topic Re: OpenSSH in Operating System - HP-UX

OpenSSH

Jon Talbot — Mon, 16 Jun 2003 12:04:54 GMT

I administer a HP-UX 11.00 machine and have been asked by a user for OpenSSH to be installed. This will enable a 3rd party to log in & configure an application. I have not used this before and am a bit worried about the security implications. Can anyone offer any advice please.

Thanks, Gary.

Re: OpenSSH

Jarle Bjorgeengen — Mon, 16 Jun 2003 12:07:17 GMT

Hi,

receive for free from
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

Rgds Jarle

Re: OpenSSH

Bill Douglass — Mon, 16 Jun 2003 12:18:10 GMT

As delivered, HP's OpenSSH is very secure. The default config only accepts Protocol 2 connections, as there are some concerns about Protocol 1 being vunerable to attack.

Also, ssh in general is much safer than telnet or rlogin connections. All communications, including passwords, are encrypted between the two hosts.

One thing you can do is change the default config file (/opt/ssh/etc/sshd_config) to remove root login capability:

PermitRootLogin no

ANother is to modify the /opt/ssh/etc/ssh_prng_cmds file to include only valid hp-ux commands. This file defines what commands to run to generate entropy, and having invalid system commands and result in a poorer source of random numbers, and slower connect times. I've included my ssh_prng_cmds file as an example; hopefully others will do the same.

Re: OpenSSH

Christian Gebhardt — Mon, 16 Jun 2003 12:25:05 GMT

Using ssh is always more secure then using no ssh.

The advantage of using ssh with third party application support

- you can use a passphrase to connect and must not change your password of your application-user
- lan traffic is encrypted

It does not protect against errors of the support.

Chris

Re: OpenSSH

Jarle Bjorgeengen — Mon, 16 Jun 2003 12:52:37 GMT

Hi again,

using ssh is safe as long as the password and keys is handled properly. (I.e. only users with the appropriate clearance have keys/passwords to the respective access level. Use ssh-agent for automatic password handling.

And of course forcing enforcing good passwords, deleting inactive accounts, locking the rack, the room, and so on) But that not ssh's responsibility though...

Also subscribe to security bulletins, to get alerts about ssh security bugs, as soon as they are discovered.

If you are really paranoid, you can even implement NIDS (Network Intrusion Detection systems SNORT/IDS 9000) , or HIDS (host based intrusion detection systems (IDS 9000/tripwire))

Rgds Jarle

Re: OpenSSH

John Bolene — Mon, 16 Jun 2003 12:56:32 GMT

just be sure and disable telnet and ftp

there is a secure ftp client also

I am sure that you have the remote commands already disabled such as rcp, rsh, rlogin, etc

Re: OpenSSH

Chris Vail — Mon, 16 Jun 2003 12:57:04 GMT

Installing & using SSH is easy and straightforward. It raises the security level of your systems fairly high. The only caveat is that on 11.0 (and earlier) systems, the initial handshake can be lengthy. But once established, its just as fast as ftp and remsh. On 11i and later versions, the handshaking is much faster.
I've attached my usual document on how to install and use ssh/scp. Its a little confusing at first, but like most things sysadminish, its really just a matter of getting used to it.

Chris

Re: OpenSSH

Andrew Cowan — Tue, 17 Jun 2003 04:02:46 GMT

You should remember that SSH only protects your data whilst "in flight". It does not protect it whilst at rest, therefore it is still vital that you rigorously enforce file access permissions.

A common mistake is to use a pc client such as Exceed that stores passwords, and automates logins.

I hope this helps.

Re: OpenSSH

Jon Talbot — Tue, 17 Jun 2003 10:50:54 GMT

Thanks guys,

Gary.