OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods. OpenSSH is open source and is available for free. Information contained within this document is specific to Solaris 8.
*Random number generator: prngd
OpenSSH requires a source of randomness. On Solaris 8 this is either the kernel /dev/random device, which is added by patch 112438-01 (the SunOS 5.8 /kernel/drv/random patch, available from SunSolve Patch Access), or the user-space Pseudo Random Number Generator Daemon, prngd, which installs under /usr/local. This procedure installs the kernel patch; prngd is also started from its own init script later on.
Download the patch and install it as root with patchadd (see patchadd(1M)):
patchadd /var/spool/patch/112438-01
You will need to reboot the server. Use a reconfiguration boot (-r) so that the new /dev/random and /dev/urandom device nodes are created:
reboot -- -r
For a procedure to install the random generator, which does not require the server to be rebooted, try the following link: http://www.sunmanagers.org/pipermail/summaries/2002-April/002956.html.
Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process, while the network-facing code runs unprivileged. Its purpose is to prevent privilege escalation: a memory-corruption bug in the unprivileged process yields only the sshd user inside an empty chroot, not root. When privsep is enabled, during the pre-authentication phase sshd chroots to /var/empty and changes to the sshd user and its primary group. sshd is a pseudo-account that should not be used by other daemons; it must be locked and should have /bin/false or another non-login shell.
As root:
mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.
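As an added example (not part of the original page), the following Bourne-shell script checks the privsep prerequisites that sshd enforces at startup, so a failure is explained before the daemon refuses to run. It assumes the account name sshd and the directory /var/empty used above, and the Solaris formats of ls -ld, /etc/passwd and /etc/shadow (Solaris useradd creates the account locked, shown as *LK* in the password field; passwd -l sshd re-locks it if that ever changes). The checks are functions over text so they can be run against the live system or against sample lines.

```shell
#!/bin/sh
# Added example: verify the OpenSSH privsep prerequisites on Solaris 8.
# Assumptions: privsep user "sshd", chroot directory /var/empty, Solaris
# ls/passwd/shadow formats. Written for the Bourne shell (no $(...), no local).

PRIVSEP_DIR=${PRIVSEP_DIR:-/var/empty}
PRIVSEP_USER=${PRIVSEP_USER:-sshd}

# privsep_mode_ok "<ls -ld line>": must be a directory that is neither
# group- nor world-writable. sshd refuses to start ("bad ownership or modes")
# if either write bit is set; 755 as created above passes.
privsep_mode_ok() {
    set -- $1
    case "$1" in
        d????-??-?*) return 0 ;;
        *) return 1 ;;
    esac
}

# privsep_owner_ok "<ls -ld line>": third field (owner) must be root.
privsep_owner_ok() {
    set -- $1
    [ "$3" = root ]
}

# privsep_passwd_ok "<passwd line>": home is the chroot dir, shell cannot log in.
privsep_passwd_ok() {
    home=`echo "$1" | cut -d: -f6`
    shell=`echo "$1" | cut -d: -f7`
    [ "$home" = "$PRIVSEP_DIR" ] || return 1
    case "$shell" in
        /bin/false|*/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# privsep_shadow_ok "<shadow line>": password field must be unusable.
# Solaris writes *LK* for a locked account; NP (no password) and * also block login.
privsep_shadow_ok() {
    pw=`echo "$1" | cut -d: -f2`
    case "$pw" in
        '*LK*'*|NP|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# privsep_dir_empty <dir>: only "." and ".." may be listed.
privsep_dir_empty() {
    n=`ls -a "$1" | wc -l | tr -d ' '`
    [ "$n" -eq 2 ]
}

# privsep_check: run every check against the live system; stop at the first failure.
privsep_check() {
    line=`ls -ld "$PRIVSEP_DIR"` || { echo "$PRIVSEP_DIR missing"; return 1; }
    privsep_mode_ok "$line"  || { echo "$PRIVSEP_DIR is group/world writable"; return 1; }
    privsep_owner_ok "$line" || { echo "$PRIVSEP_DIR is not owned by root"; return 1; }
    privsep_dir_empty "$PRIVSEP_DIR" || { echo "$PRIVSEP_DIR is not empty"; return 1; }
    pwline=`grep "^$PRIVSEP_USER:" /etc/passwd` || { echo "no $PRIVSEP_USER account"; return 1; }
    privsep_passwd_ok "$pwline" || { echo "$PRIVSEP_USER has wrong home or a login shell"; return 1; }
    shline=`grep "^$PRIVSEP_USER:" /etc/shadow` || { echo "no shadow entry (run as root?)"; return 1; }
    privsep_shadow_ok "$shline" || { echo "$PRIVSEP_USER is not locked; run: passwd -l $PRIVSEP_USER"; return 1; }
    echo "privsep prerequisites OK"
}

# Usage (as root, after creating the account): sh privsep-check.sh check
if [ "$1" = check ]; then privsep_check; fi
```

Run it as root before the first sshd start; the messages map one-to-one onto the reasons sshd itself would refuse to come up.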
Install ssh keys and sshd start/stop script
Each machine you want to reach with the ssh client needs an sshd daemon running. First generate the host keys for the server with the two commands below. Make sure /usr/local/bin and /usr/local/sbin are in your PATH. If sshd has been run on this machine before and keys already exist in /usr/local/etc, running these commands will overwrite them, and every client that has the old key in its known_hosts will then warn about a changed host key.
As root:
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
-N "" gives the host keys an empty passphrase, which sshd needs in order to read them unattended; they are protected by file permissions instead (ssh-keygen creates the private key mode 600, so keep it that way). Record the fingerprints with ssh-keygen -l -f /usr/local/etc/ssh_host_rsa_key.pub so users can verify the host on first connection. Note that DSA host keys are fixed at 1024 bits and OpenSSH has disabled ssh-dss by default since release 7.0, so modern clients will only use the RSA key.
*sshd init script
Copy /etc/init.d/sshd and /etc/init.d/prngd from mgmt1 into the same directory on the new server (if the sshd script on mgmt1 is named /etc/init.d/ssh, save it here as /etc/init.d/sshd so the name matches the commands below). Set ownership and permissions, then symlink both into rc2.d. Scripts in rc2.d run in sort order, so S99prngd starts before S99sshd, which is what sshd needs if it was built to read entropy from prngd:
chown root /etc/init.d/sshd /etc/init.d/prngd
chgrp sys /etc/init.d/sshd /etc/init.d/prngd
chmod 544 /etc/init.d/sshd /etc/init.d/prngd
ln -s /etc/init.d/sshd /etc/rc2.d/S99sshd
ln -s /etc/init.d/prngd /etc/rc2.d/S99prngd
/etc/rc2.d/S99sshd start
You can check to see if the daemon is running with the ps command:
ps -e | grep sshd
useradd -u 100 -c "admin home account" -d /export/home/admin -m -s /bin/tcsh admin
Copy the following from mgmt1:~admin/etc_master/ into /etc/
Make the following system-wide library search path change:
crle -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib:/ -s /usr/lib/secure
crle -l replaces the default runtime search path for every dynamically linked program, so /usr/lib must stay first and every listed directory must be owned by root and not writable by anyone else; a writable entry lets any local user plant a library that every program loading it by bare name will pick up. The trailing / entry makes the root directory itself a search path, so list only the directories you actually need. -s sets the trusted directory used for set-uid programs. Run crle with no arguments to display the resulting configuration.
This server needs specific files to run fusion and to provide a failover for the oracle-ias2 services.
The following directories (and their subdirectories) have been moved to /export/home/rhudson
Add the following to root's crontab (crontab -e as root). The -s option sends ntpdate's output to syslog (daemon facility) instead of standard output:
# Set clock to time server
0 0,8,16 * * * /usr/sbin/ntpdate -s time.gov.ns.ca
You may need to create the group first. Look up its name on another server with grep 2000 /etc/group, then create it locally with the same GID (add -o only if GID 2000 is already assigned to another group and must be shared):
groupadd -g 2000 group_name
As the admin user on fusion1, remove the old ias account and recreate the application accounts with fixed UIDs in group 2000 (useradd -m prints a block count while it copies the skeleton files):
sudo userdel ias
sudo useradd -u 2000 -g 2000 -c "Oracle IAS User" -d /export/home/ias -m -s /bin/csh ias
sudo useradd -u 2001 -g 2000 -c "Oracle oraforms User" -d /export/home/oraform -m -s /bin/sh oraforms
sudo useradd -u 2002 -g 2000 -c "Tomcat User" -d /export/home/tomcat -m -s /bin/tcsh tomcat
sudo useradd -u 2003 -g 2000 -c "Fusion User" -d /export/home/fusion -m -s /bin/tcsh fusion
Category: SolarisCategory