Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 15. Software - Securities
In our configuration we build OpenSSH with TCP Wrappers (libwrap) support to improve the security of this already secure program. With libwrap compiled in, sshd checks every incoming connection against /etc/hosts.allow and /etc/hosts.deny and refuses clients the policy does not admit, before any key exchange or authentication takes place. Note two things about this: it is host-based access control, not authentication, and it is done inside sshd itself, since there is no separate TCP Wrappers daemon. It also does not by itself make sshd run from the inetd super server; sshd still runs as its own daemon in the background. Starting sshd from inetd only when a client connects is a separate choice, and a costly one for the SSH1 protocol, because sshd must then generate its server key for every connection instead of once at start-up.
OpenSSH is a free replacement for and improvement of SSH1: the patent-encumbered algorithms have been moved out to external libraries, all known security bugs have been fixed, features have been reintroduced and the code has been cleaned up in many other ways. We recommend OpenSSH, which is free and has its security bugs fixed, over SSH1, which is free but old and buggy, and over SSH2, which was originally free but is now under a commercial license. For people who use SSH2 from Datafellows, we provide both versions in this book, beginning with OpenSSH, since it is the SSH program we suggest everyone should move to.
These installation instructions assume:
Commands are Unix-compatible.
The source path is /var/tmp (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account root.
OpenSSH version number is 1.2.3
Packages: download from the OpenSSH homepage, http://www.openssh.com, and be sure to get openssh-1.2.3.tar.gz, the current version as of this writing.
Prerequisites: OpenSSH requires the zlib-devel package, which contains the header files and libraries needed to build programs that use the zlib compression and decompression library. If it is not already installed, install it from your Red Hat Linux 6.1 or 6.2 CD-ROM. To verify whether zlib-devel is installed on your system, use the following command:
[root@deep] /# rpm -qi zlib-devel
package zlib-devel is not installed
To install the zlib-devel package on your Linux system, use the following command:
[root@deep] /# mount /dev/cdrom /mnt/cdrom/
[root@deep] /# cd /mnt/cdrom/RedHat/RPMS/
[root@deep ]/RPMS# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel ##################################################
[root@deep ]/RPMS# cd /; umount /mnt/cdrom/
OpenSSL, which provides the cryptographic library that OpenSSH links against, must already be installed on your system before OpenSSH can be built or used. For more information on the OpenSSL server, see its chapter in this book. Even if you do not otherwise use OpenSSL to create or hold encrypted key files, OpenSSH requires its library files to work properly.
Before you decompress and unpack the tarball, it is a good idea to make a list of the files on the system, make another one after you install OpenSSH, and compare the two with diff to find out which files it placed where. Run find /* > OpenSSH1 before and find /* > OpenSSH2 after the installation, then diff OpenSSH1 OpenSSH2 > OpenSSH-Installed to get the list of what changed.
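The before/after comparison just described, as an added example that is not from the book: it goes one step beyond find /* in that every entry also records mode, owner, size and mtime, so a file that make install overwrote in place (same path, new contents) is reported too, not only brand-new paths. It assumes GNU find (for -printf), as shipped with Red Hat, and takes the tree to watch as a parameter so it can be tried on a scratch directory before being pointed at /.

```shell
#!/bin/sh
# Added example (not from the book): snapshot a tree before and after
# "make install" and report what the install added, replaced or removed.
# Assumption: GNU find, for -printf.  The tree is a parameter so the
# functions can be exercised on a scratch directory.

# snapshot TREE OUTFILE: one sorted line per file or symlink under TREE:
#   path<TAB>mode<TAB>owner:group<TAB>size<TAB>mtime
snapshot() {
    find "$1" -xdev \( -type f -o -type l \) \
        -printf '%p\t%m\t%u:%g\t%s\t%T@\n' 2>/dev/null \
      | LC_ALL=C sort > "$2"
}

# new_or_changed BEFORE AFTER: paths whose line exists only in AFTER, i.e.
# files the install created or whose mode, owner, size or mtime changed.
new_or_changed() {
    LC_ALL=C comm -13 "$1" "$2" | cut -f1
}

# removed BEFORE AFTER: paths present before the install and gone afterwards
# (compared by path only, so a replaced file is not reported here).
removed() {
    b=$(mktemp) && a=$(mktemp) || return 1
    cut -f1 "$1" | LC_ALL=C sort -u > "$b"
    cut -f1 "$2" | LC_ALL=C sort -u > "$a"
    LC_ALL=C comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# Typical use around the book's install steps, with the book's file names:
#   snapshot / /var/tmp/OpenSSH1
#   make install && make host-key
#   snapshot / /var/tmp/OpenSSH2
#   new_or_changed /var/tmp/OpenSSH1 /var/tmp/OpenSSH2 > /var/tmp/OpenSSH-Installed
```

When the tree is / the snapshot files themselves show up in the report, since they live under the tree and grow while find runs; everything else listed is the installer's doing. Reviewing that list is also the quickest way to confirm that --prefix and --sysconfdir put the binaries and /etc/ssh where you expected.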
To compile, first decompress and unpack the tarball (tar.gz):
[root@deep] /# cp openssh-version.tar.gz /var/tmp
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# tar xzpf openssh-version.tar.gz
Compile and optimize: move into the new OpenSSH directory and type the following commands on your terminal:
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl
Note that gcc accepts -O9 but treats any level above -O3 as -O3, and that -march=pentiumpro produces code that will not run on a plain Pentium or older processor; adjust or drop the -mcpu and -march flags to match the machine the binaries will run on.
These options do the following:
- --with-tcp-wrappers compiles in libwrap and enables /etc/hosts.allow and /etc/hosts.deny support.
- --with-ipv4-default disables the long delays in name resolution under Linux/glibc-2.1.2, which improves connection time.
- --with-ssl-dir specifies the location of the OpenSSL libraries that OpenSSH requires.
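The --with-tcp-wrappers build is only as good as the policy in /etc/hosts.allow and /etc/hosts.deny, and the two mistakes that silently defeat it are a hosts.allow line that grants sshd to ALL (hosts.allow is consulted first, so hosts.deny is then never reached) and a hosts.deny without a catch-all, which lets in every client the allow list does not mention. The following added example, which is not from the book or the OpenSSH project, writes a constructed deny-by-default policy and checks a policy for those two patterns. The file paths are parameters and the sample addresses are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the book or the OpenSSH project: a deny-by-default
# TCP Wrappers policy for sshd and a small checker for the two mistakes that
# silently defeat it.  Assumption: sshd was built with --with-tcp-wrappers, so
# for every connection it consults /etc/hosts.allow first and, if nothing
# there matches, /etc/hosts.deny; a client matched by neither file is ACCEPTED.
# File paths are parameters so the checker runs against the constructed sample
# below as well as against the real files; the addresses are placeholders.

# write_policy DIR: constructed sample policy in DIR/hosts.allow and DIR/hosts.deny.
write_policy() {
    cat > "$1/hosts.allow" <<'EOF'
# Only the admin subnet and one jump host may reach sshd.
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
EOF
    cat > "$1/hosts.deny" <<'EOF'
# Everything not explicitly allowed above is refused.
sshd: ALL
EOF
}

# rules FILE: the rule lines of a hosts_access file, without comments or blanks.
rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# allowed_clients DAEMON FILE: client patterns FILE grants to DAEMON, one per
# line.  A rule is "daemon_list : client_list [: option ...]", both lists
# comma separated, and a daemon_list of ALL applies to every daemon.
allowed_clients() {
    rules "$2" | awk -F: -v d="$1" '
        {
            hit = 0
            n = split($1, dl, /[ \t]*,[ \t]*/)
            for (j = 1; j <= n; j++) {
                gsub(/^[ \t]+|[ \t]+$/, "", dl[j])
                if (dl[j] == d || dl[j] == "ALL") hit = 1
            }
            if (!hit) next
            m = split($2, cl, /[ \t]*,[ \t]*/)
            for (i = 1; i <= m; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cl[i])
                if (cl[i] != "") print cl[i]
            }
        }'
}

# has_default_deny DAEMON DENY_FILE: 0 if DENY_FILE refuses every client for
# DAEMON ("DAEMON: ALL" or "ALL: ALL").  Without it hosts.allow is merely a
# list of hosts that skip hosts.deny, not a whitelist: unlisted clients get in.
has_default_deny() {
    rules "$2" | grep -Eq "^[[:space:]]*($1|ALL)[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:.*)?$"
}

# wide_open DAEMON ALLOW_FILE: 0 if ALLOW_FILE grants DAEMON to ALL.  Because
# hosts.allow is consulted first, this makes whatever hosts.deny says moot.
wide_open() {
    allowed_clients "$1" "$2" | grep -qx 'ALL'
}

# audit DAEMON DIR: prints a one-line verdict and returns 0 only for a
# deny-by-default policy with an explicit client list.
audit() {
    if wide_open "$1" "$2/hosts.allow"; then
        echo "$1: hosts.allow grants ALL, so hosts.deny is never consulted"
        return 1
    fi
    if ! has_default_deny "$1" "$2/hosts.deny"; then
        echo "$1: no catch-all deny in hosts.deny, unlisted clients are accepted"
        return 1
    fi
    echo "$1: deny-by-default; allowed: $(allowed_clients "$1" "$2/hosts.allow" | tr '\n' ' ')"
}
```

Run audit sshd /etc against the real files once the policy is in place. The checker only catches the two structural mistakes; the authoritative test is libwrap's own decision, which tcpdmatch sshd 10.0.0.5 from the tcp_wrappers package reports for a given client, and a connection attempt from a host outside the allow list, which sshd should close immediately and log to syslog as refused, confirms that the installed binary really was built with libwrap.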
Now compile and install OpenSSH on the server:
[root@deep ]/openssh-1.2.3# make
[root@deep ]/openssh-1.2.3# make install
[root@deep ]/openssh-1.2.3# make host-key
[root@deep ]/openssh-1.2.3# install -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd
The make command compiles all source files into executable binaries, make install installs the binaries and their supporting files into the appropriate locations, and make host-key generates the server's host key pair under /etc/ssh. Check that the private half, /etc/ssh/ssh_host_key, is owned by root and readable by root only (mode 0600); only ssh_host_key.pub should be world-readable. The install command puts the PAM configuration that OpenSSH ships for Red Hat Linux in place as /etc/pam.d/sshd; this PAM support is more functional than that of the popular commercial ssh-1.2.x packages.
Do a cleanup afterwards:
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# rm -rf openssh-version/ openssh-version.tar.gz
The rm command removes the unpacked source directory and the archive, which are no longer needed once the binaries are installed.