HP World 2005 Securing your Unix environment with HP Secure Shell - PowerPoint PPT Presentation

Slides: 47
Provided by: ton78

Transcript and Presenter's Notes


1
HP World 2005 Securing your Unix environment with
HP Secure Shell
  • Steven E Protter
  • Senior Systems Administrator
  • I.S.N. Corporation

2
Secure Shell Presentation Outline 1
  • Presenter information
  • Qualifications and experience.
  • Warning ?!!
  • How he got here.
  • What is HP Secure Shell
  • Advantages
  • Challenges
  • Components

3
Secure Shell Presentation Outline 2
  • Where do I get HP Secure Shell
  • How do I install HP Secure Shell
  • Why should I use HP Secure Shell

4
Secure Shell Presentation Outline 3
  • Step by step for installation and exchange of
    public keys.
  • Downloading the software.
  • Installation.
  • Exchanging public keys.
  • Questions and (hopefully) answers

5
Getting Started
6
Qualifications and Experience 1
  • 10 years of systems administration work on HP-UX
    10.20, 11 and 11i v1
  • Actual Experience with a disaster involving major
    loss of data.
  • Five years of experience as a Linux administrator
  • HP-UX CSA (Can pass a multiple choice
    examination)
  • Two major Unix OS/Hardware conversions.

7
Qualifications and Experience 2
  • 14 ½ Years @ the Jewish United Fund
  • Experience as a programmer.
  • Systems Analyst
  • Software AG and Oracle DBA
  • HP-UX Administrator
  • Married 10 years to a Russian American
  • Recently moved to Israel

8
Warning! Try this at your shop!
  • I do not have complete knowledge on topic
  • Nobody can, it's too complex.
  • Have made this work in a mixed HP-UX/Linux
    environment.
  • Can only understand Russian accented English.
  • This is something you want to try at home.

9
How Steve Protter Got here
  • Found a call for presentations at
    http://forums.itrc.hp.com
  • Sent in two suggestions
  • Both were accepted
  • Flew from Tel Aviv to Newark, NJ
  • Drove from Connecticut to San Francisco
  • Made several consulting stops en route

10
What is HP Secure Shell?
  • Hewlett-Packard's port of OpenSSH
  • Open source product
  • More information @ http://www.openssh.org

11
More Information
12
Advantages of HP Secure Shell?
  • Hewlett-Packard's port of OpenSSH
  • Some bugs were fixed prior to HP release.
  • Released in depot format
  • Port ensures smooth operation with HP-UX
  • Replaces insecure products such as rsh and remsh
  • Session and passwords are encrypted

13
Challenges of HP Secure Shell?
  • Sometimes you have to wait for it.
  • The environment is slightly different than what
    it replaces.
  • You can not completely remove the old protocols
    and still do Ignite Imaging.
  • To be announced.

14
Secure Shell Components 1
  • ssh: Secure Shell
    • Replaces rsh, rexec, remsh, telnet
  • sftp: Secure file transfer protocol
    • Common command set with ftp
    • Knows the difference between binary and ASCII files
    • No mput
    • Scriptable

15
Secure Shell Components 2
  • scp: Secure copy
    • Replaces rcp
    • Can copy large file systems
    • Makes my life easier

16
How to get HP Secure Shell
  • Core OS: It is/may be an install option
  • Application CD: Released every 6 months
  • http://www.hp.com/go/software

17
http://www.hp.com/go/software
18
http://www.hp.com/go/software
19
How to get HP Secure Shell
20
How to get HP Secure Shell
21
How to get HP Secure Shell
22
How to get HP Secure Shell
23
How to get HP Secure Shell
  • Use sftp to copy it to HP-9000 server or use a
    web browser on the box for download.
  • Wed Jun 1 16:37:46 2005/home/secsh
  • 8460 ll
  • total 16420
  • -rw-r--r-- 1 root sys 8407040 Jun 1 23:48 T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot

24
Before you install
  • Read the installation instructions
  • Not because you don't know how to swinstall.
  • Because there may be patch recommendations and
    other helpful information.

25
Patches
  • 11i version 1 patches
  • PAM patch PHCO_30402
  • OS patch PHCO_26466
  • swlist -l product | grep PHCO_30402
  • swlist -l product | grep PHCO_26466
  • Why? It may still install but give trouble later.

26
How to install HP Secure Shell
  • swinstall -s /home/secsh/T1471AA_A.04.00.000_HP-UX_B.11.11_32+64.depot \

27
The command line is the Systems Administrator's best friend.
Steven E Protter, Senior Systems Administrator, ISN Corporation
28
Because someday it may be all you have.
Steven E Protter, Senior Systems Administrator, ISN Corporation
29
Situations with no GUI tools
  • Single User Mode (hpux -is)
  • LM mode (hpux -lm)

30
Public Key Exchange
  • Advantages
  • Ease of administration
  • More secure than typing passwords
  • You don't have to remember passwords
  • Works over multiple operating systems

31
Public Key Exchange
  • Challenges
  • You may someday boot the wrong system
  • If a root password is compromised on one system,
    root access is granted on all systems with public
    key exchange.

32
Public Key Exchange
  • Tricks (ways to stay out of trouble)
  • Change the prompt to include system name
  • Set terminal color in the environment profile

33
Public Key Exchange Change prompt
  • PS1
  • 8476 echo $PS1
  • Wed Jun 1 16:37:46 2005$PWD !
  • In /etc/profile
  • ENV/.kshrc

34
Public Key Exchange Change prompt
  • vi /.kshrc
  • PS1date -u c echo LOGNAME@hostname
    PWD
  • ! '

35
Public Key Exchange Change prompt
  • A prompt that lets you know where you are
  • Thu Jun 2 13:50:10 2005root@eilat /root/
  • 1158

36
Public Key Exchange Generate keys
  • ssh-keygen -t dsa
  • Press <ENTER> for the next 3 questions
  • This creates a directory called .ssh
  • cd .ssh

37
Public Key Exchange
  • ls -la
  • -rw------- 1 root sys 668 Jun 2 09:03 id_dsa
  • -rw-r----- 1 root sys 600 Jun 2 09:03 id_dsa.pub
  • cat id_dsa.pub (just taking a look)

38
Public Key Exchange Home directory permissions
  • 1168 env | grep HOME
  • HOME=/root/
  • Thu Jun 2 13:50:10 2005root@eilat /root/.ssh
  • 1169 chmod 755 $HOME
  • Thu Jun 2 13:50:10 2005root@eilat /root/.ssh

39
Public Key Exchange Host setup
  • ssh hpweb
  • The authenticity of host 'hpweb (192.168.0.70)'
    can't be established.
  • RSA key fingerprint is
    97:1d:cb:bf:b3:54:9f:54:12:8f:2f:3a:aa:b9:10:7c.
  • Are you sure you want to continue connecting
    (yes/no)?
  • yes <enter>
  • Warning: Permanently added 'hpweb,192.168.0.70'
    (RSA) to the list of known hosts.
  • Password:

40
Public Key Exchange Host setup
  • cd .ssh
  • scp -p eilat:$PWD/id_dsa.pub authorized_keys
  • <Generate a public key on second host>
  • cat id_dsa.pub >> authorized_keys
  • chmod 644 authorized_keys <optional depending on
    umask>
  • scp -p authorized_keys eilat:$PWD

41
Public Key Exchange Host setup
  • ls -la before and after
  • -rw-r----- 1 root sys 600 Jun 2 09:03 authorized_keys
  • -rw-r----- 1 root sys 2020 Nov 21 2004 id.dat
  • -rw------- 1 root sys 668 Apr 26 04:56 id_dsa
  • -rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub
  • -rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts
  • -rw------- 1 root sys 1024 Feb 13 2004 prng_seed
  • 8494 cat id_dsa.pub >> authorized_keys
  • Thu Jun 2 14:20:20 2005/root/.ssh
  • -rw-r----- 1 root sys 1200 Jun 2 09:21 authorized_keys
  • -rw-r----- 1 root sys 2020 Nov 21 2004 id.dat
  • -rw------- 1 root sys 668 Apr 26 04:56 id_dsa
  • -rw-r--r-- 1 root sys 600 Apr 26 04:56 id_dsa.pub
  • -rw-r--r-- 1 root sys 3339 May 8 00:34 known_hosts
  • -rw------- 1 root sys 1024 Feb 13 2004 prng_seed

42
Public Key Exchange Host setup
  • scp -p authorized_keys eilat:$PWD
  • You will be prompted for a password.
  • Try it again, you should not be prompted for a
    password.
  • DONE! ?

43
Public Key Exchange Summary
  • Permissions are crucial.
  • If prompted for a password when you think you
    should not be prompted, go back and check
    permissions
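
Added example (not part of the original slides): a portable sh function that checks the permissions this summary refers to. It assumes the usual OpenSSH rules: sshd with StrictModes ignores authorized_keys when the home directory, .ssh or the file itself is group/other writable, and the ssh client rejects a private key that group/other can access. Function names are illustrative and ownership is not checked.

```shell
#!/bin/sh
# Added example: audit the modes that matter for public key login.
# Parses `ls -ld` instead of stat(1) so it also runs on older Unix systems.

# Print the 10-character mode string, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# True if group (column 6) or other (column 9) has write permission
writable_by_others() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

# True if any group/other bit is set (columns 5-10)
open_to_others() {
    [ "$(mode_of "$1" | cut -c5-10)" != "------" ]
}

# check_ssh_perms HOME_DIR -> returns the number of problems found
check_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "FAIL $(mode_of "$p") $p: group/other writable"
            problems=$((problems + 1))
        fi
    done
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if open_to_others "$k"; then
            echo "FAIL $(mode_of "$k") $k: private key open to group/other"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK $home"
    return "$problems"
}

# Run against a directory given on the command line, e.g. sh check.sh /root
if [ $# -gt 0 ]; then check_ssh_perms "$1"; fi
```

Run it on both hosts after the key exchange; the modes shown on the slides (755 home directory, 644 or 640 authorized_keys, 600 id_dsa) pass.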

44
Questions (Hopefully) Answers
45
More Information
  • http://forums.itrc.hp.com
  • http://docs.hp.com
  • http://itrc.hp.com
  • http://www.hp.com/go/software

46
(No Transcript)