Slackware does the bare minimum configuration of the sshd server. The whole '/etc/ssh/sshd_config' file contains only the following 2 lines once all the comments are removed:
    Protocol 2
    Subsystem sftp /usr/libexec/sftp-server
To ensure maximum security while leaving enough freedom for yourself, add the following lines to the bottom of the '/etc/ssh/sshd_config' file:
    StrictModes yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    KeepAlive yes

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Don't read ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    #RhostsAuthentication
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no

    # To disable tunneled clear text passwords
    PasswordAuthentication no
    PermitEmptyPasswords no
The above leaves only the 'Public Key Authentication' open. You may authenticate to the server only with your private key.
Note: drop your public key into authorized_keys on the server and try to log in by doing "ssh -i key.file user@your.hostname.here". Once you have this working you can disable the other authentication methods.
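One thing worth checking after appending the block above: sshd uses the first value it reads for each keyword, so an appended "PasswordAuthentication no" does nothing if an uncommented "PasswordAuthentication yes" already sits higher in the file. The script below is an added example (not Slackware's or OpenSSH's code) that reads a config fragment with that first-match rule and reports which of the hardening directives are not actually in effect. The sample config and the helper names (effective_settings, audit) are constructed for the example; Match blocks are not handled, and on a real host "sshd -T" prints the effective configuration.

```python
"""Audit an sshd_config fragment the way sshd reads it. For each keyword the
FIRST uncommented value wins, so a hardening line appended at the bottom is
silently ignored if an earlier line already sets that keyword. Added example
for this page; not Slackware's or OpenSSH's own code. 'Match' blocks are not
handled; 'sshd -T' prints the effective configuration on a real host."""

# Constructed sample: Slackware's two default lines, an earlier uncommented
# setting left over from a previous edit, and the page's hardening block
# appended at the bottom as the note suggests.
SAMPLE_CONFIG = """\
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
# leftover from a previous edit
PasswordAuthentication yes

# hardening block appended at the bottom
StrictModes yes
X11Forwarding yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
"""

# The same file with the stray early line removed.
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if not line.startswith("PasswordAuthentication yes")
) + "\n"

# Values the hardening block on this page is meant to enforce.
EXPECTED = {
    "protocol": "2",
    "ignorerhosts": "yes",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
}


def effective_settings(text):
    """Return {keyword (lowercased): value} using sshd's first-match rule.
    A line is 'Keyword value' or 'Keyword=value'; lines starting with '#'
    and empty lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings


def audit(text, expected=EXPECTED):
    """Return [(keyword, effective_value_or_None, wanted)] for every expected
    directive whose effective value is missing or differs from the target."""
    eff = effective_settings(text)
    return [
        (key, eff.get(key), wanted)
        for key, wanted in expected.items()
        if eff.get(key) is None or eff[key].lower() != wanted
    ]


if __name__ == "__main__":
    for name, cfg in (("as appended", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(name, "->", audit(cfg) or "all hardening directives effective")
```

Run against the sample, audit() reports PasswordAuthentication still effectively "yes"; once the stray early line is removed the list is empty. The same first-match rule applies to any other directive, so the check is worth running on the whole file, not just the appended block.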
documented on: 2008-06-05, xpt
sshd
It is the server program run on the server machine. It listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
The ssh server needs to be installed before use:
    chaos:# sshd
    /etc/sshd_config: No such file or directory
    error: fatal: Could not load host key: /etc/ssh_host_key.
    Check path and permissions.
In a networked environment with shared binary directory, it is enough to do "make install" on one machine, and then "make hostinstall" on others to generate host keys and install configuration files.
    chaos:/shared/installs/ssh-1.2.27# make hostinstall
    chaos:/shared/installs/ssh-1.2.27# sshd
— Ok, after server install
$HOME/.ssh/rc
If this file exists, it is run with the user's shell after reading the environment files but before starting the user's shell or command. If X11 spoofing is in use, this will receive the "proto cookie" pair in standard input (and DISPLAY in environment). This must call xauth in that case.
The primary purpose of this file is to run any initialization routines which may be needed before the user's home directory becomes accessible; AFS is a particular example of such an environment.
This file will probably contain some initialization code followed by something similar to:
    if read proto cookie; then
        echo add $DISPLAY $proto $cookie | xauth -q -
    fi
If this file does not exist, /etc/sshrc is run, and if that does not exist either, xauth is used to store the cookie.
This file should be writable only by the user, and need not be readable by anyone else.
Newsgroups: comp.security.ssh
> i don't find searching through all the information in
> /var/log/messages to be a good use of my time.
% grep sshd /var/log/messages
Or, use the SyslogFacility directive to log SSH messages to a currently unused facility (e.g. LOCALn), and reconfigure syslog (/etc/syslog.conf) to place those in a separate file.
Richard Silverman
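As an added example that is not part of the thread, here is the step after the grep: pull the sshd authentication lines out of a syslog file and summarise them per source address, which is usually what someone searching /var/log/messages is after. The log lines are constructed in the format OpenSSH writes through syslog; the function names (parse_sshd_auth, summarise) and the failure threshold are assumptions for the example.

```python
"""Pull the sshd authentication events out of a syslog file such as
/var/log/messages and summarise them per source address. Added example for
this page; not part of the thread. The log lines below are constructed in
the format OpenSSH writes via syslog."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  4 10:01:12 chaos sshd[1201]: Accepted publickey for tong from 192.0.2.10 port 51324 ssh2
Mar  4 10:02:45 chaos sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  4 10:02:47 chaos sshd[1207]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  4 10:02:49 chaos sshd[1208]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  4 10:03:01 chaos CRON[1210]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:05:30 chaos sshd[1220]: Accepted password for tong from 192.0.2.10 port 51400 ssh2
"""

# "Accepted <method> for <user> from <addr> port <n>" and the matching
# "Failed ..." line, with the optional "invalid user" marker sshd adds
# when the account does not exist.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_auth(text):
    """Return a list of dicts, one per sshd authentication event."""
    events = []
    for line in text.splitlines():
        if "sshd[" not in line:        # same filter as 'grep sshd'
            continue
        m = AUTH_RE.search(line)
        if m:
            e = m.groupdict()
            e["invalid_user"] = e.pop("invalid") is not None
            events.append(e)
    return events


def summarise(events, fail_threshold=3):
    """Count accepted/failed logins per source and flag sources at or above
    fail_threshold failures, returning a plain dict for easy inspection."""
    accepted, failed = Counter(), Counter()
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            accepted[e["src"]] += 1
        else:
            failed[e["src"]] += 1
            failed_users[e["src"]].add(e["user"])
    return {
        "accepted": dict(accepted),
        "failed": dict(failed),
        "failed_users": {src: sorted(u) for src, u in failed_users.items()},
        "suspicious": sorted(src for src, n in failed.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    summary = summarise(parse_sshd_auth(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

If sshd is given its own facility as suggested above (for example "SyslogFacility LOCAL6" in sshd_config and a "local6.*" line in /etc/syslog.conf pointing at a separate file), the "sshd[" filter becomes unnecessary and the parser can be pointed at that file directly.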
    debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
    debug: Remote: Bad file modes for /export/home/tong/.rhosts
    debug: Remote: Rhosts/hosts.equiv authentication refused: client user 'tong', server user 'tong', client host 'sunny.acadiau.ca'.
    debug: Server refused our rhosts authentication or host key.
    debug: Doing password authentication.
It's ok that ~/.rhosts is a link, but make sure what it points to is owned by the user and its mode is 600:
    $ dir bin/tdat/.rhosts.iit
    -rw------- 1 299 tong 265 Dec 14 23:49 bin/tdat/.rhosts.iit
Same error, but reported by the client on iitrc while trying to auto-login:
    iitrc: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
    iitrc: Remote: Accepted by .shosts.
    iitrc: Remote: Your host key cannot be verified: unknown or invalid host key.
    iitrc: Server refused our rhosts authentication or host key.
    iitrc: No agent.
    iitrc: Trying RSA authentication with key 'tong@iitrc.acadiau.ca'
    iitrc: Server refused our key.
    iitrc: Doing password authentication.
After I fixed the above problem, the auto-login also worked.
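The "Bad file modes" refusal above comes down to a stat of the file the link points to. As an added example (not OpenSSH code; the exact checks vary between sshd versions), the script below reproduces the ownership and mode test on a ~/.rhosts symlink whose target is a separate file, and shows the result before and after chmod 600. The temp directory layout, file contents and helper names (check_rhosts, demo) are constructed for the example.

```python
"""Reproduce the ownership/mode test behind sshd's "Bad file modes" refusal
for ~/.rhosts and ~/.shosts: the file may be a symlink, but the target must
be a regular file owned by the user and not accessible to group or others
(mode 600, as the note says). Added example for this page; not OpenSSH
code, and the exact checks in sshd differ between versions."""
import os
import stat
import tempfile


def check_rhosts(path, uid):
    """Return (ok, reason). os.stat follows symlinks, so a linked .rhosts is
    judged by the file it points to, as the note describes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "file does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, f"owned by uid {st.st_uid}, expected {uid}"
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False, f"bad file modes: {oct(mode)} grants group/other access"
    return True, "ok"


def demo():
    """Build the layout from the note in a temp dir: .rhosts is a symlink
    to a separate file (here .rhosts.iit). Returns the check result with the
    target at mode 644 and again after chmod 600. Constructed data."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".rhosts.iit")
        link = os.path.join(home, ".rhosts")
        with open(target, "w") as fh:
            fh.write("sunny.acadiau.ca tong\n")   # host/user pair from the note
        os.symlink(target, link)
        os.chmod(target, 0o644)
        before = check_rhosts(link, uid)
        os.chmod(target, 0o600)
        after = check_rhosts(link, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 644:", before)
    print("mode 600:", after)
```

The point of using os.stat rather than os.lstat is the one the note makes: the link itself can have any mode, what sshd cares about is the file it resolves to.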
zlib 1.1.3 is a general purpose data compression library. All the code is thread safe.
http://www.freesoftware.com/pub/infozip/zlib/
ftp://ftp.freesoftware.com/pub/infozip/zlib/zlib-1.1.3.tar.gz
For Unix: "configure; make test; make install" should work for most machines.
    configure; make test
    *** zlib test OK ***
    pkg=zlib
    make -n install | tee ../../logs/$pkg.log.0
    make install | tee ../../logs/$pkg.log.1
PAM is standard on Redhat and Debian Linux and on Solaris.
First thing to do (I assume you have successfully unpacked it!) is to run:
make check
    # dir default.defs
    lrwxrwxrwx 1 500 group1 16 Sep 28 11:49 default.defs -> defs/redhat.defs
Next, check that the above symbolic link points to the file that best describes your system. Yes.
Second, try to compile it.
make
The first time you type make, it is likely to complain. This is to remind you to remove any libraries from previous versions of the distribution that are likely to confuse this make… Type 'make' again.
make
dir /etc/pam.conf
— does not exist, so go ahead
    pkg=pam
    make -n install | tee ../../logs/$pkg.log.0
    make install | tee ../../logs/$pkg.log.1
Redhat rpm file. Need source installation.
openssl-devel-0.9.5a-3.i386.rpm can't be installed.
Use: openssl-0.9.5a-3.i386.rpm!
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
X11 forwarding was disabled in /usr/local/etc/ssh_config.
root@sunny:/usr/local/etc# diff -wu ssh_config.org ssh_config --- ssh_config.org Fri Sep 29 17:23:17 2000 +++ ssh_config Mon Oct 30 20:48:48 2000 @@ -33,5 +33,5 @@ # Be paranoid by default Host * ForwardAgent no - ForwardX11 no + ForwardX11 yes FallBackToRsh no
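Review bot: turning on ForwardX11 inside the "Host *" stanza that the comment marks "# Be paranoid by default" enables X11 forwarding for every server this client ever connects to, and a forwarded X11 connection gives the remote side access to the local display. Keep "ForwardX11 no" under "Host *" and add a separate "Host <name>" stanza with "ForwardX11 yes" for the one machine that needs it (or pass "ssh -X" per session); at minimum the stanza comment should be updated, since it now contradicts the setting beneath it.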
Remote host denied X11 forwarding,
Thought that xauth was not reachable from the PATH:
    $ which xauth
    /opt/gnu/bin/xauth
ok, got it, no "xauth" found *during* compile:
    debug: Requesting X11 forwarding with authentication spoofing.
    debug: Remote: Client requested X11 forwarding, but the server has no xauth program.
    debug: Remote: This is usually caused by "xauth" not being in PATH during compile.
    Warning: Remote host denied X11 forwarding.
Newsgroups: comp.security.ssh
> Setup:
> MachA= HomeDSL connected linux box openssh-2.5.2p2-5
> MachB=Internet connected running FreeBSD SSH Version 1.2.21
> MachC=Sparcbox Solaris 2.6 Not internet connected but accessible
> from MachB via ftp/telnet - no ssh
>
>
>            INTERNET
>           /    |
>          /     |
>   home A/     MachB|
>                 \
>                  \
>                  MachC (NO internet but accessible from MachB
>
> I want to connect to MachC from home (MachA)
> I have root on MachA and MachC
> How can I port forward (tunnel?) this connection?
>
> I can ssh either direction from A to B, and I can telnet/ftp from
> Machb to MachC.
Rather than port forwarding, why not just:
A% ssh -t B telnet C
If you really want to use port forwarding:
    A% ssh -L 1234:C:23 B
    A% telnet localhost 1234
Richard Silverman
documented on: 2000.03.04
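To make the "-L 1234:C:23" answer concrete, the following added example (not OpenSSH code and not part of the thread) builds the client-side half of local port forwarding on loopback: a listener on a local port whose connections are relayed to the real destination, with an echo server standing in for the telnet service on C. There is no ssh hop between the two, so nothing here is encrypted; that also matches the real setup in one respect, since with "ssh -L 1234:C:23 B" only the A-to-B leg is protected and the B-to-C telnet leg is still clear text. Function names (parse_local_forward, start_forwarder, start_echo_server, demo) and the OS-chosen ports are assumptions for the example.

```python
"""A minimal local port forwarder showing what the client side of
'ssh -L 1234:C:23 B' does: listen on a local port and relay each connection
to the real destination. Both ends run in this process, with an echo server
standing in for the telnet service on C, and there is no ssh hop, so unlike
the real command nothing here is encrypted. Added example for this page;
not OpenSSH code."""
import socket
import threading


def parse_local_forward(spec):
    """Split an ssh -L argument 'localport:host:hostport' into its parts."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected localport:host:hostport, got {spec!r}")
    return int(parts[0]), parts[1], int(parts[2])


def _relay(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(port):
    """Bind to loopback only, which is also ssh -L's default."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", port))
    ls.listen(5)
    ls.settimeout(0.2)            # lets the accept loop notice close()
    return ls


def _serve(listener, handler):
    """Accept connections until the listener is closed; one thread each."""
    while listener.fileno() != -1:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        conn.settimeout(None)
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_forwarder(local_port, target_host, target_port):
    """Listen on 127.0.0.1:local_port and relay each connection to target."""
    def handle(client):
        with client, socket.create_connection((target_host, target_port)) as target:
            up = threading.Thread(target=_relay, args=(client, target), daemon=True)
            up.start()
            _relay(target, client)   # downstream direction in this thread
            up.join()
    ls = _listen(local_port)
    threading.Thread(target=_serve, args=(ls, handle), daemon=True).start()
    return ls


def start_echo_server():
    """Stand-in for the service on C: echo whatever arrives, then close."""
    def handle(conn):
        with conn:
            _relay(conn, conn)
    ls = _listen(0)
    threading.Thread(target=_serve, args=(ls, handle), daemon=True).start()
    return ls


def demo(message=b"hello from A\r\n"):
    """Run the whole chain on loopback: client -> forwarder -> echo 'C'."""
    echo = start_echo_server()
    fwd = start_forwarder(0, *echo.getsockname())
    try:
        with socket.create_connection(fwd.getsockname()) as client:
            client.sendall(message)
            client.shutdown(socket.SHUT_WR)     # like ending the telnet session
            reply = b""
            while True:
                chunk = client.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        fwd.close()
        echo.close()
    return reply


if __name__ == "__main__":
    print(parse_local_forward("1234:C:23"))
    print(demo())
```

The listener binds to 127.0.0.1 only, so other machines cannot reach the forwarded port; that is the same default ssh -L uses unless you ask for a wider bind address.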