My Adventures in Linux - Part 2 … Installing secure shell remote access
to my Linux Box
Continuing with my Unix training at Centennial College, I got into the habit
of using telnet from whichever computer I was working in class, to access my
Linux box at home, and make notes online. The teachers were tickled too, in the
sense of having access to a Linux box with up to date kernel, etc. However, I
was aware of the dangers of using telnet, in which your data is flowing in an
unencrypted format on the Internet. One of the teachers suggested that instead
of telnet, I should install SSH (secure shell) which is widely used in business
circles by organizations who have data of a sensitive nature being transferred
around the net. I did so reading up on the subject, initially at www.ssh.org,
and then being a supporter of open source software, I ended up at www.openssh.com.
The latest source (openssh-2.5.1p1.tar.gz) was readily available, so I downloaded
it, untarred it into my software install directory on the linux box and my
adventure started. As is the case in most linux installations, the software
usually has to be tweaked to match your computer, or you might need
differential tools to make it work, so this being the case here, I decided to
document this.
Here are the steps, which allowed me to enable the sshd daemon on my Linux
box:
- I untarred
openssh-2.5.1p1.tar.gz into a directory in /mnt/linux_2/soft which is
where I usually do all my program installations from. After reading the
INSTALL and README docs which came with the tarball, I discovered that I
would need OPENSSL (Open Source Secure Socket Layer) which is the
program(s) which encrypts the data online. I found a link to the source of
this on www.openssh.com
so I downloaded it too.
- I untarred
openssl-0.96.tar.gz in /mnt/linux_2/soft, and read the README and INSTALL
docs. It looked like a fairly simple linux/Unix install.. ./configure then
make then make install, but the make part aborted because the installation
could not find a program called bc ( a Unix Calculator). So I headed to ftp.gnu.org
and found the latest version of bc, downloaded bc-1.0.6.tar.gz into
/mnt/linux_2/soft, and installed it. Moving back to my OPENSSL
installation directory, I did a make clean to clean up the aborted
installation, ./configure to create a fresh make file, an restarted the
make only to see it abort again because a utility program called cmp was
not on my linux box. I did a search for cmp on the net (google-linux) and
discovered it was a part of the linux diffutils package. I downloaded
diffutils-2.7.tar.gz from ftp.gnu.org, into /mnt/linux_2/soft,
untarred and installed it, and was finally able to install the OPENSSL
program(s).
- Finally ready to get to my
OpenSSH installation, the README and INSTALL notes indicated that because
I was using Slackware 7.x, I would have to tweak the config by warning the
compiler to use the lcrypt option in creating the make file. This was done
by typing (as root in an xterm) LIBS=-lcrypt. /configure. The make and
make install seemed to go without incident, and I was informed that a
public RSA key had been installed. As per the documentation, I opened an
xterm in my user account name (clived) and typed in ssh-keygen to generate
a key for myself, which created the key in /home/clived/.ssh. A ps aux
indicated that the sshd daemon (/usr/sbin/sshd) was running, so I decided
to try to do an ssh login from my Windows box.
- I opened my registered copy
of SecureCRT (a telnet/ssh terminal client) and attempted to do an ssh
login to my Linux box, using as hostname, the IP address of my Iprimus
connection (216.254.xxx.xxx) and my username clived. The attempted
connection kept giving me Password Authentication failed messages. I
searched high and low on the net, an apart from the Slackware
LIBS=-lcrypt. /configure requirement, I seemed to have covered all my
bases but still the damn thing would not work. I resigned myself to
another bout of google-linux searches and was fortunate to find an archive
of OpenSSH related documents at http://marc.theaimsgroup.com/?l=openssh-unix-dev&r=1&w=2.
Here I scanned the hundreds of emails relating to OpenSSH and in one of
them, I found the following comment: Slackware 7.x uses md5-hash
based passwords instead of crypt, a hash based on DES. Rerun configure
with --with-md5-passwords and rebuild/ reinstall and it should work. This
was the break that I was looking for !!. I followed these instructions,
re-installed, restarted the sshd daemon, and I finally had ssh1 and sshd2
login access from my Windows computer to my Linux computer.
I am documenting this adventure, as a way of reminding myself of the steps I
used to set this daemon/process up. It is also a reminder to myself and to
other Linux users as to the importance of patience when involved
with Linux. As of July 31, 2001, I have updated my sshd daemon to OpenSSH 2.9p2
using the source code. It was as easy as getting openssh-2.9p2.tar.gz from
WWW.OpenSSH.com, doing the ./configure as described above, and then doing make
followed by make install
As of June 21, 2002, Version OpenSSH 3.3p1 was released which included a new
security feature called privilege separation as a default option in the
configuration. Privilege separation, or privsep, is method in OpenSSH by which
operations that require root privilege are performed by a separate privileged
monitor process. Its purpose is to
prevent privilege escalation by containing corruption to an unprivileged
process. By reason of this default setup, the following was necessary after
OpenSSH 3.3p1 was compiled and installed.:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd sshd