Setting up SSH authentication

• RhostsRSAAuthentication set to no means that rhosts authentication plus RSA host authentication isn't sufficient either.
• Setting RSAAuthentication to yes, which is the default, means that RSA user authentication is allowed.
• PasswordAuthentication set to no means that password authentication isn't allowed as a fallback if RSA authentication fails.

The AllowHosts option is usually commented out, but it can be enabled to allow SSH connections only from a specific host. In this case, the slave is allowing connections only from master.ora-vpn.com. On the master, you would set AllowHosts to allow slave.ora-vpn.com. This means that each machine will allow an SSH connection only from the other. Of course, if you disable telnet completely and allow only the other VPN host to connect via SSH, that's the only machine you'll be able to connect from for remote administration. Aside from the chosen remote host, all work will have to be done at the console. Alternatively, you can add other hosts, such as admin.ora-vpn.com in our example, or allow every host from your domain to connect with the wildcard *.ora-vpn.com.

At this point, you should be able to connect to the slave from the master as vpn1 using the SSH client. During this trial, you might want to keep a telnet session open on the slave in case there are problems. Try entering a command like this on the master, but with your slave in place of ours:

    ssh -l vpn1 slave-gw.ora-vpn.com

It should log you in to the slave machine without asking for a password. If it fails, it's probably due to an authentication error. Try running the same command, but add the -v option. That will give you excellent debugging output and show you whether it's .rhosts, RSA host, or RSA user authentication that's failing.

8.4.2.5 Configuring sudo on the slave

The sudo program is set up much like the other programs, using configure, make, and make install. It is placed in /usr/local/bin. In order to change the configuration file for sudo, called sudoers, you need to use the visudo tool, which can be run only as root. The visudo editor uses your selected editor (vi by default), but will lock the file to make sure only one person is editing it, and will perform syntax checking against what the user is entering. It will automatically open sudoers when invoked.

sudo only needs to be installed on the slave, for the vpn1 account, since the VPN script will be run as root on the master. The reason is that vpn1 will eventually have to execute the route add command, which is privileged. Here are the lines to add to your sudoers file:

    # Cmnd alias specification
    Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
    # User specification
    vpn1 ALL=NOPASSWD: VPN

The lines beginning with the pound sign are comments and will be ignored. The first entry sets up a command alias called VPN that contains the pppd and route programs. This provides a convenient way to group multiple programs that you want to allow users or groups to execute as superuser. The next entry says that the user vpn1 can execute all of the commands in that alias from any host without a password. Normally, sudo requires that you enter your password before executing the command as root.

You should now be able to test sudo on the slave as the user vpn1. Try the following command:

    sudo /usr/sbin/pppd

It should launch pppd for you as root, and you'll see the PPP protocol garbage output again. If you have problems and you know that PPP already works, there might be something wrong with your sudoers file. Check the /var/adm/sudo.log file for errors. If sudo worked, try the following line on the master, logged in as root:

    ssh -l vpn1 slave-gw.ora-vpn.com sudo /usr/sbin/pppd

Once again, you should see the garbage output. This time, it's being delivered across your SSH connection to your local terminal.

8.4.2.6 Putting pty-redir on the master

The pty-redir program allows you to create a new pseudo-terminal on the master in order to run the PPP traffic through it. It comes with a Makefile, so all you should have to do is run make, then move the binary to your /usr/local/bin directory. This file needs to be only on the master.

Line 84 of pty-redir.c v0.1 controls the name of the pseudo-terminals that pty-redir uses. This name must match the naming convention of your system. In the original source, the line looked like this:

    fprintf(stderr,"/dev/pty%c%c",a,b);

For our Slackware Linux configuration, we had to change it to look like the line below in order for it to work:

    fprintf(stderr,"/dev/tty%c%c",a,b);

For your particular flavor of Unix, you may have to make modifications as well. Now you should be able to run everything through pty-redir:

    pty-redir /usr/local/bin/ssh -l vpn1 slave-gw.ora-vpn.com \
        sudo /usr/sbin/pppd

You won't get any output here, so it's probably best to watch the logs and do a ps on the slave to see if pppd is running. If you enter ps on the master, you should see your entire command.
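The per-flavor edit above exists because pty-redir hardcodes the device prefix. As an added example (not pty-redir's own code), here is the same job done with the POSIX pty API, which asks the system for the slave device name instead of assuming /dev/pty or /dev/tty naming; it assumes a glibc or other POSIX.1-2001 libc, and the names pty_open_pair and pty_slave are ours.

```c
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char pty_slave[64];   /* slave device name, filled by pty_open_pair */

/* Open a pseudo-terminal pair through the POSIX API. Returns the master
 * fd (or -1) and copies the slave name (e.g. /dev/pts/3) into slave[].
 * No /dev/pty or /dev/tty naming is assumed: the kernel reports it. */
int pty_open_pair(char *slave, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    const char *name;
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        (name = ptsname(master)) == NULL || strlen(name) >= len) {
        close(master);
        return -1;
    }
    strcpy(slave, name);
    return master;
}

/* Same contract as pty-redir: run the command given on the command line
 * with stdin/stdout on the master side, print the slave name for pppd. */
int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    int master = pty_open_pair(pty_slave, sizeof pty_slave);
    if (master < 0) {
        perror("pty_open_pair");
        return 1;
    }
    if (fork() == 0) {              /* child: wire stdio to the master */
        dup2(master, STDIN_FILENO);
        dup2(master, STDOUT_FILENO);
        close(master);
        execvp(argv[1], argv + 1);
        _exit(127);
    }
    close(master);
    fprintf(stderr, "%s\n", pty_slave);  /* e.g. /dev/pts/3 */
    return 0;
}
```

Run it exactly like pty-redir (`./a.out /usr/local/bin/ssh -l vpn1 slave-gw.ora-vpn.com sudo /usr/sbin/pppd`) and hand the printed slave name to the local pppd.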