NCSA OpenSSH Installation Guide
This document is for installing the OpenSSH server on machines in the NCSA environment. If you only want to run the client and do not need to install the server, please refer to using SSH at NCSA. The commands shown below need to be executed as "root". If there are any questions or problems with this document or an installation, please contact ssh@ncsa.uiuc.edu.
Installing binaries and configuration files
We first want to copy the sshd server process to local disk. This is because we still want sshd to run even if AFS does not start up or we lose contact with AFS. You may not need to create the /usr/local/sbin directory.
# mkdir /usr/local/sbin
# chmod 755 /usr/local/sbin
# cp /usr/ncsa/sbin/sshd /usr/local/sbin/sshd
# chmod 700 /usr/local/sbin/sshd
Now create the configuration directory.
# mkdir /etc/openssh
Copy the configuration files to local disk.
# cp /afs/ncsa/common/etc/openssh/ssh_config /etc/openssh/ssh_config
# cp /afs/ncsa/common/etc/openssh/sshd_config /etc/openssh/sshd_config
# chmod 644 /etc/openssh/ssh_config
# chmod 644 /etc/openssh/sshd_config
Create a key pair for the version 1 protocol.
Note: If you had a previous version of ssh running on the machine, you will want to copy the old key into the new configuration directory so that users with the old key in their known_hosts file will not have problems.
Previous version 1 keys:
# cp /etc/ssh_host_key /etc/openssh
# cp /etc/ssh_host_key.pub /etc/openssh
# chmod 600 /etc/openssh/ssh_host_key
# chmod 644 /etc/openssh/ssh_host_key.pub
If you didn't have a previous version running, you will need to create new version 1 host keys.
New version 1 keys:
# /usr/ncsa/bin/ssh-keygen -t rsa1 -f /etc/openssh/ssh_host_key -N ""
# chmod 600 /etc/openssh/ssh_host_key
# chmod 644 /etc/openssh/ssh_host_key.pub
Now create key pairs for the version 2 protocol on the host machine. Make sure you include the empty quotes at the end. This creates the keys with no passphrase, which is required for the server keys.
# /usr/ncsa/bin/ssh-keygen -t dsa -f /etc/openssh/ssh_host_dsa_key -N ""
# /usr/ncsa/bin/ssh-keygen -t rsa -f /etc/openssh/ssh_host_rsa_key -N ""
# chmod 600 /etc/openssh/ssh_host_dsa_key
# chmod 600 /etc/openssh/ssh_host_rsa_key
# chmod 644 /etc/openssh/ssh_host_dsa_key.pub
# chmod 644 /etc/openssh/ssh_host_rsa_key.pub
Lastly, if you want sshd to accept connections when AFS connectivity is lost, you will need a local copy of the krb5.conf file.
# cp /usr/local/krb5/etc/krb5.conf /etc/krb5.conf
# chmod 644 /etc/krb5.conf
Creating ssh user (for privsep)
The most recent versions of OpenSSH enable a feature called privilege separation. Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. For this to work, an sshd user and group need to be created. Here are the steps:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
Note: Privilege separation does not work on HP-UX systems with a trusted system configuration.
Startup scripts
In order to get sshd to start on boot you will need to configure the startup script. The startup scripts are located at:
/afs/ncsa/common/etc/openssh/OS_VER
where OS_VER is the version of the operating system you are running. At the top of each startup script are instructions on installation.
You are now ready to start the sshd process:
# /etc/init.d/sshd start
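As an added example, not part of the NCSA guide: a POSIX shell check to run before starting sshd, verifying that the three host key pairs created under "Installing binaries and configuration files" carry the modes the guide sets (600 private, 644 public) and that the privsep directory created under "Creating ssh user (for privsep)" is mode 755 and empty. The function names, the directory parameters and the `--live` switch are my own; ownership of /var/empty is not checked because that needs no root to verify but does need root to set up in a staging copy.

```shell
#!/bin/sh
# Added example, not from the NCSA guide: verify the layout the guide's
# steps produce before starting sshd. Directories are parameters so the
# checks can also be run against a staging copy of /etc/openssh.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_host_keys DIR: the three host key pairs the guide generates must
# all be present, private keys mode 600 and public keys mode 644.
# Returns 0 when everything matches, 1 otherwise, printing each problem.
check_host_keys() {
    dir="$1"
    rc=0
    for key in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        for spec in "$key:600" "$key.pub:644"; do
            path="$dir/${spec%%:*}"
            want="${spec##*:}"
            if [ ! -f "$path" ]; then
                echo "MISSING: $path"
                rc=1
            elif [ "$(file_mode "$path")" != "$want" ]; then
                echo "BAD MODE: $path is $(file_mode "$path"), want $want"
                rc=1
            fi
        done
    done
    return "$rc"
}

# check_privsep_dir DIR: the privsep chroot directory (/var/empty in the
# guide) must exist, be mode 755 and contain nothing the unprivileged
# child could use; returns 0 on success, 1 with a message otherwise.
check_privsep_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    [ "$(file_mode "$dir")" = "755" ] || { echo "BAD MODE: $dir is $(file_mode "$dir"), want 755"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "NOT EMPTY: $dir"; return 1; }
    return 0
}

# Run against the live system only when asked (--live), as root.
case "${1:-}" in
    --live) check_host_keys /etc/openssh && check_privsep_dir /var/empty ;;
esac
```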