The best way to install SSH is by using your distribution's package manager. For Red Hat, Mandrake, or any other system that uses RPM for packages, search RPMFind.net for "openssh". Install the resulting packages using rpm -i. You will need to download and install OpenSSL to support OpenSSH as well.
For Debian, add the line

```
deb http://pandora.debian.org/debian-non-us woody non-US/main non-US/non-free non-US/contrib
```

to the file /etc/apt/sources.list (unless you already have a line for Debian non-US). Then run apt-get install ssh. Note that Debian defaults to disallowing X and Agent forwarding for security reasons. To change this (you will probably want to), add the lines:

```
Host *
    ForwardAgent yes
    ForwardX11 yes
```

to your /etc/ssh/ssh_config configuration file and reload SSH with /etc/init.d/ssh reload.
At this point, SSH should be up and working. If you are using a distribution which doesn't have an SSH package available, or would otherwise prefer to install SSH from scratch, read on.
First, a word of explanation: installing the ssh package gives you both ssh, the client you actually use, and sshd, the program that handles incoming connections. Once you've downloaded and uncompressed ssh, you'll need to make some decisions before installing it. The first is how you want to install it: there are two methods, and the only difference between them concerns how sshd handles incoming ssh connections. The options are as follows:
Note that you can run SSH with the full functionality of TCP Wrappers, including hosts.allow and hosts.deny, even when running this way. You need libwrap installed to use this (look for file libwrap.a in /usr/lib). This lets you restrict access to just Rice machines, fool with Sentry, whatever you like.
First, compile ssh by going into the ssh source directory and doing this:
```
./configure
```

Or, if you want to compile libwrap in with SSH,

```
./configure --with-libwrap
```

And then,

```
make
make install
```
To get sshd to run on startup, you will need to edit your system's startup scripts to include sshd.
On Red Hat boxes, you can save this script in your /etc/rc.d/init.d directory and make symlinks to the appropriate runlevel directories. A good way to do that is to run chkconfig as follows (once you have the aforementioned script installed).

```
chkconfig --add sshd
chkconfig --level 35 sshd on
```
This will set sshd to start in runlevels 3 and 5; this is rational, but of course it's not the only way to do it.
Now, to get sshd running, do this:
```
/etc/rc.d/init.d/sshd start
```
On Debian boxes, save this script to your /etc/init.d directory. Then, use update-rc.d to create the symlinks to the appropriate runlevel directories.
```
update-rc.d -f ssh defaults 20
```

This will set sshd to start in multiuser runlevels. It also sets sshd to stop when the machine is going down or going to single-user mode. Now, to get sshd running, run:

```
/etc/init.d/ssh start
```
You're done. You haven't been this secure since Daddy bought you that nightlight.
To run SSH from within inetd, go into your ssh source directory and do this:
```
./configure
make
make install
```

This sets up sshd properly; now you need to edit /etc/services. Since sshd runs on port 22 by default, you need to make sure the system knows port 22 is for ssh connections. On my system, this was not in /etc/services by default, so here's what I had to add (I just slipped it in between the entry for ftp (port 21) and telnet (port 23)):

```
ssh	22/tcp
```
When you're editing config files like this, a good habit to learn is to back up the files before you do anything. The best way I've yet seen is to copy the version of the file that was installed by default to foo.0 (here, I would copy services to services.0). Next time you want to edit the file, first copy it to foo.1, foo.2, and so on, such that you can fall back to a prior version of the file if you screw something up (which you almost certainly will, eventually).
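As an added example (not part of the original page), here is a small POSIX shell helper that applies the backup habit just described and then adds the ssh entry to a services file only if no entry for that port already exists. The function names and the return-code convention are my own.

```shell
#!/bin/sh
# Constructed example: back up a config file as FILE.0, FILE.1, ... before
# touching it, then add "ssh 22/tcp" to a services file idempotently.

# backup_config FILE
#   Copies FILE to FILE.N, where N is the first number not yet used, and
#   prints the backup path. Preserves mode and timestamps (cp -p).
backup_config() {
    file=$1
    n=0
    while [ -e "$file.$n" ]; do
        n=$((n + 1))
    done
    cp -p "$file" "$file.$n" || return 1
    printf '%s\n' "$file.$n"
}

# ensure_service FILE NAME PORT/PROTO
#   Appends "NAME<TAB>PORT/PROTO" to FILE unless some non-comment line already
#   claims that port/protocol. Returns 0 if added, 1 if already present,
#   2 if the backup could not be made (FILE is then left untouched).
ensure_service() {
    file=$1 name=$2 portproto=$3
    if grep -Eq "^[^#[:space:]]+[[:space:]]+$portproto([[:space:]]|\$)" "$file"; then
        return 1
    fi
    backup_config "$file" >/dev/null || return 2
    printf '%s\t%s\n' "$name" "$portproto" >> "$file"
}

# On a real system you would run, as root:
#   ensure_service /etc/services ssh 22/tcp
```

Running it a second time is harmless: the existing entry is detected and nothing is appended, so you do not end up with duplicate lines (or duplicate backups).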
Anyway, on with the story. Now you need to edit /etc/inetd.conf. Back it up as described above, then add a section somewhere in there that looks like this:
```
#
# SSH
ssh	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/local/sbin/sshd -i
```
Note that sshd is started with the -i option to let sshd know that it's being started by inetd (this is mandatory). Then save and quit; you're done. Now, only one thing is left: you need to tell inetd to restart, so it will reread its config files and know what to do with ssh connections. This is easy. In Red Hat:

```
/etc/rc.d/init.d/inet restart
```

In Debian:

```
/etc/init.d/inetd reload
```

Or, on all systems:

```
kill -HUP `cat /var/run/inetd.pid`
```
Done and done. You should be good to go at this point. Go home or read further about security.