Chapter 4. Management in distributed environments
4.6 Remote access to network management system
4.6.2 Secure Shell (SSH) access to network management system
4.6.2.2 A sample SSH configuration
In the following sections, we describe an installation and configuration example of an SSH connection from a client in the service provider's network to the SSH server, which will be installed on the network management server in the customer's network. Figure 74 on page 151 shows an example.
[Table accompanying Figure 74; only the header row and the SSH port survived extraction: Function, Source, Destination, Protocol, Src-Port (see note a), port 22]
a. SSH clients use a port below 1024 when using rhost-based authentication methods and a port above otherwise.
Figure 74. SSH test environment
For our test configuration, we are using the freeware implementation of the SSH protocol known as OpenSSH. Besides the OpenSSH binaries, the program requires the following packages:
• freeware.perl.rte
• freeware.egd.rte
• freeware.openssl.rte
• freeware.perl.md5.rte
• freeware.zip.exe
• freeware.zlib.exe
The required packages and the OpenSSH installation package can be downloaded from the AIX freeware/shareware server:
http://freeware.bull.net
Transfer the downloaded files to your network management server.
Inflate the downloaded packages to obtain the installp-format “*.bff” files. The following screen shows the inflation process.
After inflating the packages, you can install them with the AIX software installation command installp for the freeware.openssh.rte package. Because of the -g flag, installp also installs the required filesets automatically (see the installp man page for further information on the installation process).
The following screen shows the installp command with the message for the successful installation of the software package.
# ls -ali
total 18528
8211 drwxr-xr-x 2 root system 512 Feb 20 10:29 .
2 drwxr-xr-x 23 bin bin 1024 Feb 20 10:28 ..
8218 -rw-r--r-- 1 root system 86296 Feb 20 10:29 egd-0.8.0.0.exe
8219 -rw-r--r-- 1 root system 671914 Feb 20 10:29 openssh-2.3.0.101.exe
8220 -rw-r--r-- 1 root system 1620889 Feb 20 10:29 openssl-0.9.6.0.exe
8221 -rw-r--r-- 1 root system 6561822 Feb 20 10:29 perl-5.6.0.1.exe
8222 -rw-r--r-- 1 root system 138972 Feb 20 10:29 perl.md5-2.12.0.0.exe
8223 -rw-r--r-- 1 root system 241718 Feb 20 10:29 zip-2.3.0.0.exe
8224 -rw-r--r-- 1 root system 137279 Feb 20 10:29 zlib-1.1.3.2.exe
# chmod 700 *.exe
# egd-0.8.0.0.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: egd-0.8.0.0.bff
inflating: egd-0.8.0.0.bff.asc
# openssh-2.3.0.101.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: openssh-2.3.0.101.bff
inflating: openssh-2.3.0.101.bff.asc
# openssl-0.9.6.0.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: openssl-0.9.6.0.bff
inflating: openssl-0.9.6.0.bff.asc
# perl-5.6.0.1.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: perl-5.6.0.1.bff
inflating: perl-5.6.0.1.bff.asc
# perl.md5-2.12.0.0.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: perl.md5-2.12.0.0.bff
inflating: perl.md5-2.12.0.0.bff.asc
# zip-2.3.0.0.exe
UnZipSFX 5.41 of 16 April 2000, by Info-ZIP ([email protected]).
inflating: zip-2.3.0.0.bff
inflating: zip-2.3.0.0.bff.asc
# zlib-1.1.3.2.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP ([email protected]).
inflating: zlib-1.1.3.2.bff
inflating: zlib-1.1.3.2.bff.asc
Verify that all modules are successfully installed. The OpenSSH daemon will be automatically started after installation.
The OpenSSH daemon is /usr/local/bin/opensshd; its configuration is contained in the file /etc/openssh/sshd_config. By default, the OpenSSH daemon sets the SSH protocol to SSH Version 1. You can set the protocol to SSH Version 2 in the configuration file by uncommenting the Protocol line. We will use SSH Version 1. The configuration points described here apply similarly to SSH Version 2.
See the following screen.
# installp -acgX -d . freeware.openssh.rte ....
....
Starting OpenSSH daemon on port 22
Finished processing all filesets. (Total time: 1 mins 4 secs).
+---+
Summaries:
+---+
Installation Summary
Name Level Part Event Result
freeware.zlib.rte 1.1.3.2 USR APPLY SUCCESS
freeware.perl.md5.rte 2.12.0.0 USR APPLY SUCCESS
freeware.openssl.rte 0.9.6.0 USR APPLY SUCCESS
freeware.openssl.rte 0.9.6.0 ROOT APPLY SUCCESS
freeware.egd.rte 0.8.0.0 USR APPLY SUCCESS
freeware.egd.rte 0.8.0.0 ROOT APPLY SUCCESS
freeware.openssh.rte 2.3.0.101 USR APPLY SUCCESS
freeware.openssh.rte 2.3.0.101 ROOT APPLY SUCCESS
# ps -ef|grep opensshd
root 24832 23074 0 11:21:09 pts/4 0:00 grep opensshd
root 26200 1 0 11:00:25 - 0:01 /usr/local/bin/opensshd -f /etc/openssh/sshd_config -h /etc/openssh/ssh_host_key
To enable forwarding of X11 sessions over this secure SSH tunnel, set the “X11Forwarding” line (in the previous screen) to the value “yes”.
By default, the SSH server daemon listens on port 22. This port is configurable to another port number for security reasons. After the reconfiguration of the SSH server port has been done, you have to reconfigure the SSH client port as well. This is done in the SSH client configuration file. See “SSH server access with AIX SSH client” on page 156 for the configuration of the SSH clients.
To automatically start the SSH daemon, this SSH installation adds /etc/rc.openssh to /etc/inittab and makes an entry in the /etc/rc.tcpip configuration file.
# more /etc/openssh/sshd_config
# This is ssh server systemwide configuration file.
Port 22
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# For this to work you will also need host keys in /etc/openssh/ssh_known_hosts
RhostsRSAAuthentication yes
#
RSAAuthentication yes
....
To manually start the OpenSSH daemon using /etc/openssh/sshd_config as the configuration file and /etc/openssh/ssh_host_key as the RSA host key file, use the following command:
# /usr/local/bin/opensshd -f /etc/openssh/sshd_config -h /etc/openssh/ssh_host_key
To manually stop the SSH daemon, use the following command:
# kill `cat /var/openssh/sshd.pid`
To restart the daemon (SIGHUP makes it re-read its configuration), use the following command:
# kill -1 `cat /var/openssh/sshd.pid`
The SSH authentication is set by default in the configuration file /etc/openssh/sshd_config to RSA authentication (RSAAuthentication yes). This is the recommended authentication method, which we will describe in this redbook.
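The following shell script is an added example, not part of the redbook: it reads an sshd_config the way sshd does (first uncommented occurrence of a directive wins) and reports the settings discussed above that weaken the server. The sample configuration it writes is a constructed copy of the screen above; on the network management server the live file is /etc/openssh/sshd_config.

```shell
# Added example (not from the redbook): review an sshd_config for the
# directives discussed above. The sample below is constructed to match
# the redbook's screen; the live file is /etc/openssh/sshd_config.

# sshd_opt FILE DIRECTIVE DEFAULT: sshd honours the first uncommented
# occurrence of a directive, so that value is printed (DEFAULT if absent).
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# want FILE DIRECTIVE EXPECTED MESSAGE: print a finding when the
# effective value differs from EXPECTED (an unset directive counts too).
want() {
    v=$(sshd_opt "$1" "$2" unset)
    [ "$v" = "$3" ] || echo "$2=$v: $4"
}

# audit_sshd FILE: one line per weak setting, nothing when all are fine.
# X11Forwarding is left alone here because the NetView GUI needs it.
audit_sshd() {
    want "$1" Protocol 2 "SSH-1 in use; set Protocol 2"
    want "$1" IgnoreRhosts yes "~/.rhosts and ~/.shosts are honoured"
    want "$1" RhostsRSAAuthentication no "host-based trust is enabled"
    want "$1" RSAAuthentication yes "public-key login is disabled"
    want "$1" PasswordAuthentication no "passwords are still accepted"
}

# count_findings FILE: number of findings, for scripts and tests.
count_findings() {
    audit_sshd "$1" | awk 'END { print NR }'
}

# write_sample_config: constructed copy of the redbook's sshd_config
# excerpt, written to a temporary file whose path is printed.
write_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# This is ssh server systemwide configuration file.
Port 22
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#IgnoreUserKnownHosts yes
RhostsRSAAuthentication yes
RSAAuthentication yes
EOF
    echo "$f"
}
```

Run `audit_sshd /etc/openssh/sshd_config` on the server; the sample above yields three findings (Protocol unset, RhostsRSAAuthentication yes, PasswordAuthentication unset).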
The RSA authentication is based on a public/private key pair exchange between the SSH server and the client. To generate a public/private key pair for user authentication, use the OpenSSH command:
# ssh-keygen
By default, this program generates an SSH RSA key pair with a key length of 1024 bits. With the command flag -b 2048, you can generate keys with a length of 2048 bits. We generated a 2048-bit key pair in our test lab with the following command:
# ssh-keygen -b 2048
During key generation, you will be asked to enter a passphrase. A good passphrase is one that is 10-30 characters long, is almost impossible to guess, and has a hidden meaning only to the person generating it.
The other authentication methods, such as rhosts, rhosts combined with RSA, and password authentication, are also possible, but will not be further discussed in this redbook. See the OpenSSH man pages for more information.
Note
By default, the generated public key will be stored in the
$HOME/.ssh/identity.pub file. Your private identification key will be stored in the $HOME/.ssh/identity file. During key generation, you can enter different locations for key storage.
The generated public key has to be transferred to the SSH server. There it needs to be added to the appropriate user's file $HOME/.ssh/authorized_keys.
If this directory or file does not exist, create them and add your authorized public key.
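As an added example (not from the redbook), the following shell functions carry out the server-side step just described: they create $HOME/.ssh and authorized_keys with the permissions sshd expects, append the client's identity.pub only if that key is not already present, and count the keys authorized for a user. The public key it writes is a constructed placeholder in the SSH-1 identity.pub layout, not a real key.

```shell
# Added example (not from the redbook): put a client's identity.pub into
# the server-side $HOME/.ssh/authorized_keys as the text describes, with
# the permissions sshd expects and without duplicating keys.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600) when
# missing, appends each key line not already present, prints the number
# of keys added. sshd rejects group/world-writable key files by default.
install_authorized_key() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    added=0
    # read -r keeps backslashes; the || handles a missing final newline
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        # -F -x: compare the whole line literally, so one key is added once
        if ! grep -qFx -e "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pub"
    echo "$added"
}

# key_count HOME_DIR: number of keys currently authorized for that user.
key_count() {
    auth=$1/.ssh/authorized_keys
    [ -f "$auth" ] || { echo 0; return; }
    grep -c -v -e '^$' -e '^#' "$auth" || true
}

# make_sample_pubkey FILE: constructed SSH-1 public key in the
# "bits exponent modulus comment" layout of identity.pub; the modulus
# is a placeholder, not a real key.
make_sample_pubkey() {
    echo "2048 35 1234567890123456789012345678901234567890 netview@itso8" > "$1"
}
```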
The generated private key is stored on the SSH client. The following sections show the SSH client access with an AIX client and Windows client to the configured SSH server on the network management system.
SSH server access with AIX SSH client
The SSH client is integrated in the OpenSSH software package. The easiest way to install this client is to install the OpenSSH package on the client machine in the same way we described. When generating the public/private key pair and storing the public key on the SSH server, as described previously, store your private key in $HOME/.ssh/identity. The client configuration is done in the file /etc/openssh/.
$ /usr/local/bin/ssh-keygen -b 2048
Generating RSA keys: Key generation complete.
Enter file in which to save the key (/home/netview/.ssh/identity):
Created directory '/home/netview/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netview/.ssh/identity.
Your public key has been saved in /home/netview/.ssh/identity.pub.
The key fingerprint is:
In the configuration file, you can configure, for example, which default port will be used for the SSH connection, or the permission for X-Windows forwarding for the client.
Start the SSH client on your AIX console with following command:
ssh -X hostname
The command flag -X allows secure X-Windows forwarding over the ssh client’s connection.
# more /etc/openssh/ssh_config
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
After establishing the connection, you can work with this SSH session as you would with a telnet or xterm session. Now you can start a secure remote session of your network management graphical user interface. The handling of the $DISPLAY variable is done by the ssh server on NetView and the ssh client on your remote AIX system.
SSH server access with the Windows SSH client
There are different SSH clients for Windows NT available. We used the SSH client of the well-known freeware program Tera Term, a very convenient terminal emulation program for telnet, ssh and serial connections. Tera Term is available at:
http://www.download.com/
The SSH function is an add-on program for Tera Term, which you can download from:
http://www.zip.com.au/~roca/ttssh.html/
Install the Tera Term program with the installation program. After finishing the installation, extract the SSH client binaries in the Tera Term directory.
Start the Tera Term SSH client ttssh.exe. The configuration of SSH authentication is done in the menu Setup->SSH Authentication (Figure 75 on page 159).
netview@itso8 > /usr/local/bin/ssh mlm2
Enter passphrase for RSA key 'netview@itso8':
Last unsuccessful login: Tue Feb 6 11:00:56 2001 on /dev/pts/1 from itso7
Last login: Tue Feb 20 17:10:25 2001 on ssh from itso8
*******************************************************************************
* *
* *
* Welcome to AIX Version 4.3! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
# nv6000
Figure 75. SSH authentication setup
Store the generated private key on your Windows NT client and select the filename in the RSA key field. Choose the connection username and apply the configuration. Configure your X-Windows forwarding option in the menu Setup->Forwarding Setup (Figure 76).
Figure 76. SSH port forwarding setup
The SSH port forwarding dialog allows (besides X-Windows forwarding) other port forwarding configurations. For example, you can tunnel tftp, database connections, or other insecure protocols from the secure network into the insecure network over the SSH connection.
The SSH session can be started from the Tera Term menu File->New Connection. See Figure 77 for details.
Figure 77. SSH session startup
Enter the hostname of the SSH server and select the SSH service. In the dialog box, you can choose your SSH server port when it is different from the default SSH port 22. After a successful authentication on the SSH server, you will see the secure shell dialog on your Windows NT client. Now you have a secure channel to communicate with the network management server. See Figure 78 for details.
Figure 78. Running SSH session
Firewall configuration
Table 25 shows the required firewall configuration for the secure SSH connection from the secure network to the insecure network. You only need to open the SSH port between the insecure and secure network, and can then transfer all required network protocols, such as X-Windows, telnet, and database protocols, through this tunnel.
Table 25. Firewall rule for SSH test lab
[Only the header row of the table survived extraction: Function, Source, Destination, Protocol, Src-Port]
The transport of X-Windows applications over the SSH tunnel requires an active X server (Exceed or an XFree port for Windows NT) on your Windows NT system. Then you can direct your NetView graphical user interface over the secure SSH connection.
Note