HP-UX Secure Shell: Part 4: Using the Reflection OpenSSH Client
By Chris Wong
This series of articles has focused on implementing HP-SSH. However, HP-SSH does not include a client for the PC. Since a large number of HP customers use Reflection for terminal emulation, I have dedicated this article to explaining how to use the SSH client included with WRQ’s Reflection version 10. There are other client solutions such as putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/) that may be implemented. When investigating a client solution, consider the features of the terminal emulation (especially when running SAM), the user’s existing familiarity, the company’s investment in licensing, and the level of support needed.
So, let’s get started. This example assumes that you do not have any SSH keys configured on the PC or in the authorized_keys file on the host. First, you must be running Reflection 10 or higher. If you have a current maintenance agreement, the upgrade is free. Next, from the WRQ website, follow the links to download the Security Components and install them:
Start a Reflection session. From the Connection menu select Connection Setup:
Select the connection type of Network and OPENSSH. In the connection options section, put in the hostname or IP. For the user name, enter the UNIX login name. Click on the Security button to get the next screen.
Change the Protocol type to “2 only”. Any new sites should start with the SSH-2 protocol as the SSH-1 protocol is not secure. If your site is running the SSH-1 protocol, leave the setting for both “1 and 2”.
Press the “Generate User Key” to create the client public/private key pair.
Select the key type you want to generate. This example will use RSA. The following screen will appear.
The default directory for storing the SSH files is displayed with the default file name for the key type. Select “Save” to continue.
You will be prompted twice to enter the passphrase for the private key. Do not share the passphrase. Press OK to exit the configuration and start the connection.
The screen above asks the user whether they want to authenticate the host. Compare the displayed RSA fingerprint with the fingerprint provided by the system administrator to verify that this is the correct server. Select YES and the host’s public key will be copied to the known_hosts file in the client’s .ssh directory. At this point, the host is authenticated and the session is encrypted. The user is prompted to enter their UNIX password for the user name they used in the connection setup.
Enter the UNIX password and the user will be logged in. There are three user authentication methods used for SSH:
1). rhosts and hosts.equiv
2). Public/Private Keys
3). PAM (default being UNIX)
The use of rhosts is discouraged, as your environment is only as secure as the weakest host in the trusted environment. This authentication method is disabled by default. The second authentication method, Public/Private keys, is the one we want to use. We created the key pair when we set up the Reflection configuration, but we must still add the client’s public key to the authorized_keys file. If the SSH environment does not exist in the host user’s account, create it:
$ umask 077
$ mkdir .ssh
$ cd .ssh
Copy the id_rsa.pub file from the client (C:\Documents and Settings\"client name"\My Documents\Reflection\.ssh\id_rsa.pub) to the authorized_keys file in the .ssh directory on the host. If the authorized_keys file did not exist, you can FTP the public key file up and simply copy it to the authorized_keys file:
$ cp id_rsa.pub authorized_keys
If the authorized_keys file already exists, append the new public key to this file instead of overwriting it. Before exiting, select File from the Reflection menu and Save the connection setup. Exit the session. Start a new session, and this time a prompt will appear for the user to enter their passphrase:
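The host-side steps above (create .ssh under umask 077, then create or append to authorized_keys) as a single script, added here as an example and not taken from the article; the key line, the home directory and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: install an uploaded id_rsa.pub into ~/.ssh/authorized_keys
# the way the article describes, without clobbering keys already present.
# CONSTRUCTED_KEY is a placeholder, not a real key.
CONSTRUCTED_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL cwong@pcclient'

install_authorized_key() {
    # $1 = home directory of the host user, $2 = path to the uploaded id_rsa.pub
    home="$1"; pubkey="$2"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    # A public key file is exactly one line; refuse anything else (for
    # example a private key uploaded by mistake).
    if [ "$(grep -c '' "$pubkey")" -ne 1 ] || grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "refusing: $pubkey is not a single public-key line" >&2
        return 1
    fi

    # umask 077 gives the directory mode 700 and the file mode 600, as in the article.
    (umask 077; mkdir -p "$sshdir") || return 1
    chmod 700 "$sshdir"

    # Append only if this exact key line is not already there.
    if [ -f "$authfile" ] && grep -qxF "$(cat "$pubkey")" "$authfile"; then
        echo "key already present in $authfile"; return 0
    fi
    (umask 077; cat "$pubkey" >> "$authfile") || return 1
    chmod 600 "$authfile"
    echo "installed key into $authfile"
}

# sshd's StrictModes check rejects keys in group/other-accessible files;
# succeed only when .ssh and authorized_keys grant no group/other access.
check_perms() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ "$(ls -ld "$p" | cut -c5-10)" = "------" ] || return 1
    done
}

demo() {
    # Simulated home directory plus the FTP-uploaded id_rsa.pub.
    home="${TMPDIR:-/tmp}/sshdemo.$$"
    mkdir -p "$home" || return 1
    printf '%s\n' "$CONSTRUCTED_KEY" > "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub" || return 1
    install_authorized_key "$home" "$home/id_rsa.pub" || return 1   # second run: no duplicate
    check_perms "$home" || return 1
    n=$(grep -c '' "$home/.ssh/authorized_keys"); rm -rf "$home"
    [ "$n" -eq 1 ]
}
```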
After entering the passphrase the user will be logged on. They will not be prompted for their UNIX password as they passed the public key authentication. The user is now logged on to the HP-UX server from their client using SSH:
root 15578 25104 0 11:08:16 ? 0:00 sshd: cwong@0
cwong 15580 15578 0 11:08:28 pts/0 0:00 -sh
cwong - pts/0 Oct 25 11:08 . 15580 pcclient
Setting up the SSH connection from the PC client to the HP host is very important. For example, suppose SSH is set up only between multiple HP hosts (say as a replacement for the Berkeley services and/or to encrypt the sessions). If the user connects from a PC to the first HP-UX host, all future traffic generated by that user, even traffic between two HP-UX servers running SSH, will still travel in clear text between the PC and the first HP host.
Once the SSH connection has been established between the PC and the HP host, the user can use the authorization agent for additional SSH connections from HP-UX to HP-UX systems (giving single sign-on; see http://searchhp.techtarget.com/tip/1,289483,sid6_gci853582,00.html). Currently, Reflection does not offer its own key authorization agent. This will be available in the future. In the next issue we will examine Reflection/X.
Chris Wong is a technical consultant and trainer for Cerius Technology Group, Inc. in Bellevue, WA. She is the author of the HP Press book “HP-UX 11i Security”. http://newfdawg.com
© 2007 NEWFDAWG.COM All rights reserved.