Building and Installing SSH

    ./configure
    make
    make install

The configure script should recognize your system type, discover important information about your build environment, and—if everything checks out—create a corresponding Makefile. The make program uses this Makefile to build the software. The make install directive installs the SSH components and manual pages in the right places, and generates the initial 1024-bit host key pair if it doesn't already exist.

The last thing you'll have to do is put sshd in an rc file, so it will launch at startup. On Linux, you'll want to put it in /etc/rc.d/rc.local, with a syntax like this:

    # Start SSH
    echo "Starting SSH Daemon..."
    /usr/local/sbin/sshd;

There are other parameters you can use with sshd, and we'll look at some of them in Section 8.3. You'll also want to enable the port on which you're running SSH. In our case, we're going to use the default port of 22, so we'll have to edit our /etc/services file and add a line like this:

    ssh	22/tcp

As of this writing, SSH has been known to compile on at least thirty-six different versions of Unix, so most of the time you should be able to build it without a hitch. We have built it on four different Unix systems without problems. If you have problems during the configuration, compilation, or installation stage, the configure utility may not have recognized your system type, you may need to make some minor configuration changes by hand, or you may need to upgrade some of the tools in your build environment to newer versions. It's a good idea to read the INSTALL text file to look for any specific problems with your system or environment. For example, there are problems compiling with gcc prior to release 2.7.2.3, or there may be a problem with schemes that aren't standardized across Unix systems, such as shadow password implementations. If you encounter a problem not covered in the INSTALL text and are stumped, use some of the resources in Section 8.5.3.
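The /etc/services edit above is easy to get wrong on a system where another service already claims port 22. The shell function below is added here as an example and is not part of the book's text: it makes the edit idempotent, adding the entry only if it is missing, leaving an existing ssh line alone, and refusing to append when a different service name already owns the port/protocol pair. The sample services file is constructed for the demo; the function takes the file path as an argument so you can try it on a copy before pointing it at the real /etc/services.

```shell
#!/bin/sh
# Added example (not from the book): idempotently add "ssh 22/tcp" to a
# services file, and detect a port already assigned to another service.

# ensure_service_entry FILE NAME PORT PROTO
# Prints "present", "added", or "conflict:<othername>"; returns 1 on conflict.
ensure_service_entry() {
    file=$1; name=$2; port=$3; proto=$4
    # Strip comments, then find the service name already bound to PORT/PROTO (if any).
    existing=$(sed 's/#.*//' "$file" | awk -v pp="$port/$proto" '$2 == pp { print $1; exit }')
    if [ -n "$existing" ]; then
        if [ "$existing" = "$name" ]; then
            echo "present"
            return 0
        fi
        # Another service owns this port: do not append a second, conflicting line.
        echo "conflict:$existing"
        return 1
    fi
    printf '%s\t%s/%s\n' "$name" "$port" "$proto" >> "$file"
    echo "added"
}

# Demo on a constructed copy; never touches the real /etc/services.
demo_services=$(mktemp)
cat > "$demo_services" <<'EOF'
# Network services, Internet style (constructed sample)
ftp		21/tcp
telnet		23/tcp
smtp		25/tcp		mail
EOF
ensure_service_entry "$demo_services" ssh 22 tcp          # prints "added"
ensure_service_entry "$demo_services" ssh 22 tcp          # prints "present"
ensure_service_entry "$demo_services" ssh 23 tcp || true  # prints "conflict:telnet"
rm -f "$demo_services"
```

If you run sshd on a non-default port with -p (see Section 8.3.1.1), pass that port instead of 22 so the services entry and the daemon agree.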

8.3 SSH Components

The SSH software is comprised of a small suite of utilities that perform different functions. We're not going to give you an overview of every feature of these utilities. Instead, we're going to look at functions and parameters that you should know in order to operate an SSH VPN—both those you should use and those you might be better off not using. For other functionality, we suggest checking the manpages for each of these tools.

8.3.1 sshd

The SSH server daemon is called sshd. As shown in Section 8.2, it's normally started from an rc file. When launched, it generates the first instance of the server key pair. Because of this, it's typically not recommended that you start sshd from inetd, because inetd will launch it each time somebody makes a connection. This server key generation adds additional time to the login, sometimes on the order of tens of seconds, depending upon the speed of your machine, its load, and the size of the server key you choose. In some cases this delay will be unacceptable, or at the very least annoying. sshd has a configuration file called /etc/sshd_config, which lets you set a number of default runtime and security parameters, including port, server key bits, and the types of authentication allowed.

8.3.1.1 Useful sshd parameters for our purposes

No parameters are normally needed to launch the SSH daemon, but there are a few that can be useful in making modifications.

-b bits
    You can set the length of the server key with this option. The default server key is 768 bits, but this option can be used to set it higher if you're concerned about security at that level. Even though 768 bits is considered relatively safe, key lengths of 1024 bits are generally thought to be safe for the next several years. Using a key length that is shorter than 768 bits is also possible. If you really wanted to start the SSH daemon from inetd, you could shorten the key length to shorten the generation time, thereby shortening the login time. Key lengths of less than 512 bits, however, are often considered insufficient for business transactions over the Internet. The server key can also be set with the ServerKeyBits parameter in the sshd_config file.

-k seconds
    Another option you might want to change is the -k option, which will adjust the time to live of the server key. Normally, this key is regenerated every 3600 seconds (one hour), but it can be adjusted to shorter or longer regeneration times. A setting of means that the key will never be regenerated, which isn't recommended, as server key regeneration is an important security feature of SSH. This can also be modified with the KeyRegenerationInterval parameter in the SSH daemon configuration file.

-p port
    sshd is normally run as root on Unix systems on TCP port number 22, but it is possible to launch it as another user if you use the -p option to have it listen on a non-privileged port (ports above 1023), and if you specify a different location for the host key file (the default host key file, /etc/ssh_host_key, can be read only by root). For VPN applications, there shouldn't be any need to run the daemon as anyone other than root, though it may be useful in other situations, such as making a secure connection to a system that you don't have superuser privileges on, and that isn't already running the daemon. The Port parameter in the sshd_config file can also set the default port.

The types of authentication allowed—password, .rhosts, host key, or user key—can be controlled from the sshd_config file. We'll go into these settings more when we create a VPN in Section 8.4.
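The three settings above each have a value the text treats as a floor or a default: ServerKeyBits (768 by default, under 512 considered insufficient), KeyRegenerationInterval (3600 seconds by default, and never disabled) and Port (22). The following sshd_config audit is example code written for this page, not part of the book or the SSH distribution. It reads those keywords from a config file, substitutes the text's defaults for absent keywords, and prints one finding per setting that departs from them. The two sample config files are constructed, and treating 0 as the "never regenerate" interval is an assumption taken from the sshd manpage rather than from the page.

```shell
#!/bin/sh
# Added example (not from the book): audit an sshd_config against the
# ServerKeyBits / KeyRegenerationInterval / Port guidance in the text.

# config_value FILE KEYWORD
# Prints the value of the last matching keyword (case-insensitive), or nothing.
config_value() {
    sed 's/#.*//' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { v = $2 } END { if (v != "") print v }'
}

# audit_sshd_config FILE
# Prints one finding per line; the return value is the number of findings.
audit_sshd_config() {
    cfg=$1; findings=0
    # Defaults as given in the text when the keyword is absent from the file.
    bits=$(config_value "$cfg" ServerKeyBits);            bits=${bits:-768}
    regen=$(config_value "$cfg" KeyRegenerationInterval); regen=${regen:-3600}
    port=$(config_value "$cfg" Port);                     port=${port:-22}

    if [ "$bits" -lt 512 ]; then
        echo "ServerKeyBits=$bits: below 512 bits, considered insufficient"
        findings=$((findings + 1))
    elif [ "$bits" -lt 768 ]; then
        echo "ServerKeyBits=$bits: below the 768-bit default"
        findings=$((findings + 1))
    fi
    # Assumption (from the sshd manpage, not the page): 0 disables regeneration.
    if [ "$regen" -eq 0 ]; then
        echo "KeyRegenerationInterval=0: server key is never regenerated"
        findings=$((findings + 1))
    elif [ "$regen" -gt 3600 ]; then
        echo "KeyRegenerationInterval=$regen: longer than the one-hour default"
        findings=$((findings + 1))
    fi
    if [ "$port" -ne 22 ]; then
        echo "Port=$port: non-default port; check that /etc/services and the clients agree"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo: a weak configuration beside the corrected one (both constructed samples).
weak=$(mktemp); good=$(mktemp)
cat > "$weak" <<'EOF'
# constructed sample: settings a VPN operator should not leave in place
Port 22
ServerKeyBits 384
KeyRegenerationInterval 0
EOF
cat > "$good" <<'EOF'
# constructed sample: the settings the text recommends
Port 22
ServerKeyBits 1024
KeyRegenerationInterval 3600
EOF
echo "--- weak config";      audit_sshd_config "$weak" || echo "$? finding(s)"
echo "--- corrected config"; audit_sshd_config "$good" && echo "no findings"
rm -f "$weak" "$good"
```

Because sshd reads the file only at startup, run the audit before restarting the daemon; the same checks apply to the -b, -k and -p command-line values in the rc file, which override the file.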