
Secure Shell and Security

 
Mike Lappen
Occasional Contributor


1. How can I enable SSH on HP-UX (10.20)
2. How can I find out all possible valid login names on my system (so I can limit who can/cannot log in)?
Unix for Dummies was written for me
John Payne_2
Honored Contributor
Solution

Re: Secure Shell and Security

You have to install secure shell. The commercial version can be found at www.ssh.org. The non-commercial version can be found at one of the HP depots...

If you do a 'more /etc/passwd' you will get a list of all userid's on the system.

Hope it helps.

John
Spoon!!!!
Mark Fenton
Esteemed Contributor

Re: Secure Shell and Security

One way to restrict logins in SSH is to require public key authentication -- thus only those who have an "authorized" public key on the HP-UX box would be able to log in via SSH.

After you've installed ssh/openssh2 (the latter can be found here: http://gatekeep.cs.utah.edu/), read the man page for more details.

Best regards.

Mark
Craig Rants
Honored Contributor

Re: Secure Shell and Security

Michael,
Note that the current version on download from the hp porting site is a vulnerable version. You have to use 3.1 or higher to be free of vulnerabilities.

This means you will need to compile openssl, zlib, and openssh.

I've included my notes as a reference.
Install Perl5 ( only required for initial compile )
gzip -d /tmp/perl-5.6.1-sd-11.00.depot.gz
swinstall -s `hostname`:/tmp/perl-5.6.1-sd-11.00.depot \*

- Compile openssl
cd /tmp
gzip -d < openssl-0.9.6.tar.gz | tar xvf -
cd openssl-0.9.6
export PATH=/opt/perl5/bin:$PATH
./config --openssldir=/usr/local/openssl shared
make
make test
make install
cd ..
sh shlib/hpux11-cc.sh (had to create/modify this script with openssl)
sh shlib/hpux10-cc.sh (had to create/modify this script with ssl)

- Compile zlib
cd /tmp
gzip -d < zlib-1.1.4.tar.gz | tar xvf -
cd zlib-1.1.4
./configure -s --prefix=/usr
make test
make install

- Compile openssh
cd /tmp
gzip -d < openssh-3.1p1.tar.gz | tar xvf -
cd openssh-3.1p1
(11 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc --with-pam \
--with-ssl-dir=/usr/local/openssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
(10 version)
./configure --prefix=/opt/openssh2 --sysconfdir=/opt/openssh2/etc \
--with-ssl-dir=/usr/local/ssl/lib --with-default-path=/bin:/usr/bin:/opt/openssh2/bin
make
make install

- Configure ssh and sshd (Already done in the tar, just for information )
vi /etc/openssh2/etc/sshd_config (verify these settings)
Port 22
HostKey /opt/openssh2/etc/ssh_host_key /etc for 10.20
KeyRegenerationInterval 3600
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
Subsystem sftp /opt/openssh2/libexec/sftp-server

vi /etc/openssh2/etc/ssh_config (verify these settings)
ForwardAgent yes
ForwardX11 yes


C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Justin Willoughby
Regular Advisor

Re: Secure Shell and Security

Craig,

I have the 3.1 version and I got it from an HP depot.

root# swlist | grep -i ssh
openssh 3.1p1 openssh


http://hpux.cs.utah.edu/ is where I go to.

- Justin

Steven Sim Kok Leong
Honored Contributor

Re: Secure Shell and Security

Hi,

There is also the SSH Communications distribution found at:

ftp://ftp.ssh.fi/pub/ssh/ssh-3.1.0.tar.gz

Compilation steps:
# gtar zxvf ssh-3.1.0.tar.gz
# cd ssh-3.1.0
# ./configure
# make
# make install

Remember to update your startup scripts in /sbin/init.d and create the link in /sbin/rc2.d so that your SSHD daemon will automatically run during system reboot or startup.

There are the AllowUsers and DenyUsers directives in /etc/ssh2/sshd2_config for you to restrict who can and cannot log on via secure shell. There are also the AllowHosts and DenyHosts directives to restrict access by IP addresses.

Hope this helps. Regards.

Steven Sim Kok Leong
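
As an added example (not code from any poster in this thread), the script below goes one step past `more /etc/passwd`: it filters a passwd-format file down to the accounts that can actually obtain a shell, flags two cases worth reviewing, and prints an allow list. The sample entries are constructed; treating `*` as the lock marker assumes hashes are stored in /etc/passwd itself, and the output uses OpenSSH's space-separated `AllowUsers` syntax in sshd_config, which may differ from sshd2_config.

```shell
#!/bin/sh
# Audit a passwd(4)-format file: name:password:uid:gid:gecos:home:shell

# Constructed sample data (account names and hashes are made up).
sample_passwd() {
cat <<'EOF'
root:Xk3fJq9aLm2Zs:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
mlappen:aB7dQw1eRt5Yu:101:20:Mike:/home/mlappen:/usr/bin/ksh
oracle:cD8fGh2jKl6Mn:102:20::/home/oracle:/usr/bin/false
backup::103:20::/home/backup:/usr/bin/sh
toor:eF9gHi3kLm7No:0:3::/:/usr/bin/sh
EOF
}

# Accounts that can obtain a shell: skips comments and short lines, entries
# locked with "*", and false/nologin shells. Reads file $1, or stdin for "-".
login_candidates() {
    awk -F: '
        /^#/ || NF < 7            { next }
        $2 == "*"                 { next }
        $7 ~ /\/(false|nologin)$/ { next }
        { print $1 }
    ' "${1:--}"
}

# Accounts to review before SSH is opened up: no password, or a second UID 0.
risky_accounts() {
    awk -F: '
        /^#/ || NF < 7          { next }
        $2 == ""                { print $1 ": empty password field" }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 but not root" }
    ' "${1:--}"
}

# Allow list in OpenSSH sshd_config syntax (assumption: space-separated names).
# usage: allow_users_line FILE|- [name-to-exclude ...]
allow_users_line() {
    file=$1; shift
    login_candidates "$file" | awk -v deny=" $* " '
        index(deny, " " $1 " ") == 0 { list = list " " $1 }
        END { if (list != "") print "AllowUsers" list }'
}

# Demo on the constructed sample.
sample_passwd | risky_accounts
sample_passwd | allow_users_line - backup toor
```

On a real system, pass /etc/passwd as the file argument and review the flagged accounts before copying the generated line into the server configuration.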
Craig Rants
Honored Contributor

Re: Secure Shell and Security

Justin,
You are correct, they do have a depot now (as of March 22). I had done my reinstall due to the vulnerability a week prior and it had not been released yet. I have now been enlightened.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut