OPENSSH Lab Page 1

Install OpenSSH and OpenSSL on all machines if required:
  pkgrm SMCossl          (the SSH package is SSL version sensitive)
  pkgadd -d /sc300/openssl-0.9.7b-sol9-sparc-local
  pkgadd -d /sc300/openssh-3.7.1p2-sol9-sparc-local

Start SSH On The Server:
  server: # echo sshd::67: >>/etc/group
  server: # useradd -c "sshd" -u67 -g sshd -s/bin/false -d/var/empty sshd
  server: # mkdir /var/empty
  server: # chown root:sys /var/empty
  server: # chmod 755 /var/empty
  server: # ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
  server: # ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
  server: # echo "Protocol 2" >>/usr/local/etc/sshd_config
  server: # sshd -d                  (debug mode only runs for one connection)
  client: # ssh server
    - Since these computers have not connected before, they cannot authenticate
      each other, so you will be prompted to continue establishing the connection.
      Say yes. The server's host key will be added to /.ssh/known_hosts for next time.
    - After entering root's password, you should be logged in.
  client: # exit
  server: # vi /usr/local/etc/sshd_config    (change line 37 to: PermitRootLogin no)
  server: # sshd

Create Identity Keys For Fred On The Client:
  client: # su - fred
  client: $ PATH=$PATH:/usr/local/bin
  client: $ mkdir .ssh
  client: $ ssh-keygen -t rsa -f .ssh/id_rsa
    - If you enter a passphrase you will need to enter it each time you run ssh
      on the client (preventing someone else from using your ssh identity).

Copy Fred's Public Key From The Client To The Server:
  client: $ ssh server                 (yes to continue connecting, enter fred's password)
  client on server: $ id               (fred)
  client on server: $ mkdir .ssh
  client on server: $ exit
  client: $ scp .ssh/id_rsa.pub server:.ssh/authorized_keys2    (enter fred's password)

Test That Fred Is Now Trusted:
  client: $ ssh server
    - You may need to enter the passphrase so ssh can load fred's secret key.
    - Fred will receive a $ prompt on the server without authenticating to the
      server with a password.
Use snoop To Confirm The Data Is Encrypted (in another window):
  client: # snoop -x 0 server
  Via ssh: ls /etc    - data is encrypted
  Via rsh: ls /etc    - can read filenames in packets

OPENSSH Lab Page 2

- Public domain implementation
- Supports SSH versions 1.3, 1.5 and 2.0; use only version 2
- Based on OpenSSL (secure socket layer)

SOURCE URLS:
  OpenSSH  www.openssh.org
  OpenSSL  www.openssl.org

IMPORTANT FILES ON CLIENT:
  $HOME/.ssh/id_rsa.pub      (user's public key)
  $HOME/.ssh/id_dsa.pub      (user's public key)
  $HOME/.ssh/id_rsa          (user's secret key, possibly protected by a passphrase)
  $HOME/.ssh/id_dsa          (user's secret key, possibly protected by a passphrase)
  $HOME/.ssh/known_hosts2    (server public keys)

IMPORTANT FILES ON SERVER:
  $HOME/.ssh/authorized_keys2            (user's public keys, 1 per client host, to avoid entering a password)
  /usr/local/etc/sshd_config
      PermitRootLogin no                 (to prevent root logins via SSH)
      Protocol 2                         (to prevent version 1 support)
  /usr/local/etc/ssh_host_dsa_key        (server's private key)
  /usr/local/etc/ssh_host_dsa_key.pub    (server's public key)
  /usr/local/etc/ssh_host_rsa_key        (server's private key)
  /usr/local/etc/ssh_host_rsa_key.pub    (server's public key)
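The two sshd_config settings the lab sets on page 1 and lists again under IMPORTANT FILES ON SERVER are easy to get wrong (sshd reads only the first uncommented occurrence of a directive, and a leftover "Protocol 2,1" still permits version 1). The following audit script is an added example, not part of the lab sheet; it checks a config file for exactly those two settings, using constructed sample configs so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the lab sheet: audit an sshd_config for the two
# settings the lab requires (Protocol 2, PermitRootLogin no). sshd honours the
# first occurrence of a directive, so the lab's "echo ... >>" append only takes
# effect when no earlier uncommented Protocol line exists; the audit reads the
# first occurrence for the same reason. Commented lines (#Protocol 2,1) are
# skipped because their first field starts with '#'.

# Print the value of the first uncommented occurrence of directive $2 in file $1.
sshd_directive() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when the config meets the lab's requirements, 1 otherwise.
# An unset directive fails: OpenSSH 3.7 defaults are "Protocol 2,1" and
# "PermitRootLogin yes".
audit_sshd_config() {
  cfg="$1"
  rc=0
  proto=$(sshd_directive "$cfg" Protocol)
  if [ "$proto" != "2" ]; then
    echo "FAIL: Protocol is '${proto:-unset}' (lab requires 'Protocol 2')"
    rc=1
  fi
  root=$(sshd_directive "$cfg" PermitRootLogin)
  if [ "$root" != "no" ]; then
    echo "FAIL: PermitRootLogin is '${root:-unset}' (lab requires 'no')"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cfg allows only SSH-2 and denies root login"
  return "$rc"
}

# Constructed sample configs (not files from the lab machines) so this runs
# stand-alone; on a real server point audit_sshd_config at
# /usr/local/etc/sshd_config instead.
WEAK_CFG=$(mktemp) ; HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '#Protocol 2,1\n#PermitRootLogin yes\nX11Forwarding yes\n' > "$WEAK_CFG"
printf 'Protocol 2\nPermitRootLogin no\nX11Forwarding no\n' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "(shipped defaults rejected, as expected)"
audit_sshd_config "$HARD_CFG"
```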