Installing OpenSSH – less restrictive than ssh

 Security, Shells,, ssh  Add comments
Dec 051999
 

Installing OpenSSH – less restrictive than ssh

OpenSSH is now part of the base system of FreeBSD. Don’t bother with this article unless you really want to install the port. In which case, you’ll want to add the following line to /etc/rc.conf

sshd_program="/usr/local/sbin/sshd"
This article talks about how I installed OpenSSH.  SSH is a secure shell.

The home page for OpenSSH is http://www.OpenSSH.com/.

OpenSSH is an implementation of the ssh protocol with a less restrictive license.   Read the full details at http://www.OpenSSH.com/features.html but in short, OpenSSH "can be used for any and all purposes, and that explicitly includes commercial use".  So, if you want secure communcations, I recommend OpenSSH.

OpenSSH uses the SSH protocol.  SSH is more secure than telnet, which uses clear text (even for your password!).

To see more about ssh, please read http://securityportal.com/direct.cgi?/research/ssh-part1.html.

Why OpenSSH?

The main reason is the license.  I wanted the freedom to use SSH for commercial purposes.  I had previously installed ssh as my secure shell.  So I removed ssh and installed.

The removal

To remove ssh, I did the following: 
cd /usr/ports/security/ssh
make deinstall

The install

Remember, I have the entire ports tree installed.  So it was easy:
cd /usr/ports/security/openssh
make
make install

Running OpenSSH

This was very hard!
# ssh ducky
The authenticity of host 'ducky.yourdomain.org' can't be established.
Key fingerprint is 1024 be:2f:f5:17:b5:aa:c8:73:7d:18:10:d0:14:2e:3d:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ducky.yourdomain.org,10.0.0.1' to the 
                                                     list of known hosts.
root@ducky.yourdomain.org's password: 
Last login: Sat Dec  4 13:45:19 1999 from synergy.yourdomain.org
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
      The Regents of the University of California.   All rights reserved.

FreeBSD 3.1-STABLE (IPFILTER3) #1: Tue Nov 16 00:49:44 NZDT 1999

Welcome to FreeBSD!

If the doc distribution has been loaded on this machine, the FreeBSD
Handbook will be in file:/usr/share/doc/handbook and the FAQ in
file:/usr/share/doc/FAQ 

Type /stand/sysinstall to re-enter the installation and 
                                                   configuration utility.

[root@ducky:~] #

OK.  That works for outgoing connections.  Now what about incoming connections?

# ssh synergy
Secure connection to synergy refused; reverting to insecure method.
Using rsh.  WARNING: Connection will not be encrypted.
synergy.yourdomain.org: Connection refused

Well, that’s probably because sshd is not running on synergy.  So let’s check and see if it is running:

#  ps -auwx | grep sshd
root   20717  0.0  5.7   948  492  p0  S+   12:50PM   0:00.10 grep sshd

No, it’s not running. So let’s start sshd.

[root@synergy:/usr/ports/security/openssh] # cd /usr/local/etc/rc.d
[root@synergy:/usr/local/etc/rc.d] # ls
00ipf.sh                innd.sh                 proftpd.sh.sample
apache.sh               proftpd.sh              sshd.sh

Above you can see the scripts in the local startup directory.   So let’s use the one for sshd.

[root@synergy:/usr/local/etc/rc.d] # ./sshd.sh

We check again to see if sshd is now running..

[root@synergy:/usr/local/etc/rc.d] #  ps -auwx | grep sshd
root 20724 88.4 12.2 1624 1060 ?? Rs 12:51PM 0:08.08 /usr/local/sbin/sshd
root 20728  0.0  5.7  948  492 p0 S+ 12:51PM 0:00.07 grep sshd

Trying connection again:

# ssh synergy -l dan
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'synergy' added to the list of known hosts.
dan@synergy's password: 
Last login: Sun Dec  5 11:44:48 1999 from ducky
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
       The Regents of the University of California.  All rights reserved.
FreeBSD 3.3-RELEASE (SYNERGY) #0: Sat Dec  4 17:43:41 NZDT 1999

OK!  There we go.  Up and running just fine.

Configuration

I’ve not done any configuration of OpenSSH, but I did notice the following two files during the install:
/usr/local/etc/ssh_config
/usr/local/etc/sshd_config

My uneducated guess is these are for the ssh and sshd programs respectively.

Klaus A. Brunner wrote to tell me about the blowfish option on OpenSSH.  Klause wrote:

I change the preferred ssh cipher to blowfish.  By default, ssh uses 3DES, which is MUCH slower and probably not safer anyway.  If you’re doing lots of large scp transfers over moderately fast networks, you’ll definitely notice a difference.

/usr/local/etc/ssh_config:

...
Cipher blowfish
...

ssh clients

I’ve seen several Windows clients which do ssh.

  2 Responses to “Installing OpenSSH – less restrictive than ssh”

  1. dex says:
    October 10, 2002 at 4:57 pm

    I have sshd running on an Intel Box loaded with RED HAT 7.3
    When I try to ssh to this box from somw other box on the same network, I keep getting connection refused; reverting to insecure method. Please advise on how to eliminate this error.

    regards
    Dex

    • Dan Langille says:
      October 10, 2002 at 5:29 pm

      1 – This is really a FreeBSD resource
      2 – This area is for comments / addenda.
      3 – Questions should be asked in the <A HREF="/phorum/">Support Forum</A>