Secure Shell (SSH): SSH Configuration

slogin, which is secure remote login, a secure equivalent to the UNIX rlogin. It behaves the same as ssh without the specified command option and actually is a symbolic link to the ssh program. It is also fair to mention sftp, the secure FTP, which is a secure equivalent to the regular file transfer FTP.

19.3.1.3 The sshd Daemon

The sshd daemon listens at the SSH server side for connections from ssh clients. It is normally started at boot time within the corresponding rc startup script created during the SSH installation. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. The following example is from the Solaris 2.x platform:

# ps -ef | grep ssh | grep -v grep
    root  1434     1  0   May 09 ?       46:28 /share/local/bin/sshd

Each host has a host-specific RSA key, normally 1024 bits long. Additionally, when the sshd daemon starts, it generates a server-specific RSA key, normally 768 bits long; this key is regenerated every hour if it has been used and is never stored on a disk. The point of the short-lived server key is that a later compromise of the host key alone does not let an eavesdropper decrypt recorded sessions. Whenever a client connects to the server, the sshd daemon sends its host and server public keys to the client. The client compares the host key against its own database (the known-hosts files) to verify that it has not changed; a changed key is the sign of a reinstalled server or of an impostor, and this comparison is the only protection the protocol has against a man-in-the-middle at this point. The client then generates a 256-bit random number, encrypts it using both keys, the host key and the server key, and sends the encrypted number to the server. Both sides then use this random number as the session encryption key for all further communication in the session; the client selects the cipher among several supported encryption algorithms (the default is IDEA). An authentication dialog follows: the client tries to authenticate itself by using one of the supported authentication methods. Upon successful client authentication, a dialog for preparing the session is entered.

Once the session is established, the client requests a shell or execution of a command. The exchange of encrypted data continues until the user program terminates and all connections are closed. The server then sends the command exit status to the client and both sides exit. The sshd daemon can be configured using command-line options or a configuration file; command-line options override values specified in the configuration file. If the configuration data are changed, the running sshd daemon must be forced to reread its configuration data by sending it a HUP signal (kill -HUP pid); otherwise it keeps using the old settings.

This description applies to SSH protocol version 1, the version the original ssh distribution implemented. Protocol version 1 has known weaknesses and has since been removed from current SSH implementations; protocol version 2 negotiates the session key with Diffie-Hellman and has no hourly regenerated server key, but the host-key check and the configuration mechanics described below work in the same spirit.
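The exchange described above, reduced to a runnable model. This is an added example, not code from the page or from any SSH distribution: it uses textbook RSA on bare integers (no padding, no wire format), scales the key sizes down to 512/384 bits so it runs quickly, and the class and function names (Sshd, client_connect, run_exchange) are this editor's. Two details come from the SSH-1 protocol specification rather than from the page: the client XORs the session key with a session id, MD5 of both moduli and a server cookie, before encrypting, and it encrypts with the smaller modulus first. The known-hosts check shows the three outcomes a practitioner cares about: known and unchanged, unknown (accepted or refused depending on strict checking), and changed (always refused).

```python
"""Toy model of the SSH protocol version 1 exchange: server presents host and
server keys, client checks the host key against its known-hosts database, then
sends a 256-bit session key encrypted under both keys.  Added illustration with
textbook RSA on bare integers; NOT real SSH-1 wire format or padding."""
import hashlib
import secrets

E = 65537  # public exponent


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(p):
            return p

def gen_rsa(bits):
    """Return ((n, e), d) with an n of about `bits` bits."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return (p * q, E), pow(E, -1, phi)

def session_id(host_pub, server_pub, cookie):
    """SSH-1 session id: MD5(host modulus || server modulus || cookie), as int."""
    blob = b"".join(n.to_bytes((n.bit_length() + 7) // 8, "big")
                    for n in (host_pub[0], server_pub[0])) + cookie
    return int.from_bytes(hashlib.md5(blob).digest(), "big")

class HostKeyChanged(Exception):
    """Known host presents a different key: impostor or reinstalled server."""

class UnknownHost(Exception):
    """No recorded key for this host and strict host-key checking is on."""

class Sshd:
    """Server side: long-lived host key plus a server key that is regenerated
    (hourly in the text, on demand here) and never written to disk."""

    def __init__(self, host_bits=512, server_bits=384):
        self.host_pub, self._host_priv = gen_rsa(host_bits)
        self.regenerate_server_key(server_bits)

    def regenerate_server_key(self, bits=384):
        self.server_pub, self._server_priv = gen_rsa(bits)

    def hello(self):
        """Server -> client: both public keys and a fresh anti-replay cookie."""
        self.cookie = secrets.token_bytes(8)
        return self.host_pub, self.server_pub, self.cookie

    def receive_session_key(self, ciphertext):
        """Client -> server: peel the two RSA layers, larger modulus first."""
        pairs = sorted([(self.host_pub, self._host_priv),
                        (self.server_pub, self._server_priv)], key=lambda k: k[0][0])
        (small_pub, small_d), (large_pub, large_d) = pairs
        x = pow(ciphertext, large_d, large_pub[0])
        x = pow(x, small_d, small_pub[0])
        return x ^ session_id(self.host_pub, self.server_pub, self.cookie)

def client_connect(host, sshd, known_hosts, strict_host_key_checking=True):
    """Client side: host-key check, then session-key generation.  Returns the
    client's session key and the double-encrypted value sent to the server."""
    host_pub, server_pub, cookie = sshd.hello()
    if host in known_hosts:
        if known_hosts[host] != host_pub:
            raise HostKeyChanged(f"host key for {host} has changed")
    elif strict_host_key_checking:
        raise UnknownHost(f"no host key for {host} in the known-hosts files")
    else:
        known_hosts[host] = host_pub  # StrictHostKeyChecking no: learn it silently
    session_key = secrets.randbits(256)
    m = session_key ^ session_id(host_pub, server_pub, cookie)
    small, large = sorted([host_pub, server_pub], key=lambda k: k[0])
    c = pow(m, small[1], small[0])  # smaller modulus first (the 768-bit server key)
    c = pow(c, large[1], large[0])  # then the larger one (the 1024-bit host key)
    return session_key, c

def run_exchange(host, sshd, known_hosts, strict_host_key_checking=True):
    """Full exchange; returns (client's key, server's key), which must agree."""
    client_key, c = client_connect(host, sshd, known_hosts, strict_host_key_checking)
    return client_key, sshd.receive_session_key(c)
```

Run run_exchange("alpha", Sshd(), {}, strict_host_key_checking=False) for a first contact that learns the key; a second Sshd() instance presented under the same host name is then refused with HostKeyChanged, which is exactly the situation a user sees as a "host key has changed" warning.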

19.3.2 SSH Configuration

SSH offers many options in its use; obviously, an appropriate configuration is required. Both sides, server and client, must be configured properly. Even the default configuration (which is, by the way, sufficient for most sites) is defined by the configuration file supplied during the SSH installation. The server configuration file is /etc/sshd_config:

# cat /etc/sshd_config
# File: sshd_config
# Purpose: sshd configuration file.
# Description: Controls the behavior of the sshd server
# Used by: sshd
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin nopwd
StrictModes yes
QuietMode no
X11Forwarding yes
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no
FascistLogging yes
IdleTimeout 15m
CheckMail no
IgnoreRhosts yes
Umask 022

Most of the configuration entries are self-explanatory; nevertheless we will briefly describe them in the order of their appearance.

Port: Specifies the port number that sshd listens on (the default is 22).

ListenAddress: Specifies the IP address of the interface where the sshd server socket is bound (0.0.0.0 means any IP address).

HostKey: Specifies the file containing the private host key (the default is /etc/ssh_host_key). The file must be readable by root only.

RandomSeed: Specifies the file containing the random seed for the server. The file is updated regularly (the default is /etc/ssh_random_seed).

ServerKeyBits: Defines the number of bits in the server key (the default is 768).

LoginGraceTime: After this time (in seconds) the server disconnects if the user has not successfully logged in (0 means indefinitely; the default is 600).

KeyRegenerationInterval: If the server key has been used, it is automatically regenerated after this time period (in seconds; 0 means never; the default is 3600).

PermitRootLogin: Specifies whether root can log in using ssh. yes allows root to log in with any method, including a password; nopwd disables password authentication for root, so root must hold an authorized RSA key, as in the file above; no disables root login altogether (the default is yes).

StrictModes: Specifies whether sshd should check the file modes and ownership of the user's home directory and .rhosts file before accepting a login; a world-writable home directory or .rhosts file would let another user plant credentials (the default is yes).

QuietMode: Specifies whether sshd runs in quiet mode, in which nothing but fatal errors is written to the system log (the default is no).

X11Forwarding: Specifies whether X11 forwarding is permitted, i.e., an X session forwarded through the encrypted channel; this also gives the remote host access to the user's local display (the default is yes).

PrintMotd: Specifies whether sshd should print the message of the day from the /etc/motd file (the default is yes).

KeepAlive: Specifies whether keepalive messages should be sent to the other side; they detect a dead connection or a crashed peer and release the resources held for it (the default is yes).

SyslogFacility: Specifies the facility entry in the system log file for sshd logging (the default is DAEMON).

RhostsAuthentication: Specifies whether authentication using the .rhosts or /etc/hosts.equiv files alone is sufficient; this trusts the client's claimed host name and should stay off (the default is no).

RhostsRSAAuthentication: Specifies whether .rhosts and /etc/hosts.equiv authentication combined with RSA host authentication is allowed (the default is yes).

RSAAuthentication: Specifies whether pure RSA authentication (challenge-response) is allowed (the default is yes).

PasswordAuthentication: Specifies whether password authentication is allowed (the default is yes).

PermitEmptyPasswords: If password authentication is allowed, it specifies whether the server allows login to accounts with empty password fields (the default is yes).

UseLogin: Specifies whether login(1) is used for interactive login sessions (the default is no).

FascistLogging: Specifies whether verbose logging is used; it violates users' privacy and is not recommended (the default is no).

IdleTimeout: Sets the idle timeout (a number followed by s, m, h, d, or w) after which an idle child sshd process is terminated.

CheckMail: Specifies whether sshd should print information about new e-mail when a user logs in (the default is yes).

IgnoreRhosts: Specifies that .rhosts and .shosts files will not be used in authentication, while /etc/hosts.equiv and /etc/shosts.equiv are still in use (the default is no).

Umask: Sets the default umask for sshd and its children; it must be an octal number (the default is 000).

The client configuration file is /etc/ssh_config. The file structure is the same as for the server configuration. Here is an example:

# cat /etc/ssh_config
# ssh_config
# Purpose: ssh client configuration file.
# Description: Provides defaults for users, and the values could be changed
#   in per-user configuration files or on the command line.
# Directions: Configuration data is parsed as follows:
#   1. command line options
#   2. user-specific file
#   3. system-wide file
# Any configuration value is only changed the first time it is set. Thus,
# host-specific definitions should be at the beginning of the configuration
# file, and defaults at the end.
# Used by: ssh, scp, slogin, sdist
Compression yes
CompressionLevel 9
ConnectionAttempts 3
FallBackToRsh no
ForwardAgent yes
ForwardX11 yes
GlobalKnownHostsFile /etc/ssh_known_hosts
UserKnownHostsFile /etc/ssh_known_hosts
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
TISAuthentication no
PasswordAuthentication yes
UseRsh no
StrictHostKeyChecking no
BatchMode no
IdentityFile ~/.ssh/identity

Some of the listed configuration entries are identical to those in the previously presented server configuration file. Others are quite self-explanatory, so we will not elaborate on them separately. Two of them deserve a security note, though. StrictHostKeyChecking no makes ssh add the key of an unknown host to the known-hosts file without asking the user, so the host-key comparison described in the previous section protects only hosts whose key was already recorded; on clients that connect to sensitive servers, set it to yes and distribute the host keys through /etc/ssh_known_hosts. FallBackToRsh no and UseRsh no keep ssh from silently dropping to an unencrypted rsh connection when the server does not answer on the SSH port.
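As an added example (not code from the page or from the SSH distribution), a small parser for the configuration-file format shown above and an audit of the security-relevant server directives. The parser applies the rule stated in the ssh_config header: a keyword is only set the first time it appears. The baseline of acceptable values is this editor's reading of the page's sample sshd_config, the defaults are those the entry descriptions above list, and the function names (parse_ssh_config, audit_sshd_config) and the two sample files are constructed for this illustration.

```python
"""Parser and audit for the SSH configuration-file format shown above: one
'Keyword value' per line, '#' comments, case-insensitive keywords, and only the
first setting of a keyword counts.  Added example; the baseline is this
editor's reading of the page's sample sshd_config, not an official list."""

# Constructed samples: the page's hardened sshd_config, and a weakened variant.
HARDENED = """\
# File: sshd_config   Purpose: sshd configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
ServerKeyBits 768
PermitRootLogin nopwd
StrictModes yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
FascistLogging yes
IdleTimeout 15m
IgnoreRhosts yes
Umask 022
"""

WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
RhostsAuthentication yes
IgnoreRhosts no
StrictModes no
StrictModes yes   # silently ignored: the first setting wins
"""


def parse_ssh_config(text):
    """Return {keyword_lowercase: value}, keeping the first occurrence only."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


# keyword -> (acceptable values, sshd default given in the text, why it matters)
BASELINE = {
    "permitrootlogin":         ({"no", "nopwd"}, "yes", "root must not authenticate with a password"),
    "passwordauthentication":  ({"no"},  "yes", "RSA authentication only; passwords can be guessed"),
    "permitemptypasswords":    ({"no"},  "yes", "accounts with empty passwords must not log in"),
    "rhostsauthentication":    ({"no"},  "no",  ".rhosts/hosts.equiv trust relies on a claimed host name"),
    "rhostsrsaauthentication": ({"no"},  "yes", "host-based trust lets any user on a trusted host in"),
    "ignorerhosts":            ({"yes"}, "no",  "users' own .rhosts/.shosts must not grant access"),
    "strictmodes":             ({"yes"}, "yes", "world-writable home or .rhosts invites tampering"),
}


def audit_sshd_config(text):
    """Return one finding per directive whose effective value (the explicit
    setting, or the default when the directive is absent) is outside BASELINE."""
    conf = parse_ssh_config(text)
    findings = []
    for key, (allowed, default, why) in BASELINE.items():
        effective = conf.get(key, default).lower()
        if effective not in allowed:
            origin = "set" if key in conf else "default"
            findings.append(f"{key} = {effective} ({origin}): {why}")
    return findings
```

audit_sshd_config(HARDENED) returns an empty list, while audit_sshd_config(WEAK) reports seven findings, including RhostsRSAAuthentication, which the weak file never mentions and which therefore falls back to its permissive default, and StrictModes, whose later "yes" is ignored because the first setting wins.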

19.3.3 SSH Installation and User Access Setup