July 05, 2008


DISCLAIMER: All the information contained in this page, or any linked from it, is provided as is, having no warranty or support of any kind, and is used entirely at your own risk.

HOWTO build, install and configure OpenSSH


One of the more common security problems that I come across these days is the continuing use of Telnet for remote access. This is always a very bad idea, as its security ranges from minimal at best to totally nonexistent: all traffic is sent in the clear, yes, even your passwords. The general rule is, Telnet is bad, do not use it!

The preferred solution to this problem is to use SSH, which at a basic level can be thought of as Telnet with encryption. This HOWTO covers building OpenSSH (GPL licensed SSH) from source, installation, basic configuration and usage under Slackware 8.x. What is not covered here are the other uses for SSH, such as the use of tunnels to secure other services, or sftp, scp etc.

Before continuing, you need to understand that this HOWTO has only been tested under Slackware Linux, and does not support binary packages. So if you are using a different distribution or any form of pre-built binary packages, you are on your own: it may work or it may not. As always, if it does help you, please tell me and I will update this page, crediting you.

Requirements

The first thing you need is the OpenSSH software, plus its prerequisite, OpenSSL. Direct download links for both of these are shown below, together with the all-important digital signature files.

Once you have downloaded both these files and their digital signatures, I strongly recommend that you verify the downloaded files against these signatures, as in the past there have been incidents where the source archives were trojaned. Now that would ruin your day real fast!

Starting

Now that you have downloaded the files listed above and verified their digital signatures, we can move on to the actual installation. It is broken up into several steps, which you DO NEED TO work through in order, or you are going to end up in trouble. So log in as the root user and start with Step 1.

Step 1. Installing OpenSSL

Yes, you downloaded this for a reason: it is the main dependency of the OpenSSH that we will be building and configuring in later steps. The first thing you need to do is uncompress the source archive, which is done like this.

tar xvfz openssl-0.9.7c.tar.gz

TIP: For help with handling compressed files under Linux/Unix/OSX see my HOWTO, which covers most of the common formats in detail.

This will uncompress the source archive into a new directory called openssl-0.9.7c, which you change into and then build/install OpenSSL with the following commands.

cd openssl-0.9.7c
./config
make
make test
make install
ldconfig

That's it for the OpenSSL installation. Now you move on to Step 2, which is the pre-installation for OpenSSH.

Step 2. OpenSSH Pre-installation

This step will set up the new user and group needed to support the privilege separation feature of OpenSSH, which in this version is enabled by default. This is not the place to go into what this separation does; all you need to know is that it offers an additional level of security. For those interested in the details, have a look at this page. With that out of the way, first you create the group with the following command.

groupadd -g 1000 sshd

This will create a new group called sshd with the group id 1000. With the group created, you move on to creating the user, which is done with the following command.

useradd -u 1000 -g 1000 -d /var/empty -c 'sshd privilege user' sshd

That's it: with the above command you have created the sshd user, which together with the sshd group you created earlier marks the end of this step. Now move on to the next step, which is the actual OpenSSH installation.

Step 3. Installing OpenSSH

In this step you actually build and install OpenSSH from source. So, just like with the OpenSSL installation you performed earlier, first you uncompress the archive, which is done like this.

tar xvfz openssh-3.7.1p2.tar.gz

TIP: For help with handling compressed files under Linux/Unix/OSX see my HOWTO, which covers most of the common formats in detail.

This will uncompress the source archive into a new directory called openssh-3.7.1p2, which you change into and then build/install OpenSSH with the following commands.

cd openssh-3.7.1p2
LIBS=-lcrypt ./configure --sysconfdir=/etc/ssh
make
make install

The above will build and install OpenSSH, with the configuration file location set to /etc/ssh. That done, you now move on to the next step, which is setting up the logs.

NOTE: The LIBS=-lcrypt on the configure line is a Slackware-specific thing and is essential, or nothing is going to work, as configure will otherwise fail to find its libraries.

Step 4. Setting Up the Logs

Now that you have both OpenSSL and OpenSSH, you need to set up the ever important logs, so you can keep track of how they are working and, even more importantly, what the users are up to. So start by editing /etc/syslog.conf, which is the configuration file for the syslog daemon that is used for the logging. The only change that's needed is to add the following to the end of the file.

local7.*    /var/log/sshd

Now that you have updated the configuration, you need to restart the syslog daemon in order for the changes to take effect. For Slackware 8 users only, use the following commands to do this.

killall syslogd
/usr/sbin/syslogd

For Slackware 8.1 it's easier and much neater: you use the following command.

/etc/rc.d/rc.syslog restart

That's it for this step; the logs are now set up. The next step is the actual OpenSSH configuration.

Step 5. OpenSSH Configuration

All the settings covered in this step are already present in the sshd configuration file (which lives under /etc/ssh, the location set in Step 3); it is just that some are commented out, and so need to be checked. You really need to be careful to make sure this is done right, or you are asking for problems.

We start by setting up the OpenSSH side of the logs, to match what we did in the previous step. Then we set the level of logging, which is the amount of information that is sent to the syslog daemon. I always set this to VERBOSE, which gives more than enough information for most users. For all the possible settings, have a look at the man page for sshd. For this HOWTO we are using my standard settings, which are shown below.

SyslogFacility LOCAL7
LogLevel VERBOSE

Now the logs are out of the way, we move on to the security settings, starting with one that's actually optional, but strongly recommended: it controls the root user's ability to log in remotely via SSH. Call me paranoid, but the thought of the root user logging in remotely, no matter how secure the link is, looks bad. Others disagree, so this one is up to you; just remember you have been warned about this one. Anyway, this is controlled with the following setting.

PermitRootLogin no

That's the optional one out of the way. This next one you really need to set: it controls whether blank passwords are accepted. Blank passwords, as we all know, are a bad thing, and if you are using them there is no need to move away from Telnet, as you have no security anyway. So, as you are looking for security, make sure blank passwords are not permitted by verifying the following is set.

PermitEmptyPasswords no

This next one is enabled by default, so I have included it here to make sure that you are aware of it and know never to disable it. This is the control over the privilege separation feature; remember, we created the user and group for this in Step 2. You really want this enabled, as it provides additional security. Make sure the following is set.

UsePrivilegeSeparation yes

That's the end of the very basic configuration covered by this HOWTO; the other settings in the configuration file are outside its scope. For those interested in learning more, details on all the settings are available in the man page for sshd.

At this point you have configured the SSH daemon to the point where it has a good level of security and supports remote access in the same way that Telnet did, but with one major difference: it's now encrypted. Now we move on to testing your new installation.
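As an added check that is not part of the original HOWTO, the following script audits a sshd_config file for the five settings above, honouring sshd's own rules (the first uncommented occurrence of a keyword wins, and keywords are matched case-insensitively). The script name and the config path are assumptions; pass the path as the single argument.

```shell
#!/bin/sh
# Added check, not part of the original HOWTO: audit a sshd_config file for
# the settings Step 5 requires. The path to the file is passed as an argument.

# sshd uses the FIRST uncommented occurrence of a keyword and matches
# keywords case-insensitively, so mimic that rather than a naive grep.
effective_value() {   # $1 = config file, $2 = keyword
    lckey=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$lckey" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins, like sshd
    ' "$1"
}

# Compare each required keyword with the value the HOWTO wants.
# Returns 0 if every setting is explicitly present and correct, else 1.
audit_sshd_config() {   # $1 = config file
    rc=0
    for pair in SyslogFacility:local7 LogLevel:verbose PermitRootLogin:no \
                PermitEmptyPasswords:no UsePrivilegeSeparation:yes
    do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            printf 'MISSING %-22s (not set; sshd will use its built-in default)\n' "$key"
            rc=1
        elif [ "$got" != "$want" ]; then
            printf 'BAD     %-22s is "%s", expected "%s"\n' "$key" "$got" "$want"
            rc=1
        else
            printf 'OK      %-22s %s\n' "$key" "$got"
        fi
    done
    return $rc
}

# Usage (assumed script name): sh audit-sshd.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

A non-zero exit status means at least one setting is missing or wrong, so the script can be run again after every edit until it reports OK on all five lines.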

Step 6. Testing SSH

You have now built and configured OpenSSH, so before moving on to the final stage of the setup it's a good idea to make sure all is working. For this test you do not need a second machine; it can all be done locally. The first thing to do is start the SSH daemon, which you do with the following command.

/usr/local/sbin/sshd

Assuming that there were no error messages reported, the SSH daemon has started (it does not print any success message either), and you can move on to trying to connect to it. For this test you need to use a user other than root, as you will remember we disabled that user's ability to log in via SSH. You run the test with the following command.

ssh username@localhost

After you run the above command you should see the following message.

The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b0:71:1a:51:41:2e:dd:3a:a8:9a:dc:15:1a:fe:5f:91.
Are you sure you want to continue connecting (yes/no)?

This message is nothing to worry about. All it means is that SSH does not know the host you are connecting to, and is asking you to confirm that it really is the host it claims to be. In this case, as it is your own machine, it is, so answer yes. When you later connect to a remote machine, this prompt is the moment to compare the fingerprint shown against one you obtained from the machine's administrator through some other channel, rather than blindly answering yes. The next message you should see will look like this.

Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

This one is normal and means exactly what it says: localhost has been added to the list of known trusted hosts. Next you will be prompted for the password of the user you are using for this test. If all is good you will be able to log in OK; if you get an error message such as Permission Denied, then you need to recheck all the above steps.

As all is working, you can now move on to the next section, which covers the setup to start the SSH daemon automatically at boot time.
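After that test login, /var/log/sshd (the file set up in Step 4) has its first entries, and with LogLevel VERBOSE it is where failed and accepted logins end up. The following script is an added example, not part of the original HOWTO; it summarises such a log by source address and by user, using constructed sample lines embedded in write_sample_log (the exact message wording differs between OpenSSH versions, so the patterns rely only on the stable parts).

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: summarise the /var/log/sshd
# file created in Step 4. The lines in write_sample_log are constructed; the
# wording differs between OpenSSH versions ("illegal user" in 3.x, "invalid
# user" later), so the patterns below only rely on the stable parts.

write_sample_log() {   # $1 = file to create (constructed sample data)
    cat > "$1" <<'EOF'
Jul  5 10:12:03 box sshd[1234]: Failed password for illegal user admin from 192.0.2.10 port 4022 ssh2
Jul  5 10:12:07 box sshd[1235]: Failed password for bob from 192.0.2.10 port 4023 ssh2
Jul  5 10:12:11 box sshd[1236]: Failed password for root from 192.0.2.10 port 4024 ssh2
Jul  5 10:12:20 box sshd[1240]: Accepted password for bob from 127.0.0.1 port 51022 ssh2
Jul  5 10:13:02 box sshd[1241]: Failed password for alice from 203.0.113.5 port 6001 ssh2
Jul  5 10:13:09 box sshd[1242]: Accepted password for alice from 203.0.113.5 port 6002 ssh2
EOF
}

# Print "COUNT SOURCE" for failed password attempts, busiest source first.
failed_logins_by_source() {   # $1 = log file
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print "COUNT USER" for successful logins, so unexpected accounts stand out.
accepted_logins_by_user() {   # $1 = log file
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i+1)]++; break }
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# List sources with more than $2 failures (default 2): candidates for a
# closer look or for blocking at the firewall.
brute_force_sources() {   # $1 = log file, $2 = threshold
    failed_logins_by_source "$1" | awk -v t="${2:-2}" '$1 > t { print $2 }'
}

# Usage (assumed script name): sh review-sshd-log.sh /var/log/sshd
if [ $# -eq 1 ]; then
    echo "Failed password attempts by source:"; failed_logins_by_source "$1"
    echo "Successful logins by user:";          accepted_logins_by_user "$1"
    echo "Sources over threshold:";             brute_force_sources "$1"
fi
```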

Step 7. Starting SSHD on bootup

This seventh and final step covers the configuration needed to start the SSH daemon automatically on those very rare occasions when you need to reboot your machine. Slackware 8.x uses a very simple set of startup scripts, which are all located in /etc/rc.d. The only one you are interested in is rc.local, which, as the name sort of suggests, is where local startup commands live. So open it and add the following lines to the end.

# start SSHD
/usr/local/sbin/sshd

That's all it takes: now when you reboot, SSHD will start automatically. This is also the end of the installation and configuration.

Closing Words

After working through this HOWTO you have (or should have) a fully working SSH installation that has what I call a basic level of security, and will act as a secure replacement for the Telnet you used to use. As I mentioned in the introduction, OpenSSH does have additional functionality well above that offered by Telnet, but it is well outside the scope of this HOWTO.

Updated: June 19, 2004