Replacing Telnet; OpenSSH, a secure alternative
By Mayank Sarup <mayank@freeos.com>
Posted: 2000-11-21 07:34:46 EST by mayank
The Internet was originally designed as a research and educational resource, and the technology that today forms the backbone of the Internet is largely based on that philosophy. However, as time has gone by, security has become an important issue on the Internet, and this article looks at implementing more secure versions of common Internet applications.
The Internet is built with communication in mind. You will routinely move around the Web from one site to another, or telnet to another machine to check your mail or to administer that machine. The trouble with most of these protocols is that they are not encrypted. Over a telnet connection, your passwords are sent as plain text, which can be read by anyone on the path. Using programs called packet sniffers, even an amateur attacker can spy on your connection and grab your data.
Secure Shell (SSH) was built to address these faults and provide a more secure environment to work in. SSH encrypts all your traffic including your passwords when you connect to another machine over the net. SSH also replaces telnet, ftp, rsh, rlogin and rexec.
Let's take a look at OpenSSH, an excellent and, more importantly, open source implementation of SSH. It is very well supported by the OpenBSD team and includes rock-solid SSH2 support. Versions are available for nearly all the Unices, including Linux, which is what we are using here.
OpenSSH can be downloaded from www.openssh.com. The latest version as of writing this article is 2.3.0. It is available as source tarballs or in RPM format. If you are downloading the RPMs, then you need to get the following files:
openssh-2.3.0p1-1.i386.rpm
openssh-clients-2.3.0p1-1.i386.rpm
openssh-server-2.3.0p1-1.i386.rpm
Zlib - This is an open source and patent-free lossless data compression library. It should already have been installed as part of your standard Linux installation. If not, you can download it from http://www.freesoftware.com/pub/infozip/zlib/. It is available as source as well as RPMs; take your pick.
OpenSSL - Another open source effort, aimed at creating a commercial-grade toolkit implementing Secure Socket Layer (SSL), Transport Layer Security (TLS) and a strong cryptography library. This is also available as source or RPM packages. The RPM packages are available right where the OpenSSH RPMs are. The source packages are available at www.openssl.org.
Installation
Zlib
RPM: rpm -ivh zlib-1.1.3-i386.rpm
For the tar.gz:
tar zxvf zlib-1.1.3.tar.gz
cd zlib-1.1.3
./configure
make
su -c "make install"
OpenSSL
RPM: rpm -ivh openssl-0.9.5a-i386.rpm
For the tar.gz:
tar zxvf openssl-0.9.5a.tar.gz
cd openssl-0.9.5a
./configure
make
su -c "make install"
OpenSSH
RPM (the base package must be installed first, since the clients and server packages depend on it):
rpm -ivh openssh-2.3.0p1-1.i386.rpm
rpm -ivh openssh-clients-2.3.0p1-1.i386.rpm
rpm -ivh openssh-server-2.3.0p1-1.i386.rpm
For the tar.gz:
tar zxvf openssh-2.3.0p1.tar.gz
cd openssh-2.3.0p1
./configure --sysconfdir=/etc/ssh
By default OpenSSH places the configuration files under /usr/local/etc. Using --sysconfdir allows you to set your own location.
make
su -c "make install"
su -c "make host-key"
This will create the RSA and DSA host keys for your system. SSH works on the public/private key pair method. RSA is the older format whereas DSA is the new format and the one used by SSH2.
Enter the contrib sub-directory. There are a few files of importance here. The first is sshd.pam.generic. Most new Linux distributions use PAM for authentication, and this is a generic PAM configuration that suits most distributions. A version for Red Hat can be found in the redhat sub-directory. Copy this file to /etc/pam.d as sshd:
cp sshd.pam.generic /etc/pam.d/sshd
Also provided here are init scripts for use with SuSE and Red Hat. The SuSE directory also contains a configuration file that you should copy to /etc/rc.config.d:
cat rc.config.sshd >> /etc/rc.config
You can use these scripts across most distributions with a few changes. One of the changes that we needed to make to the SuSE script was to change the path from /usr/sbin to /usr/local/sbin, since a source install puts sshd there. Copy the startup script to /etc/rc.d/init.d (Red Hat) or /sbin/init.d (SuSE).
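After a source install it is easy to end up with host keys in one directory and sshd looking in another, or with a PAM file missing so that every login is refused. The following shell function, added here as an example and not part of OpenSSH or the original article, checks the results of the steps above. It assumes a build configured with --sysconfdir=/etc/ssh, the host key file names of 2.3.0p1 (ssh_host_key for RSA and ssh_host_dsa_key for DSA) and a PAM-based distribution.

```shell
#!/bin/sh
# Post-install sanity check for an OpenSSH source build (hypothetical helper,
# not part of OpenSSH). Assumes --sysconfdir=/etc/ssh, the 2.3.0p1 host key
# file names (ssh_host_key = RSA, ssh_host_dsa_key = DSA) and /etc/pam.d/sshd.
# Returns 0 when every check passes, 1 otherwise, printing each problem found.
check_ssh_install() {
    sysconfdir=${1:-/etc/ssh}
    pamdir=${2:-/etc/pam.d}
    rc=0

    for key in ssh_host_key ssh_host_dsa_key; do
        f="$sysconfdir/$key"
        if [ ! -f "$f" ]; then
            echo "missing host key: $f (run 'make host-key')"
            rc=1
            continue
        fi
        # A private host key must be readable by root only: the group and
        # other permission bits (columns 5-10 of 'ls -l') must all be '-'.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "host key $f is readable by others (chmod 600 it)"
            rc=1
        fi
        # The matching public key is generated alongside the private one.
        [ -f "$f.pub" ] || { echo "missing public key: $f.pub"; rc=1; }
    done

    # sshd reads its settings from the directory given to --sysconfdir.
    [ -f "$sysconfdir/sshd_config" ] || { echo "missing $sysconfdir/sshd_config"; rc=1; }

    # PAM-based distributions need /etc/pam.d/sshd, or logins will be refused.
    [ -f "$pamdir/sshd" ] || { echo "missing $pamdir/sshd (copy sshd.pam.generic)"; rc=1; }

    return $rc
}

# Run against the real system when invoked with arguments, for example:
#   sh check_ssh_install.sh /etc/ssh /etc/pam.d
if [ "$#" -gt 0 ]; then
    check_ssh_install "$@"
fi
```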