Secure Tunnelling With SSH
Use SSH to secure your Internet traffic through encrypted port forwarding.

| Kicking The Tyres |

If you're planning to use SSH, the first thing to do is make sure that it's available on both the client (usually your local system) and the server (the remote system).

The easiest way to check this is to telnet to port 22 of both hosts, which is the port the SSH daemon traditionally runs on. If SSH services are available, you'll be rewarded with an identification string containing the version number, like this:

    [me@olympus] $ telnet localhost 22
    Connected to olympus.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.5p1

Nothing? Well, you could politely ask your ISP/Web hosting service/friendly neighbourhood geek to install it for you - or, if you have super-user access to the system, and are comfortable with installing new software on your system, you could download and install it yourself.

This article uses OpenSSH, an open-source alternative to commercial SSH that does away with many of the licensing restrictions of SSH1 and SSH2. Drop by the official Web site at http://www.openssh.org/ and get yourself the latest stable release of the software (this tutorial uses OpenSSH 3.5). Note that you will also need a copy of the zlib library, available from http://www.gzip.org/zlib/ (this tutorial uses zlib 1.1.4) and the OpenSSL library, available from http://www.openssl.org/ (this tutorial uses OpenSSL 0.9.7).

Once you've downloaded the source code archive to your Linux box (mine is named "olympus"), log in as "root".

    [me@olympus] $ su -
    Password: ****

You'll first need to compile and install zlib. Extract the source to a temporary directory.

    [root@olympus] $ cd /tmp
    [root@olympus] $ tar -xzvf zlib-1.1.4.tar.gz

Next, configure the package using the provided "configure" script,

    [root@olympus] $ cd /tmp/zlib-1.1.4
    [root@olympus] $ ./configure

and compile and install it.

    [root@olympus] $ make
    [root@olympus] $ make install

Unless you specified a different path to the "configure" script, zlib will have been installed to the directory "/usr/local/lib".

Next up, OpenSSL. Extract the source to a temporary directory,

    [root@olympus] $ cd /tmp
    [root@olympus] $ tar -xzvf openssl-0.9.7a.tar.gz

configure it,

    [root@olympus] $ cd /tmp/openssl-0.9.7a
    [root@olympus] $ ./config

and compile and install it.

    [root@olympus] $ make
    [root@olympus] $ make test
    [root@olympus] $ make install

The compilation process here is fairly involved and may take a few minutes - get yourself a cup of coffee while you're waiting for it to happen. By the time you get back, OpenSSL should be installed to the directory "/usr/local/ssl".

Finally, it's time to install the OpenSSH package itself. Again, extract the source to a temporary directory,

    [root@olympus] $ cd /tmp
    [root@olympus] $ tar -xzvf openssh-3.5p1.tar.gz

and configure the software via the provided "configure" script. Remember to tell "configure" where it can find the libraries you just installed as well.

    [root@olympus] $ cd /tmp/openssh-3.5p1
    [root@olympus] $ ./configure --with-ssl-dir=/usr/local/ssl/ --with-zlib=/usr/local/lib/ --prefix=/usr/local/ssh

Once the software has been configured, you can compile and install it.

    [root@olympus] $ make
    [root@olympus] $ make install

In this case, since I specified an installation path to the "configure" script, OpenSSH will have been installed to the "/usr/local/ssh" directory.

During the install part of the cycle, you'll notice a set of host keys being generated - this is the private/public key pair for your system, and the two keys are usually stored in the files "/usr/local/ssh/etc/ssh_host_key" and "/usr/local/ssh/etc/ssh_host_key.pub" respectively.

Once the software has been installed, you need to start up the "sshd" daemon.

    [root@olympus] $ /usr/local/ssh/sbin/sshd
    Privilege separation user "sshd" does not exist

Oops! Something obviously went wrong somewhere...

Actually, the reason for the error above is fairly simple. As the OpenSSH manual puts it, "privilege separation is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process [...] the purpose is to prevent privilege escalation by containing corruption to an unprivileged process."

You can correct this error by creating the empty directory the unprivileged process is confined to, together with a user and group for that process to run as, by executing the following commands:

    [root@olympus] $ mkdir /var/empty
    [root@olympus] $ chown root:sys /var/empty
    [root@olympus] $ chmod 755 /var/empty
    [root@olympus] $ groupadd sshd
    [root@olympus] $ useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

Now, try restarting the daemon,

    [root@olympus] $ /usr/local/ssh/sbin/sshd

and all should be well.
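The error above is a reminder that sshd refuses to start until the privilege-separation pieces are in place. The following script is an added example (not from this article and not part of OpenSSH) that checks what the commands above set up: that /var/empty exists, is a directory owned by root and is not group- or world-writable, and that the "sshd" account exists, is not uid 0, has /var/empty as its home directory and has a non-login shell. The decision logic takes plain records so it can be exercised on constructed data; the read_* helpers fill those records from the running system. DirInfo, UserInfo, check_privsep and the sample states are this example's own names.

```python
"""Verify the privilege-separation prerequisites that sshd complained about.

Added example for this tutorial; not the article's own code and not part of
OpenSSH. The check mirrors what sshd itself insists on: an empty chroot
directory owned by root that nobody else can write to, and an unprivileged
account to run the network-facing child as.
"""
import os
import pwd
import stat
from dataclasses import dataclass

PRIVSEP_DIR = "/var/empty"
PRIVSEP_USER = "sshd"
# Shells that deny interactive login; /bin/false is what the tutorial uses.
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


@dataclass
class DirInfo:
    """What we need to know about the chroot directory."""
    exists: bool
    is_dir: bool = False
    uid: int = 0
    mode: int = 0  # permission bits only, e.g. 0o755


@dataclass
class UserInfo:
    """What we need to know about the privsep account."""
    exists: bool
    uid: int = 0
    home: str = ""
    shell: str = ""


def check_privsep(dir_info, user_info):
    """Return a list of problems; an empty list means sshd's requirements are met."""
    problems = []
    if not dir_info.exists:
        problems.append(f"{PRIVSEP_DIR} does not exist")
    else:
        if not dir_info.is_dir:
            problems.append(f"{PRIVSEP_DIR} is not a directory")
        if dir_info.uid != 0:
            problems.append(f"{PRIVSEP_DIR} is not owned by root")
        # sshd refuses a chroot directory that group or world can write to
        if dir_info.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{PRIVSEP_DIR} is group- or world-writable")
    if not user_info.exists:
        problems.append(f"user {PRIVSEP_USER} does not exist")
    else:
        if user_info.uid == 0:
            problems.append(f"user {PRIVSEP_USER} must not be uid 0")
        if user_info.home != PRIVSEP_DIR:
            problems.append(f"user {PRIVSEP_USER} home is {user_info.home!r}, expected {PRIVSEP_DIR}")
        if user_info.shell not in NOLOGIN_SHELLS:
            problems.append(f"user {PRIVSEP_USER} has a login shell {user_info.shell!r}")
    return problems


def read_dir_info(path=PRIVSEP_DIR):
    """Fill a DirInfo from the live filesystem."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return DirInfo(exists=False)
    return DirInfo(True, stat.S_ISDIR(st.st_mode), st.st_uid, stat.S_IMODE(st.st_mode))


def read_user_info(name=PRIVSEP_USER):
    """Fill a UserInfo from the password database."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return UserInfo(exists=False)
    return UserInfo(True, pw.pw_uid, pw.pw_dir, pw.pw_shell)


# Constructed sample states (uid 74 is arbitrary) so the logic can be run
# without root and without a real sshd on the box.
GOOD_DIR = DirInfo(True, True, 0, 0o755)
GOOD_USER = UserInfo(True, 74, "/var/empty", "/bin/false")

if __name__ == "__main__":
    found = check_privsep(read_dir_info(), read_user_info())
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("privilege separation prerequisites look fine")
```

Run it as root on the server after the useradd step; an empty report means sshd will get past the "Privilege separation user" check.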

You can verify that the daemon is, in fact, alive via a telnet to port 22:

    [me@olympus] $ telnet localhost 22
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.5p1
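Both telnet checks in this article (the one under "Kicking The Tyres" and the one just above) rely on reading the identification string the server sends. As an added example, not part of the original article or of OpenSSH, here is a small Python checker that fetches that string the same way and parses its "SSH-protoversion-softwareversion" format. Besides confirming that an SSH daemon answered at all, it reads the protocol version: "2.0" means protocol 2 only, whereas the "1.99" that OpenSSH 3.5 announces above means the server will also fall back to the legacy protocol 1 for old clients, which is worth knowing when you audit a host. fetch_banner, parse_banner and assess_banner are this example's own names, and the sample banners are constructed.

```python
"""Parse and classify the SSH identification string a server sends on port 22.

Added example for this tutorial; not the article's own code and not part of
OpenSSH. The banner format is "SSH-<protoversion>-<softwareversion>" with an
optional space-separated comment, e.g. "SSH-1.99-OpenSSH_3.5p1".
"""
import re
import socket
import sys

# Constructed sample banners for offline use. The first is the one the
# tutorial's telnet sessions show; the last is what a non-SSH service might say.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1",
    "SSH-2.0-OpenSSH_3.5p1",
    "SSH-1.5-OpenSSH_3.5p1",
    "220 olympus ESMTP",
]

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line):
    """Return (protoversion, softwareversion, comments), or None if this is not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def assess_banner(line):
    """Classify the banner from an auditor's point of view."""
    parsed = parse_banner(line)
    if parsed is None:
        return "not-ssh"
    proto, _, _ = parsed
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        # 1.99 is the compatibility version: protocol 2, but protocol 1 still accepted
        return "ssh2-with-ssh1-fallback"
    return "ssh1-only"


def fetch_banner(host, port=22, timeout=5.0):
    """Connect like the telnet check above and return the first SSH-line the server sends.

    Servers may send other text lines before the version string, so skip
    until one starting with "SSH-" arrives; return None if none does.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace")
        for line in f:
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    return None


if __name__ == "__main__":
    # With a host argument, probe it; otherwise show the constructed samples.
    lines = [fetch_banner(sys.argv[1]) or ""] if len(sys.argv) > 1 else SAMPLE_BANNERS
    for banner in lines:
        print(f"{banner!r:32} -> {assess_banner(banner)}")
```

Run it as "python3 sshbanner.py olympus" (hypothetical file name) to probe a live host, or with no argument to see the classification of the constructed samples.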

Remember that you need an OpenSSH daemon at both ends of the connection; in the absence of this, SSH will revert back to using insecure rsh mechanisms to perform a remote login.

Next, I'll be showing you how to generate your own public/private key pair, which you'll be using to authenticate your remote logins.


Copyright © 1998-2018 Melonfire. All rights reserved