Sammy says, 'Join the team and come in for the Big Win!'
Getting Started With SSH
May the flames of Linux consume your degenerate operating system

Who | What | When | Where | Why?


The best way to install SSH is by using you distributions package manager. For Redhat, Mandrake, or any other system that uses RPM for packages, search for "openssh". Install the resulting packages using rpm -i. You will need to download and install OpenSSL to support OpenSSH, as well.

For Debian, add the line

deb woody non-US/main non-US/non-free non-US/contrib
to the file /etc/apt/sources.list (unless you already have a line for Debian non-US). Then run apt-get install ssh. Note that Debian defaults to disallowing X and Agent forwarding for security reasons. To change this (you will probably want to), add the lines:
Host *
  ForwardAgent yes
  ForwardX11 yes
to your /etc/ssh/ssh_config configuration file and reload SSH with /etc/init.d/ssh reload.

At this point, SSH should be up and working. If you are using a distribution which doesn't have an SSH package available, or would otherwise prefer to install SSH from scratch, read on.

First, a word of explanation: Installing the ssh package gives you both ssh, the client you actually use, and sshd, which is the program that handles incoming connections. Once you've downloaded and uncompressed ssh, you'll need to make some decisions before installing it. First, you should decide how you want to install it. The only difference in these two methods concerns how sshd handles incoming ssh connections. The options are as follows:

Running sshd at Startup

First, compile ssh by going into the ssh source directory and doing this:

Or, if you want to compile libwrap in with SSH,
./configure --with-libwrap
And then,
make install

To get sshd to run on startup, you will need to edit your system's startup scripts to include sshd.

On RedHat boxes, you can save this script to in your /etc/rc.d/init.d directory and make symlinks to the appropriate runlevel directories. A good way to do that is to run chkconfig as follows (once you have the aforementioned script installed).

chkconfig --add sshd
chkconfig --level 35 sshd on

This will set sshd to start in runlevels 3 and 5; this is rational, but of course it's not the only way to do it.

Now, to get sshd running, do this:

/etc/rc.d/init.d/sshd start

On Debian boxes, save this script to your /etc/init.d directory. Then, use update-rc.d to create the symlinks to the appropriate runlevel directories.

update-rc.d -f ssh defaults 20
This will set sshd to start in multiuser runlevels. It also sets sshd to stop when the machine is going down or going to single-user mode. Now, to get sshd running, run:
/etc/init.d/ssh start

You're done. You haven't been this secure since Daddy bought you that nightlight.

Running With inetd

To run SSH from within inetd, go into your ssh source directory and do this:

make install

This sets up sshd properly; now you need to edit /etc/services. Since sshd runs on port 22 by default, you need to make sure the system knows port 22 is for ssh connections. On my system, this was not in /etc/services by default, so here's what I had to add (I just slipped it in between the entry for ftp (port 21) and telnet (port 23).):

ssh	22/tcp

When you're editing config files like this, a good habit to learn is to back up the files before you do anything. The best way I've yet seen is to copy the version of the file that was installed by default to foo.0 (here, I would copy services to services.0). Next time you want to edit the file, first copy it to foo.1, foo.2, and so on, such that you can fall back to a prior version of the file if you screw something up (which you almost certainly will, eventually).

Anyway, on with the story. Now you need to edit /etc/inetd.conf. Back it up as described above, then add a section somewhere in there that looks like this:

ssh  stream  tcp  nowait  root   /usr/sbin/tcpd /usr/local/sbin/sshd -i

Note that sshd is started with the -i option to let sshd know that it's being started by inetd (this is mandatory). Then save and quit; you're done. Now, only one thing is left: you need to tell inetd to restart, so it will reread its config files and know what to do with ssh connections. This is easy. In Redhat:

/etc/rc.d/init.d/inet restart
In Debian:
/etc/init.d/inetd reload
Or, on all systems:
kill -HUP `cat /var/run/`

Done and done. You should be good to go at this point. Go home or read further about security.

Patrick Hearon
Algis Rudys
Last modified: Sat Sep 23 06:19:16 2000