RSA and DSA host keys for your system. SSH works on the public/private key pair method. RSA is the older format whereas DSA is the new format and the one used by SSH2.
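A post-install check for the host keys described above, as an added example that is not part of the original article. It assumes the keys sit in the --sysconfdir directory as files matching ssh_host_*key with a .pub file beside each; the function name and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the article: audit the host keys written by
# "make host-key". The directory defaults to /etc/ssh (the --sysconfdir
# used above); the expected owner UID defaults to 0 (root).
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    want_uid=${2:-0}
    found=0; bad=0
    for key in "$dir"/ssh_host_*key; do
        [ -e "$key" ] || continue              # glob matched nothing
        found=$((found + 1))
        if [ -L "$key" ] || [ ! -f "$key" ]; then
            echo "NOT-REGULAR-FILE $key"; bad=1; continue
        fi
        # "ls -ldn" prints e.g. "-rw------- 1 0 0 ...": characters 5-10
        # are the group and other permission bits, field 3 the owner UID.
        perms=$(ls -ldn "$key" | cut -c5-10)
        uid=$(ls -ldn "$key" | awk '{print $3}')
        if [ "$perms" != "------" ]; then
            echo "LOOSE-PERMS $key (group/other: $perms)"; bad=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "WRONG-OWNER $key (uid $uid, expected $want_uid)"; bad=1
        fi
        if [ ! -f "$key.pub" ]; then
            echo "NO-PUBLIC-KEY $key.pub"; bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO-HOST-KEYS $dir"; bad=1
    fi
    return "$bad"
}
```

Source the file and run `audit_host_keys /etc/ssh` as root after `make host-key`; any output means a private host key is exposed, misowned or incomplete.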

Enter the contrib sub-directory. There are a few files of importance here. First is sshd.pam.generic. Most new Linux distributions use PAM for authentication. This is a generic file that suits most distributions. A version for Red Hat can be found in the redhat sub-directory. Copy this file to /etc/pam.d as sshd.

cp sshd.pam.generic /etc/pam.d/sshd

Also provided here are init scripts for use with SuSE and Red Hat. The SuSE directory also contains a configuration file that you should copy to /etc/rc.config.d.

cat rc.config.sshd >> /etc/rc.config

You can use these scripts across most distributions with a few changes. One of the changes that we needed to make to the SuSE script was to change the path from /usr/sbin to /usr/local/sbin. Copy the startup script to /etc/rc.d/init.d (Red Hat) or /sbin/init.d (SuSE).

 
