Re: OpenSSH

 
SOLVED
Go to solution
Jon Talbot
Occasional Advisor

OpenSSH

I administer an HP-UX 11.00 machine and have been asked by a user for OpenSSH to be installed. This will enable a 3rd party to log in & configure an application. I have not used this before and am a bit worried about the security implications. Can anyone offer any advice please?

Thanks, Gary.
Jarle Bjorgeengen
Trusted Contributor

Re: OpenSSH

Bill Douglass
Esteemed Contributor
Solution

Re: OpenSSH

As delivered, HP's OpenSSH is very secure. The default config only accepts Protocol 2 connections, as there are some concerns about Protocol 1 being vulnerable to attack.

Also, ssh in general is much safer than telnet or rlogin connections. All communications, including passwords, are encrypted between the two hosts.

One thing you can do is change the default config file (/opt/ssh/etc/sshd_config) to remove root login capability:

PermitRootLogin no

Another is to modify the /opt/ssh/etc/ssh_prng_cmds file to include only valid HP-UX commands. This file defines what commands to run to generate entropy, and having invalid system commands can result in a poorer source of random numbers, and slower connect times. I've included my ssh_prng_cmds file as an example; hopefully others will do the same.
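A small audit of the two sshd_config settings discussed above, added here as an example and not part of Bill's post. It shows a caveat worth knowing when you edit the file: sshd uses the first value it finds for a keyword, so a hardening line appended below a permissive one has no effect. The file path and contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# Protocol and PermitRootLogin settings. sshd takes the FIRST value it
# reads for each keyword, so the check reports that first value.

# Print the effective value of a keyword: first non-comment match,
# keyword compared case-insensitively as sshd does.
effective_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if both settings are acceptable, 1 otherwise; print findings.
audit_sshd_config() {
    cfg="$1"; rc=0
    proto=$(effective_value "$cfg" Protocol)
    root=$(effective_value "$cfg" PermitRootLogin)
    case "$proto" in
        2)  ;;
        "") echo "Protocol: unset (older builds default to 2,1)"; rc=1 ;;
        *)  echo "Protocol: $proto (protocol 1 still allowed)"; rc=1 ;;
    esac
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin: unset (OpenSSH of that era defaulted to yes)"; rc=1 ;;
        *)  echo "PermitRootLogin: $root (first value wins; later 'no' lines are ignored)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a hardening line appended after a permissive one.
tmp=$(mktemp)
printf 'Protocol 2\nPermitRootLogin yes\n# added later:\nPermitRootLogin no\n' > "$tmp"
audit_sshd_config "$tmp" || echo "config needs attention"
rm -f "$tmp"
```

Run it against /opt/ssh/etc/sshd_config instead of the sample file to check a real install; a clean run prints nothing and returns 0.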
Christian Gebhardt
Honored Contributor

Re: OpenSSH

Using ssh is always more secure than using no ssh.

The advantages of using ssh with third party application support:

- you can use a passphrase to connect and must not change your password of your application-user
- lan traffic is encrypted

It does not protect against errors of the support.

Chris
Jarle Bjorgeengen
Trusted Contributor

Re: OpenSSH

Hi again,

Using ssh is safe as long as the passwords and keys are handled properly (i.e. only users with the appropriate clearance have keys/passwords to the respective access level; use ssh-agent for automatic password handling).

And of course enforcing good passwords, deleting inactive accounts, locking the rack, the room, and so on. But that is not ssh's responsibility though...

Also subscribe to security bulletins, to get alerts about ssh security bugs, as soon as they are discovered.

If you are really paranoid, you can even implement NIDS (network intrusion detection systems: SNORT/IDS 9000), or HIDS (host based intrusion detection systems: IDS 9000/tripwire).

Rgds Jarle

John Bolene
Honored Contributor

Re: OpenSSH

Just be sure to disable telnet and ftp.

There is a secure ftp client also.

I am sure that you have the remote commands already disabled, such as rcp, rsh, rlogin, etc.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Chris Vail
Honored Contributor

Re: OpenSSH

Installing & using SSH is easy and straightforward. It raises the security level of your systems fairly high. The only caveat is that on 11.0 (and earlier) systems, the initial handshake can be lengthy. But once established, it's just as fast as ftp and remsh. On 11i and later versions, the handshaking is much faster.

I've attached my usual document on how to install and use ssh/scp. It's a little confusing at first, but like most things sysadminish, it's really just a matter of getting used to it.

Chris
Andrew Cowan
Honored Contributor

Re: OpenSSH

You should remember that SSH only protects your data whilst "in flight". It does not protect it whilst at rest, therefore it is still vital that you rigorously enforce file access permissions.

A common mistake is to use a pc client such as Exceed that stores passwords, and automates logins.

I hope this helps.

Jon Talbot
Occasional Advisor

Re: OpenSSH

Thanks guys,

Gary.