Encryption Capabilities The SSH Software

Blowfish

The SSH implementation of Blowfish uses a 128-bit key and, next to IDEA, is considered one of the best ciphers to use with SSH. It's enabled by default in sshd. To turn it off, add the --without-blowfish flag when executing the configure script.

IDEA

The IDEA cipher is enabled by default in sshd, and is the one that ssh will try to use by default if another isn't specified. It uses a 128-bit key. Use --without-idea to turn it off. It's important to note that IDEA is patented in the United States and Europe, and although it's available in the free version of SSH, it cannot be legally used for commercial purposes within those regions without a license. In fact, the commercial version of SSH comes with IDEA disabled by default, and a separate license must be obtained to use it. Licenses can be obtained from Ascom Systec AG of Switzerland (see http://www.ascom.com).

3DES

Triple-DES is automatically enabled and can't be disabled in SSH, because it's also used to encrypt private keys. It uses a 112-bit key, and is the fallback cipher if the client requests one that the server doesn't support.

DES

DES uses a 56-bit key, which is considered too small for commercial purposes, so it's disabled by default on the server. Use --with-des to turn it on.

arcfour

The arcfour cipher is supposed to be equivalent to RC4. It uses a 128-bit key length and is the fastest cipher SSH supports. It's disabled by default on the server because there is a security hole in the way it's implemented in SSH 1.x. SSH 2.x does not have this problem. If the client specifies arcfour and the server doesn't support it, the server will automatically switch to Blowfish. To enable it on the server, use the --with-arcfour flag at configuration time.

None

This is no encryption, which is disabled by default. It's really used only for testing, so you shouldn't turn this capability on. To turn on no encryption, use --with-none when executing the configure script.

8.2 Building and Installing SSH

For most Unix systems, the installation of SSH is pretty straightforward. Simply download the gzipped tar file from one of the FTP mirror sites listed at http://www.ssh.fi/sshprotocols/, for instance, ssh-1.2.25.tar.gz. Note: Typically there's a new version of SSH released every few months. In order to compile SSH, you need an ANSI C compiler such as gcc. The simplest way to build this software is to do the following:

    ./configure
    make
    make install

The configure script should recognize your system type, discover important information about your build environment, and—if everything checks out—create a corresponding Makefile. The make program uses this Makefile to build the software. The make install directive installs the SSH components and manual pages in the right places, and generates the initial 1024-bit host key pair if it doesn't already exist. The last thing you'll have to do is put sshd in an rc file, so it will launch at startup. On Linux, you'll want to put it in /etc/rc.d/rc.local, with a syntax like this:

    # Start SSH
    echo Starting SSH Daemon...
    /usr/local/sbin/sshd;

There are other parameters you can use with sshd, and we'll look at some of them in Section 8.3. You'll also want to enable the port on which you're running SSH. In our case, we're going to use the default port of 22, so we'll have to edit our /etc/services file and add a line like this:

    ssh 22/tcp

As of this writing, SSH has been known to compile on at least thirty-six different versions of Unix, so most of the time you should be able to build it without a hitch. We have built it on four different Unix systems without problems. If you have problems during the configuration, compilation, or installation stage, the configure utility may not have recognized your system type, you may need to make some minor configuration changes by hand, or you may need to upgrade some of the tools in your build environment to newer versions.
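The cipher flags from the Encryption Capabilities section and the build-and-enable steps above, gathered into one Bourne shell script as an added example (this is not code from the book or from the SSH distribution). It composes a ./configure flag list from an explicit cipher policy using only the flags the text names, with the section's defaults (Blowfish and IDEA on; DES, arcfour and "none" off; 3DES has no flag because it cannot be disabled), and it adds the ssh line to a services file only when no ssh entry is already there, so re-running an install script does not duplicate it. The function names ssh_configure_flags and ensure_services_entry, and the sample services file contents, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the book): build SSH 1.x configure flags from a
# cipher policy and register the ssh port in a services file idempotently.

# ssh_configure_flags [blowfish] [idea] [des] [arcfour] [none]
# Each argument is "yes" or "no"; defaults follow the section's sshd defaults.
# Prints the flags to paste after ./configure (empty when all defaults apply).
ssh_configure_flags() {
    blowfish=${1:-yes}; idea=${2:-yes}; des=${3:-no}; arcfour=${4:-no}; none=${5:-no}
    flags=""
    # Blowfish and IDEA are on by default, so only "no" produces a flag.
    [ "$blowfish" = "no" ]  && flags="$flags --without-blowfish"
    [ "$idea" = "no" ]      && flags="$flags --without-idea"
    # DES, arcfour and "none" are off by default, so only "yes" produces a flag.
    [ "$des" = "yes" ]      && flags="$flags --with-des"
    [ "$arcfour" = "yes" ]  && flags="$flags --with-arcfour"
    [ "$none" = "yes" ]     && flags="$flags --with-none"
    # Strip the leading space introduced by the first appended flag.
    printf '%s\n' "${flags# }"
}

# ensure_services_entry FILE
# Appends "ssh 22/tcp" to FILE unless a line for the ssh service exists.
# Prints "added" or "present" so a caller can log what happened.
ensure_services_entry() {
    file=$1
    if grep -q '^ssh[[:space:]]' "$file" 2>/dev/null; then
        echo present
        return 0
    fi
    printf 'ssh\t\t22/tcp\n' >> "$file"
    echo added
    return 0
}

# Demonstration on a constructed copy of a services file, never the real one.
demo_services=$(mktemp)
printf 'ftp\t\t21/tcp\ntelnet\t\t23/tcp\n' > "$demo_services"
ensure_services_entry "$demo_services"    # prints: added
ensure_services_entry "$demo_services"    # prints: present
rm -f "$demo_services"

# A site without an IDEA license keeps the defaults but drops IDEA:
echo "./configure $(ssh_configure_flags yes no no no no)"   # prints: ./configure --without-idea
```

Keeping the policy in one function means the weak choices (DES, "none") can only be enabled by an explicit "yes", which is easy to spot in review, and the services check avoids the duplicate-entry mistake that a blind `echo >> /etc/services` would make on a second run.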
It's a good idea to read the INSTALL text file to look for any specific problems with your system or environment. For example, there are problems compiling with gcc prior to release 2.7.2.3, or there may be a problem with schemes that aren't standardized across Unix systems, such as shadow password implementations. If you encounter a problem not covered in the INSTALL text and are stumped, use some of the resources in Section 8.5.3.

8.3 SSH Components

The SSH software is comprised of a small suite of utilities that perform different functions. We're not going to give you an overview of every feature of these utilities. Instead, we're going to look at functions and parameters that you should know in order to operate an SSH VPN—both those you should use and those you might be better off not using. For other functionality, we suggest checking the manpages for each of these tools.

8.3.1 sshd

The SSH server daemon is called sshd. As shown in Section 8.2, it's normally started from an rc file. When launched, it generates the first instance of the server key pair. Because of this, it's typically not recommended that you start sshd from inetd, because inetd will launch it each time somebody makes a connection. This server key generation adds additional time to the