You are previewing Secure Shell in the Enterprise.
O'Reilly logo
Secure Shell in the Enterprise

Book Description

The best practices guide to building, scaling and deploying Open SSH for legacy Solaris (2.6, 7, and 8) and Solaris 9 OE systems.

  • Covers the new Solaris Secure Shell for all versions of Solaris.

  • Shows how to secure remote logins, integrate Secure Shell into existing scripts and avoid common problems.

  • Written by Jason Reid, a member of the Solaris System Test group at Sun Microsystems, Inc.

  • Table of Contents

    1. Copyright
    2. Acknowledgements
    3. Figures
    4. Table
    5. Preface
      1. Sun BluePrints Program
      2. Who Should Use This Book
      3. Before You Read This Book
      4. How This Book Is Organized
      5. Using UNIX Commands
      6. Typographic Conventions
      7. Shell Prompts
      8. Accessing Sun Documentation
      9. Sun Welcomes Your Comments
    6. 1. Introducing the Secure Protocols
      1. Security History and Protocols
        1. Secure Protocols
          1. Authentication
          2. Integrity
          3. Confidentiality
        2. Cryptographic Protocols
      2. Security Policy
      3. Tools
        1. Kerberos
        2. IPsec
        3. Virtual Private Networks
        4. Secure Shell
        5. Determining Which Tool to Use
          1. Tool Decision Example A
          2. Tool Decision Example B
      4. Secure Shell Choices
        1. Solaris Secure Shell Software
        2. OpenSSH
        3. Noncommercial Implementations
        4. Commercial Variants
        5. Determining Which Secure Shell Software to Use
          1. Secure Shell Software Decision Example A
          2. Secure Shell Software Decision Example B
      5. Consequences
    7. 2. Building OpenSSH
      1. Components
        1. Before Building OpenSSH
          1. Static Versus Dynamic Libraries
          2. Install Versus Build Location
          3. About $PATH
        2. Checking MD5 Hashes and GNU Privacy Guard Signatures
      2. Component Descriptions
        1. Solaris OE Build Machine
          1. Solaris OE Release
          2. Metaclusters
        2. Gzip
        3. Compilers
        4. Perl
        5. Zlib
          1. To Build Zlib
      3. Entropy Sources
        1. OpenSSH Internal Entropy Collection
        2. Kernel-Level Random Number Generators
        3. ANDIrand
        4. SUNWski
        5. Entropy-Gathering Daemon
        6. Pseudorandom Number Generator Daemon
        7. Recommendations
        8. Building PRNGD Software
          1. To Build PRNGD With the Forte C Compiler
          2. To Build PRNGD With the GNU C Compiler
        9. Manually Installing PRNGD
          1. To Install PRNGD
        10. Running PRNGD
          1. To Start the PRNGD Manually
          2. To Stop the PRNGD Manually
        11. Testing the Entropy Source
          1. Checking /dev/random
          2. Checking PRNGD
      4. TCP Wrappers
        1. Building TCP Wrappers
          1. To Build TCP Wrappers
          2. To Install TCP Wrappers
      5. OpenSSL
        1. To Build and Test OpenSSL
        2. To Install OpenSSL
      6. OpenSSH
        1. Configuring OpenSSH
          1. To Obtain the List of Arguments in the configure Script
          2. To Configure OpenSSH
        2. Building OpenSSH
          1. To Build OpenSSH
    8. 3. Configuring the Secure Shell
      1. Configuration Details
      2. Mechanics of Configuration Files
      3. Recommendations
        1. Server Recommendations
          1. Protocol Support
          2. Network Access
          3. Keep-Alives
          4. Data Compression
          5. Privilege Separation
          6. Login Grace Time
          7. Password and Public Key Authentication
          8. Superuser (root) Logins
          9. Banners, Mail, and Message-of-the-Day
          10. Connection and X11 Forwarding
          11. User Access Control Lists
          12. User File Permissions
          13. UseLogin Keyword
          14. Legacy Support
        2. Client Recommendations
          1. Host Option Assignment
          2. Data Compression
          3. Keep-Alives
          4. Protocol Support
          5. rlogin and rsh
          6. Server Identity
          7. User Identity
    9. 4. Deploying Secure Shell
      1. OpenSSH Deployment
        1. OpenSSH Packaging
          1. To Generate the OBSDssh Package
        2. MD5 Hashes
          1. To Generate the OpenSSH Package MD5 Hash
        3. Solaris Security Toolkit
      2. Solaris Secure Shell Software Deployment
        1. Custom Configuration File Distribution
        2. Solaris Fingerprint Database
    10. 5. Integrating Secure Shell
      1. Secure Shell Scripts
        1. rsh(1) Versus ssh(1)
        2. rcp(1) Versus scp(1)
        3. telnet(1) Versus ssh(1)
        4. Automated Logins
        5. Host Keys
      2. Proxies
      3. Role-Based Access Control
        1. To Use RBAC to Restrict a User to Only Copying Files
