--
Eric Gatenby -=- raptor_at_mailhub.com -=- egatenby_at_mailhub.com
http://www.netaxs.com/~raptor/ -=- PGP: Web page or key server
#include <netinet/disclaimer.h> /* Standard Internet disclaimer */
"Windows NT can be administered by an idiot and usually is." --Unknown

[ Part 2.3: "Re: ssh (secure shell) runtime problem and evaluation q" ]

Date: Wed, 24 Jun 1998 09:03:42 -0700
From: Mike Iglesias <iglesias_at_draco.acs.uci.edu>
To: Richard Bemrose <rb237_at_phy.cam.ac.uk>
Subject: Re: ssh (secure shell) runtime problem and evaluation questions

The problem you are having is that the LD_LIBRARY_PATH env variable is
ignored for setuid programs, as per the following from the "loader" man
page:

    Security also dictates that the loader will not allow library
    replacement for setuid and setgid programs unless the user is root.

You should use the rpath option to the command that links ssh if you want
to have shared libraries in some place other than /usr/shlib. The copy I
built didn't create shared libraries so it's not a problem for me.

> I would also appreciate any views on ssh:
> 1) installation schemes
>    (should I disable rshd/rlogind from /etc/inetd.conf)

That depends on how "paranoid" you want to be. I think we're eventually
going to go that way here, but it will be a slow process.

> 2) is ssh transparent to users?
>    (do all users have to generate a ssh key?)

Pretty much, but there are some messages that may confuse your users,
especially if the host key changes for some reason.

> 3) does ssh involve large administration overheads
>    (for example running 'make-ssh-known-hosts')

Only if you want to keep the /etc/ssh_known_hosts file up to date.

> 4) general gotchas or 'must read'

Read the FAQs at http://www.cs.hut.fi/ssh/.

I'm using ssh with X via ssh-agent under DU 4.0B with no problems. If you
have any other questions, ask.
Mike

[ Part 2.4: "RE: ssh (secure shell) runtime problem and evaluation q" ]

Date: Wed, 24 Jun 1998 14:01:00 -0500
From: Graham Allan <ALLAN_at_mnhep1.hep.umn.edu>
To: rb237_at_phy.cam.ac.uk
Subject: RE: ssh (secure shell) runtime problem and evaluation questions

> Following on from Graham Allan <ALLAN_at_mnhep1.hep.umn.edu> and Eric Gatenby
> <raptor_at_mailhub.com> questions regarding ssh (Secure Shell), I wish to
> evaluate replacing rsh with ssh version 1.2.25.
>
> I configured ssh thus:
> -- cut --
> ./configure --prefix=/usr/apps --with-x --with-rsh=/usr/bin/rsh
> -- cut --
>
> However, ssh reports a runtime error when running ssh:
> -- cut --
> $ ssh somehost
> 2>2387:/usr/apps/bin/ssh: /sbin/loader: Fatal Error: cannot map libz.so.1.0.4
> $ cd /usr/apps/lib
> $ ls -la libz*
> -rw-r--r--   1 root     system    208772 Jun 24 11:33 libz.a
> lrwxrwxrwx   1 root     system        13 Jun  6 15:02 libz.so_at_ -> libz.so.1.0.4
> -rw-r--r--   1 root     system     98304 Jan 26 18:10 libz.so.1.0.4
> $ setenv | grep LD_LIBRARY_PATH
> LD_LIBRARY_PATH=/usr/apps/lib

You could possibly try unsetting LD_LIBRARY_PATH? I once also had set it
globally (for the freeware CD), and found many things failed to run
properly. Tom Blinn (saviour of osf-managers) suggested unsetting it,
which fixed everything.

Just thinking aloud now - what did you use to compile ssh? I think I used
gcc 2.8.1, and in previous versions also used DEC C (unix 4.0D version)
with success. My switches were:

./configure --with-x --with-rsh=/usr/bin/rsh \
    --program-transform-name='s/^s/^r/' --prefix=/usr/local \
    --with-libwrap=/src/tcp_wrappers_7.6/libwrap.a

> I would also appreciate any views on ssh:
> 1) installation schemes
>    (should I disable rshd/rlogind from /etc/inetd.conf)

Since my recent posting, I have left rsh/rlogin in /usr/bin, and set
aliases for rsh->ssh and rlogin->slogin in /etc/csh.cshrc. This setup
seems to work ok. I have not disabled rshd/rlogind, as I suspect some
users would dislike that...
though all such connections are logged using the tcp wrappers package.

> 2) is ssh transparent to users?
>    (do all users have to generate a ssh key?)

Within your local systems, for which you've set up ssh host keys, it's
pretty much a transparent drop-in replacement for rsh.

> 3) does ssh involve large administration overheads
>    (for example running 'make-ssh-known-hosts')

Not much. Any work involved is offset by the convenience of secure remote
root access to systems you administer, I think. It's also useful for
enabling things like rdist-based automatic software updates (again, you
can do a lot more once given secure remote root access).

Graham
Physics, University of Minnesota

[ Part 2.5: "RE: ssh (secure shell) runtime problem and evaluation q" ]

Date: Wed, 24 Jun 1998 16:28:38 -0500
From: Graham Allan <ALLAN_at_mnhep1.hep.umn.edu>
To: rb237_at_phy.cam.ac.uk
Subject: RE: ssh (secure shell) runtime problem and evaluation questions

> I've also just found out that 'loader' ignores LD_LIBRARY_PATH on programs
> which have the setuid or setgid bits set. (See 'man loader' for
> details). I actually resolved the problem by adding two more switches to
> the configuration script.
>
> # ./configure --prefix=/usr/apps --x-includes=/usr/apps/include \
>     --x-libraries=/usr/apps/lib ... etc etc

Gosh, makes me worried that I didn't have all these switches added and yet
it still works. Of course, that may well be because I installed in
/usr/local, and most values probably default to that.

> If you don't mind, I still can not get my head around the scheme of making
> ssh a transparent replacement. At the admin level I started the 'sshd' on
> two workstations: alpha5 and alpha6. As a user, I generated my key on
> alpha6. I then tried to ssh to alpha5 but to no avail.

It does take a while to get it all working. I think it may be best to set
it up first without interfering with rsh/rlogin, then only replace those
later when it's working smoothly.
I think I did: installed ssh into /usr/local (nfs-shared by all my
systems), then start sshd up at boot time with /sbin/init.d/sshd :-

#!/sbin/sh
PATH=/sbin:/usr/sbin:/usr/bin
export PATH

case "$1" in
'start')
        /usr/local/sbin/sshd
        echo "Started sshd"
        ;;
'stop')
        echo "sshd not stopped [lazy]"
        ;;
*)
        echo "usage: $0 {start|stop}"
        ;;
esac

which is linked to by /sbin/rc3.d/S99sshd. No changes to inetd.conf
required.

Then I list all my local hosts in /etc/shosts.equiv, and in /.shosts (for
remote root access).

When sshd is running on all the systems (by executing
"/sbin/init.d/sshd start"), the ssh_known_hosts file can be generated;
I used:

make-ssh-known-hosts hep.umn.edu > /etc/ssh_known_hosts

you can either run this on each machine, or run it once and distribute the
resulting file around somehow.

I think this should be all that's needed to get ssh running, but if it
doesn't, let me know, and I will try to remember what I missed out :-)

I am still trying to do the rsh/rlogin replacement. So far I have added:

alias rsh ssh
alias rlogin slogin

to /etc/csh.cshrc, and also in this file modified PATH so that
/usr/local/bin is ahead of /bin and /usr/bin. This should mean that the
rsh/rlogin links installed by ssh should be found ahead of the real
rsh/rlogin. I haven't done anything for non-csh/tcsh users yet, so people
with sh/ksh/bash are probably still getting the standard rsh/rlogin.

Hope this helps,

Graham

[ Part 2.6: "Re: ssh (secure shell) runtime problem and evaluation q" ]

Date: Wed, 24 Jun 1998 14:55:52 -0700
From: Mike Iglesias <iglesias_at_draco.acs.uci.edu>
To: Richard Bemrose <rb237_at_phy.cam.ac.uk>
Subject: Re: ssh (secure shell) runtime problem and evaluation questions

> > That depends on how "paranoid" you want to be. I think we're eventually
> > going to go that way here, but it will be a slow process.
>
> True. But I go by the rule "Sure, I'm paranoid. But am I paranoid enough?"
> We have had a wave of Denial of Service hacks on various Linux boxes.
> I don't really want to hide behind a firewall but I'm thinking of installing
> various tcp-wrappers, tripwires and ssh etc.

tcp wrappers are good - we run them here on lots of systems.

> If you don't mind, I still can not get my head around the scheme of making
> ssh a transparent replacement. At the admin level I started the 'sshd' on
> two workstations: alpha5 and alpha6. As a user, I generated my key on
> alpha6. I then tried to ssh to alpha5 but to no avail.

Did you run ssh-keygen first, to generate a key for the host? What do you
mean by "to no avail"? Having your own key will only work (as far as I can
tell) if you either have the same home directory on both systems or your
key in the ~/.ssh/authorized_keys file on both systems. Using "ssh -v"
will help you figure out why you are having problems.

Also, I think you'll need to have a copy of the public key for the system
(/etc/ssh_host_key.pub) in the /etc/ssh_known_hosts file (alpha5 needs
alpha6's public key in that file, and vice versa). You can use the
make-ssh-known-hosts script to do this, assuming you have perl around.
This script depends on you being able to ssh to a host without having to
type a password.

> I don't fancy forcing all our users to generate personal keys. I assume
> there's a way for root to add hosts to a list like the /etc/hosts.equiv
> file. What I really want is a pain-free rsh/rcp/rlogin replacement.

It's /etc/ssh_known_hosts.

> I looked at the FAQ and 'Getting started' (although admittedly quickly)
> but I didn't find them very helpful. I would be extremely grateful if you
> could list the installation steps (what daemons to run, modification to
> /etc/inetd.conf, preference of aliasing ssh or direct replacement, how to
> add hosts, crontab hosts updates).

Here's what we do to set up a host to use ssh:

There's a hostinstall target in the Makefile that will set up a host to
run sshd.
You may want to run that once on one system so you have a copy of the
/etc/sshd_config and /etc/ssh_config files to copy to other hosts. It
will also do the ssh-keygen below.

ssh-keygen -b 1024 -f /etc/ssh_host_key -N ''   (generates the host key)
sshd                                             (start the daemon)

The /etc/ssh_known_hosts file has entries that look like this (it's one
long line in case some mailer breaks it up):

draco,draco.acs,draco.acs.uci.edu,ntp2,ntp2.acs,ntp2.acs.uci.edu,128.200.34.12 <contents of /etc/ssh_host_key.pub go here>

So it's basically the hostname and all aliases (the ip address is
considered an alias) and the host's public key. You can make it up
yourself if you can't run the make-ssh-known-hosts script for some
reason.

We have a directory with ssh in the user's path before /usr/bin, so we
could install a link there to force people to use ssh unless the target
host does not accept ssh connections, and then let it fall back to rsh or
rlogin. We will probably do this at some time, along with forcing everyone
to use ssh-agent when running X so that their X sessions are encrypted as
well.

Mike

[ Part 2.7: "Re: ssh (secure shell) runtime problem and evaluation q" ]

Date: Thu, 25 Jun 98 09:42:55 +1000
From: Ian Mortimer <ian_at_physics.uq.edu.au>
To: Richard Bemrose <rb237_at_phy.cam.ac.uk>
Subject: Re: ssh (secure shell) runtime problem and evaluation questions

Hi Rich

> I configured ssh thus:
> -- cut --
> ./configure --prefix=/usr/apps --with-x --with-rsh=/usr/bin/rsh
> -- cut --
> I seem to have stumbled on the very first hurdle before I can evaluate
> ssh! Can anybody suggest why ssh fails to find libz? Do I require further
> switches while configuring ssh?
The only thing I can offer on this is the config command I used to
compile 1.2.22 which was:

CC=cc CFLAGS='-std1 -O2' ./configure --with-libwrap=./ --with-none

The --with-libwrap is so that we can use tcp_wrappers to block ssh logins
from all but selected sites and the --with-none is so that we can make
fast file transfers when we don't need encryption.

> I would also appreciate any views on ssh:
> 1) installation schemes
>    (should I disable rshd/rlogind from /etc/inetd.conf)

I've disabled them here and haven't encountered any problems yet. The
only problem that might occur is if I need to do a remote restore of a
file system after booting from the OS CD. Since there's no ssh on the CD
I'd have to enable rsh on the remote host in that case. No great problem
but an extra step to remember.

> 2) is ssh transparent to users?
>    (do all users have to generate a ssh key?)

Yes they do but it's not difficult and best of all they can do it
themselves without annoying the sys admin.

> 3) does ssh involve large administration overheads
>    (for example running 'make-ssh-known-hosts')

Nope. If a host is not in the known-hosts file ssh just asks if you want
to add it and then proceeds if you answer yes. This only happens the
first time you try to access a new host so it's no problem unless you're
adding a lot of new hosts.

Ian

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Ian Mortimer                                                 _/
_/ ian_at_physics.uq.edu.au     ,-_|\    Department of Physics    _/
_/ Tel: +61 7 3365 3436       /  *\    University of Queensland  _/
_/ Fax: +61 7 3365 1242       \_,-._/  St. Lucia, Brisbane       _/
_/                                v    Queensland, Australia 4072 _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Disclaimer: Speaking only for myself.
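An added example, not code from any of the postings above: a small parser for the /etc/ssh_known_hosts layout Mike describes in Part 2.6 (host name, every alias and the IP address, comma-separated, followed by the host's public key), with a lookup by host name or IP and a check for the case Part 2.3 warns confuses users, one name listed under two different host keys. The sample file is constructed; the host aliases and IP come from the posting, the key fields assume the SSH1 "bits exponent modulus comment" layout, and the moduli are placeholders, not real keys.

```python
# Constructed sample in the /etc/ssh_known_hosts layout from Part 2.6.
# Key fields assume the SSH1 public-key layout (bits exponent modulus comment);
# the moduli are small placeholders, not real 1024-bit keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample; aliases and IP from the posting, keys are placeholders
draco,draco.acs,draco.acs.uci.edu,ntp2,ntp2.acs,ntp2.acs.uci.edu,128.200.34.12 1024 35 2675221 root@draco
alpha5,alpha5.phy.cam.ac.uk 1024 35 8911517 root@alpha5
alpha6,alpha6.phy.cam.ac.uk 1024 35 9240443 root@alpha6
alpha5.phy.cam.ac.uk 1024 35 5599171 root@alpha5-stale
"""


def parse_known_hosts(text):
    """Return [(aliases, (bits, exponent, modulus)), ...]; blank and '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need 'hosts bits exponent modulus [comment]'")
        # Host names are case-insensitive; the IP address is just another alias.
        aliases = [a.lower() for a in fields[0].split(",") if a]
        try:
            key = (int(fields[1]), int(fields[2]), int(fields[3]))
        except ValueError:
            raise ValueError(f"line {lineno}: bits/exponent/modulus must be integers") from None
        entries.append((aliases, key))
    return entries


def lookup_host(entries, name):
    """Key of the first entry naming `name` (host, alias or IP), or None if the host is unknown."""
    name = name.lower()
    for aliases, key in entries:
        if name in aliases:
            return key
    return None


def conflicting_hosts(entries):
    """Names that appear with more than one distinct modulus, i.e. a changed or stale host key."""
    seen = {}
    for aliases, key in entries:
        for alias in aliases:
            seen.setdefault(alias, set()).add(key[2])
    return {alias: moduli for alias, moduli in seen.items() if len(moduli) > 1}


if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("draco by IP:", lookup_host(entries, "128.200.34.12"))
    print("conflicting entries:", conflicting_hosts(entries))
```

Running conflicting_hosts over the real file after each make-ssh-known-hosts run is a cheap way to spot the "host key changed" prompt before users hit it.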
------------------------------- end -------------------------------

Regards,
Rich

/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/  _  \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\
/_/ Richard A Bemrose           /_\  Polymers and Colloids Group  \_\
/_/ email: rb237_at_phy.cam.ac.uk /_\  Cavendish Laboratory         \_\
/_/ Tel: +44 (0)1223 337 267    /_\  University of Cambridge      \_\
/_/ Fax: +44 (0)1223 337 000    /_\  Madingley Road               \_\
/_/ (space for rent)           /   \ Cambridge, CB3 0HE, UK        \_\
/_/_/_/_/_/_/ http://www.poco.phy.cam.ac.uk/~rb237 \_\_\_\_\_\_\
"Life is everything and nothing all at once" -- Billy Corgan, Smashing Pumpkins

Received on Fri Jun 26 1998 - 00:21:40 NZST