Where to get RPM binary builds:
http://www.linux-mandrake.com/en/fcrypto.php3
From MandrakeUsers.org
http://mandrakeuser.org/secure/index.html
QUOTE:
SSH I - Installation
What Is SSH?
The traditional network services like ftp, pop or telnet are
convenient but inherently unsafe, since they all make you send a
password and data in clear text over an increasingly unsafe network.
It is almost a no-brainer to intercept these services and copy
transferred data. Furthermore the authentication of the server is
weak: the services are open to so-called 'man-in-the-middle' attacks,
where an intruder pretends to be the server and thus receives all
data the client is sending.
Enter SSH (Secure SHell). By using SSH, you encrypt the traffic and
you can make 'man-in-the-middle' attacks almost impossible. It also
protects you from DNS and IP spoofing. As a bonus, it offers the
possibility to compress the traffic and thus make transfers faster.
SSH is a very versatile tool: not only does it replace telnet, you
can also 'tunnel' services like ftp, pop and even ppp via it.
SSH implementations exist for almost all major operating systems.
The original SSH has been developed by a Finnish company. Due to
copyright restraints and patented algorithms, the Free Software world
now uses OpenSSH, a free SSH workalike.
SSH consists of a client-server pair like all the other services.
Every system administrator worth his money runs an SSH server. If
your remote host doesn't run SSH, you should really think about
switching to a host which does. A site which doesn't run an SSH
server shows a serious lack of interest in network security.
SSH comes in two major, partly incompatible versions, 1.x and 2.x.
You won't be able to connect to an SSH 1.x server with an SSH 2.x
client. OpenSSH 2.x supports both versions.
How SSH Authentication Works
Seen from the client level, SSH provides two levels of authentication.
The first level allows you to connect from any machine to an SSH
server, as long as you know the password of the account on the remote
machine. This encrypts any traffic sent via SSH, but doesn't provide
a strong mechanism to authenticate the host you are connecting to.
Another host could intercept your connection by pretending to be the
host you want to connect to ('man-in-the-middle-attack').
The second level relies on the key mechanism: you create your own
keypair and put the public key onto the server. Now if you connect to
the SSH server, your client sends a request to the server for
authentication using your keys. The server looks up the public key in
your remote home directory, and compares both keys. Then it sends an
encrypted challenge to the client. This challenge is decrypted on the
local machine using the private key and sent back to the server.
Using this method, you will have to know the password of your key (if
you choose to use one). In contrast to level one, this password will
not be sent over the network. Level two authentication doesn't use
any passwords at all. This scheme not only encrypts any traffic sent
via SSH, but also makes 'man-in-the-middle' attacks next to
impossible. This login process usually takes ten seconds.
Installing And Testing OpenSSH
Due to U.S. restrictions on exporting strong cryptography, the
OpenSSH packages are not included in LM. You can download them from
one of the servers listed on LM's crypto apps page.
You will need these packages:
openssl openssh openssh-clients and, if you want to run an
ssh-server, openssh-server
Of course the truly paranoid will prefer building them from source,
but usually RPMs will do ;). Note that 7.1 OpenSSH RPMs will not
install on 7.0.
To test your installation, connect to an SSH server:
ssh -l [your accountname on the remote host] [address of the remote host]
If this works, you will receive a message like this:
The authenticity of host [hostname] can't be established. Key
fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
SSH tells you that it doesn't know this host, which is nothing to
worry about, since you are connecting for the first time. Type yes.
This will add the 'fingerprint' of this host to '~/.ssh/known_hosts'.
Future connects to the host will not display this message. Then SSH
will prompt you for your account password on the remote machine. Type
it, press ENTER et voila, you've established your first SSH
connection! Now proceed just like you would in a telnet session.
Installing an OpenSSH server is easy, too. Just install the RPM.
During the installation, you will get a message like this:
Generating RSA keys: .ooooooO..................ooooooO Key generation
complete. Your identification has been saved in
/etc/ssh/ssh_host_key. Your public key has been saved in
/etc/ssh/ssh_host_key.pub. The key fingerprint is:
5f:a0:0b:65:d3:82:df:ab:33:52:6f:89:9a:fe:e9:52 root@[local machine]
Generating DSA parameter and key. Your identification has been saved
in /etc/ssh/ssh_host_dsa_key. Your public key has been saved in
/etc/ssh/ssh_host_dsa_key.pub. The key fingerprint is:
64:85:4a:da:cf:74:94:0d:5a:93:cf:f2:62:ed:07:26 root@[local machine]
This message indicates that the key, which identifies your machine to
clients, has been generated. It is a very good idea to keep external
backup copies of these keys!
Start the server with
service sshd start
That's all. Now external ssh-clients can connect to the machine
(provided they have an account on your machine, naturally). If you
want the SSH server to be started every time you boot the machine, run
chkconfig --add sshd
Now that you've got it running basically, learn how to set up SSH ...
UNQUOTE:
--
Come visit the Trailer Park of the Apocalypse...
we survived the Millennium.... or maybe we were LEFT BEHIND!
[EMAIL PROTECTED] --- http://www.users.uswest.net/~hsundt3/
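
Added example (not part of the quoted article or of OpenSSH): the first-connect prompt quoted above is only as safe as the check behind the "yes", so this sketch compares the fingerprint of the key a server offers with the one noted when the server's keys were generated. It assumes the protocol 2 known_hosts line format "host keytype base64"; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_sample_line(host: str, fill: int) -> str:
    """Constructed (not real) RSA host key line in known_hosts format."""
    modulus = b"\x00" + bytes([fill]) * 128
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line: str):
    """Return (host, key_type, blob); reject a blob whose type field disagrees."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return host, key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex form, as in the messages quoted above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Form printed by current OpenSSH releases."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def verify_host_key(line: str, expected: str) -> bool:
    """True only if the offered key matches the fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    if expected.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    else:
        actual, expected = md5_fingerprint(blob), expected.lower()
    return hmac.compare_digest(actual.encode(), expected.encode())
```

A False result at first connect means the key on the wire is not the one the server generated, which is exactly the man-in-the-middle case the article describes; answer "no" and investigate.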