Installation and configuration of OpenSSH in Linux systems

Source: Internet
Author: User

Overview

Many network programs, such as Telnet, rsh, rlogin or rexec, transmit passwords and other secret information in plaintext, so any computer attached to the network can eavesdrop on the traffic between these programs and the server and capture the passwords and secrets. Telnet is indispensable for day-to-day administration, but it is not secure, so it should be replaced. OpenSSH is a replacement for outdated, insecure programs such as Telnet, rlogin, rsh, rdist and rcp.

The OpenSSH README describes ssh (Secure Shell) as a program for logging into a remote host and executing commands over the network. It provides strong authentication and secure communication over insecure networks.

We configure OpenSSH to support TCP wrappers (the inetd super server), which further improves security and removes the need to run OpenSSH as a daemon in the background. When a client program makes a connection request, the TCP wrappers daemon authenticates and authorizes the request before handing the connection to OpenSSH. OpenSSH is free software and uses cryptographic algorithms that are not covered by patents. Therefore I recommend OpenSSH (free, and bugs get fixed) instead of SSH1 (free but buggy) or SSH2 (now under a commercial license agreement).

Notes

All of the commands below are UNIX-compliant commands.

The source path is "/var/tmp" (you can of course use a different path).

The installation was tested on Red Hat Linux 6.1 and 6.2.

Install as the "root" user.

The OpenSSH version is 1.2.3.

Package source

OpenSSH's homepage: http://violet.ibs.com.au/openssh/.

Download: openssh-1.2.3.tar.gz.

Preparation

Compiling OpenSSH requires the zlib-devel package, which contains the header files and libraries needed to build programs that use zlib compression and decompression; it must be installed beforehand. It can be installed from the Red Hat 6.1 or 6.2 CD-ROM.

Use the following command to verify that the zlib-devel package is installed on the system:

[root@deep /]# rpm -qi zlib-devel

Install the zlib-devel package with the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel ##################################################
[root@deep RPMS]# rpm -Uvh gd-devel-version.i386.rpm
gd ##################################################
[root@deep RPMS]# cd /; umount /mnt/cdrom/

Before you use OpenSSH, you must also install OpenSSL. Even if you do not use OpenSSL to create or store encrypted files, OpenSSH needs the OpenSSL libraries to work.

Things to note when installing packages

It is a good idea to list every file on the system before and after compiling and then compare the two lists with the diff command, so you know exactly what the software installed and where. Simply run "find /* > OpenSSH1" before compiling, run "find /* > OpenSSH2" after compiling and installing, and finally run "diff OpenSSH1 OpenSSH2 > OpenSSH-installed" to see the changes.

Compiling and installing
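As an added example (not part of the original article), the snapshot-and-diff procedure just described, written as a small POSIX shell script. It runs against a constructed sandbox directory rather than the real root, so it can be tried anywhere; on a live system you would pass / as the root, keep the two lists outside the tree being scanned (the text's own "find /* > OpenSSH1" in / makes OpenSSH1 itself show up in the diff), and exclude volatile trees such as /proc, /tmp and /var/tmp, where the source tree unpacks.

```shell
#!/bin/sh
# Added example, not from the original article: the "find before / find after /
# diff" procedure wrapped in functions, with a demo against a constructed sandbox.

# snapshot ROOT OUTFILE: write a sorted list of every path under ROOT to OUTFILE
# (sorted in the C locale because comm below requires sorted input)
snapshot() {
    find "$1" -print 2>/dev/null | LC_ALL=C sort > "$2"
}

# installed_files BEFORE AFTER: print the paths that appear only in AFTER,
# i.e. what "make install" created (comm -13 keeps lines unique to file 2)
installed_files() {
    LC_ALL=C comm -13 "$1" "$2"
}

# count_installed BEFORE AFTER: number of new paths, for a quick sanity check
count_installed() {
    installed_files "$1" "$2" | wc -l | tr -d ' '
}

# demo: constructed sandbox standing in for "/", so the script runs offline;
# the snapshot lists live in a separate directory so they do not pollute the scan
demo() {
    sandbox=$(mktemp -d)
    lists=$(mktemp -d)
    mkdir -p "$sandbox/usr/bin" "$sandbox/etc/ssh"
    snapshot "$sandbox" "$lists/OpenSSH1"          # before "make install"
    : > "$sandbox/usr/bin/ssh"                      # simulate installed files
    : > "$sandbox/usr/bin/sshd"
    : > "$sandbox/etc/ssh/sshd_config"
    snapshot "$sandbox" "$lists/OpenSSH2"          # after "make install"
    echo "new paths: $(count_installed "$lists/OpenSSH1" "$lists/OpenSSH2")"
    installed_files "$lists/OpenSSH1" "$lists/OpenSSH2"
    rm -rf "$sandbox" "$lists"
}

demo
```

The demo reports three new paths (the two binaries and the configuration file). Using comm on sorted lists instead of a raw diff gives clean output that can be fed straight into a removal script or a checksum database later.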

Unpack the package (tar.gz):

[root@deep /]# cp openssh-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf openssh-version.tar.gz

Compilation and optimization

First Step

Change into the new OpenSSH directory and first set the compiler parameters:

CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl

These settings tell the compiler how to build OpenSSH:

- Link against the libwrap library and add support for TCP wrappers

- Disable the delayed DNS lookup in linux/glibc-2.1.2, which shortens the time needed to establish a connection

- Set the path of the OpenSSL library so that OpenSSH can run correctly

Second Step

Now, compile and install OpenSSH:

[root@deep openssh-1.2.3]# make
[root@deep openssh-1.2.3]# make install
[root@deep openssh-1.2.3]# make host-key
[root@deep openssh-1.2.3]# install -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd

The "make" command compiles the source into executable binaries, and "make install" installs the binaries and configuration files into the appropriate directories. "make host-key" generates the host key, and the "install" command installs PAM support for OpenSSH on Red Hat Linux.

Cleaning up unnecessary files

Delete the unnecessary files with the following commands:

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf openssh-version/ openssh-version.tar.gz

The rm command removes the source tree used to compile and install OpenSSH together with the OpenSSH tarball.

Configuration

You can download the "floppy.tgz" file from http://www.openna.com/books/floppy.tgz. After unpacking it you will find the configuration files for all the software described in this book in the corresponding directories, so there is no need to regenerate them by hand or paste them into configuration files by copy-and-paste. Whether you build your own configuration files or copy them, you must learn to modify them yourself and copy them into the correct directories, as described below.

In order to run OpenSSH, you must create or copy the following files to the appropriate directories:

- Copy the "sshd_config" file to the "/etc/ssh" directory

- Copy the "ssh_config" file to the "/etc/ssh" directory

- Copy the "ssh" file to the "/etc/pam.d/" directory

You can unpack "floppy.tgz", locate the files listed above and copy them to the appropriate directories, or paste them directly from the book by copy-and-paste.

Configure the "/etc/ssh/ssh_config" file

The "/etc/ssh/ssh_config" file is the OpenSSH system-wide client configuration file; it lets you change the way the client program behaves by setting different options. Each line of the file contains a "keyword value" pair, and keywords are case-insensitive. The most important keywords are listed below; the ssh(1) man page gives the complete list.

Edit the "ssh_config" file (vi /etc/ssh/ssh_config) and add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The option settings above are described line by line below.

Host *

The "Host" option restricts the declarations that follow it to hosts matching the given pattern; "*" matches all hosts.

ForwardAgent no

"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote machine.

ForwardX11 no

"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set.

RhostsAuthentication no

"RhostsAuthentication" sets whether to use rhosts-based authentication.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether to use rhosts-based authentication combined with RSA host authentication.

RSAAuthentication yes

"RSAAuthentication" sets whether to use RSA authentication.

PasswordAuthentication yes

"PasswordAuthentication" sets whether to use password authentication.

FallBackToRsh no

"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.

UseRsh no

"UseRsh" sets whether to use rlogin/rsh for this host.

BatchMode no

If "BatchMode" is set to "yes", the prompt for a passphrase/password (interactive password entry) is disabled. This option is useful in scripts and batch jobs where nobody is present to enter the password.

CheckHostIP yes

"CheckHostIP" sets whether ssh also checks the IP address of the host in the known_hosts file, which helps detect DNS spoofing. The recommended setting is yes.

StrictHostKeyChecking no

If "StrictHostKeyChecking" is set to "yes", ssh never adds host keys to the "$HOME/.ssh/known_hosts" file automatically and refuses to connect to a host whose key has changed.

IdentityFile ~/.ssh/identity

"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22

"Port" sets the port to connect to on the remote host.

Cipher blowfish

"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~

"EscapeChar" sets the escape character.

Configure the "/etc/ssh/sshd_config" file

The "/etc/ssh/sshd_config" file is the OpenSSH server configuration file; it lets you set options that change how the daemon operates. Each line of the file contains a "keyword value" pair, and keywords are case-insensitive. The most important keywords are listed below; the sshd(8) man page gives the complete list.

Edit the "sshd_config" file (vi /etc/ssh/sshd_config) and add or change the following parameters:

# This is SSH server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
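As an added example (not part of the original article), the following POSIX shell script audits an sshd_config file against the security-relevant values recommended above. It mirrors two sshd parsing rules that matter when checking a configuration: keywords are case-insensitive, and the first occurrence of a keyword wins, so a stricter line placed later in the file does not override a weaker one placed earlier. The sample files it writes are constructed for the demo; the config_get lookup works for the ssh_config file shown earlier as well, since both files use the same keyword-value format (for ssh_config, which has Host sections, it is a flat lookup that ignores section boundaries).

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config against
# the recommended values. Sample configuration files below are constructed.

# config_get FILE KEYWORD: print the value of the first matching keyword,
# comparing keywords case-insensitively and skipping comments and blank lines
config_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == want { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE: print one line per violated recommendation and
# return 0 when every recommendation is met, 1 otherwise
audit_sshd_config() {
    rc=0
    # keyword=expected pairs taken from the recommended sshd_config above
    for pair in PermitRootLogin=no PermitEmptyPasswords=no IgnoreRhosts=yes \
                RhostsAuthentication=no RhostsRSAAuthentication=no \
                StrictModes=yes X11Forwarding=no IgnoreUserKnownHosts=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(config_get "$1" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# write_sample FILE good|weak: constructed sample files for a stand-alone run
write_sample() {
    case "$2" in
    good) cat > "$1" <<'EOF'
# constructed copy of the recommended server configuration
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
EOF
    ;;
    weak) cat > "$1" <<'EOF'
# constructed weak configuration
Port 22
# PermitRootLogin no   <- commented out, so it has no effect
permitrootlogin Yes
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
RhostsAuthentication no
RhostsRSAAuthentication no
EOF
    ;;
    esac
}

# Stand-alone demo: the weak file trips two checks (root login stays enabled
# because the first PermitRootLogin line wins, and PermitEmptyPasswords is unset)
demo() {
    tmp=$(mktemp)
    write_sample "$tmp" weak
    audit_sshd_config "$tmp" || echo "sshd_config does not meet the recommendations"
    rm -f "$tmp"
}

demo
```

Run it as "sh audit.sh" to see the two findings for the constructed weak file, or call audit_sshd_config /etc/ssh/sshd_config from another script after editing the real file. Treating an unset keyword as a finding is deliberate: relying on sshd's compiled-in default for something like PermitEmptyPasswords leaves the policy implicit, and an explicit "no" is what the recommended file above specifies.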

The option settings above are described line by line below.

Port 22

"Port" sets the port number on which sshd listens.

ListenAddress 192.168.1.1

"ListenAddress" sets the IP address that sshd binds to.

HostKey /etc/ssh/ssh_host_key

"HostKey" sets the file containing the host's private key.

ServerKeyBits 1024

"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600

"LoginGraceTime" sets the time (in seconds) the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600

"KeyRegenerationInterval" sets the number of seconds after which the server key is regenerated automatically (if one is in use). The key is regenerated so that captured sessions cannot be decrypted later with a stolen key.

PermitRootLogin no

"PermitRootLogin" sets whether root can log in with ssh. Never set this option to "yes".

IgnoreRhosts yes

"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.

IgnoreUserKnownHosts yes

"IgnoreUserKnownHosts" sets whether sshd ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication.

StrictModes yes

"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting the login. This is usually necessary because novices often leave their directories and files world-writable.

X11Forwarding no

"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes

"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when the user logs in.

SyslogFacility AUTH

"SyslogFacility" sets the facility code used when logging messages from sshd.

LogLevel INFO

"LogLevel" sets the verbosity of sshd's log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no

"RhostsAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" alone is sufficient.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" together with RSA host authentication is allowed.

RSAAuthentication yes

"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes

"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no

"PermitEmptyPasswords" sets whether login to accounts with empty passwords is allowed.

AllowUsers admin

"AllowUsers" may be followed by any number of user name patterns or user@host patterns, separated by spaces. The host part may be a DNS name or an IP address.

Configure OpenSSH to use the TCP wrappers inetd super server
