Home arrow Site Administration arrow Page 2 - Secure Tunnelling with SSH

Kicking The Tyres - Administration

You probably already know how to use SSH to securely log in toremote hosts over the Web. In this article, take things a little further byusing SSH to encrypt connections to other ports as well. Scenarios coveredinclude securing your mail server connection so that your mail password isalways protected and creating secure pathways through firewalls for trustedhosts.

TABLE OF CONTENTS:
  1. Secure Tunnelling with SSH
  2. Kicking The Tyres
  3. Test Drive
  4. Et Tu, Brute?
  5. No Forwarding Address
  6. Any Port In A Storm
  7. Remote Control
  8. In And Out
  9. Log Out
By: icarus, (c) Melonfire
Rating: starstarstarstarstar / 29
April 02, 2003

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement
If you're planning to use SSH, the first thing to do is make sure that it's available on both the client (usually your local system) and the server (the remote system).

The easiest way to check this is to telnet to port 22 of both hosts, which is the port the SSH daemon traditionally runs on. If SSH services are available, you'll be rewarded with an identification string containing the version number, like this:
[me@olympus] $ telnet localhost 22
Connected to olympus.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
othing? Well, you could politely ask your ISP/Web hosting service/friendly neighbourhood geek to install it for you - or, if you have super-user access to the system, and are comfortable with installing new software on your system, you could download and install it yourself.

This article uses OpenSSH, an open-source alternative to commercial SSH that does away with many of the licensing restrictions of SSH1 and SSH2. Drop by the official Web site at http://www.openssh.org/and get yourself the latest stable release of the software (this tutorial uses OpenSSH 3.5). Note that you will also need a copy of the zlib library, available from http://www.gzip.org/zlib/ (this tutorial uses zlib 1.1.4) and the OpenSSL library, available from http://www.openssl.org/(this tutorial uses OpenSSL 0.9.7).

Once you've downloaded the source code archive to your Linux box (mine is named "olympus"), log in as "root".
[me@olympus] $ su -
Password: ****
You'll first need to compile and install zlib. Extract the source to a temporary directory.
[root@olympus] $ cd /tmp
[root@olympus] $ tar -xzvf zlib-1.1.4.tar.gz
Next, configure the package using the provided "configure" script,
[root@olympus] $ cd /tmp/zlib-1.1.4
[root@olympus] $ ./configure
and compile and install it.
[root@olympus] $ make
[root@olympus] $ make install
Unless you specified a different path to the "configure" script, zlib will have been installed to the directory "/usr/local/lib".

Next up, OpenSSL. Extract the source to a temporary directory,
[root@olympus] $ cd /tmp
[root@olympus] $ tar -xzvf openssl-0.9.7a.tar.gz
configure it,
[root@olympus] $ cd /tmp/openssl-0.9.7a
[root@olympus] $./config
and compile and install it.
[root@olympus] $ make
[root@olympus] $ make test[root@olympus] $ make install
The compilation process here is fairly involved and may take a few minutes - get yourself a cup of coffee while you're waiting for it to happen. By the time you get back, OpenSSL should be installed to the directory "/usr/local/ssl".

Finally, it's time to install the OpenSSH package itself. Again, extract the source to a temporary directory,
 
[root@olympus] $ cd /tmp[root@olympus] $ tar -xzvf openssh-3.5p1.tar.gz
and configure the software via the provided "configure" script. Remember to tell "configure" where it can find the libraries you just installed as well.
 
[root@olympus] $ cd /tmp/openssh-3.5p1[root@olympus] $ ./configure --with-ssl-dir=/usr/local/ssl/--with-zlib=/usr/local/lib/ --prefix=/usr/local/ssh 
Once the software has been configured, you can compile and install it.
 
[root@olympus] $ make[root@olympus] $ make install
In this case, since I specified an installation path to the "configure" script, OpenSSH would have been installed to the "/usr/local/ssh" directory.

During the install part of the cycle, you'll notice a set of host keys being generated - this is the private/public key pair for your system, and the two keys are usually stored in the files "/usr/local/ssh/etc/ssh_host_key" and "/usr/local/ssh/etc/ssh_host_key.pub" respectively.

Once the software has been installed, you need to start up the "sshd" daemon.
 
[root@olympus] $ /usr/local/ssh/sbin/sshdPrivilege separation user "sshd" does not exist
Oops! Something obviously went wrong somewhere...

Actually, the reason for the error above is fairly simple. As the OpenSSH manual puts it, "privilege separation is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process [...] the purpose is to prevent privilege escalation by containing corruption to an unprivileged process."

You can correct this error by creating a user and group for the "sshd" daemon to run as, by executing the following commands:
 
[root@olympus] $ mkdir /var/empty[root@olympus] $ chown root:sys /var/empty[root@olympus] $ chmod 755 /var/empty[root@olympus] $ groupadd sshd[root@olympus] $ useradd -g sshd -c 'sshd privsep' -d /var/empty -s/bin/false sshd
Now, try restarting the daemon,
 
[root@olympus] $ /usr/local/ssh/bin/sshd
and all should be well.

You can verify that the daemon is, in fact, alive via a telnet to port 22:
[me@olympus] $ telnet localhost 22
Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.SSH-1.99-OpenSSH_3.5p1
Remember that you need an OpenSSH daemon at both ends of the connection; in the absence of this, SSH will revert back to using insecure rsh mechanisms to perform a remote login.

Next, I'll be showing you how to generate your own public/private key pair, which you'll be using to authenticate your remote logins.

 
 
>>> More Site Administration Articles          >>> More By icarus, (c) Melonfire
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SITE ADMINISTRATION ARTICLES

- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: