Getting Started With SSH
May the flames of Linux consume your degenerate operating system

How?

The best way to install SSH is by using your distribution's package manager. For Red Hat, Mandrake, or any other system that uses RPM for packages, search RPMFind.net for "openssh". Install the resulting packages using rpm -i. You will need to download and install OpenSSL to support OpenSSH, as well.

For Debian, add the line

deb http://pandora.debian.org/debian-non-us woody non-US/main non-US/non-free non-US/contrib

to the file /etc/apt/sources.list (unless you already have a line for Debian non-US). Then run apt-get install ssh. Note that Debian defaults to disallowing X and Agent forwarding for security reasons. To change this (you will probably want to), add the lines:

Host *
  ForwardAgent yes
  ForwardX11 yes

to your /etc/ssh/ssh_config configuration file and reload SSH with /etc/init.d/ssh reload. Keep in mind that Host * turns forwarding on for every server you connect to, and root on any of those servers can use your forwarded agent and X display while you are logged in. To limit that, replace * with the hosts you trust.

At this point, SSH should be up and working. If you are using a distribution which doesn't have an SSH package available, or would otherwise prefer to install SSH from scratch, read on.

First, a word of explanation: Installing the ssh package gives you both ssh, the client you actually use, and sshd, which is the program that handles incoming connections. Once you've downloaded and uncompressed ssh, you'll need to decide how you want to install it before going any further. The only difference between the two methods is how sshd handles incoming ssh connections. The options are as follows:


Running sshd at Startup

First, compile ssh by going into the ssh source directory and doing this:

./configure

Or, if you want to compile libwrap in with SSH,

./configure --with-libwrap

And then,

make
make install

To get sshd to run on startup, you will need to edit your system's startup scripts to include sshd.

On Red Hat boxes, you can save this script in your /etc/rc.d/init.d directory and make symlinks to the appropriate runlevel directories. A good way to do that is to run chkconfig as follows (once you have the aforementioned script installed).

chkconfig --add sshd
chkconfig --level 35 sshd on

This will set sshd to start in runlevels 3 and 5; this is rational, but of course it's not the only way to do it.

Now, to get sshd running, do this:

/etc/rc.d/init.d/sshd start

On Debian boxes, save this script to your /etc/init.d directory. Then, use update-rc.d to create the symlinks to the appropriate runlevel directories.

update-rc.d -f ssh defaults 20

This will set sshd to start in multiuser runlevels. It also sets sshd to stop when the machine is going down or going to single-user mode. Now, to get sshd running, run:

/etc/init.d/ssh start

You're done. You haven't been this secure since Daddy bought you that nightlight.


Running With inetd

To run SSH from within inetd, go into your ssh source directory and do this:

./configure
make
make install

This sets up sshd properly; now you need to edit /etc/services. Since sshd runs on port 22 by default, you need to make sure the system knows port 22 is for ssh connections. On my system, this was not in /etc/services by default, so here's what I had to add (I just slipped it in between the entries for ftp (port 21) and telnet (port 23)):

ssh	22/tcp

When you're editing config files like this, a good habit to learn is to back up the files before you do anything. The best way I've yet seen is to copy the version of the file that was installed by default to foo.0 (here, I would copy services to services.0). Next time you want to edit the file, first copy it to foo.1, foo.2, and so on, such that you can fall back to a prior version of the file if you screw something up (which you almost certainly will, eventually).

Anyway, on with the story. Now you need to edit /etc/inetd.conf. Back it up as described above, then add a section somewhere in there that looks like this:

#
# SSH
ssh  stream  tcp  nowait  root   /usr/sbin/tcpd /usr/local/sbin/sshd -i

Note that sshd is started with the -i option to let sshd know that it's being started by inetd (this is mandatory). Then save and quit; you're done. Now, only one thing is left: you need to tell inetd to restart, so it will reread its config files and know what to do with ssh connections. This is easy. In Red Hat:

/etc/rc.d/init.d/inet restart

In Debian:

/etc/init.d/inetd reload

Or, on all systems:

kill -HUP `cat /var/run/inetd.pid`

Done and done. You should be good to go at this point. Go home or read further about security.
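
The inetd procedure above, combined with the numbered-backup habit, as an added shell example that is not part of the original page: it touches each file only when its ssh entry is missing, so running it twice is harmless. The function names and the script name setup-ssh-inetd.sh are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Paths are arguments, so the
# script can be tried on copies of /etc/services and /etc/inetd.conf first.

# Copy FILE to FILE.N, N being the lowest unused number (foo.0, foo.1, ...).
backup_numbered() {
    n=0
    while [ -e "$1.$n" ]; do n=$((n + 1)); done
    cp -p "$1" "$1.$n" && echo "$1.$n"
}

# True if the services file already has an uncommented 22/tcp entry.
has_ssh_service() {
    grep -Eq '^[^#]*[[:space:]]22/tcp([[:space:]]|$)' "$1"
}

# True if the inetd.conf file already has an uncommented ssh entry.
has_ssh_inetd() {
    grep -Eq '^ssh[[:space:]]+stream[[:space:]]+tcp[[:space:]]' "$1"
}

# Back up and extend each file only when its ssh entry is missing.
# Entries are appended; their position in either file does not matter.
setup_ssh_inetd() {
    services=$1
    inetd_conf=$2
    if ! has_ssh_service "$services"; then
        backup_numbered "$services" >/dev/null || return 1
        printf 'ssh\t22/tcp\n' >> "$services"
    fi
    if ! has_ssh_inetd "$inetd_conf"; then
        backup_numbered "$inetd_conf" >/dev/null || return 1
        printf '#\n# SSH\n%s\n' \
            'ssh  stream  tcp  nowait  root   /usr/sbin/tcpd /usr/local/sbin/sshd -i' \
            >> "$inetd_conf"
    fi
}

# Usage: sh setup-ssh-inetd.sh SERVICES_FILE INETD_CONF  (then reload inetd)
if [ "$#" -eq 2 ]; then
    setup_ssh_inetd "$1" "$2"
fi
```

After it has run against the real files, inetd still has to be told to reread its configuration with one of the reload commands above.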


Patrick Hearon
Algis Rudys
Last modified: Sat Sep 23 06:19:16 2000