topic Re: Secure Shell and Security in Operating System - HP-UX

Secure Shell and Security

Mike Lappen — Tue, 23 Apr 2002 18:23:02 GMT

1. How can I enable SSH on HP-UX (10.20)
2. How can I find out all possible valid login names on my system (so I can limit who can/cannot log in)?

Re: Secure Shell and Security

John Payne_2 — Tue, 23 Apr 2002 18:25:34 GMT

You have to install secure shell. The commerical version can be found at www.ssh.org The non-commerical version can be found at one of the HP depots...

If you do a 'more /etc/passwd' you will get a list of all userid's on the system.

Hope it helps.

John

Re: Secure Shell and Security

Mark Fenton — Tue, 23 Apr 2002 18:31:04 GMT

One way to restrict logins in SSH is to require public key authentication -- thus only those who have an "authorized" public key on the HP-UX box would be able to log in via SSH.

After you've installed ssh/openssh2, (the latter can be found here http://gatekeep.cs.utah.edu/)

read the man for more details.

Best regards.

Mark

Re: Secure Shell and Security

Craig Rants — Tue, 23 Apr 2002 18:47:35 GMT

Michael,
Note that the current version on download from the hp porting site is a vulnerable version. You have to use 3.1 or higher to be free of vulnerabitlies.

This means you will need to compile, openssl, zlib, and openssh.

I've included my notes as a reference.
Install Perl5 ( only required for initial compile )
gzip -d /tmp/perl-5.6.1-sd-11.00.depot.gz
swinstall -s `hostname`:/tmp/perl-5.6.1-sd-11.00.depot \*

- Compile openssl
cd /tmp
gzip -d < openssl-0.9.6.tar.gz | tar xvf -
cd openssl-0.9.6
export PATH=/opt/perl5/bin:$PATH
./config --openssldir=/usr/local/openssl shared
make
make test
make install
cd ..
sh shlib/hpux11-cc.sh (had to create/modify this script with openssl)
sh shlib/hpux10-cc.sh (had to create/modify this script with ssl)

- Compile zlib
cd /tmp
gzip -d < zlib-1.1.4.tar.gz | tar xvf -
cd zlib-1.1.4
./configure -s --prefix=/usr
make test
make install

- Compile openssh
cd /tmp
gzip -d < openssh-3.1p1.tar.gz | tar xvf -
cd openssh-3.1p1
(11 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc --with-pam
--with-ssl-dir=/usr/local/openssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
(10 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc
--with-ssl-dir=/usr/local/ssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
make
make install

- Configure ssh and sshd (Already done in the tar, just for information )
vi /etc/openssh2/etc/sshd_config (verify these settings)
Port 22
HostKey /opt/openssh2/etc/ssh_host_key /etc for 10.20
KeyRegenerationInterval 3600
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
Subsystem sftp /opt/openssh2/libexec/sftp-server

vi /etc/openssh2/etc/ssh_config (verify these settings)
ForwardAgent yes
ForwardX11 yes

C

Re: Secure Shell and Security

Justin Willoughby — Wed, 24 Apr 2002 12:30:06 GMT

Craig,

I have the 3.1 version and I got it from an HP depot.

root# swlist | grep -i ssh
openssh 3.1p1 openssh

http://hpux.cs.utah.edu/ is where I go to.

- Justin

Re: Secure Shell and Security

Steven Sim Kok Leong — Wed, 24 Apr 2002 12:42:30 GMT

Hi,

There is also the SSH Communications distribution found at:

ftp://ftp.ssh.fi/pub/ssh/ssh-3.1.0.tar.gz

Compilation steps:
# gtar zxvf ssh-3.1.0.tar.gz
# cd ssh-3.1.0
# ./configure
# make
# make install

Remember to update your startup scripts in /sbin/init.d and create the link in /sbin/rc2.d so that your SSHD daemon will automatically run during system reboot or startup.

There are the AllowUsers and DenyUsers directives in /etc/ssh2/sshd2_config for you to restrict who can and cannot logon via secure shell. There is also the AllowHosts and DenyHosts directives to restrict access by IP addresses.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Secure Shell and Security

Craig Rants — Wed, 24 Apr 2002 13:13:46 GMT

Justin,
You are correct, they do have depot now (as of March 22). I had done my reinstall due to the vulnerability a week prior and it had not been released yet. I have now been enlightened.

C