1. OpenSSH installation procedure
Let us assume that we have to install OpenSSH on a SUN workstation (Solaris 8, SPARC) that is in production...

1.1. Retrieving the packages

The packages come from the sunfreeware FTP server (ftp://sunfreeware.cartel-securite.net/sunfreeware/sparc/8/). The packages to retrieve are:
· libgcc,
· openssh,
· openssl,
· zlib.
As of 27/04/04 the current versions are libgcc-3.3, openssh-3.8p1, openssl-0.9.7d and zlib-1.2.1. The files travel over plain FTP from a mirror, so compare them against the checksums published for the release before installing them on a production host.

1.2. Retrieving the SUN patch

The SUN patch that OpenSSH needs provides the /dev/random and /dev/urandom devices that Solaris 8 lacks out of the box; OpenSSL, and therefore OpenSSH, uses them to seed its random number generator. The patch number is "112438". To retrieve the latest revision, open the following page and enter the patch number in the "Patch Finder" box: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
The latest revision of the patch is 112438-03.zip.

1.3. Preparing the installation of the packages and the patch
Transfer all the files to the target SUN workstation, into a directory of your choice ("SSH", say). The first step is to decompress them:

```
~/SSH> ls
112438-03.zip                     openssl-0.9.7d-sol8-sparc-local.gz
libgcc-3.3-sol8-sparc-local.gz    zlib-1.2.1-sol8-sparc-local.gz
openssh-3.8p1-sol8-sparc-local.gz
~/SSH> gzip -d *.gz
~/SSH> unzip 112438-03.zip
```
Then install the packages with pkgadd, in the order below (libgcc, zlib, openssl, then openssh), so that each package's dependencies are already on the system when it is added:

```
~/SSH> pkgadd -d libgcc-3.3-sol8-sparc-local
.....
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 1
.....
Processing package instance
.....
Installation of
~/SSH>
```

If the installer asks whether it should create a directory, answer y.

```
~/SSH> pkgadd -d zlib-1.2.1-sol8-sparc-local
.....
~/SSH> pkgadd -d openssl-0.9.7d-sol8-sparc-local
.....
~/SSH> pkgadd -d openssh-3.8p1-sol8-sparc-local
.....
~/SSH>
```
Install the patch with patchadd:

```
~/SSH> patchadd 112438-03
Checking installed patches...
Verifying sufficient filesystem capacity (dry run method)...
Installing patch packages...
Patch number 112438-03 has been successfully installed.
See /var/sadm/patch/112438-03/log for details
Executing postpatch script...
Reboot client to install driver.
....
```

The postpatch script asks for a reboot to load the new driver; the setup_random.sh script used in the next step registers the driver and creates the device nodes without one.
Run setup_random.sh as root, and answer y when it offers to test the new device:

```
# chmod +x ./setup_random.sh
# ./setup_random.sh
Checking for patch 112438... installed.
Removing random device from name_to_major
Adding driver to system
Finished. You now have the following random devices:
lrwxrwxrwx   1 root     other         33 Sep 26 13:08 /dev/random -> ../devices/pseudo/random@0:random
lrwxrwxrwx   1 root     other         34 Sep 26 13:08 /dev/urandom -> ../devices/pseudo/random@0:urandom
crw-r--r--   1 root     sys      266,  0 Sep 26 13:08 /devices/pseudo... /random@0:random
crw-r--r--   1 root     sys      266,  1 Sep 26 13:08 /devices/pseudo... /random@0:urandom
Do you want to test the new device? (y/n) y
Running: dd if=/dev/random of=/tmp/.7003.10738 bs=512 count=1
1+0 records in
1+0 records out
Running: strings /tmp/.7003.10738
You should see a few lines of random garbage:
}LJZ
oK+2;
7rN],R
)k.^/
,(8T
!iXV
NgxLX
qe,g(S
kq
gU(%_
PrA|
*r-$
#
```

If the test prints nothing, or the same bytes every time, the driver is not loaded and OpenSSL will not be able to seed its generator; fix that before going any further.
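The two checks above (patch present, /dev/random producing data) are done by hand and judged by eye. The script below, an added example that is not part of the original procedure, makes them repeatable: it parses `showrev -p` output for the patch revision and replaces the "random garbage" inspection with a count of distinct byte values. It assumes the usual `showrev -p` line format ("Patch: 112438-03 Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...") and, on Solaris 8, that `awk` is nawk or /usr/xpg4/bin/awk, since the old /usr/bin/awk lacks -v.

```shell
#!/bin/sh
# Added example, not from the original page: scriptable pre-flight checks
# for the OpenSSH install. Solaris 8 note: invoke with nawk, not /usr/bin/awk.

# patch_rev_installed FILE PATCHID MINREV
#   FILE holds `showrev -p` output. Succeeds when PATCHID is present at a
#   revision >= MINREV (112438-03 satisfies MINREV 3, 112438-02 does not).
patch_rev_installed() {
    best=$(awk -v id="$2" '
        BEGIN { max = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > max) max = p[2] + 0
        }
        END { print max }' "$1")
    [ "$best" -ge "$3" ]
}

# random_device_ok DEVICE
#   Reads one 512-byte block, as setup_random.sh does, but instead of
#   eyeballing `strings` output it counts distinct byte values. Random data
#   gives roughly 220 distinct values out of 256; a device that returns
#   zeros, a constant pattern or nothing at all fails the 100-value bar.
random_device_ok() {
    n=$(dd if="$1" bs=512 count=1 2>/dev/null | od -An -v -tu1 \
        | tr -s ' \n' '\n' | sed '/^$/d' | sort -n | uniq | wc -l)
    [ "$n" -ge 100 ]
}

# preflight: run the real checks on the Solaris host.
preflight() {
    showrev -p > /tmp/showrev.$$
    if patch_rev_installed /tmp/showrev.$$ 112438 3; then
        echo "patch 112438-03 or later: installed"
    else
        echo "patch 112438-03 or later: MISSING"
    fi
    rm -f /tmp/showrev.$$
    if [ -c /dev/random ] && random_device_ok /dev/random; then
        echo "/dev/random: present and producing random data"
    else
        echo "/dev/random: missing or not random"
    fi
}

# The checks only make sense where showrev exists; elsewhere the functions
# are merely defined so they can be exercised with captured output.
if command -v showrev >/dev/null 2>&1; then
    preflight
fi
```

The patch check deliberately compares revisions numerically rather than looking for the literal string "112438-03", so a later revision of the same patch still passes.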
Make the sshd init script executable and link it into the run levels, so that sshd is started at boot (rc3.d) and stopped at shutdown (rc0.d):

```
~/SSH> chmod +x /etc/init.d/sshd
```

```
# cd /etc/rc3.d/
# ln -s /etc/init.d/sshd S40sshd
# cd /etc/rc0.d/
# ln -s /etc/init.d/sshd K99sshd
#
```

Create the privilege separation account and its chroot directory:

```
# useradd sshd
# mkdir /var/empty
```

Both are needed because UsePrivilegeSeparation is on by default in OpenSSH 3.8: the unprivileged child that handles the network before authentication runs as user sshd, chrooted into /var/empty. The directory must be owned by root and must not be group- or world-writable (sshd refuses to start otherwise, with "must be owned by root and not group or world-writable"), and the sshd account should have /var/empty as its home directory and a non-login shell such as /bin/false.
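The following is an added example, not code from the original procedure, that checks the two prerequisites just described from captured `ls -ld /var/empty` output and the sshd line of /etc/passwd. It follows the layout recommended in OpenSSH's README.privsep (directory /var/empty, account name sshd); the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify the privilege separation
# directory and account created for sshd.

# privsep_dir_ok LSLINE
#   LSLINE is one line of `ls -ld /var/empty` output, e.g. (constructed)
#   "drwxr-xr-x   2 root     sys          512 Apr 27 10:00 /var/empty".
#   Mirrors the check sshd itself makes: a directory, owned by root, with
#   no write bit for group or others.
privsep_dir_ok() {
    set -- $1                    # mode, link count, owner, group, ...
    mode=$1; owner=$3
    case "$mode" in d*) ;; *) return 1 ;; esac
    [ "$owner" = "root" ] || return 1
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# privsep_user_ok PASSWDLINE
#   PASSWDLINE is the sshd entry from /etc/passwd, e.g. (constructed)
#   "sshd:x:101:101:sshd privsep:/var/empty:/bin/false".
#   The account must not be uid 0, must live in the empty chroot directory
#   and must have a shell that cannot be used for an interactive login.
privsep_user_ok() {
    old_ifs=$IFS
    IFS=:
    set -- $1                    # name, passwd, uid, gid, gecos, home, shell
    IFS=$old_ifs
    name=$1; uid=$3; home=$6; shell=$7
    [ "$name" = "sshd" ] || return 1
    [ "$uid" -ne 0 ] || return 1
    [ "$home" = "/var/empty" ] || return 1
    case "$shell" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# On the host itself, run both checks against the live system.
if [ -d /var/empty ] && grep -q '^sshd:' /etc/passwd; then
    privsep_dir_ok "$(ls -ld /var/empty)" && echo "/var/empty: ok" \
        || echo "/var/empty: wrong owner or permissions"
    privsep_user_ok "$(grep '^sshd:' /etc/passwd)" && echo "sshd account: ok" \
        || echo "sshd account: wrong uid, home or shell"
fi
```

Note that `useradd sshd` with no options, as in the procedure above, gives the account whatever default home directory and shell the system uses; the account check above is what tells you whether those defaults are acceptable.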
The sshd_config used (the sunfreeware build reads it from /usr/local/etc, next to the host keys named in it):

```
#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/local/libexec/sftp-server
```

Protocol 2 and PermitRootLogin no are the two settings that matter most here: they rule out the SSH-1 protocol and direct root logins. PasswordAuthentication and X11Forwarding are both left enabled; on a production host, move users to public-key authentication and turn X11Forwarding off unless it is actually needed. Remember that sshd takes the first occurrence of a keyword in the file, so a hardening line appended at the end is ignored if the same keyword already appears above it.
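To check a configuration like the one above rather than reading it by eye, here is an added example (not from the original procedure) that reports the settings a reviewer would flag. It honours sshd's first-occurrence rule and, for keywords that are absent or commented out, assumes the OpenSSH 3.8 defaults listed in the script; the rule list and the threshold of what counts as weak are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: audit an OpenSSH 3.x sshd_config
# for the settings discussed above. Defaults assumed for absent keywords are
# those of OpenSSH 3.8: Protocol 2,1; PermitRootLogin yes;
# PasswordAuthentication yes; PermitEmptyPasswords no; X11Forwarding no;
# UsePrivilegeSeparation yes.

# effective_opt FILE KEYWORD DEFAULT
#   sshd honours the FIRST uncommented occurrence of a keyword (matched
#   case-insensitively); commented lines start with "#" and never match.
effective_opt() {
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
#   Prints one finding per line; no output means every rule is satisfied.
audit_sshd_config() {
    # keyword|3.8 default|required value|why it matters
    rules='Protocol|2,1|2|SSH-1 has known weaknesses; serve protocol 2 only
PermitRootLogin|yes|no|log in as a named user and escalate with su
PermitEmptyPasswords|no|no|accounts without a password must not be reachable
PasswordAuthentication|yes|no|use public keys; passwords can be guessed online
UsePrivilegeSeparation|yes|yes|the unprivileged child contains pre-auth bugs
X11Forwarding|no|no|leave off unless X11 is really needed on this host'
    printf '%s\n' "$rules" | while IFS='|' read -r key def want why; do
        cur=$(effective_opt "$1" "$key" "$def")
        if [ "$cur" != "$want" ]; then
            printf '%s=%s (want %s): %s\n' "$key" "$cur" "$want" "$why"
        fi
    done
}

# Usage on the host: sh <this script> /usr/local/etc/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run against the configuration shown above, it reports exactly two findings, PasswordAuthentication and X11Forwarding; a file with the same two keywords set to no produces none.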
Start the daemon. On first start it generates the host keys; keep a note of the fingerprints so that users can verify them when they connect for the first time:

```
# /etc/init.d/sshd start
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_key.
Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
The key fingerprint is:
e5:16:1a:d6:7e:7f:af:1f:53:87:87:3f:48:32:18:3d root@hpov1wlan
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
0f:b6:3b:33:3c:2c:2f:e5:f5:cf:9a:41:df:29:41:ec root@hpov1wlan
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
9f:1b:e2:65:c8:2d:80:86:9a:92:95:6e:05:f4:24:cd root@hpov1wlan
```

The rsa1 key is only used by protocol 1, which the configuration above disables; the dsa and rsa keys are the ones clients will see.

Check that the daemon is running and listening on port 22:

```
# /etc/init.d/sshd status
Daemon : root  7610     1  0 13:16:09 ?        0:00 /usr/local/sbin/sshd
Port   : *.22                 *.*                0      0 24576      0 LISTEN
Done.
```

Finally, log in from a client over SSH; the SSH_* variables in the session environment confirm that the connection came in through sshd:

```
[~]: setenv | grep SSH
SSH_CLIENT=81.254.0.246 2830 22
SSH_CONNECTION=81.254.0.246 2830 10.163.103.143 22
SSH_TTY=/dev/pts/9
```