topic Re: Querry on HP Secure SSH in Operating System - HP-UX

Querry on HP Secure SSH

Vic006 — Tue, 07 Jul 2009 13:18:01 GMT

We are upgrading from version A.04.70.009. When I installed the 5.20.004, the log contained the following messages.

: A new version of "/opt/ssh/etc/ssh_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/ssh_config".

Do I need to move the new config files to /opt/ssh/etc and apply the configuration changes that were previously done? Once I do this will it allow me to use the new chroot functionality described in section 1.9 part F(configuring SFTP) of the /opt/ssh/README.hp file. Once the line sshd_config is change so the line Subsystem sftp /opt/ssh/libexec/sftp-server is replaced by Subsystem sftp internal-sfp and ChrootDirectory /opt/anonftp, can users that do not have /opt/anonftp as their home directory still use sftp and scp to the server?

Here is the Full log

* Installing bundle "T1471AA,r=A.05.20.004" .
* Installing fileset "Secure_Shell.SECURE_SHELL,r=A.05.20.004"
(1 of 1).
NOTE: A new version of "/etc/rc.config.d/sshd" has been installed on
the system.
NOTE: A new version of "/opt/ssh/etc/ssh_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/ssh_config".
The existing version of "/opt/ssh/etc/ssh_config" is not being
overwritten since it appears that it has been modified by the
administrator since it was delivered.
NOTE: A new version of "/opt/ssh/etc/sshd_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/sshd_config".
The existing version of "/opt/ssh/etc/sshd_config" is not
being overwritten since it appears that it has been modified
by the administrator since it was delivered.
NOTE: A new version of "/opt/ssh/etc/moduli" has been installed on
the system.
* Running install clean command /usr/lbin/sw/install_clean.
NOTE: tlinstall is searching filesystem - please be patient
NOTE: Successfully completed

* Beginning the Configure Execution Phase.

* Summary of Execution Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Execution Phase succeeded.

Re: Querry on HP Secure SSH

Steven E. Protter — Tue, 07 Jul 2009 13:20:31 GMT

Shalom,

If you did customization, you may need to make those changes again.

Not sure, but that is my interpretation of the message.

Though Secure Shell install is pretty smart, and I've never had to make customization more than once.

SEP

Re: Querry on HP Secure SSH

Vic006 — Tue, 07 Jul 2009 14:17:45 GMT

will it allow me to use the new chroot functionality?

Once the line sshd_config is change so the line Subsystem sftp /opt/ssh/libexec/sftp-server is replaced by Subsystem sftp internal-sfp and ChrootDirectory /opt/anonftp, can users that do not have /opt/anonftp as their home directory still use sftp and scp to the server?

Please advice....

Re: Querry on HP Secure SSH

Steven E. Protter — Tue, 07 Jul 2009 14:22:38 GMT

Secure Shell ships with a chroot script.

I find it to be a big hassle to configure, but it can be made to work.

HP-UX Secure shell and chroot environments.
http://docs.hp.com/en/T1471-90026/ch01s14.html

SEP

Re: Querry on HP Secure SSH

Roopesh Francis_1 — Wed, 08 Jul 2009 02:19:56 GMT

You can do configuration changes on your newly installed configuration file and add it to PATH variable. It should work most of the cases. If it not worked then you need move these new configuration files to old location.
Thanks

Re: Querry on HP Secure SSH

SANTOSH S. MHASKAR — Wed, 08 Jul 2009 05:05:58 GMT

Hi,

As far as config files are concerned u can use
command line option -f while
starting sshd. Also if it is starting automatically
u can pass parameter "-f " to

SSHD_ARGS variable in file /etc/rc.config.d/sshd.

The default location is /opt/ssh/etc/sshd_config

Regards

-Santosh

Re: Querry on HP Secure SSH

Vic006 — Wed, 08 Jul 2009 12:53:02 GMT

Well i still get a precise answer for this..

1) When I installed the new version of secure SSH it put the new versions of the ssh_config and sshd_config into the directory /opt/ssh/newconfig/opt/ssh/etc/ instead of into /opt/ssh/etc. Am I suppose to apply the changes made previously to these files and leave them in /opt/ssh/newconfig/opt/ssh/etc or do I need to copy them to /opt/ssh/etc before I restart sshd. The logfiles produced from the install of the software does not specify.

2) Do not want to run the use /opt/ssh/utils/ssh_chroot_setup.sh to create a chrooted environment. It is too messy and is an adminstration nightmare as it copies in a bunch of system files that need to be updated into the environment. Was hoping to use the new functionality specified in section 1.9 part F(configuring SFTP) of the /opt/ssh/README.hp file to jail the user. Need to know whether implementing this only allows the chrooted users to use sftp.

Re: Querry on HP Secure SSH

Doug O'Leary — Wed, 08 Jul 2009 13:22:03 GMT

Hey;

1. If you want to use the new configuration files, then you should move them into /opt/ssh/etc and update them for your environment. As previous posters have pointed out, you don't absolutely have to do this, but if you don't, you'll also be editing init scripts to tell sshd where to find the configuration file.

2. Don't know the answer to this one; you'll have to experiment. I do know that locking users down to scp/sftp only in ssh tends to be a mite difficult. I know of a way using forced commands and ssh/public key authentication but tends to be a bit kludgey. Even then, I'm not sure of sftp. You can either google search or post another question if your experiments don't show you a valid method.

Doug O'Leary