
Query on HP Secure SSH

 
Vic006
Frequent Advisor

Query on HP Secure SSH

We are upgrading from version A.04.70.009. When I installed the 5.20.004, the log contained the following messages.

: A new version of "/opt/ssh/etc/ssh_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/ssh_config".

Do I need to move the new config files to /opt/ssh/etc and apply the configuration changes that were previously done? Once I do this, will it allow me to use the new chroot functionality described in section 1.9 part F (configuring SFTP) of the /opt/ssh/README.hp file? Once sshd_config is changed so the line Subsystem sftp /opt/ssh/libexec/sftp-server is replaced by Subsystem sftp internal-sftp and ChrootDirectory /opt/anonftp, can users that do not have /opt/anonftp as their home directory still use sftp and scp to the server?

Here is the full log:

* Installing bundle "T1471AA,r=A.05.20.004" .
* Installing fileset "Secure_Shell.SECURE_SHELL,r=A.05.20.004"
(1 of 1).
NOTE: A new version of "/etc/rc.config.d/sshd" has been installed on
the system.
NOTE: A new version of "/opt/ssh/etc/ssh_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/ssh_config".
The existing version of "/opt/ssh/etc/ssh_config" is not being
overwritten since it appears that it has been modified by the
administrator since it was delivered.
NOTE: A new version of "/opt/ssh/etc/sshd_config" has been placed on
the system. The new version is located at
"/opt/ssh/newconfig/opt/ssh/etc/sshd_config".
The existing version of "/opt/ssh/etc/sshd_config" is not
being overwritten since it appears that it has been modified
by the administrator since it was delivered.
NOTE: A new version of "/opt/ssh/etc/moduli" has been installed on
the system.
* Running install clean command /usr/lbin/sw/install_clean.
NOTE: tlinstall is searching filesystem - please be patient
NOTE: Successfully completed

* Beginning the Configure Execution Phase.

* Summary of Execution Phase:
* 1 of 1 filesets had no Errors or Warnings.
* The Execution Phase succeeded.

Steven E. Protter
Exalted Contributor

Re: Query on HP Secure SSH

Shalom,

If you did customization, you may need to make those changes again.

Not sure, but that is my interpretation of the message.

Though Secure Shell install is pretty smart, and I've never had to make customization more than once.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Vic006
Frequent Advisor

Re: Query on HP Secure SSH

Will it allow me to use the new chroot functionality?

Once sshd_config is changed so the line Subsystem sftp /opt/ssh/libexec/sftp-server is replaced by Subsystem sftp internal-sftp and ChrootDirectory /opt/anonftp, can users that do not have /opt/anonftp as their home directory still use sftp and scp to the server?

Please advise....
Steven E. Protter
Exalted Contributor

Re: Query on HP Secure SSH

Secure Shell ships with a chroot script.

I find it to be a big hassle to configure, but it can be made to work.

HP-UX Secure shell and chroot environments.
http://docs.hp.com/en/T1471-90026/ch01s14.html

SEP
Roopesh Francis_1
Trusted Contributor

Re: Query on HP Secure SSH

You can make configuration changes to your newly installed configuration file and add it to the PATH variable. It should work in most cases. If it does not work, then you need to move these new configuration files to the old location.
Thanks
SANTOSH S. MHASKAR
Trusted Contributor

Re: Query on HP Secure SSH

Hi,

As far as config files are concerned, you can use the command line option -f while starting sshd. Also, if it is starting automatically, you can pass the parameter "-f " to the SSHD_ARGS variable in file /etc/rc.config.d/sshd.

The default location is /opt/ssh/etc/sshd_config

Regards

-Santosh
Vic006
Frequent Advisor

Re: Query on HP Secure SSH

Well, I still get a precise answer for this..

1) When I installed the new version of Secure SSH it put the new versions of the ssh_config and sshd_config into the directory /opt/ssh/newconfig/opt/ssh/etc/ instead of into /opt/ssh/etc. Am I supposed to apply the changes made previously to these files and leave them in /opt/ssh/newconfig/opt/ssh/etc, or do I need to copy them to /opt/ssh/etc before I restart sshd? The logfiles produced from the install of the software do not specify.

2) Do not want to use /opt/ssh/utils/ssh_chroot_setup.sh to create a chrooted environment. It is too messy and is an administration nightmare as it copies in a bunch of system files that need to be updated into the environment. Was hoping to use the new functionality specified in section 1.9 part F (configuring SFTP) of the /opt/ssh/README.hp file to jail the user. Need to know whether implementing this only allows the chrooted users to use sftp.
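
Whether a ChrootDirectory line jails every account or only some depends on where it sits in sshd_config. The following added example (not from the thread or from HP's documentation) reports that scope; it assumes HP-UX Secure Shell follows stock OpenSSH parsing of Match blocks, and the function names, sample configs and the "sftponly" group are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where ChrootDirectory takes effect in an sshd_config.
# Assumes stock OpenSSH parsing: a directive before the first Match line is
# global; one after a Match line applies only to connections that match.
# usage: chroot_scope [FILE]   (reads stdin when FILE is omitted)
chroot_scope() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); gsub(/[ \t]+/, " ") }
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" {
            criteria = substr($0, length($1) + 2)   # text after "Match "
            next
        }
        tolower($1) == "chrootdirectory" {
            if (criteria == "") print "global " $2
            else                print "match(" criteria ") " $2
        }
    ' ${1:+"$1"}
}

# Constructed sample: the two lines asked about in the thread, set globally.
sample_global() {
    printf '%s\n' 'Subsystem sftp internal-sftp' 'ChrootDirectory /opt/anonftp'
}

# Constructed sample: the same jail limited to a hypothetical group.
sample_scoped() {
    cat <<'EOF'
Subsystem sftp internal-sftp
#ChrootDirectory none
Match Group sftponly
    ChrootDirectory /opt/anonftp
    ForceCommand internal-sftp
EOF
}

sample_global | chroot_scope    # global /opt/anonftp
sample_scoped | chroot_scope    # match(Group sftponly) /opt/anonftp
```

Under that assumption, a "global" result means every login is confined to the directory regardless of home directory, while a "match(...)" result confines only the accounts the criteria select.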

Doug O'Leary
Honored Contributor
Solution

Re: Query on HP Secure SSH

Hey;

1. If you want to use the new configuration files, then you should move them into /opt/ssh/etc and update them for your environment. As previous posters have pointed out, you don't absolutely have to do this, but if you don't, you'll also be editing init scripts to tell sshd where to find the configuration file.

2. Don't know the answer to this one; you'll have to experiment. I do know that locking users down to scp/sftp only in ssh tends to be a mite difficult. I know of a way using forced commands and ssh/public key authentication, but it tends to be a bit kludgey. Even then, I'm not sure of sftp. You can either google search or post another question if your experiments don't show you a valid method.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
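
Updating the delivered files "for your environment", as point 1 of the answer above puts it, starts with knowing which directives were customised. This added example (not from the thread or from HP's tooling) lists the active directives in the current config that the newly delivered copy lacks; the function names and sample file contents are constructed, not the real HP-UX defaults.

```shell
#!/bin/sh
# Added example: list directives in the administrator-modified config that the
# newly delivered copy lacks, so they can be re-applied after the copy.
# usage: customised_directives CURRENT_CONFIG NEW_CONFIG
customised_directives() {
    awk -v newfile="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); gsub(/[ \t]+/, " ") }
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {   # keywords are case-insensitive, values are not
            key = tolower($1) substr($0, length($1) + 1)
        }
        FILENAME == newfile { delivered[key] = 1; next }
        !(key in delivered) { print }
    ' "$2" "$1"
}

# Constructed sample files (not the real HP-UX defaults).
demo() {
    dir="${TMPDIR:-/tmp}/sshd_merge.$$"
    ( umask 077 && mkdir "$dir" ) || return 1
    cat > "$dir/new" <<'EOF'
# delivered by the new release
Port 22
#PermitRootLogin yes
Subsystem sftp /opt/ssh/libexec/sftp-server
EOF
    cat > "$dir/current" <<'EOF'
port   22
PermitRootLogin no
Subsystem sftp /opt/ssh/libexec/sftp-server
    AllowUsers vic
EOF
    customised_directives "$dir/current" "$dir/new"
    rm -rf "$dir"
}

demo    # prints the two customised lines: PermitRootLogin no, AllowUsers vic
```

On the system in the thread the arguments would be /opt/ssh/etc/sshd_config and /opt/ssh/newconfig/opt/ssh/etc/sshd_config; the comparison is line by line and does not track which Match block a directive belongs to.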