OpenSSH
リモートからサーバの管理をするためにOpenSSHを導入する。
SSHはリモートログインをするという性質上、特にセキュリティには気をつける必要があるため、Privilege Separationを有効にする。
# /usr/sbin/groupadd -g 74 sshd
# /usr/sbin/useradd -u 74 -g 74 -d /var/empty/sshd -s /sbin/nologin
OpenSSHの公式サイトより最新のソースファイルを入手しインストールする。
$ wget ftp://ftp.iij.ad.jp/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz
$ tar xvzf openssh-4.4p1.tar.gz
$ cd openssh-4.4p1
$ ./configure --prefix=/usr/local/openssh \
    --with-privsep-user=sshd \
    --with-privsep-path=/var/empty/sshd \
    --without-zlib-version-check
$ make
# make install
OpenSSHの設定を行う。
/usr/local/openssh/sshd_config
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. Port 22 Protocol 2 #AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /usr/local/openssh/etc/ssh_host_key # HostKeys for protocol version 2 #HostKey /usr/local/openssh/etc/ssh_host_rsa_key #HostKey /usr/local/openssh/etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /usr/local/openssh/etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! 
PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/local/openssh/libexec/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server起動スクリプトを作成する。 サンプルがソースファイル内にあるのでコピーして使用する。
# cp {$SOURCE}/contrib/redhat/sshd.init /etc/rc.d/init.d/sshd
/etc/rc.d/init.d/sshd
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/local/openssh/bin/ssh-keygen
SSHD=/usr/local/openssh/sbin/sshd
RSA1_KEY=/usr/local/openssh/etc/ssh_host_key
RSA_KEY=/usr/local/openssh/etc/ssh_host_rsa_key
DSA_KEY=/usr/local/openssh/etc/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
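#######################################
# Generate the protocol-1 (SSH1) RSA host key when it is missing or empty.
# Globals:   KEYGEN, RSA1_KEY (read)
# Outputs:   progress line on stdout via success/failure from the function library
# Returns:   0 when the key already exists or was generated; exits 1 on error
#######################################
do_rsa1_keygen() {
  # The sshd_config shown on this page sets "Protocol 2", so this key is
  # only consulted if protocol 1 is re-enabled there.
  if [ ! -s "$RSA1_KEY" ]; then
    echo -n $"Generating SSH1 RSA host key: "
    # Empty comment and empty passphrase: a host key must load unattended.
    if "$KEYGEN" -q -t rsa1 -f "$RSA1_KEY" -C '' -N '' >/dev/null 2>&1; then
      # Private half readable by its owner only; public half world-readable.
      chmod 600 "$RSA1_KEY"
      chmod 644 "$RSA1_KEY.pub"
      # Re-label the new file when SELinux tooling is present.
      if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$RSA1_KEY.pub"
      fi
      success $"RSA1 key generation"
      echo
    else
      failure $"RSA1 key generation"
      echo
      exit 1
    fi
  fi
}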
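#######################################
# Generate the protocol-2 RSA host key when it is missing or empty.
# Globals:   KEYGEN, RSA_KEY (read)
# Outputs:   progress line on stdout via success/failure from the function library
# Returns:   0 when the key already exists or was generated; exits 1 on error
#######################################
do_rsa_keygen() {
  # Path matches the commented HostKey default in the page's sshd_config.
  if [ ! -s "$RSA_KEY" ]; then
    echo -n $"Generating SSH2 RSA host key: "
    # Empty comment and empty passphrase: a host key must load unattended.
    if "$KEYGEN" -q -t rsa -f "$RSA_KEY" -C '' -N '' >/dev/null 2>&1; then
      # Private half readable by its owner only; public half world-readable.
      chmod 600 "$RSA_KEY"
      chmod 644 "$RSA_KEY.pub"
      # Re-label the new file when SELinux tooling is present.
      if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$RSA_KEY.pub"
      fi
      success $"RSA key generation"
      echo
    else
      failure $"RSA key generation"
      echo
      exit 1
    fi
  fi
}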
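#######################################
# Generate the protocol-2 DSA host key when it is missing or empty.
# Globals:   KEYGEN, DSA_KEY (read)
# Outputs:   progress line on stdout via success/failure from the function library
# Returns:   0 when the key already exists or was generated; exits 1 on error
#######################################
do_dsa_keygen() {
  # Path matches the commented HostKey default in the page's sshd_config.
  if [ ! -s "$DSA_KEY" ]; then
    echo -n $"Generating SSH2 DSA host key: "
    # Empty comment and empty passphrase: a host key must load unattended.
    if "$KEYGEN" -q -t dsa -f "$DSA_KEY" -C '' -N '' >/dev/null 2>&1; then
      # Private half readable by its owner only; public half world-readable.
      chmod 600 "$DSA_KEY"
      chmod 644 "$DSA_KEY.pub"
      # Re-label the new file when SELinux tooling is present.
      if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$DSA_KEY.pub"
      fi
      success $"DSA key generation"
      echo
    else
      failure $"DSA key generation"
      echo
      exit 1
    fi
  fi
}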
#######################################
# Test-load the configuration and host keys (sshd -t) before a condrestart,
# so a broken config does not take the running daemon down.
# Globals:   SSHD (read), RETVAL (written: exit status of sshd -t)
# Outputs:   failure line on stdout when the check does not pass
# Returns:   0; callers inspect RETVAL
#######################################
do_restart_sanity_check() {
  "$SSHD" -t
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]; then
    failure $"Configuration file or keys are invalid"
    echo
  fi
}
#######################################
# Create any missing host keys, then launch sshd through initlog.
# Globals:   SSHD, OPTIONS, prog (read), RETVAL (written)
# Outputs:   "Starting sshd:" status line on stdout
# Side effects: touches /var/lock/subsys/sshd on success
#######################################
start() {
  # Each helper is a no-op when its key already exists, so this only
  # does work on the first start.
  local gen
  for gen in do_rsa1_keygen do_rsa_keygen do_dsa_keygen; do
    "$gen"
  done
  echo -n $"Starting $prog:"
  # initlog receives the daemon plus OPTIONS from /etc/sysconfig/sshd as one
  # command string; RETVAL records the status of success/failure that follows.
  initlog -c "$SSHD $OPTIONS" && success || failure
  RETVAL=$?
  if [ "$RETVAL" = 0 ]; then
    touch /var/lock/subsys/sshd
  fi
  echo
}
#######################################
# Stop the listening sshd with SIGTERM (existing sessions keep their own
# sshd processes, see the ps output on this page).
# Globals:   SSHD, prog (read), RETVAL (written: killproc status)
# Outputs:   "Stopping sshd:" status line on stdout
# Side effects: removes /var/lock/subsys/sshd on success
#######################################
stop() {
  echo -n $"Stopping $prog:"
  killproc "$SSHD" -TERM
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    rm -f /var/lock/subsys/sshd
  fi
  echo
}
#######################################
# Ask the running sshd to re-read its configuration (SIGHUP).
# Globals:   SSHD, prog (read), RETVAL (written: killproc status)
# Outputs:   "Reloading sshd:" status line on stdout
#######################################
reload() {
  echo -n $"Reloading $prog:"
  killproc "$SSHD" -HUP
  RETVAL=$?
  echo
}
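# Dispatch on the action passed by the init system ("service sshd <action>").
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  reload)
    reload
    ;;
  condrestart)
    # Only restart a daemon this script started (lock file present), and
    # only after "sshd -t" confirms the config and host keys still load.
    if [ -f /var/lock/subsys/sshd ]; then
      do_restart_sanity_check
      if [ "$RETVAL" = 0 ]; then
        stop
        # avoid race
        sleep 3
        start
      fi
    fi
    ;;
  status)
    status "$SSHD"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
    RETVAL=1
    ;;
esac
exit "$RETVAL"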
起動スクリプトを登録する。
# chmod 755 /etc/rc.d/init.d/sshd # /sbin/chkconfig --add sshd # /sbin/chkconfig --list sshd 0:off 1:off 2:off 3:on 4:on 5:on 6:offOpenSSHを起動する。
# /sbin/service sshd start
sshd を起動中: [ OK ]
起動確認をする。
# netstat -an |grep 22
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
$ ps aux |grep ssh
root 5235 0.0 0.3 4636 876 ? Ss 03:08 0:00 /usr/local/openssh/sbin/sshd
サーバ稼働時のログ。
# tail /var/log/secure
Sep 30 02:57:14 bruna sshd[4986]: Server listening on 0.0.0.0 port 22.
Sep 30 03:00:25 bruna sshd[4986]: Received signal 15; terminating.
# tail /var/log/boot.log
Sep 30 02:57:14 bruna sshd: succeeded
Sep 30 03:00:25 bruna sshd: sshd -TERM succeeded
Privilege Separationが有効か確認するため一般ユーザでログインして確認する。
下記の通り、Privilege Separationが有効のときはユーザ権限でsshdが動いていることがわかる。
●Privilege Separation有効
$ ps aux |grep ssh
root 5235 0.0 0.3 4636 876 ? Ss 03:08 0:00 /usr/local/openssh/sbin/sshd
root 9279 0.0 0.6 6580 1740 ? Ss 10:36 0:00 sshd: user [priv]
user 9281 0.0 0.4 6600 1108 ? S 10:37 0:00 sshd: user@pts/0
●Privilege Separation無効
$ ps aux |grep ssh
root 9542 0.0 0.3 4752 876 ? Ss 11:00 0:00 /usr/local/openssh/sbin/sshd
root 9561 3.1 0.6 4608 1788 ? Ss 11:01 0:00 sshd: user@pts/1
最後にRPMで導入されているOpenSSHを削除する。
※起動スクリプト(/etc/rc.d/init.d/sshd)とディレクトリ(/var/empty/sshd)が削除されてしまうので注意する。
# yum remove openssh
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Removing:
openssh i386 3.9p1-8.RHEL4.15 installed 807 k
Removing for dependencies:
openssh-clients i386 3.9p1-8.RHEL4.15 installed 625 k
openssh-server i386 3.9p1-8.RHEL4.15 installed 357 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 0 Package(s)
Remove 3 Package(s)
Total download size: 0
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
warning: /etc/ssh/sshd_config saved as /etc/ssh/sshd_config.rpmsave
warning: /etc/rc.d/init.d/sshd saved as /etc/rc.d/init.d/sshd.rpmsave
Removing : openssh-server ######################### [1/3]
Removing : openssh-clients ######################### [2/3]
Removing : openssh ######################### [3/3]
Removed: openssh.i386 0:3.9p1-8.RHEL4.15
Dependency Removed: openssh-clients.i386 0:3.9p1-8.RHEL4.15 openssh-server.i386 0:3.9p1-8.RHEL4.15
Complete!
/var/empty/sshdがないとき。
# /sbin/service sshd start
sshd を起動中:Missing privilege separation directory: /var/empty/sshd
[失敗]