Ssh Install v24


    7/30/2019 Ssh Install v24

    Version 2.4

    Bowden Systems Inc., Norcross, GA 30092

    http://www.bsi2.com


    Notice

    The information contained in this document is subject to change without notice.

    BOWDEN SYSTEMS MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MANUAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Bowden Systems shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

    Warranty

    A copy of the specific warranty terms applicable to your BSI product can be obtained from the BSI Corporate Office.

    Printing History

    The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The manual part number will change when extensive changes are made.

    Manual updates may be issued between editions to correct errors or document product changes. To ensure that you receive these updates or new editions, contact the BSI Corporate Office.

    October 2001 ... Edition 1
    February 2002 ... Edition 2
    June 2003 ... Edition 3
    July 2004 ... Edition 4
    Feb 2008 ... Edition 5
    March 2008 ... Edition 5a

    Bowden Systems, Inc.
    3500 Parkway Lane, Suite 370
    Norcross, GA 30092, USA
    email: [email protected]
    web: www.bsi2.com

    2001-2008 Bowden Systems, Inc.

    NSK-SSH, sftp-server-guardian and scmd are trademarks of Bowden Systems Inc. Nonstop, TEDIT, TACL, Guardian 90, 6530 and PATHWAY are trademarks of HP. Mr-win6530 is a trademark of Conforte. Cail6530 is a trademark of Cail.


    Preface

    This manual explains how to install, configure, and use the NSK-SSH software for the HP NonStop server. This includes setting up the components of the software, which are ipssh, sshd, and prngd.

    Audience and Prerequisites

    This manual is intended for system managers and assumes that the user has experience with OSS, GUARDIAN, TCPIP, PTCPIP and SCF.

    Prerequisite Equipment

    This manual also assumes that the user's host is an S-Series running GUARDIAN G06.22 or higher, an H-Series running H06.05 or higher, or a J-Series running J06.02 or higher. This software works with the TCPIP V4 and TCPIP V6 tcpip stacks.


    1. OVERVIEW ... 1
    2. INSTALLING THE SOFTWARE ... 3
    3. BASIC SETUP OF SSH ... 5
    4. ADVANCED SETUP OF SSH ... 11
       a. TELNET ISOLATION ... 11
       b. KERNEL SUBSYSTEM ... 13
    5. CHECKING YOUR SESSION ACCESS VIA PC CLIENT ... 17
    6. CHECKING YOUR SESSION ACCESS VIA UNIX CLIENT ... 19
    7. KNOWN PROBLEMS ... 21
    8. INFORMATION ... 22
    APPENDIX A - MAN PAGES ... 23
       prngd ... 23
       ipssh ... 27
       ssh-keygen ... 29
       ssh-keyscan ... 33
       sshd ... 37
       sftp-server ... 59
       sftp-server-guardian ... 61
       scmd ... 63
       sftp ... 65
       scp ... 69
       ssh-add ... 71
       ssh-agent ... 73
       ssh ... 77
    APPENDIX B - REQUIRED FILES ... 97
       sshd_config FILE ... 97
       ssh_config FILE ... 99
    APPENDIX C - TELNET ISOLATION ... 101
       start_ssh_2_cpu_2stack.sh - SSHD using two IP stacks ... 101
    APPENDIX D - ZZKRN FILES ... 103
       ipztc00a - IPSSH ON CPU 0 ... 103
       start_ipssh_ztc0a.sh - IPSSH ON CPU 0 ... 103
       ipztc00b - IPSSH ON CPU 1 ... 104
       start_ipssh_ztc0b.sh - IPSSH ON CPU 1 ... 104
       ranztc0a - PRNGD ON CPU 0 ... 105
       start_random_ztc00a.sh - PRNGD ON CPU 0 ... 105
       ranztc0a - PRNGD ON CPU 1 ... 106
       start_random_ztc0b.sh - PRNGD ON CPU 01 ... 106
       sdztc00a - SSHD ON CPU 0 ... 107
       start_sshd_ztc00a.sh - SSHD ON CPU 0 ... 107
       sdztc00a - SSHD ON CPU 1 ... 108
       start_sshd_ztc00b.sh - SSHD ON CPU 1 ... 108


    OVERVIEW

    This is a release of NSK-SSH V2.4 that is based on OpenSSH 2.9.9p2 with 3.4.x security enhancements and PRNGD 0.9.15 for the G06.22/H06.05/J06.02 operating system. NSK-SSH has been updated to fix various problems in the random number generator and has moved to using TCPIP for the communications between the random number generator and the SSH process. Now you can have up to 4 random number generators per TCPIP V4 or V6 stack, or up to 64 with PTCPIP using the round-robin method of access. The random number generator does not require any external programs or files for generating its random numbers.

    In this release, we also added a new command to address problems with executing remote commands from the system. This new command is called scmd and allows you to execute remote commands from the NonStop system. We also have added an sftp-server for the Guardian file system. This allows you to access the Guardian file system just like the Unix file system. This provides compatibility with programs such as FileZilla.

    This release has also been verified to work with Mr-Win6530. We now also have the ability to set up all the components of this release in the KERNEL (ZZKRN) subsystem for full fault resilience. This also includes the ability to access an isolated TCPIP stack which has telnet running on it for the telnet requirement of SSH. This was created due to the needs of users that have PCI requirements of not having TELNET or FTP running on the system.

    This release will allow you to access the NonStop system in a secure manner for session and ftp access. This software works with alias and standard GUARDIAN users. You should install this software using the SUPER.SUPER or root user id.

    This installation document assumes that you have OSS and TCP/IP installed and configured on your system. You no longer need to have the OSS local socket program running.

    This document will tell you how to install and configure the NSK-SSH software for access to the system and provide a reference for the MAN pages included with the NSK-SSH software. If you require more detailed information on SSH, you should consult SSH, The Secure Shell by Daniel J. Barrett & Richard E. Silverman. This can be purchased from the O'Reilly web site (www.oreilly.com).

    NSK-SSH V2.4 Page 1 March 31, 2008


    INSTALLING THE SOFTWARE

    You must be the root user or super.super to install this software. To install the software that was downloaded from the web site, do the following:

    For the S-Series:

    export PATH=$PATH:/bin/unsupported:/bin
    zcat SSH_GO622_V24.tar.Z | pax -rvf -

    For the H-Series and J-Series operating system:

    export PATH=$PATH:/bin/unsupported:/bin
    zcat SSH_H0605_V24.tar.Z | pax -rvf -

    Note that zcat is in the /bin/unsupported directory. Note that the above tar file may have a version indicator on it.

    This will install the software into the following directories:

    /etc/
    /etc/ssh
    /usr/local/ssh
    /usr/local/random

    Now you are ready to set up the IPSSH, SSH and PRNGD software.


    BASIC SETUP OF SSH

    To set up your system so that you use the SSH software, you should do the following:

    1. You should have the following products installed on your system:

    a. OSS Installed and Configured.
    b. TCPIP V4 or V6 Installed and Configured.
    c. OSS Sockets Started on each processor.
    d. TCPIP configured for OSS.
    e. TELNET server running on the TCPIP stack.
    f. LOCAL LOOP BACK STARTED for the TCPIP stack.
    g. REMOVE ANY OPENSSH ssh software on your system, as this will cause problems with installing and starting up the Bowden Systems version of SSH.

    You will need the following information:

    a. The ip address and stack process name you will use for SSH access.

    b. Know how to use the text editor vi.

    c. SSH Client Software (Mr-Win6530, Cail6530, Putty, Unix SSH)

    2. Verify that you have the services and protocols files in the /etc directory. If you do not have these files, then you can copy the file services.bsi to services and protocols.bsi to protocols.

    IMPORTANT FOR TELNET ACCESS

    cd /etc
    cp services.bsi services
    cp protocols.bsi protocols

    Note that the service that the sshd program is looking for is the telnet service. If you already have a services file, then you need to make sure that it has the following line:

    telnet 23/tcp


    If the services file does not have this line, then you need to add it using vi.

    NOTE: IF YOU DO NOT HAVE A /etc/services FILE, THE TELNET ACCESS TO SSH WILL NOT WORK.

    3. Set your PATH and MANPATH variables.

    export PATH=$PATH:/usr/local/ssh/bin:/usr/local/ssh/sbin
    export PATH=$PATH:/usr/local/random/bin
    export PATH=$PATH:/usr/local/ssh/install

    export MANPATH=$MANPATH:/usr/local/ssh/man
    export MANPATH=$MANPATH:/usr/local/random/man

    Note that these can be placed in /etc/profile or in the .profile file in your private home directory.

    4. Set the correct file settings on the installed files.

    a. Move to the install directory

    cd /usr/local/ssh/install

    b. Execute a script to change the file settings

    sh -v ./ssh_install_chmod.sh

    5. Verify that the define =TCPIP^PROCESS^NAME is already set. If you are using the default tcpip process name $ZTC0, then it is not necessary to do this step. But if you are using some other tcpip process name, do the following:

    info_define all

    To add the define, do the following:

    add_define =TCPIP^PROCESS^NAME file=\$ZTC1

    Note that this is an example. You should use whatever tcpip process name is defined on your system, or that you want the random number generator to use.


    6. Start up the random number generator (PRNG). This must be started before any SSH software can be used.

    !!!! IMPORTANT STEP NOT TO FORGET !!!!

    a. Move to the install directory

    cd /usr/local/ssh/install

    b. Execute a script to start up the random number generator.

    sh -v ./start_random.sh

    This will start the random number generator on the local sockets connection 127.0.0.1 port 790. The script executes the following:

    run -cpu=0 -gpri=144 prngd tcp/localhost:790

    7. Generate the system keys. Note that this may take a while.

    Execute a script to generate the system wide keys.

    sh -v ./ssh_install_makekeys.sh

    This will generate the following files in the /etc/ssh/ directory:

    ssh_host_key - Host Private Key
    ssh_host_key.pub - Host Public Key
    ssh_host_rsa_key - RSA Private Key
    ssh_host_rsa_key.pub - RSA Public Key
    ssh_host_dsa_key - DSA Private Key
    ssh_host_dsa_key.pub - DSA Public Key

    8. Modify the system wide configuration to specify the IP address that the SSHD program will use. This step is optional. It is only needed if you want sshd to listen on a specific address.

    To make this change, do the following:

    vi /etc/ssh/sshd_config

    Find the line:

    ListenAddress 0.0.0.0

    and change the 0.0.0.0 to the ip address of your system and save the file. Note that if you are using TCPIP V4 then you should set this to 127.0.0.1 for the two cpu or greater configuration.


    9. If you are starting the Bowden NSK-SSH software on a system that has the Comforte SSH software on it, configured to use port 22 on $ztc0, then you need to stop this software before you can start up the NSK-SSH software.

    scf> assume process $zzkrn
    scf> names

    You should look for #ssh-ztc0. If this is running, then you need to stop it.

    scf> abort #ssh-ztc0

    This will abort the process and then you can start up the NSK-SSH software.

    10. If you want to start SSHD on two cpus, skip to step 10. If you want to start ssh on one cpu, then continue reading.

    To start the sshd program do the following:

    run -cpu=0 -gpri=125 /usr/local/ssh/sbin/sshd

    This will start the sshd server and it will listen on port 22 for any connection. If you only run one SSHD server, then you should not set the ListenAddress to 127.0.0.1; set it to the real address of the stack instead. If there is more than one address associated with the stack, then you should leave it set to 0.0.0.0.

    If you want to start the program in debug mode to see what it is doing, do the following:

    /usr/local/ssh/sbin/sshd -d -d -d

    This will allow one session to be processed and then the program will exit when the request is finished.

    The sshd program will process all requests (session, scp, ssh and sftp).


    10. Starting SSH on two cpus using regular TCPIP or P/TCPIP in Failover mode

    If you want to distribute the load of your SSH process over two cpus, you can execute the file start_ssh_2_cpu.sh or do the following:

    1. Using the startup file:

    cd /usr/local/ssh/install
    sh -v ./start_ssh_2_cpu.sh

    2. Starting it manually.

    a. Start the SSHD processes on ports 700 and 701.

    run -cpu=0 -gpri=120 /usr/local/ssh/sbin/sshd -p 700
    run -cpu=1 -gpri=120 /usr/local/ssh/sbin/sshd -p 701

    b. Start the primary IPSSH ($ISX) process.

    run -cpu=0 /usr/local/ssh/sbin/ipssh
    sleep 5

    c. Start the backup IPSSH ($ISY) process.

    run -cpu=1 /usr/local/ssh/sbin/ipssh -wait 0

    11. Starting SSH on two cpus using P/TCPIP with round-robin configuration.

    Use this if you want to distribute the load of your SSH process over two cpus. Note that on most systems the TCPIP V6 software is configured in fail-over mode and not configured for round-robin; we put this startup file in as an example of how to run the SSHD server on a system that uses that configuration.

    You can execute the file start_ssh_2_cpu.sh or do the following:

    1. Using the startup file:

    cd /usr/local/ssh/install

    sh -v ./start_ssh_ptcpip_2cpu.sh

    2. Starting it manually.

    a. Start the SSHD processes on port 22.

    run -cpu=0 /usr/local/ssh/sbin/sshd
    run -cpu=1 /usr/local/ssh/sbin/sshd


    Note that you can use this configuration on TCPIP V4 if there is more than one IP address defined to the TCPIP stack and it is not in the FAIL-OVER configuration.
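The preflight script below is an added example and is not part of the Bowden manual or the NSK-SSH install scripts. It takes a root directory as an argument (so it can be run against a staging copy as well as against /) and checks the three things in the basic setup that most often stop a first login: that /etc/services carries the telnet 23/tcp line sshd looks up (step 2), that the six host key files from step 7 exist and the private ones are not readable by other users, and that ListenAddress in sshd_config fits the layout (127.0.0.1 for the two-cpu and ZZKRN layouts behind ipssh, the real or 0.0.0.0 address for a single sshd, as steps 8 and 10 describe). The function names, the constructed sample tree, and the assumption that a missing ListenAddress line means the sshd default of 0.0.0.0 are mine, not the manual's.

```shell
#!/bin/sh
# nsk_ssh_preflight.sh - added example, not part of the NSK-SSH kit.
# Verifies the BASIC SETUP prerequisites under a given root directory
# (default /) so the same checks can run against a staging copy.

# Step 2: sshd looks up the "telnet" service, so /etc/services must have
# "telnet 23/tcp". Returns 0 if present, 1 if absent, 2 if no file.
check_telnet_service() {
    services="$1"
    [ -f "$services" ] || return 2
    grep -Eq '^[[:space:]]*telnet[[:space:]]+23/tcp' "$services"
}

# Step 7: the three host key pairs must exist. A private key readable by
# other users would let any OSS user present themselves as this host to
# clients, so flag it. Prints one line per problem; returns their count.
check_host_keys() {
    keydir="$1"
    problems=0
    for base in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        for f in "$base" "$base.pub"; do
            if [ ! -f "$keydir/$f" ]; then
                echo "missing: $keydir/$f"
                problems=$((problems + 1))
            fi
        done
        # -perm -004: the "other" read bit is set on the private key
        if [ -f "$keydir/$base" ] && [ -n "$(find "$keydir/$base" -perm -004)" ]; then
            echo "world-readable private key: $keydir/$base"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Steps 8 and 10: ListenAddress must fit the layout.
#   single - one sshd on the stack: must NOT be 127.0.0.1
#   multi  - two-cpu / ZZKRN layout behind ipssh: must be 127.0.0.1
# Prints the effective address; returns 0 if consistent, 1 if not,
# 2 for a missing file or unknown mode. Commented-out lines are ignored;
# with no ListenAddress line at all, the sshd default 0.0.0.0 is assumed
# (assumption of this example, not stated by the manual).
check_listen_address() {
    config="$1"
    mode="$2"
    [ -f "$config" ] || return 2
    addr=$(awk '/^[[:space:]]*ListenAddress[[:space:]]/ { a = $2 } END { print a }' "$config")
    [ -n "$addr" ] || addr="0.0.0.0"
    echo "$addr"
    case "$mode" in
        single) [ "$addr" != "127.0.0.1" ] ;;
        multi)  [ "$addr" = "127.0.0.1" ] ;;
        *)      return 2 ;;
    esac
}

# Run every check under ROOT for MODE; 0 means ready to start sshd.
run_preflight() {
    root="${1:-}"
    mode="${2:-single}"
    rc=0
    check_telnet_service "$root/etc/services" \
        || { echo "telnet 23/tcp missing from $root/etc/services"; rc=1; }
    check_host_keys "$root/etc/ssh" || rc=1
    check_listen_address "$root/etc/ssh/sshd_config" "$mode" >/dev/null \
        || { echo "ListenAddress does not fit the '$mode' layout"; rc=1; }
    return $rc
}

# Constructed sample tree (not a real install) so the checks can be tried
# offline; prints the directory it created. Layout matches a "multi" setup.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    printf 'ftp 21/tcp\ntelnet 23/tcp\n' > "$d/etc/services"
    printf '#ListenAddress 10.0.0.5\nListenAddress 127.0.0.1\nPort 22\n' > "$d/etc/ssh/sshd_config"
    for base in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        printf 'constructed private key\n' > "$d/etc/ssh/$base"
        printf 'constructed public key\n' > "$d/etc/ssh/$base.pub"
        chmod 600 "$d/etc/ssh/$base"
    done
    echo "$d"
}

# Usage: sh nsk_ssh_preflight.sh ROOT [single|multi]
if [ $# -gt 0 ]; then
    run_preflight "$@"
fi
```

On the NonStop itself the call is `sh nsk_ssh_preflight.sh / multi` after the ZZKRN or two-cpu startup files have been prepared, or `sh nsk_ssh_preflight.sh / single` for the one-sshd layout; `make_sample_tree` exists only so the checks can be exercised on a scratch directory first.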


    ADVANCED SETUP OF SSH

    In this section, we will talk about advanced set up of the SSH software including the KERNEL subsystem and TELNET isolation.

    TELNET ISOLATION

    For those of you that want to stop all of your telnet and ftp processes on the system, we have a solution that allows you to do this except for an isolated TCPIP stack with telnet running on the loop back port.

    The idea is to run a TCPIP process on your system that is not attached to any hardware and only uses the loop back port. This #LOOP0 is started and a TELSRV process is started against it, with no listener process. With this configuration, our SSHD process can use this isolated stack for telnet access.

    To use this feature, you need to specify the following environment variable before starting the SSHD process:

    TCPIP_TELNET_STACK

    This is equal to the process name of the TCPIP stack that is isolated. In our script called start_sshd_2cpu_2stack.sh, we use the TCPIP process name $ztc99, so this variable is set to:

    export TCPIP_TELNET_STACK=\$ztc99

    To do this, do the following (note that this works on all releases of the Guardian OS including H-series and J-series):

    1. Start up the TCPIP V4 stack at tacl:

    TCPIP/name $ZTC99, PRI 190, CPU 0, TERM $ZHOME/0

    2. Start the #LOOP0 port on the stack.

    scf> assume process $ztc99
    scf> alter subnet #loop0, ipaddress 127.1
    scf> start subnet *
    scf> exit


    3. Start up the TELSRV process

    add define =TCPIP^PROCESS^NAME, FILE $ZTC99
    param TCPIP^PROCESS^NAME $ZTC99
    param ZTNT^TRANSPORT^NAME $ZTC99
    TELSERV/NAME $ZTN99, CPU 0, NOWAIT, PRI 170/23

    Note that the 23 on the TELSERV command is the port to listen on. Now at this point, you should be able to access the TELNET server locally:

    TELNET 127.0.0.1 23

    WELCOME TO test.bsi1.com [PORT $ZTC99 #23 WINDOW $ZTN99.#PTYAAAA]

    TELSERV - T9553D40 - (15SEP2000) - (IPMADG)

    Available Services:

    TACL EXIT
    Enter Choice>

    If this works, now you are ready to add the TCPIP_TELNET_STACK to your SSHD start file and restart the SSHD servers.


    KERNEL SUBSYSTEM

    We have included in the install directory the scripts for setting up the SSHD software using the standard TCPIP V4 or V6 software, with the ipssh, prngd, and sshd processes running as persistent processes in the ZZKRN file.

    What you need to do this is the following:

    cd /usr/local/ssh/install/zzkrn
    cp ZZKRNSD.100 /G/system/nosubvol/ZZKRNSD

    gtacl>
    logon super.super
    volume /G/system/nosubvol
    fup alter zzkrnsd, code 100
    run zzkrnsd, $*.*.*, vol $system

    This will install the subvolume $system.zzkrnsd on your system.

    Now, you only need to install the files in the zzkrn subsystem. Note that you need to be root or super.super to do this, and you need to change your /etc/ssh/sshd_config file to listen on address 127.0.0.1. This is the ListenAddress configuration line.

    scf> assume process $zzkrn
    scf> volume $system.zzkrnsd

    The obey files add the process service and start up the service.

    scf> obey ranztc0a - start up cpu 0 random generator port 790
    scf> obey ranztc0b - start up cpu 1 random generator port 791
    scf> obey sdztc0a - start up cpu 0 sshd process port 700
    scf> obey sdztc0b - start up cpu 1 sshd process port 701
    scf> obey ipztc00a - start up cpu 0 ipssh1 process port 22
    scf> obey ipztc00b - start up cpu 1 ipssh1 process port 22

    Now check the status of the services

    scf> status

    They should all be running. In the zzkrn subsystem, you have added the following services:

    $ZZKRN.#IPSSH-ZTC00A
    $ZZKRN.#IPSSH-ZTC00B
    $ZZKRN.#RANDOM-ZTC00A
    $ZZKRN.#RANDOM-ZTC00B
    $ZZKRN.#SSHD-ZTC00A
    $ZZKRN.#SSHD-ZTC00B

    If you want to stop a service, all you need do is the following:

    scf> assume process $zzkrn
    scf> abort #IPSSH-ZTC00A
    scf> abort #IPSSH-ZTC00B
    scf> abort #SSHD-ZTC00A
    scf> abort #SSHD-ZTC00B
    scf> abort #RANDOM-ZTC00A
    scf> abort #RANDOM-ZTC00B

    The purpose of putting the files under this subsystem is to restart the process if one ever stops or a CPU dies. Note that when you abort the software, the process running in the script does not stop. It is only when you restart the software that the process will be restarted.

    When your system is started up, you must have a script to start up the SSH software in the correct order or it will not start at system startup.

    This script is the following:

    assume process $zzkrn
    start #RANDOM-ZTC00A
    start #RANDOM-ZTC00B
    start #SSHD-ZTC00A
    start #SSHD-ZTC00B
    start #IPSSH-ZTC00A
    start #IPSSH-ZTC00B

    For each startup script, there are two process names used; these names are the following:

    #RANDOM-ZTC00 - script name $ob000 - process name $RD000
    #RANDOM-ZTC01 - script name $ob001 - process name $RD001

    #SSHD-ZTC00A - script name $ob020 - process name $sd000
    #SSHD-ZTC00B - script name $ob021 - process name $sd001

    #IPSSH-ZTC00A - script name $ob10 - process name $ip000
    #IPSSH-ZTC00B - script name $ob11 - process name $ip001


    Porting Differences

    This section will talk very briefly about the differences between this port of NSK-SSH and what you would get from Open Source.

    The major difference of this port from the standard SSH and Prngd port is how sessions are accessed and how we access the random number generator. This is not a part of the standard.

    We added a new command to handle remote command execution, because of a problem with the select function not supporting the tty device, and support for the Guardian file system via sftp. This was not a problem in standard SSH.

    Under the standard model of SSH, all sessions are accessed using the master/slave pty configurations. Since the OSS environment does not support ptys, we use the telnet subsystem as the pty generator. When NSK-SSH requests a pty, we request access on the 127.0.0.1 port 23. We also have the ability to make this request to another TCPIP stack that is not attached to any Ethernet hardware and is only running TELSRV. This allows all TELSRV services to be stopped.

    If you request that a pty is not allocated, the sshd program will access the user's default shell script as the standard SSH port does.

    This port of SSH understands about ALIAS users and does its password authentication against the safeguard database. The standard SSH software does not know anything about this.

    This port of SSH uses the tcpip access to the random number generator to increase performance, reliability, and scalability. This also reduces connect time when performing any action that requires a random number, which is the case for all commands in SSH.

    This port of SSH and PRNGD has been fault tested to make sure that it works when a CPU fails. We also increased the capacity of the random number generator to handle large request loads.

    We added a distributor to the release so that it is possible to support round-robin access using the standard TCPIP software and scale the ssh software and random number generator software across multiple cpus.


    CHECKING YOUR SESSION ACCESS VIA PC CLIENT

    At this point, you have done the basic setup for the SSH software. In this section, we will be discussing how to access your system to establish a session.

    You will need an SSH client for your PC, Mac, or Unix system to start a session. In this example we are using MacSSH, but this will apply to Windows software too.

    1. Select your host and select Secure Shell

    2. Enter your user name and password:


    3. Get the system access prompt.

    Note that depending on what type of system you are executing the sshd software on, it may take a while for the session to connect. This has to do with the encryption of the session.

    At this point, you can access the NonStop as you always have. Just log in and start working.


    CHECKING YOUR SESSION ACCESS VIA UNIX CLIENT

    If you have other unix systems that have SSH installed, you can access the HP NonStop using ssh.

    To start a session remotely on the HP NonStop do the following:

    $ssh [email protected]
    password:

    WELCOME TO test.bsi1.com [PORT $ZTC0 #23 WINDOW $ZTN0.#PTYW1DX]
    TELSERV - T9553D40 - (15SEP2000) - (IPMADG)

    Available Services:

    TACL EXIT
    Enter Choice>

    If you want to execute a remote command, do the following:

    $ssh [email protected] /bin/ls
    joshuas password:
    test.pl
    test1.pl
    test2.pl
    test3.pl
    test5.pl
    test_message
    $

    If you want to copy a file from the unix system to the NSK, do the following:

    $scp test.pl [email protected]:test.pl

    joshuas password:


    If you want to logon directly to TACL, do the following:

    $ssh [email protected] /bin/gtacl
    joshuas password:

    TACL 1>

    Note that you will not be able to execute any oss commands with this tacl session because you are not using the standard telnet tty session attributes.


    KNOWN PROBLEMS

    We added the scmd program to allow remote command access to a system. This currently only supports commands that do not require any interaction with the user. This will be fixed in the next release.

    Should you find any problems with this software, you should send an email message to [email protected].


    INFORMATION

    If you need any help with this, please send an email message to [email protected].

    Any correspondence regarding this software can be sent to the following address:

    Bowden Systems, Inc.
    3500 Parkway Lane, Suite 370
    Norcross, GA 30092
    USA
    +1 866-901-9450 toll free
    +1 770-441-9450 direct
    +1 770-441-9449 fax
    web: www.bsi2.com
    email: [email protected]

    Copyright (c) 2001-2008 Bowden Systems, Inc. All Rights Reserved


    APPENDIX A - MAN PAGES

    prngd

    PRNGD(8)                System Reference Manual                PRNGD(8)

    NAME
    prngd - random number generator daemon

    SYNOPSIS
    prngd [options] (/path/to/socket1 | tcp/localhost:port | tcp/ip:addr:port) [(/path/to/socket2 | tcp/localhost:port | tcp/ip:addr:port)] ...

    OPTIONS
    -f or -fg
        do not fork
    -d or --debug
        debugging on
    -c or --cmdfile cmdpath
        use cmdpath for entropy commands [/etc/prngd.conf]
    -s or --seedfile seedpath
        use seedpath as seedfile [/etc/prngd-seed]
    -n or --no-seedfile
        no seedfile, keep pool in memory only
    -m or --mode mode
        use mode for sockets [0777]
    -k or --kill
        kill daemon on other side
    -v or --version
        print version and exit

    DESCRIPTION
    prngd is a daemon that provides the random number functionality on the NonStop system using either local sockets or a tcpip port connection.

    The default ports that SSH uses for port access are 790 to 793 and the default local socket is /dev/egd-pool. The ports 790 to 793 are against the local host (127.0.0.1) and will use the define =TCPIP^PROCESS^NAME to get the currently defined TCPIP process stack name. The option tcp/ip:addr:port allows the random number generator to listen on a specified address instead of the loopback address.


    STARTING DAEMON

    To start the prngd program using localhost port 708:

    prngd -gpri=144 tcp/localhost:790

    To start the prngd program using the tcp/ip option port 708:

    prngd -gpri=144 tcp/ip:192.168.1.210:790

    To start the prngd program using the local socket /dev/egd-pool:

    prngd -gpri=170 /dev/egd-pool

    The SSH program will attempt to use the localhost ports first and then try the local socket next. You can configure one prngd program to service both tcp and local socket if you like:

    prngd /dev/egd-pool tcp/localhost:790 tcp/localhost:791

    But you may want to configure the localhost port 790 as the primary and 791 or /dev/egd-pool as the backup. If you are running P/TCPIP then you can have more than one random number generator using only port 790. If you are using regular TCPIP, then a primary and backup is a good choice.

    run -cpu=0 -gpri=144 prngd tcp/localhost:790
    run -cpu=1 -gpri=144 prngd tcp/localhost:791

    or

    run -cpu=1 -gpri=170 prngd /dev/egd-pool

    You could run the TCPIP random number generator port 790 on cpu 0 and port 791 or the Local Socket random number generator on cpu 1. If any one of the CPUs fails, you will still have a random number generator available on the system.

    As a note, if there is not a random number generator available, most of the SSH functions will not work.

    If you are using Parallel TCPIP with round robin, then you can start up multiple random number generators using the same port number to spread the load to multiple CPUs.

    run -cpu=0 -gpri=144 prngd tcp/localhost:790
    run -cpu=1 -gpri=144 prngd tcp/localhost:790

    This will split the load of the random number generator between CPU 1 and CPU 0.


STOPPING DAEMON
    You can stop the prngd daemon with the following command:

    If TCPIP:

        prngd --kill tcp/localhost:790

    If local socket:

        prngd --kill /dev/egd-pool

    Or just use the kill command.

SEEDING DAEMON
    The random number generator software is located in the
    /usr/local/random directory. In the directory /usr/local/random/etc
    there is a file called prngd-seed. This file is 1 megabyte of random
    data that can be used as the first seed when starting prngd for the
    first time. The current seed in the /etc directory is based on this
    file, but has been written over by the prngd program. It has been
    found that if prngd is not properly seeded, it will stop generating
    random numbers. To use this seed file:

        cp /usr/local/random/etc/prngd-seed /etc/prngd-seed

    and restart the program.

    Note that the shipped prngd-seed is the same on every installation,
    so it only gets the pool started: the unpredictability of the output
    comes from the entropy commands in prngd.conf that prngd runs while
    it is up, and prngd rewrites /etc/prngd-seed from the running pool.
    Copy the shipped file in when the existing seed is missing or
    corrupt, not as a routine step.

PERFORMANCE
    We have noticed that the random number generator using TCPIP
    requires less CPU overhead than one using the local sockets
    interface. The program also produces an EMS message when closing a
    connection.

NOTES
    prngd runs as a named process.

    Do not use /G/ directories for entropy generation. This can result
    in system performance problems and cause the random number generator
    to take excessive CPU time.

    prngd will not return any random information if it runs out of
    entropy. This will result in processes waiting on this information.
    SSH has been programmed to try 5 times and then go to the next
    available generator and try 5 times there as well. If this also
    fails, the executing program will abend.


ipssh

IPSSH(1)                          IPSSH                          IPSSH(1)

NAME
    ipssh - TCPIP multiplexer for SSH

SYNOPSIS
    ipssh [-remote port] [-ports no] [-burst rate] [-interval rate]
          [-instance no] [-maxload no] [-debug] [-wait no] [-qlen no] [-D]

DESCRIPTION
    The ipssh program allows you to distribute IP traffic to multiple
    ports on a system. This is much like the Parallel TCPIP product
    except that it will execute on any NonStop system. ipssh listens on
    port 22 and distributes its IP load to ports 700 and 701. If you have
    more than two CPUs, it is possible to distribute load to those also.
    ipssh only forwards to the local 127.0.0.1 interface.

    The options are as follows:

    -remote port    is the remote port to forward the connection to.
                    This defaults to 700.

    -ports number   is the number of ports to connect to. Each port is
                    offset by one (e.g. port 700, 701, 702, ..., etc).
                    The default is 2.

    -burst rate     connection rate for burst conditions. This is the
                    number of connections that can be accepted during
                    the interval. The default is 5.

    -interval rate  interval in hundredths of a second (1 = .01 seconds).
                    The default is 100, i.e. 1 second.

    -instance no    the instance of the ipssh process. If you have more
                    than one ipssh process on the system, you need to
                    set this to a different number for each one. The
                    default is zero.

    -maxload no     this is the maximum number of ipssh child processes
                    that will be allowed to exist at one time. When this
                    maximum is reached, the main ipssh process waits
                    until a child completes before continuing. The
                    default is 25.

    -debug          displays debugging information.

    -wait no        time to wait before checking if you can bind to the
                    port. The default is 30 seconds. If you enter 0, the
                    time is set to 1 second.


    -qlen no        number of connections to listen for on the port.
                    The default is 5.

    -D              indicates that ipssh is to be run waited, so it will
                    not fork and create a process name.

    To change the default TCPIP process from $ZTC0, you must change the
    define =TCPIP^PROCESS^NAME. The primary process name is /G/ISX ($ISX)
    and the backup process name is /G/ISY ($ISY).
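To make the rate and load options above concrete, here is a small admission model of an ipssh-style multiplexer. It is an added example written for this page, not the ipssh program's code: the manual documents only the options, so round-robin selection over the backend ports, a fixed burst window of interval hundredths of a second, and deferring (rather than dropping) arrivals over the limit are this example's assumptions. -instance, -wait and -qlen do not affect admission and are not modelled.

```python
# Admission and port-selection model of an ipssh-style multiplexer.
# Added example for this page, not the ipssh program's code. Round-robin
# backend selection, a fixed burst window and deferring (not dropping)
# over-limit arrivals are assumptions; the manual documents only the options.


class IpsshDispatcher:
    def __init__(self, remote=700, ports=2, burst=5, interval=100, maxload=25):
        if ports < 1 or burst < 1 or maxload < 1:
            raise ValueError("ports, burst and maxload must be positive")
        self.backends = [remote + i for i in range(ports)]  # 700, 701, ... (-remote, -ports)
        self.burst = burst                                  # -burst: admissions per window
        self.interval = max(interval, 1) / 100.0            # -interval: 1 = .01 s, 100 = 1 s
        self.maxload = maxload                              # -maxload: live children allowed
        self._next = 0                                      # round-robin cursor
        self._window_start = None                           # start of the current burst window
        self._window_count = 0                              # admissions in that window
        self.children = set()                               # ids of live forwarding children

    def admit(self, now, conn_id):
        """Decide what happens to a connection arriving at time `now` (seconds).

        ("forward", port): accept it and let a child forward it to 127.0.0.1:port.
        ("defer", "maxload"): maxload children are busy; wait for one to finish.
        ("defer", "burst"): `burst` connections were already admitted this window.
        """
        if len(self.children) >= self.maxload:
            return ("defer", "maxload")
        if self._window_start is None or now - self._window_start >= self.interval:
            self._window_start, self._window_count = now, 0
        if self._window_count >= self.burst:
            return ("defer", "burst")
        self._window_count += 1
        port = self.backends[self._next]
        self._next = (self._next + 1) % len(self.backends)
        self.children.add(conn_id)
        return ("forward", port)

    def child_done(self, conn_id):
        """A forwarding child exited, freeing one maxload slot."""
        self.children.discard(conn_id)


def simulate(arrivals, **options):
    """Run (time, conn_id) arrivals through one dispatcher and return its decisions."""
    d = IpsshDispatcher(**options)
    return [d.admit(t, cid) for t, cid in arrivals]


if __name__ == "__main__":
    # Six connections inside one second with the default -burst 5 -ports 2:
    # the sixth is deferred until the next interval.
    for decision in simulate([(0.0, i) for i in range(6)]):
        print(decision)
```

With the defaults the sixth arrival inside one second is deferred; with -ports 3 the cursor cycles 700, 701, 702; and once maxload children are live every arrival waits regardless of the burst budget.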


ssh-keygen

SSH-KEYGEN(1)            System Reference Manual            SSH-KEYGEN(1)

NAME
    ssh-keygen - authentication key generation, management and conversion

SYNOPSIS
    ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
    ssh-keygen -i [-f input_keyfile]
    ssh-keygen -e [-f input_keyfile]
    ssh-keygen -y [-f input_keyfile]
    ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
    ssh-keygen -l [-f input_keyfile]
    ssh-keygen -B [-f input_keyfile]
    ssh-keygen -D reader
    ssh-keygen -U reader [-f input_keyfile]

DESCRIPTION
    ssh-keygen generates, manages and converts authentication keys for
    ssh(1). ssh-keygen defaults to generating a RSA1 key for use by SSH
    protocol version 1. Specifying the -t option instead creates a key
    for use by SSH protocol version 2.

    Normally each user wishing to use SSH with RSA or DSA authentication
    runs this once to create the authentication key in
    $HOME/.ssh/identity, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa.
    Additionally, the system administrator may use this to generate host
    keys, as seen in /etc/rc.

    Normally this program generates the key and asks for a file in which
    to store the private key. The public key is stored in a file with
    the same name but ``.pub'' appended. The program also asks for a
    passphrase. The passphrase may be empty to indicate no passphrase
    (host keys must have an empty passphrase), or it may be a string of
    arbitrary length. Good passphrases are 10-30 characters long and are
    not simple sentences or otherwise easily guessable (English prose
    has only 1-2 bits of entropy per character, and provides very bad
    passphrases). The passphrase can be changed later by using the -p
    option.

    There is no way to recover a lost passphrase. If the passphrase is
    lost or forgotten, a new key must be generated and the corresponding
    public key copied to the other machines.

    For RSA1 keys, there is also a comment field in the key file that is
    only for convenience to the user to help identify the key. The
    comment can tell what the key is for, or whatever is useful. The
    comment is initialized to ``user@host'' when the key is created, but
    can be changed using the -c option.

    After a key is generated, instructions below detail where the keys
    should be placed to be activated.

    The options are as follows:

    -b bits
        Specifies the number of bits in the key to create. Minimum is
        512 bits. Generally 1024 bits is considered sufficient, and key
        sizes above that no longer improve security but make things
        slower. The default is 1024 bits. (This guidance comes from the
        OpenSSH release this port is based on; 1024-bit RSA and DSA keys
        are no longer considered adequate, so pass -b 2048 or larger for
        RSA keys on any system that still runs this software.)

    -c  Requests changing the comment in the private and public key
        files. The program will prompt for the file containing the
        private keys, for the passphrase if the key has one, and for
        the new comment.

    -e  This option will read a private or public OpenSSH key file and
        print the key in `SECSH Public Key File Format' to stdout. This
        option allows exporting keys for use by several commercial SSH
        implementations.

    -f filename
        Specifies the filename of the key file.

    -i  This option will read an unencrypted private (or public) key
        file in SSH2-compatible format and print an OpenSSH compatible
        private (or public) key to stdout. ssh-keygen also reads the
        `SECSH Public Key File Format'. This option allows importing
        keys from several commercial SSH implementations.

    -l  Show fingerprint of specified private or public key file.

    -p  Requests changing the passphrase of a private key file instead
        of creating a new private key. The program will prompt for the
        file containing the private key, for the old passphrase, and
        twice for the new passphrase.

    -q  Silence ssh-keygen. Used by /etc/rc when creating a new key.

    -y  This option will read a private OpenSSH format file and print an
        OpenSSH public key to stdout.

    -t type
        Specifies the type of the key to create. The possible values are
        ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for
        protocol version 2. The default is ``rsa1''. Protocol version 1
        has known cryptographic weaknesses, so generate protocol version
        2 keys (-t rsa) unless a peer can only speak version 1.

    -B  Show the bubblebabble digest of specified private or public key
        file.

    -C comment
        Provides the new comment.

    -D reader
        Download the RSA public key stored in the smartcard in reader.

    -N new_passphrase
        Provides the new passphrase.

    -P passphrase
        Provides the (old) passphrase.

    -U reader
        Upload an existing RSA private key into the smartcard in reader.

FILES
    $HOME/.ssh/identity
        Contains the protocol version 1 RSA authentication identity of
        the user. This file should not be readable by anyone but the
        user. It is possible to specify a passphrase when generating the
        key; that passphrase will be used to encrypt the private part of
        this file using 3DES. This file is not automatically accessed by
        ssh-keygen but it is offered as the default file for the private
        key. ssh(1) will read this file when a login attempt is made.

    $HOME/.ssh/identity.pub
        Contains the protocol version 1 RSA public key for
        authentication. The contents of this file should be added to
        $HOME/.ssh/authorized_keys on all machines where the user wishes
        to log in using RSA authentication. There is no need to keep the
        contents of this file secret.

    $HOME/.ssh/id_dsa
        Contains the protocol version 2 DSA authentication identity of
        the user. This file should not be readable by anyone but the
        user. It is possible to specify a passphrase when generating the
        key; that passphrase will be used to encrypt the private part of
        this file using 3DES. This file is not automatically accessed by
        ssh-keygen but it is offered as the default file for the private
        key. ssh(1) will read this file when a login attempt is made.

    $HOME/.ssh/id_dsa.pub
        Contains the protocol version 2 DSA public key for
        authentication. The contents of this file should be added to
        $HOME/.ssh/authorized_keys on all machines where the user wishes
        to log in using public key authentication. There is no need to
        keep the contents of this file secret.

    $HOME/.ssh/id_rsa
        Contains the protocol version 2 RSA authentication identity of
        the user. This file should not be readable by anyone but the
        user. It is possible to specify a passphrase when generating the
        key; that passphrase will be used to encrypt the private part of
        this file using 3DES. This file is not automatically accessed by
        ssh-keygen but it is offered as the default file for the private
        key. ssh(1) will read this file when a login attempt is made.

    $HOME/.ssh/id_rsa.pub
        Contains the protocol version 2 RSA public key for
        authentication. The contents of this file should be added to
        $HOME/.ssh/authorized_keys on all machines where the user wishes
        to log in using public key authentication. There is no need to
        keep the contents of this file secret.

DEFINES SUPPORTED
    This program supports the TCPIP PROCESS NAME define. This will allow
    you to execute the software against other TCPIP process stacks in
    addition to the standard process stack ($ZTC0).

SEE ALSO
    ssh(1), ssh-add(1), ssh-agent(1), sshd(8)

    J. Galbraith, and R. Thayer, SECSH Public Key File Format,
    draft-ietf-secsh-publickeyfile-01.txt, March 2001, work in progress
    material.


ssh-keyscan

SSH-KEYSCAN(1)           System Reference Manual           SSH-KEYSCAN(1)

NAME
    ssh-keyscan - gather ssh public keys

SYNOPSIS
    ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file]
                [host | addrlist namelist] [...]

DESCRIPTION
    ssh-keyscan is a utility for gathering the public ssh host keys of a
    number of hosts. It was designed to aid in building and verifying
    ssh_known_hosts files. ssh-keyscan provides a minimal interface
    suitable for use by shell and perl scripts.

    ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
    possible in parallel, so it is very efficient. The keys from a
    domain of 1,000 hosts can be collected in tens of seconds, even when
    some of those hosts are down or do not run ssh. For scanning, one
    does not need login access to the machines that are being scanned,
    nor does the scanning process involve any encryption.

    The options are as follows:

    -p port
        Port to connect to on the remote host.

    -T timeout
        Set the timeout for connection attempts. If timeout seconds have
        elapsed since a connection was initiated to a host or since the
        last time anything was read from that host, then the connection
        is closed and the host in question considered unavailable.
        Default is 5 seconds.

    -t type
        Specifies the type of the key to fetch from the scanned hosts.
        The possible values are ``rsa1'' for protocol version 1 and
        ``rsa'' or ``dsa'' for protocol version 2. Multiple values may
        be specified by separating them with commas. The default is
        ``rsa1''.

    -f filename
        Read hosts or addrlist namelist pairs from this file, one per
        line. If - is supplied instead of a filename, ssh-keyscan will
        read hosts or addrlist namelist pairs from the standard input.


    -v  Verbose mode. Causes ssh-keyscan to print debugging messages
        about its progress.

    -4  Forces ssh-keyscan to use IPv4 addresses only.

    -6  Forces ssh-keyscan to use IPv6 addresses only.

DEFINES SUPPORTED
    This program supports the TCPIP PROCESS NAME define. This will allow
    you to execute the software against other TCPIP process stacks in
    addition to the standard process stack ($ZTC0).

SECURITY
    If an ssh_known_hosts file is constructed using ssh-keyscan without
    verifying the keys, users will be vulnerable to attacks. On the
    other hand, if the security model allows such a risk, ssh-keyscan
    can help in the detection of tampered keyfiles or man in the middle
    attacks which have begun after the ssh_known_hosts file was created.

EXAMPLES
    Print the rsa1 host key for machine hostname:

        ssh-keyscan hostname

    Find all hosts from the file ssh_hosts which have new or different
    keys from those in the sorted file ssh_known_hosts:

        ssh-keyscan -t rsa,dsa -f ssh_hosts | \
            sort -u - ssh_known_hosts | diff ssh_known_hosts -

FILES
    Input format:

        1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4

    Output format for rsa1 keys:

        host-or-namelist bits exponent modulus

    Output format for rsa and dsa keys:

        host-or-namelist keytype base64-encoded-key

    Where keytype is either ``ssh-rsa'' or ``ssh-dss''.

    /etc/ssh/ssh_known_hosts
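The diff pipeline in EXAMPLES only tells you that a line changed. The following added example (not part of NSK-SSH or OpenSSH) does the same comparison in Python and adds the check the SECURITY section calls for: it verifies that the keytype on each line matches the type embedded in the base64 blob, prints the MD5 fingerprint in the colon form that ssh-keygen -l of this release uses, and classifies every scanned host as unchanged, new or CHANGED. The key material in it is constructed from tiny numbers so that it runs offline; make_blob, compare_scan and the host names are this example's own.

```python
# Check ssh-keyscan output against an ssh_known_hosts file.
# Added example, not NSK-SSH or OpenSSH code. Parses the two line formats the
# manual gives (rsa1: "host bits exponent modulus"; rsa/dsa: "host keytype
# base64-key"). The sample keys below are constructed with tiny numbers and
# are not real keys.
import base64
import hashlib
import struct


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(n):                      # positive multi-precision int, leading zero if top bit set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(keytype, *ints):
    """Base64 key blob in the wire layout (string keytype, then mpints). Test data only."""
    raw = _ssh_string(keytype.encode()) + b"".join(_mpint(i) for i in ints)
    return base64.b64encode(raw).decode()


def blob_keytype(blob):
    """Key type string embedded at the start of a base64 key blob."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        raise ValueError("truncated key blob")
    return raw[4:4 + n].decode("ascii")


def parse_key_line(line):
    """(hosts, keytype, keydata) for one keyscan/known_hosts line, None for comments.
    Raises ValueError when the line is malformed or the declared keytype does not
    match the blob, which is what a mangled or tampered entry looks like."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) == 4 and parts[1].isdigit():          # rsa1: host bits exponent modulus
        return parts[0].split(","), "rsa1", " ".join(parts[1:])
    if len(parts) < 3:
        raise ValueError("malformed key line: %r" % line)
    hosts, keytype, blob = parts[0].split(","), parts[1], parts[2]
    embedded = blob_keytype(blob)
    if embedded != keytype:
        raise ValueError("declared %s but blob is %s" % (keytype, embedded))
    return hosts, keytype, blob


def fingerprint(blob):
    """MD5 of the decoded blob as colon-separated hex (ssh-keygen -l of this era)."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def compare_scan(known_lines, scan_lines):
    """Map (host, keytype) -> "unchanged" | "new" | "CHANGED" | "MALFORMED"."""
    known = {}
    for line in known_lines:
        rec = parse_key_line(line)
        if rec:
            for host in rec[0]:
                known[(host, rec[1])] = rec[2]
    report = {}
    for line in scan_lines:
        parts = line.split()
        try:
            rec = parse_key_line(line)
        except ValueError:
            report[(parts[0], parts[1] if len(parts) > 1 else "?")] = "MALFORMED"
            continue
        if rec is None:
            continue
        for host in rec[0]:
            old = known.get((host, rec[1]))
            report[(host, rec[1])] = ("new" if old is None else
                                      "unchanged" if old == rec[2] else "CHANGED")
    return report


# Constructed sample data (toy integers, not real keys).
KEY_A = make_blob("ssh-rsa", 65537, 0xC0FFEE0DDBA11)
KEY_B_OLD = make_blob("ssh-dss", 23, 11, 2, 8)
KEY_B_NEW = make_blob("ssh-dss", 23, 11, 2, 9)
KEY_C = make_blob("ssh-rsa", 3, 0xDEADBEEF)
KNOWN_HOSTS = ["# constructed sample ssh_known_hosts",
               "alpha.example,10.0.0.1 ssh-rsa " + KEY_A,
               "beta.example ssh-dss " + KEY_B_OLD]
SCAN_OUTPUT = ["alpha.example ssh-rsa " + KEY_A,        # same key as the file
               "beta.example ssh-dss " + KEY_B_NEW,     # key changed since the file was built
               "gamma.example ssh-rsa " + KEY_C,        # host not in the file yet
               "delta.example ssh-rsa " + KEY_B_NEW]    # label says rsa, blob says dss

if __name__ == "__main__":
    for (host, keytype), status in sorted(compare_scan(KNOWN_HOSTS, SCAN_OUTPUT).items()):
        print("%-14s %-8s %s" % (host, keytype, status))
```

Feed real ssh-keyscan output into compare_scan one line per list element; a CHANGED or MALFORMED entry is the case the SECURITY section warns about and should be confirmed out of band before the known_hosts file is updated.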


BUGS
    It generates "Connection closed by remote host" messages on the
    consoles of all the machines it scans if the server is older than
    version 2.9. This is because it opens a connection to the ssh port,
    reads the public key, and drops the connection as soon as it gets
    the key.

SEE ALSO
    ssh(1), sshd(8)

AUTHORS
    David Mazieres wrote the initial version, and Wayne Davison added
    support for protocol version 2.


sshd

SSHD(8)                  System Manager's Manual                  SSHD(8)

NAME
    sshd - NSK-SSH SSH daemon

SYNOPSIS
    sshd [-deiqtD46] [-b bits] [-f config_file] [-g login_grace_time]
         [-h host_key_file] [-k key_gen_time] [-p port] [-u len]

DESCRIPTION
    sshd (SSH Daemon) is the daemon program for ssh(1). Together these
    programs replace rlogin and rsh, and provide secure encrypted
    communications between two untrusted hosts over an insecure network.
    The programs are intended to be as easy to install and use as
    possible.

    sshd is the daemon that listens for connections from clients. It is
    normally started at load time from /usr/local/ssh/. It forks a new
    daemon for each incoming connection. The forked daemons handle key
    exchange, encryption, authentication, command execution, and data
    exchange. This implementation of sshd supports both SSH protocol
    version 1 and 2 simultaneously. sshd works as follows.

    SSH protocol version 1

    Each host has a host-specific RSA key (normally 1024 bits) used to
    identify the host. Additionally, when the daemon starts, it
    generates a server RSA key (normally 768 bits). This key is normally
    regenerated every hour if it has been used, and is never stored on
    disk.

    Whenever a client connects the daemon responds with its public host
    and server keys. The client compares the RSA host key against its
    own database to verify that it has not changed. The client then
    generates a 256 bit random number. It encrypts this random number
    using both the host key and the server key, and sends the encrypted
    number to the server. Both sides then use this random number as a
    session key which is used to encrypt all further communications in
    the session. The rest of the session is encrypted using a
    conventional cipher, currently Blowfish or 3DES, with 3DES being
    used by default. The client selects the encryption algorithm to use
    from those offered by the server.

    Next, the server and the client enter an authentication dialog. The
    client tries to authenticate itself using .rhosts authentication,
    .rhosts authentication combined with RSA host authentication, RSA
    challenge-response authentication, or password based authentication.


    Rhosts authentication is normally disabled because it is
    fundamentally insecure, but can be enabled in the server
    configuration file if desired. System security is not improved
    unless rshd(8), rlogind(8), and rexecd(8) are disabled (thus
    completely disabling rlogin(1) and rsh(1) into the machine).

    SSH protocol version 2

    Version 2 works similarly: Each host has a host-specific key (RSA or
    DSA) used to identify the host. However, when the daemon starts, it
    does not generate a server key. Forward security is provided through
    a Diffie-Hellman key agreement. This key agreement results in a
    shared session key.

    The rest of the session is encrypted using a symmetric cipher,
    currently 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit
    AES, or 256 bit AES. The client selects the encryption algorithm to
    use from those offered by the server. Additionally, session
    integrity is provided through a cryptographic message authentication
    code (hmac-sha1 or hmac-md5).

    Protocol version 2 provides a public key based user
    (PubkeyAuthentication) or client host (HostbasedAuthentication)
    authentication method, conventional password authentication and
    challenge response based methods.

    Command execution and data forwarding

    If the client successfully authenticates itself, a dialog for
    preparing the session is entered. At this time the client may
    request things like allocating a pseudo-tty, forwarding X11
    connections, forwarding TCP/IP connections, or forwarding the
    authentication agent connection over the secure channel.

    Finally, the client either requests a shell or execution of a
    command. The sides then enter session mode. In this mode, either
    side may send data at any time, and such data is forwarded to/from
    the shell or command on the server side, and the user terminal on
    the client side.

    When the user program terminates and all forwarded X11 and other
    connections have been closed, the server sends command exit status
    to the client, and both sides exit.

    sshd can be configured using command-line options or a
    configuration file. Command-line options override values specified
    in the configuration file.

    sshd rereads its configuration file when it receives a hangup
    signal, SIGHUP, by executing itself with the name it was started as,
    i.e., /usr/local/ssh/sbin/sshd.


    The options are as follows:

    -b bits
        Specifies the number of bits in the ephemeral protocol version 1
        server key (default 768).

    -d  Debug mode. The server sends verbose debug output to the system
        log, and does not put itself in the background. The server also
        will not fork and will only process one connection. This option
        is only intended for debugging for the server. Multiple -d
        options increase the debugging level. Maximum is 3.

    -e  When this option is specified, sshd will send the output to the
        standard error instead of the system log.

    -f configuration_file
        Specifies the name of the configuration file. The default is
        /etc/ssh/sshd_config. sshd refuses to start if there is no
        configuration file.

    -g login_grace_time
        Gives the grace time for clients to authenticate themselves
        (default 600 seconds). If the client fails to authenticate the
        user within this many seconds, the server disconnects and exits.
        A value of zero indicates no limit.

    -h host_key_file
        Specifies the file from which the host key is read (default
        /etc/ssh/ssh_host_key). This option must be given if sshd is not
        run as root (as the normal host file is normally not readable by
        anyone but root). It is possible to have multiple host key files
        for the different protocol versions and host key algorithms.

    -i  Specifies that sshd is being run from inetd. sshd is normally
        not run from inetd because it needs to generate the server key
        before it can respond to the client, and this may take tens of
        seconds. Clients would have to wait too long if the key was
        regenerated every time. However, with small key sizes (e.g.,
        512) using sshd from inetd may be feasible.

    -k key_gen_time
        Specifies how often the ephemeral protocol version 1 server key
        is regenerated (default 3600 seconds, or one hour). The
        motivation for regenerating the key fairly often is that the key
        is not stored anywhere, and after about an hour, it becomes
        impossible to recover the key for decrypting intercepted
        communications even if the machine is cracked into or physically
        seized. A value of zero indicates that the key will never be
        regenerated.

    -p port
        Specifies the port on which the server listens for connections
        (default 22).

    -q  Quiet mode. Nothing is sent to the system log. Normally the
        beginning, authentication, and termination of each connection
        is logged.

    -t  Test mode. Only check the validity of the configuration file and
        sanity of the keys. This is useful for updating sshd reliably as
        configuration options may change.

    -u len
        This option is used to specify the size of the field in the utmp
        structure that holds the remote host name. If the resolved host
        name is longer than len, the dotted decimal value will be used
        instead. This allows hosts with very long host names that
        overflow this field to still be uniquely identified. Specifying
        -u0 indicates that only dotted decimal addresses should be put
        into the utmp file. -u0 may also be used to prevent sshd from
        making DNS requests unless the authentication mechanism or
        configuration requires it. Authentication mechanisms that may
        require DNS include RhostsAuthentication,
        RhostsRSAAuthentication, HostbasedAuthentication and using a
        from="pattern-list" option in a key file.

    -D  When this option is specified sshd will not detach and does not
        become a daemon. This allows easy monitoring of sshd.

    -4  Forces sshd to use IPv4 addresses only.

    -6  Forces sshd to use IPv6 addresses only.

RANDOM NUMBER GENERATOR
    sshd requires the use of a random number generator for its
    operation. It currently looks on ports 790 to 793 of address
    127.0.0.1 for a random number generator. If it does not find one,
    it then looks for the named pipe /dev/egd-pool. If it does not find
    that, it fails the random number request.

    TCP_RND_ADDR
    TCP_RND_PORT0
    TCP_RND_PORT1

    These environment variables allow you to change the default IP
    address and the starting and ending port that sshd queries for the
    random number generator. In general, you need at least one
    generator for each TCPIP stack that sshd is running on. If your
    system is heavily used for SSH requests, then you might need more
    than one, and you can assign the extra ones to ports 791 to 793.
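The search order described here and the five-attempts-per-generator rule in the prngd NOTES section can be exercised with the client below. It is an added example, not NSK-SSH code. It assumes prngd answers the EGD socket protocol (request byte 0x02 followed by a one-byte count returns that many random bytes, blocking until the pool can supply them), which is the request OpenSSH's entropy client sends; MockEGDServer, unused_local_port and the function names are this example's own, there so the failover can be tested without a running prngd.

```python
# EGD-style entropy request with the generator failover sshd performs.
# Added example, not NSK-SSH code. Assumes prngd speaks the EGD socket
# protocol (0x02 + one-byte count = blocking read of that many bytes), as
# OpenSSH's entropy client does. Generator list and 5 tries each come from
# the manual; MockEGDServer is a test double, not prngd.
import os
import socket
import threading

DEFAULT_GENERATORS = [("tcp", ("127.0.0.1", p)) for p in range(790, 794)]
DEFAULT_GENERATORS.append(("unix", "/dev/egd-pool"))
TRIES_PER_GENERATOR = 5


def egd_request(kind, address, nbytes, timeout=2.0):
    """Ask one generator for nbytes of entropy with the EGD blocking read (0x02)."""
    if not 1 <= nbytes <= 255:
        raise ValueError("EGD carries the byte count in a single byte")
    if kind == "unix" and not hasattr(socket, "AF_UNIX"):
        raise OSError("AF_UNIX sockets are not available on this platform")
    family = socket.AF_INET if kind == "tcp" else socket.AF_UNIX
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(address)
        s.sendall(bytes([0x02, nbytes]))
        buf = b""
        while len(buf) < nbytes:          # blocking read: exactly nbytes come back
            chunk = s.recv(nbytes - len(buf))
            if not chunk:
                raise ConnectionError("generator closed before delivering entropy")
            buf += chunk
        return buf


def get_random_bytes(nbytes, generators=DEFAULT_GENERATORS, tries=TRIES_PER_GENERATOR):
    """Walk the generator list in order with `tries` attempts each, as the manual
    describes for sshd. Returns (data, generator) or raises RuntimeError once
    every generator is exhausted (the point where the manual says the caller abends)."""
    failures = []
    for kind, address in generators:
        for attempt in range(1, tries + 1):
            try:
                return egd_request(kind, address, nbytes), (kind, address)
            except OSError as exc:        # refused, timed out, missing socket path
                failures.append((kind, address, attempt, str(exc)))
    raise RuntimeError("no random number generator available: %r" % failures)


def available_generator(generators=DEFAULT_GENERATORS, tries=TRIES_PER_GENERATOR):
    """Health check: the first generator that answers a 1-byte request, or None."""
    try:
        return get_random_bytes(1, generators, tries)[1]
    except RuntimeError:
        return None


class MockEGDServer(threading.Thread):
    """Minimal EGD responder on an ephemeral localhost port (test double only)."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.served = 0

    def run(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:               # listening socket closed by stop()
                return
            with conn:
                req = conn.recv(2)
                if len(req) == 2 and req[0] == 0x02:
                    self.served += 1
                    conn.sendall(os.urandom(req[1]))

    def stop(self):
        self.sock.close()


def unused_local_port():
    """A localhost port nothing listens on, standing in for a prngd that is down."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("generator answering on this host:", available_generator())
```

Run against a live system, available_generator() with the defaults tells you which of ports 790-793 or /dev/egd-pool is actually answering, which is the check to make before concluding that an sshd abend is an entropy problem.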

TELNET ISOLATION
    For those of you that want to stop all of your telnet and ftp
    processes on the system, we have a solution that allows you to do
    this, except for an isolated TCPIP stack with telnet running on the
    loopback interface.

    The idea is to run a TCPIP process on your system that is not
    attached to any hardware and only uses the loopback interface. This
    #LOOP0 is started and a TELSRV process is started against it, with
    no LISTNER process. With this configuration, our sshd process can
    use this isolated stack for telnet access.

    To use this feature, you need to specify the following environment
    variable before starting the sshd process:

    TCPIP_TELNET_STACK

    This is set to the process name of the TCPIP stack that is
    isolated. In our script called start_sshd_2cpu_2stack.sh, we use
    the TCPIP process name $ztc99, so this variable is set to:

        export TCPIP_TELNET_STACK=\$ztc99

    ZZKRN PERSI STANT PROCESS SETUP

    We have i ncl uded i n t hi s set up t he i nst al l di r ect or y t he scr i pt sf or set t i ng up t he SSHD sof t ware usi ng t he st andard TCPI P V4 orV6 sof t ware usi ng t he i pssh, pr ngd, and sshd pr ocess r unni ng asper si st ant pr ocesses i n t he ZZKRN f i l e.

    What you need t o do t hi s, i s t he f ol l owi ng:

    cd / us r / l ocal / s sh/ i ns tal l / z zkrncp ZZKRNSD. 100 / G/ sys t em/ nosubvol / ZZKRNSD

    gt acl >

    vol ume / G/ syst em/ nosubvolf up al t er zzkr nsd, code 100r un zzkr nsd, $*. *. *, vol $syst em

    Thi s wi l l i nst al l t he subvol ume $syst em. zzkr nsd on your syst em.

Now, you only need to install the files in the zzkrn subsystem. Note that you need to be root or super.super to do this, and you need to change your /etc/sshd.config file to listen on the loopback address 127.0.0.1. This is the ListenAddress configuration line.

NSK-SSH V2.4 Page 41 March 31, 2008

scf> assume process $zzkrn
scf> volume $system.zzkrnsd

The obey files add the process service and start up the service.

scf> obey ranztc0a   - start up cpu 0 random generator port 790
scf> obey ranztc0b   - start up cpu 1 random generator port 791
scf> obey sdztc0a    - start up cpu 0 sshd process port 700
scf> obey sdztc0b    - start up cpu 1 sshd process port 701
scf> obey ipztc00a   - start up cpu 0 ipssh1 process port 22
scf> obey ipztc00b   - start up cpu 1 ipssh1 process port 22

Now check the status of the services:

scf> status

They should all be running. In the zzkrn subsystem, you have added the following services:

$ZZKRN.#IPSSH-ZTC00A   $ZZKRN.#IPSSH-ZTC00B
$ZZKRN.#RANDOM-ZTC00A  $ZZKRN.#RANDOM-ZTC00B
$ZZKRN.#SSHD-ZTC00A    $ZZKRN.#SSHD-ZTC00B

If you want to stop a service, all you need do is the following:

scf> assume process $zzkrn
scf> abort #IPSSH-ZTC00A
scf> abort #IPSSH-ZTC00B
scf> abort #SSHD-ZTC00A
scf> abort #SSHD-ZTC00B
scf> abort #RANDOM-ZTC00A
scf> abort #RANDOM-ZTC00B

The purpose of putting the processes under this subsystem is to restart a process if it ever stops or a CPU dies.

CONFIGURATION FILE

sshd reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword-argument pairs, one per line. Lines starting with `#' and empty lines are interpreted as comments.

The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive):

AFSTokenPassing
    Specifies whether an AFS token may be forwarded to the server. Default is ``yes''.

AllowGroups
    This keyword can be followed by a list of group names, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default login is allowed regardless of the group list.

AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. The default is ``yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

AllowUsers
    This keyword can be followed by a list of user names, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default login is allowed regardless of the user name. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

AuthorizedKeysFile
    Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection set-up. The following tokens are defined: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. The default is ``.ssh/authorized_keys''.

Banner
    In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2.

ChallengeResponseAuthentication
    Specifies whether challenge response authentication is allowed. All authentication styles from login.conf(5) are supported. The default is ``yes''.

Ciphers
    Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour''.

ClientAliveInterval
    Sets a timeout interval in seconds after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

ClientAliveCountMax
    Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from KeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by KeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

    The default value is 3. If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be disconnected after approximately 45 seconds.

DenyGroups
    This keyword can be followed by a number of group names, separated by spaces. Users whose primary group or supplementary group list matches one of the patterns aren't allowed to log in. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default login is allowed regardless of the group list.

DenyUsers
    This keyword can be followed by a number of user names, separated by spaces. Login is disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default login is allowed regardless of the user name.

GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ``yes'' or ``no''. The default is ``no''.

HostbasedAuthentication
    Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (hostbased authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is ``no''.

HostKey
    Specifies the file containing the private host keys (default /etc/ssh/ssh_host_key) used by SSH protocol versions 1 and 2. Note that sshd will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. ``rsa1'' keys are used for version 1 and ``dsa'' or ``rsa'' are used for version 2 of the SSH protocol.

IgnoreRhosts
    Specifies that .rhosts and .shosts files will not be used in RhostsAuthentication, RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is ``yes''.

IgnoreUserKnownHosts
    Specifies whether sshd should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication. The default is ``no''.

KeepAlive
    Specifies whether the system should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving ``ghost'' users and consuming server resources.

    The default is ``yes'' (to send keepalives), and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.

    To disable keepalives, the value should be set to ``no'' in both the server and the client configuration files.

KerberosAuthentication
    Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or if PasswordAuthentication is yes, the password provided by the user will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. Default is ``yes''.

KerberosOrLocalPasswd
    If set, then if password authentication through Kerberos fails, the password will be validated via any additional local mechanism such as /etc/passwd. Default is ``yes''.

KerberosTgtPassing
    Specifies whether a Kerberos TGT may be forwarded to the server. Default is ``no'', as this only works when the Kerberos KDC is actually an AFS kaserver.

KerberosTicketCleanup
    Specifies whether to automatically destroy the user's ticket cache file on logout. Default is ``yes''.

KeyRegenerationInterval
    In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds).

ListenAddress
    Specifies the local addresses sshd should listen on. The following forms may be used:

        ListenAddress host|IPv4_addr|IPv6_addr
        ListenAddress host|IPv4_addr:port
        ListenAddress [host|IPv6_addr]:port

    If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non port qualified addresses.

LoginGraceTime
    The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 600 (seconds).

LogLevel
    Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. The default is INFO. Logging with level DEBUG violates the privacy of users and is not recommended.

MACs
    Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''.

MaxStartups
    Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10.

    Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of ``rate/100'' (30%) if there are currently ``start'' (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ``full'' (60).

PAMAuthenticationViaKbdInt
    Specifies whether PAM challenge response authentication is allowed. This allows the use of most PAM challenge response authentication modules, but it will allow password authentication regardless of whether PasswordAuthentication is disabled. The default is ``no''.

PasswordAuthentication
    Specifies whether password authentication is allowed. The default is ``yes''.

PermitEmptyPasswords
    When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ``no''.

PermitRootLogin
    Specifies whether root can login using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``yes''.

    If this option is set to ``without-password'', password authentication is disabled for root.

    If this option is set to ``forced-commands-only'', root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

    If this option is set to ``no'', root is not allowed to login.

PidFile
    Specifies the file that contains the process identifier of the sshd daemon. The default is /var/run/sshd.pid.

Port
    Specifies the port number that sshd listens on. The default is 22. Multiple options of this type are permitted. See also ListenAddress.

PrintLastLog
    Specifies whether sshd should print the date and time when the user last logged in. The default is ``yes''.

PrintMotd
    Specifies whether sshd should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is ``yes''.

Protocol
    Specifies the protocol versions sshd should support. The possible values are ``1'' and ``2''. Multiple versions must be comma-separated. The default is ``2,1''.

PubkeyAuthentication
    Specifies whether public key authentication is allowed. The default is ``yes''. Note that this option applies to protocol version 2 only.

ReverseMappingCheck
    Specifies whether sshd should try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ``no''.

RhostsAuthentication
    Specifies whether authentication using rhosts or /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted because it is insecure. RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition to normal rhosts or /etc/hosts.equiv authentication. The default is ``no''. This option applies to protocol version 1 only.

RhostsRSAAuthentication
    Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is ``no''. This option applies to protocol version 1 only.

RSAAuthentication
    Specifies whether pure RSA authentication is allowed. The default is ``yes''. This option applies to protocol version 1 only.

ServerKeyBits
    Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768.

StrictModes
    Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is ``yes''.

Subsystem
    Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command to execute upon subsystem request. The command sftp-server(8) implements the ``sftp'' file transfer subsystem. By default no subsystems are defined. Note that this option applies to protocol version 2 only.

SyslogFacility
    Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

UseLogin
    Specifies whether login(1) is used for interactive login sessions. The default is ``no''. Note that login(1) is never used for remote command execution. Note also that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies.

X11DisplayOffset
    Specifies the first display number available for sshd's X11 forwarding. This prevents sshd from interfering with real X11 servers. The default is 10.

X11Forwarding
    Specifies whether X11 forwarding is permitted. The default is ``no''. Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders. X11 forwarding is automatically disabled if UseLogin is enabled.

XAuthLocation
    Specifies the location of the xauth(1) program. The default is /usr/bin/X11/xauth.
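The keyword table above is long, so here is an added example (not code from NSK-SSH or OpenSSH) that reads a configuration file in the keyword-argument form described at the start of this section and flags the settings the table itself warns about: protocol 1 enabled, PermitRootLogin yes, PermitEmptyPasswords yes, LogLevel DEBUG and StrictModes no. It also computes the MaxStartups random-early-drop probability for the ``start:rate:full'' form. Both configuration texts inside the block are constructed samples, not files shipped with the product; the sftp-server path in them is assumed; the DEFAULTS table copies the defaults listed above.

```python
"""Parse an sshd_config and flag settings this manual calls out as weak.
Added example; not code from NSK-SSH or OpenSSH."""

# Constructed sample (not a real NSK-SSH file): a permissive configuration.
# sshd on the loopback address behind ipssh, as in the ZZKRN setup above.
WEAK_CONFIG = """\
Port 700
ListenAddress 127.0.0.1
protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
LogLevel DEBUG
MaxStartups 10:30:60
# sftp-server path below is assumed for the example
Subsystem sftp /usr/local/ssh/libexec/sftp-server
"""

# Constructed sample: the same file with the flagged lines corrected.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace("protocol 2,1", "Protocol 2")
                   .replace("PermitRootLogin yes", "PermitRootLogin without-password")
                   .replace("PermitEmptyPasswords yes", "PermitEmptyPasswords no")
                   .replace("LogLevel DEBUG", "LogLevel INFO"))

# Defaults exactly as listed in the keyword table above.
DEFAULTS = {
    "protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes",
    "permitemptypasswords": "no", "loglevel": "INFO", "strictmodes": "yes",
    "maxstartups": "10",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> list of arguments in file order.
    Keywords are case-insensitive, arguments case-sensitive; blank lines and
    lines starting with '#' are comments. Keywords that may repeat (Port,
    ListenAddress, HostKey, Subsystem) keep every occurrence."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(keyword, []).append(argument)
    return config


def effective(config, keyword):
    """Value in force for a single-valued keyword: the last occurrence in the
    file, or the documented default when the keyword is absent."""
    values = config.get(keyword)
    return values[-1] if values else DEFAULTS.get(keyword, "")


def audit(config):
    """Return one finding per setting that weakens the server."""
    findings = []
    if "1" in effective(config, "protocol").replace(" ", "").split(","):
        findings.append("Protocol enables SSH-1; use 'Protocol 2'")
    if effective(config, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes lets root log in with a password; "
                        "prefer 'no', 'without-password' or 'forced-commands-only'")
    if effective(config, "permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes admits accounts with an empty password")
    if effective(config, "loglevel").upper() == "DEBUG":
        findings.append("LogLevel DEBUG violates user privacy; use INFO or VERBOSE")
    if effective(config, "strictmodes").lower() == "no":
        findings.append("StrictModes no skips ownership/mode checks on the user's files")
    return findings


def maxstartups_drop_probability(spec, unauthenticated):
    """Probability that sshd refuses a new connection under MaxStartups when
    `unauthenticated` connections are already pending. A plain number is a
    hard limit; 'start:rate:full' is random early drop: rate/100 at start,
    rising linearly to 1.0 at full."""
    fields = [int(f) for f in spec.split(":")]
    if len(fields) == 1:
        return 1.0 if unauthenticated >= fields[0] else 0.0
    start, rate, full = fields
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    return (rate + (100 - rate) * (unauthenticated - start) / (full - start)) / 100.0


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text)))
    for pending in (5, 10, 35, 60):
        print(pending, maxstartups_drop_probability("10:30:60", pending))
```

The parser keeps every occurrence of a keyword because Port and ListenAddress legitimately repeat; for single-valued keywords the last line wins, which is why an audit should read the file as sshd does rather than stop at the first match.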

Time Formats

sshd command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: time[qualifier], where time is a positive integer value and qualifier is one of the following:

    <none>  seconds
    s | S   seconds
    m | M   minutes
    h | H   hours
    d | D   days
    w | W   weeks

Each member of the sequence is added together to calculate the total time value.

Time format examples:

    600     600 seconds (10 minutes)
    10m     10 minutes
    1h30m   1 hour 30 minutes (90 minutes)
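As an added example (not part of NSK-SSH or OpenSSH), the following Python function implements the time[qualifier] grammar above: each member is multiplied by its unit and summed, a bare number is seconds, and anything outside the grammar (an empty value, a sign, an unknown qualifier, trailing junk) is rejected rather than silently truncated, which matters when a value such as LoginGraceTime is being set from a script.

```python
"""Convert sshd time values ('600', '10m', '1h30m') to seconds.
Added example; not code from NSK-SSH or OpenSSH."""
import re

# Seconds per qualifier; the empty qualifier is a bare number of seconds.
_SECONDS_PER = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# One member of the sequence: digits followed by an optional qualifier.
_MEMBER = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_sshd_time(spec):
    """Sum every time[qualifier] member of spec and return total seconds.
    Raises ValueError for anything the grammar does not allow."""
    if not spec:
        raise ValueError("empty time value")
    total, pos = 0, 0
    while pos < len(spec):
        match = _MEMBER.match(spec, pos)
        if match is None:
            raise ValueError(f"bad time value {spec!r} at offset {pos}")
        value, qualifier = match.group(1), match.group(2).lower()
        total += int(value) * _SECONDS_PER[qualifier]
        pos = match.end()
    return total


def is_valid_sshd_time(spec):
    """True if spec parses under the grammar, False otherwise."""
    try:
        parse_sshd_time(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m", "2w", "1h30", "10x"):
        print(example, parse_sshd_time(example) if is_valid_sshd_time(example) else "rejected")
```

Note that "1h30" is accepted as 1 hour plus 30 seconds, since a member without a qualifier is seconds; a script that meant 90 minutes must write "1h30m".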

LOGIN PROCESS

When a user successfully logs in, sshd does the following:

1. If the login is on a tty, and no command has been specified, prints last login time and /etc/motd (unless prevented in the configuration file or by $HOME/.hushlogin; see the FILES section).

2. If the login is on a tty, records login time.

3. Checks /etc/nologin; if it exists, prints contents and quits (unless root).

4. Changes to run with normal user privileges.

5. Sets up basic environment.

6. Reads $HOME/.ssh/environment if it exists.

7. Changes to user's home directory.

8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise runs xauth. The ``rc'' files are given the X11 authentication protocol and cookie in standard input.

9. Runs user's shell or command.

AUTHORIZED_KEYS FILE FORMAT

$HOME/.ssh/authorized_keys is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. AuthorizedKeysFile may be used to specify an alternative file.

Each line of the file contains one key (empty lines and lines starting with a `#' are ignored as comments). Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, comment. Each protocol version 2 public key consists of: options, keytype, base64 encoded key, comment. The options field is optional; its presence is determined by whether the line starts with a number or not (the option field never starts with a number). The bits, exponent, modulus and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key). For protocol version 2 the keytype is ``ssh-dss'' or ``ssh-rsa''.
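The two line formats above are easy to get wrong when authorized_keys entries are generated by script, so here is an added Python parser (not code from NSK-SSH or OpenSSH). It tells a protocol-1 line (starts with the bits number) from a protocol-2 line (starts with a keytype), peels off a quoted options field such as command="..." without splitting on the spaces inside the quotes, checks that a protocol-1 modulus really has the declared number of bits, and checks that a protocol-2 blob begins with the keytype the line declares. The sample file is constructed inside the block with filler values in place of key material, and every helper name is the example's own.

```python
"""Parse authorized_keys lines of both formats and validate them.
Added example; not code from NSK-SSH or OpenSSH. Sample lines are constructed
with filler values, not real keys."""
import base64
import struct

V2_KEYTYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _constructed_blob(keytype, *fields):
    """Base64 blob whose first string is the keytype, which is the layout sshd
    expects; the remaining fields are filler, not key material."""
    parts = (keytype.encode(),) + fields
    return base64.b64encode(b"".join(_ssh_string(f) for f in parts)).decode()


# Constructed sample file: comment, blank line, plain v2 key, v2 key with
# options, and a protocol-1 RSA line (bits exponent modulus comment).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; none of these are real keys",
    "",
    "ssh-rsa " + _constructed_blob("ssh-rsa", b"\x01\x00\x01", b"\x0b") + " alice@example",
    'command="/usr/bin/backup -v",no-pty,from="10.0.0.*" ssh-dss '
    + _constructed_blob("ssh-dss", b"\x01") + " backup@host",
    "1024 35 " + str((1 << 1023) | 1) + " legacy-rsa1",
])


def _split_options(line):
    """Return (options, rest). Options exist only when the line starts with
    neither a digit (v1 line) nor a keytype; the field ends at the first
    whitespace outside double quotes, and a backslash escapes inside quotes."""
    first = line.split(None, 1)[0]
    if line[0].isdigit() or first in V2_KEYTYPES:
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def _option_list(options):
    """Split 'a,b="x,y",c' on the commas that are outside double quotes."""
    items, current, in_quote = [], [], False
    for c in options:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            items.append("".join(current))
            current = []
        else:
            current.append(c)
    if current:
        items.append("".join(current))
    return items


def parse_authorized_keys(text):
    """Return one dict per key line; raise ValueError on a malformed line."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        if not rest:
            raise ValueError(f"line {lineno}: options but no key")
        entry = {"line": lineno, "options": _option_list(options)}
        if rest[0].isdigit():  # protocol 1: bits exponent modulus [comment]
            fields = rest.split(None, 3)
            if len(fields) < 3:
                raise ValueError(f"line {lineno}: truncated RSA1 key")
            bits, modulus = int(fields[0]), int(fields[2])
            if modulus.bit_length() != bits:
                raise ValueError(f"line {lineno}: declared {bits} bits, "
                                 f"modulus has {modulus.bit_length()}")
            entry.update(proto=1, keytype="rsa1", bits=bits, exponent=int(fields[1]),
                         comment=fields[3] if len(fields) > 3 else "")
        else:  # protocol 2: keytype base64 [comment]
            fields = rest.split(None, 2)
            if len(fields) < 2 or fields[0] not in V2_KEYTYPES:
                raise ValueError(f"line {lineno}: not a protocol-2 key line")
            blob = base64.b64decode(fields[1], validate=True)
            if len(blob) < 4:
                raise ValueError(f"line {lineno}: blob too short")
            (length,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + length].decode("ascii", "replace")
            if embedded != fields[0]:
                raise ValueError(f"line {lineno}: keytype {fields[0]} but blob says {embedded}")
            entry.update(proto=2, keytype=fields[0], blob=blob,
                         comment=fields[2] if len(fields) > 2 else "")
        keys.append(entry)
    return keys


def reject_reason(text):
    """None if every line parses, else the message for the first bad line."""
    try:
        parse_authorized_keys(text)
    except ValueError as exc:
        return str(exc)
    return None
```

A mismatch between the declared keytype and the type inside the blob, or a modulus that does not have the declared bit count, is a sign that a line was assembled from the wrong pieces; rejecting the whole file at generation time is safer than letting sshd silently skip the line later.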

Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). You don't want to type them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub file and edit i