      4. Port Forwarding
        1. To Secure WebNFS Mounts With Port Forwarding
      5. Insecure Service Disablement
        1. To Disable Insecure Services
    11. 6. Managing Keys and Identities
      1. Host Keys
      2. User Identities
        1. To Create an Identity
        2. To Register an Identity
        3. To Revoke an Identity
      3. Agents
        1. Common Desktop Environment Support
        2. Removing Agents
        3. Agent Risks
    12. 7. Auditing
      1. Auditing Overview and Basic Procedures
        1. To Configure Auditing to Audit a Systemwide Event
        2. To Configure Auditing to Audit Commands Run by a Particular User
        3. To Enable Auditing
        4. To Audit the System
        5. To Audit a User
        6. To Disable Auditing
      2. OpenSSH
        1. cron(1M)
        2. Patching
      3. Logging
        1. To Enable Secure Shell Logging
    13. 8. Measuring Performance
      1. Bandwidth Performance
        1. Interactive Sessions
        2. File Transfers
      2. Symmetric Cipher Performance
      3. Identity Generation
      4. Performance Problems
        1. Slow Connections
        2. Slow Client Startup
        3. Slow Server Startup
      5. Sizing
    14. 9. Examining Case Studies
      1. A Simple Virtual Private Network
        1. To Set Up the Destination Side
        2. To Set Up the Originating Side
        3. To Initiate the Link
      2. Linking Networks Through a Bastion Host
        1. To Set Up the Destination Side
        2. To Set Up the Originating Side
    15. 10. Resolving Problems and Finding Solutions
      1. Problems
        1. Server Does Not Produce Log File Output
        2. Public Key Authentication Is Not Working
        3. Trusted Host Authentication Is Not Working
        4. X Forwarding Is Not Working
        5. Wildcards and Shell Variables Fail on the scp(1) Command Line
        6. Superuser (root) Is Unable to Log In
        7. Startup Performance Is Slow
        8. Protocol 1 Clients Are Unable to Connect to Solaris Secure Shell Systems
        9. Privilege Separation Does Not Work in the Solaris Secure Shell Software
        10. cron(1M) Is Broken
        11. Message-of-the-Day Is Displayed Twice
      2. Problem Reports
        1. OpenSSH
        2. Solaris Secure Shell Software
      3. Patches
        1. OpenSSH
        2. Solaris Secure Shell Software
      4. Solutions
        1. Debugging a Secure Shell Connection
        2. Understanding Differences in OpenSSH and Solaris Secure Shell Software
        3. Integrating Solaris Secure Shell and SEAM (Kerberos)
        4. Forcing Remote X11 Users to Use Secure Shell Sessions
        5. Determining the Server Version String
        6. Altering the Server Version String
        7. CERT Advisory CA-2002-18
    16. A. Secure Shell Usage
      1. Client Usage
        1. Connecting to a Host
        2. Executing a Command on a Remote Host
        3. Copying a File
        4. Using Identity Keys
          1. Generating an Identity
          2. Registering an Identity
          3. Using the Identity
        5. Using Agents
          1. Setting Up Agents
          2. Loading Agents
          3. Listing Agent Identities
          4. Removing Agent Identities
          5. Stopping the Agent
        6. Forwarding Ports
          1. Setting Up Local Forwarding
          2. Setting Up Remote Forwarding
          3. Enabling X Forwarding
        7. Checking the $DISPLAY Variable
        8. Using Proxies
        9. Locating Client Configuration Files
      2. Server Usage
        1. Starting the Server
        2. Stopping the Server
        3. Locating Server Configuration Files
        4. Generating New Server Host Keys
        5. Supporting TCP Wrappers
    17. B. Server Configuration Options
    18. C. Client Configuration Options
    19. D. Performance Test Methodology
      1. Bandwidth Performance
      2. Identity Generation
      3. Symmetric Cipher Performance
    20. E. Scripts and Configuration Files
      1. init Script
        1. Automatic Installation
        2. Manual Installation
          1. To Manually Install the init Script
        3. Contact
        4. init Script Sample
      2. Code Example for Packaging Script
        1. Usage
        2. Contact
        3. Packaging Script Sample
      3. Code Example for PRNGD Sanity Check
      4. Server Configuration Files
        1. DMZ-Bastion Host Server
        2. Legacy Support
        3. Workstation Server
      5. Client Configurations
        1. Remote Worker Configuration File
        2. Workstation Configuration File
    21. F. Resources
      1. Solaris Secure Shell Software Documentation
      2. OpenSSH Documentation
      3. Software
    22. Bibliography
      1. Sun BluePrints OnLine Articles
      2. External Articles
      3. Books
      4. Bug Reports
      5. FAQs
      6. Man Pages
      7. Presentations
      8. Security Information