Installing OpenSSH – less restrictive than ssh

OpenSSH is now part of the base system of FreeBSD. Don’t bother with this article unless
you really want to install the port, in which case you’ll want to add the following line
to /etc/rc.conf:


sshd_program="/usr/local/sbin/sshd"

This article talks about how I installed OpenSSH.  SSH is a secure shell.

The home page for OpenSSH is http://www.OpenSSH.com/.

OpenSSH is an implementation of the ssh protocol with a less restrictive license.
Read the full details at http://www.OpenSSH.com/features.html
but in short, OpenSSH "can be used for any and all purposes, and that explicitly
includes commercial use".  So, if you want secure communications, I recommend
OpenSSH.

OpenSSH uses the SSH protocol.  SSH is more secure than telnet, which uses clear
text (even for your password!).

To see more about ssh, please read http://securityportal.com/direct.cgi?/research/ssh-part1.html.

Why OpenSSH?

The main reason is the license.  I wanted the freedom to use SSH for commercial
purposes.  I had previously installed ssh as my
secure shell.  So I removed ssh and installed.

The removal

To remove ssh, I did the following:

cd /usr/ports/security/ssh
make deinstall

The install

Remember, I have the entire ports tree installed.  So
it was easy:

cd /usr/ports/security/openssh
make
make install

Running OpenSSH

This was very hard!

# ssh ducky
The authenticity of host 'ducky.yourdomain.org' can't be established.
Key fingerprint is 1024 be:2f:f5:17:b5:aa:c8:73:7d:18:10:d0:14:2e:3d:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ducky.yourdomain.org,10.0.0.1' to the 
                                                     list of known hosts.
root@ducky.yourdomain.org's password: 
Last login: Sat Dec  4 13:45:19 1999 from synergy.yourdomain.org
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
      The Regents of the University of California.   All rights reserved.

FreeBSD 3.1-STABLE (IPFILTER3) #1: Tue Nov 16 00:49:44 NZDT 1999

Welcome to FreeBSD!

If the doc distribution has been loaded on this machine, the FreeBSD
Handbook will be in file:/usr/share/doc/handbook and the FAQ in
file:/usr/share/doc/FAQ 

Type /stand/sysinstall to re-enter the installation and 
                                                   configuration utility.

[root@ducky:~] #

OK.  That works for outgoing connections.  Now what about incoming
connections?

# ssh synergy
Secure connection to synergy refused; reverting to insecure method.
Using rsh.  WARNING: Connection will not be encrypted.
synergy.yourdomain.org: Connection refused

Well, that’s probably because sshd is not running on synergy.  So let’s
check and see if it is running:

#  ps -auwx | grep sshd
root   20717  0.0  5.7   948  492  p0  S+   12:50PM   0:00.10 grep sshd

No, it’s not running. So let’s start sshd.

[root@synergy:/usr/ports/security/openssh] # cd /usr/local/etc/rc.d
[root@synergy:/usr/local/etc/rc.d] # ls
00ipf.sh                innd.sh                 proftpd.sh.sample
apache.sh               proftpd.sh              sshd.sh

Above you can see the scripts in the local startup directory.
So let’s use the one for sshd.

[root@synergy:/usr/local/etc/rc.d] # ./sshd.sh

We check again to see if sshd is now running.

[root@synergy:/usr/local/etc/rc.d] #  ps -auwx | grep sshd
root 20724 88.4 12.2 1624 1060 ?? Rs 12:51PM 0:08.08 /usr/local/sbin/sshd
root 20728  0.0  5.7  948  492 p0 S+ 12:51PM 0:00.07 grep sshd

Trying connection again:

# ssh synergy -l dan
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'synergy' added to the list of known hosts.
dan@synergy's password: 
Last login: Sun Dec  5 11:44:48 1999 from ducky
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
       The Regents of the University of California.  All rights reserved.
FreeBSD 3.3-RELEASE (SYNERGY) #0: Sat Dec  4 17:43:41 NZDT 1999

OK!  There we go.  Up and running just fine.

Configuration

I’ve not done any configuration of OpenSSH, but I did notice the following two files
during the install:

/usr/local/etc/ssh_config
/usr/local/etc/sshd_config

My uneducated guess is these are for the ssh and sshd programs
respectively.

Klaus A. Brunner wrote to tell me about the blowfish option on OpenSSH.  Klaus
wrote:

I change the preferred ssh cipher to blowfish.  By default, ssh uses 3DES, which
is MUCH slower and probably not safer anyway.  If you’re doing lots of large scp
transfers over moderately fast networks, you’ll definitely notice a difference.

/usr/local/etc/ssh_config:

...
Cipher blowfish
...
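
An added example, not from the original article or from the OpenSSH project: a shell function that scans a client configuration file for the two legacy behaviours that appear on this page, the fallback to unencrypted rsh and the protocol-1 `Cipher` setting, plus legacy entries in a `Ciphers` list. The sample configuration is constructed, and the set of cipher names treated as legacy (blowfish, 3des, arcfour, cast128) is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the article: flag legacy transport settings in an
# OpenSSH client configuration file. Exit status 1 means findings.
audit_ssh_config() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    {
        sub(/#.*/, "")                        # drop comments
        sub(/^[ \t]+/, "")                    # drop indentation
        # ssh_config accepts "Keyword value" and "Keyword=value"
        if ($0 ~ /^[A-Za-z0-9]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ")
        if (NF < 2) next
        key = tolower($1); val = tolower($2)  # keywords are case-insensitive
        if (key == "cipher")
            report("protocol 1 keyword Cipher (" val ")")
        if ((key == "fallbacktorsh" || key == "usersh") && val == "yes")
            report($1 " yes permits an unencrypted rsh session")
        if (key == "ciphers" && val !~ /^-/) {   # "-list" removes ciphers
            sub(/^[+^]/, "", val)                # "+list" and "^list" add them
            n = split(val, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /^(blowfish|3des|arcfour|cast128)/)
                    report("legacy cipher " c[i])
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample configuration, written to a temporary file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's configuration
Host *
    FallBackToRsh yes
    Cipher blowfish
    Ciphers aes256-ctr,3des-cbc
Host hardened
    FallBackToRsh no
    Ciphers = -3des-cbc
EOF
audit_ssh_config "$sample" || echo "findings reported above"
rm -f "$sample"
```

Current OpenSSH releases no longer implement protocol 1 or Blowfish, so on a modern system any lines this reports are leftovers to remove rather than tuning options.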

ssh clients

I’ve seen several Windows clients which do ssh.

2 thoughts on “Installing OpenSSH – less restrictive than ssh”

  1. I have sshd running on an Intel Box loaded with RED HAT 7.3
    When I try to ssh to this box from some other box on the same network, I keep getting connection refused; reverting to insecure method. Please advise on how to eliminate this error.

    regards
    Dex

    1. 1 – This is really a FreeBSD resource
      2 – This area is for comments / addenda.
      3 – Questions should be asked in the Support Forum
