Secure Tunnelling with SSH - Kicking The Tyres (
Page 2 of 9 )
If you're planning to use SSH, the first thing to do is make sure that it's available on both the client (usually your local system) and the server (the remote system).
The easiest way to check this is to telnet to port 22 of both hosts, which is the port the SSH daemon traditionally runs on. If SSH services are available, you'll be rewarded with an identification string containing the version number, like this:
[me@olympus] $ telnet localhost 22
Connected to olympus.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
othing? Well, you could politely ask your ISP/Web hosting service/friendly neighbourhood geek to install it for you - or, if you have super-user access to the system, and are comfortable with installing new software on your system, you could download and install it yourself.
This article uses OpenSSH, an open-source alternative to commercial SSH that does away with many of the licensing restrictions of SSH1 and SSH2. Drop by the official Web site at
http://www.openssh.org/and get yourself the latest stable release of the software (this tutorial uses OpenSSH 3.5). Note that you will also need a copy of the zlib library, available from http://www.gzip.org/zlib/ (this tutorial uses zlib 1.1.4) and the OpenSSL library, available from
http://www.openssl.org/(this tutorial uses OpenSSL 0.9.7).
Once you've downloaded the source code archive to your Linux box (mine is named "olympus"), log in as "root".
[me@olympus] $ su -
Password: ****
You'll first need to compile and install zlib. Extract the source to a temporary directory.
[root@olympus] $ cd /tmp
[root@olympus] $ tar -xzvf zlib-1.1.4.tar.gz
Next, configure the package using the provided "configure" script,
[root@olympus] $ cd /tmp/zlib-1.1.4
[root@olympus] $ ./configure
and compile and install it.
[root@olympus] $ make
[root@olympus] $ make install
Unless you specified a different path to the "configure" script, zlib will have been installed to the directory "/usr/local/lib".
Next up, OpenSSL. Extract the source to a temporary directory,
[root@olympus] $ cd /tmp
[root@olympus] $ tar -xzvf openssl-0.9.7a.tar.gz
configure it,
[root@olympus] $ cd /tmp/openssl-0.9.7a
[root@olympus] $./config
and compile and install it.
[root@olympus] $ make
[root@olympus] $ make test
[root@olympus] $ make install
The compilation process here is fairly involved and may take a few minutes - get yourself a cup of coffee while you're waiting for it to happen. By the time you get back, OpenSSL should be installed to the directory "/usr/local/ssl".
Finally, it's time to install the OpenSSH package itself. Again, extract the source to a temporary directory,
[root@olympus] $ cd /tmp
[root@olympus] $ tar -xzvf openssh-3.5p1.tar.gz
and configure the software via the provided "configure" script. Remember to tell "configure" where it can find the libraries you just installed as well.
[root@olympus] $ cd /tmp/openssh-3.5p1
[root@olympus] $ ./configure --with-ssl-dir=/usr/local/ssl/
--with-zlib=/usr/local/lib/ --prefix=/usr/local/ssh
Once the software has been configured, you can compile and install it.
[root@olympus] $ make
[root@olympus] $ make install
In this case, since I specified an installation path to the "configure" script, OpenSSH would have been installed to the "/usr/local/ssh" directory.
During the install part of the cycle, you'll notice a set of host keys being generated - this is the private/public key pair for your system, and the two keys are usually stored in the files "/usr/local/ssh/etc/ssh_host_key" and "/usr/local/ssh/etc/ssh_host_key.pub" respectively.
Once the software has been installed, you need to start up the "sshd" daemon.
[root@olympus] $ /usr/local/ssh/sbin/sshd
Privilege separation user "sshd" does not exist
Oops! Something obviously went wrong somewhere...
Actually, the reason for the error above is fairly simple. As the OpenSSH manual puts it, "privilege separation is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process [...] the purpose is to prevent privilege escalation by containing corruption to an unprivileged process."
You can correct this error by creating a user and group for the "sshd" daemon to run as, by executing the following commands:
[root@olympus] $ mkdir /var/empty
[root@olympus] $ chown root:sys /var/empty
[root@olympus] $ chmod 755 /var/empty
[root@olympus] $ groupadd sshd
[root@olympus] $ useradd -g sshd -c 'sshd privsep' -d /var/empty -s
/bin/false sshd
Now, try restarting the daemon,
[root@olympus] $ /usr/local/ssh/bin/sshd
and all should be well.
You can verify that the daemon is, in fact, alive via a telnet to port 22:
[me@olympus] $ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
Remember that you need an OpenSSH daemon at both ends of the connection; in the absence of this, SSH will revert back to using insecure rsh mechanisms to perform a remote login.
Next, I'll be showing you how to generate your own public/private key pair, which you'll be using to authenticate your remote logins.
