 Site Administration Page 2 - Secure Tunnelling with SSH |
Kicking The Tyres - AdministrationYou probably already know how to use SSH to securely log in toremote hosts over the Web. In this article, take things a little further byusing SSH to encrypt connections to other ports as well. Scenarios coveredinclude securing your mail server connection so that your mail password isalways protected and creating secure pathways through firewalls for trustedhosts.
print this article SEARCH DEV SHED |
If you're planning to use SSH, the first thing to do is make sure that it's available on both the client (usually your local system) and the server (the remote system). The easiest way to check this is to telnet to port 22 of both hosts, which is the port the SSH daemon traditionally runs on. If SSH services are available, you'll be rewarded with an identification string containing the version number, like this: [me@olympus] $ telnet localhost 22 Connected to olympus. Escape character is '^]'. SSH-1.99-OpenSSH_3.5p1othing? Well, you could politely ask your ISP/Web hosting service/friendly neighbourhood geek to install it for you - or, if you have super-user access to the system, and are comfortable with installing new software on your system, you could download and install it yourself. This article uses OpenSSH, an open-source alternative to commercial SSH that does away with many of the licensing restrictions of SSH1 and SSH2. Drop by the official Web site at http://www.openssh.org/and get yourself the latest stable release of the software (this tutorial uses OpenSSH 3.5). Note that you will also need a copy of the zlib library, available from http://www.gzip.org/zlib/ (this tutorial uses zlib 1.1.4) and the OpenSSL library, available from http://www.openssl.org/(this tutorial uses OpenSSL 0.9.7). Once you've downloaded the source code archive to your Linux box (mine is named "olympus"), log in as "root". [me@olympus] $ su - Password: ****You'll first need to compile and install zlib. Extract the source to a temporary directory. [root@olympus] $ cd /tmp [root@olympus] $ tar -xzvf zlib-1.1.4.tar.gzNext, configure the package using the provided "configure" script, [root@olympus] $ cd /tmp/zlib-1.1.4 [root@olympus] $ ./configureand compile and install it. [root@olympus] $ make [root@olympus] $ make installUnless you specified a different path to the "configure" script, zlib will have been installed to the directory "/usr/local/lib". Next up, OpenSSL. Extract the source to a temporary directory, [root@olympus] $ cd /tmp [root@olympus] $ tar -xzvf openssl-0.9.7a.tar.gzconfigure it, [root@olympus] $ cd /tmp/openssl-0.9.7a [root@olympus] $./configand compile and install it. [root@olympus] $ make [root@olympus] $ make test[root@olympus] $ make installThe compilation process here is fairly involved and may take a few minutes - get yourself a cup of coffee while you're waiting for it to happen. By the time you get back, OpenSSL should be installed to the directory "/usr/local/ssl". Finally, it's time to install the OpenSSH package itself. Again, extract the source to a temporary directory, [root@olympus] $ cd /tmp[root@olympus] $ tar -xzvf openssh-3.5p1.tar.gzand configure the software via the provided "configure" script. Remember to tell "configure" where it can find the libraries you just installed as well. [root@olympus] $ cd /tmp/openssh-3.5p1[root@olympus] $ ./configure --with-ssl-dir=/usr/local/ssl/--with-zlib=/usr/local/lib/ --prefix=/usr/local/sshOnce the software has been configured, you can compile and install it. [root@olympus] $ make[root@olympus] $ make installIn this case, since I specified an installation path to the "configure" script, OpenSSH would have been installed to the "/usr/local/ssh" directory. During the install part of the cycle, you'll notice a set of host keys being generated - this is the private/public key pair for your system, and the two keys are usually stored in the files "/usr/local/ssh/etc/ssh_host_key" and "/usr/local/ssh/etc/ssh_host_key.pub" respectively. Once the software has been installed, you need to start up the "sshd" daemon. [root@olympus] $ /usr/local/ssh/sbin/sshdPrivilege separation user "sshd" does not existOops! Something obviously went wrong somewhere... Actually, the reason for the error above is fairly simple. As the OpenSSH manual puts it, "privilege separation is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process [...] the purpose is to prevent privilege escalation by containing corruption to an unprivileged process." You can correct this error by creating a user and group for the "sshd" daemon to run as, by executing the following commands: [root@olympus] $ mkdir /var/empty[root@olympus] $ chown root:sys /var/empty[root@olympus] $ chmod 755 /var/empty[root@olympus] $ groupadd sshd[root@olympus] $ useradd -g sshd -c 'sshd privsep' -d /var/empty -s/bin/false sshdNow, try restarting the daemon, [root@olympus] $ /usr/local/ssh/bin/sshdand all should be well. You can verify that the daemon is, in fact, alive via a telnet to port 22: [me@olympus] $ telnet localhost 22 Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.SSH-1.99-OpenSSH_3.5p1Remember that you need an OpenSSH daemon at both ends of the connection; in the absence of this, SSH will revert back to using insecure rsh mechanisms to perform a remote login. Next, I'll be showing you how to generate your own public/private key pair, which you'll be using to authenticate your remote logins.
blog comments powered by Disqus |
Using SSH in HeidiSQL and MySQL Query Browser: Encrypting Sessions
