forked from openssh/openssh-portable
HPNSSHInstallation.txt
HPN-SSH Installation
The process of installing HPN-SSH from source is a relatively painless process
but does have some nuances. This document will go through the process step by
step to help you get the most from your installation. If you find any errors
please contact us at [email protected].
Step 1: Get the source code.
The official repository for HPN-SSH is found at
https://github.com/rapier1/hpn-ssh. Get a copy with
“git clone https://github.com/rapier1/hpn-ssh”.
Step 2: Install dependencies.
What you need to install depends on your distribution but will include:
* OpenSSL development package
  * Debian: libssl-dev
  * Fedora: openssl-devel
  * Alternatively you can use LibreSSL.
    * However, in this case we suggest compiling and installing LibreSSL manually, as
      there are few maintained Linux packages for LibreSSL.
    * Also, LibreSSL v3.5 and v3.6 do not support the threaded AES-CTR cipher.
      If that’s important to you then you should use OpenSSL.
* Z compression library
  * Debian: zlib1g-dev
  * Fedora: zlib-devel
* Autoconf
* Automake
Step 3: Install optional dependencies.
These optional libraries extend the functionality of HPN-SSH to allow the use of PAM
authentication, Kerberos, graphical password tools, etc.
* PAM
* Kerberos
* GTK
Step 4: Build the configure file
generate ./configure with “autoreconf -f -i”
Step 5: Configuration
Configure the installation. You can get detailed information on how to do this by
issuing “./configure --help”. However, commonly you will want to change the default installation
location of the binaries. This can be done with “--prefix=/[desired_path]”. For example,
if you want the binaries installed into /usr/bin as opposed to the default of
/usr/local/bin you’d use “./configure --prefix=/usr”. Other common options would be to
incorporate PAM, Kerberos, alternative SSL libraries, and so forth. However, for most users
either no additional configuration options or modifying the prefix will suffice.
Step 6: Make
Make the application with “make -j[num cores]”. So if you have an 8 core system
you’d use “make -j8”.
Step 7: Set up the hpnsshd user.
This user is part of the privilege separation routines used in the
pre-authentication sandbox. I suggest using the following command:
sudo useradd --system --shell /usr/sbin/nologin --comment="Privilege separated HPNSSH User" \
--home=/run/hpnsshd hpnsshd
Alternatively, you can use vipw to add the user manually.
Step 8: Installation
After HPN-SSH successfully builds, install it with “sudo make install”. This will install the
binaries, configuration files, and generate the unique host keys used. At this point you can
make changes to the ssh client and server default configuration. These files are
found, generally, in /etc/hpnssh/ssh_config and sshd_config respectively. You may want to
change the default port from 2222 to some other value. You may also want to enable the
NoneCipher and NoneMac options. For more information use “man hpnsshd_config” and
“man hpnssh_config”. Note: The hpnssh client expects the server to be on port 2222 but will
fall back to 22 if it’s not found there. So if you do change the default port you’ll need to
make sure the clients point at the correct port.
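The port and None-cipher choices above are easy to get out of sync between the server and client configuration files. The script below is an added example, not part of HPN-SSH: it reads the Port directive(s) from an sshd_config and the first Port from an ssh_config, reports whether the client will reach the server, and flags a server config that enables the None cipher, since with it the bulk data stream after authentication is not encrypted. The directive names NoneEnabled and NoneMacEnabled are assumed from the hpnsshd_config manual page and should be confirmed with “man hpnsshd_config” for your build.

```shell
#!/bin/sh
# hpn-config-check.sh: sanity-check an HPN-SSH server/client config pair after
# "make install". Added example; not part of the HPN-SSH project.
# Assumptions: sshd_config uses the OpenSSH "Port N" directive (several allowed)
# and the HPN-SSH None cipher is enabled with "NoneEnabled yes"
# (confirm the spelling with "man hpnsshd_config").

# Print the value(s) of a directive, ignoring comments, blank lines and case.
# Usage: directive_values FILE DIRECTIVE
directive_values() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2 }
    ' "$1"
}

# Ports the server will listen on; HPN-SSH defaults to 2222 when unset.
sshd_ports() {
    p=$(directive_values "$1" Port)
    printf '%s\n' "${p:-2222}"
}

# Port the client tries first; HPN-SSH defaults to 2222 (and falls back to 22).
client_port() {
    p=$(directive_values "$1" Port | head -n 1)
    printf '%s\n' "${p:-2222}"
}

# Exit 0 if the server config enables the None cipher (unencrypted bulk data).
none_cipher_enabled() {
    v=$(directive_values "$1" NoneEnabled | tail -n 1)
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "yes" ]
}

# Exit 0 when the client's port is one of the server's listen ports.
# Usage: ports_agree SSHD_CONFIG SSH_CONFIG
ports_agree() {
    cp=$(client_port "$2")
    for sp in $(sshd_ports "$1"); do
        [ "$sp" = "$cp" ] && return 0
    done
    return 1
}

# Human-readable report; returns 1 if the client cannot reach the server.
# Usage: check_configs SSHD_CONFIG SSH_CONFIG
check_configs() {
    rc=0
    echo "server listens on: $(sshd_ports "$1" | tr '\n' ' ')"
    echo "client tries port: $(client_port "$2")"
    if ! ports_agree "$1" "$2"; then
        echo "WARNING: client port is not one the server listens on"
        rc=1
    fi
    if none_cipher_enabled "$1"; then
        echo "NOTE: NoneEnabled yes - data after authentication is sent unencrypted"
    fi
    return $rc
}

# Usage: sh hpn-config-check.sh check /etc/hpnssh/sshd_config /etc/hpnssh/ssh_config
case "${1:-}" in
    check) shift; check_configs "$@" ;;
esac
```

Run it against both files after editing them; a non-zero exit means the client, as configured, will not connect to the port the server listens on.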
Step 9: Finishing up.
At this point you can start hpnsshd manually by running “sudo /usr/sbin/hpnsshd”
or whatever the full path to the hpnsshd binary might be. However, this won’t
restart automatically on reboot. To do this you’ll need to install an appropriate
systemd configuration file. If that seems like a good idea to you then following steps may be
of help. Otherwise, you are done. Enjoy!
Step 10: Installing a systemd startup file.
The correct systemd startup file depends on the distribution you are using. For systems
using systemd (you start a service with systemctl) create a file at /lib/systemd/system/hpnsshd.service
with the following contents. NB: you may need to update the paths to match your installation:
[Unit]
Description=HPN/OpenBSD Secure Shell server
Documentation=man:hpnsshd(8) man:hpnsshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/hpnssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/hpnssh
ExecStartPre=/usr/sbin/hpnsshd -t
ExecStart=/usr/sbin/hpnsshd -D $SSHD_OPTS
ExecReload=/usr/sbin/hpnsshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=hpnsshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=hpnsshd.service
Alternatively, the ./configure command will generate a hpnsshd.service file from
hpnsshd.service.in. You can use this file by copying it to
/lib/systemd/system/hpnsshd.service instead of copying the above text.
Then create the defaults file at /etc/default/hpnssh (the path the unit file reads via
EnvironmentFile) with the following content:
# Default settings for openssh-server.
# Options to pass to sshd
SSHD_OPTS=
Enter any runtime options you want on the SSHD_OPTS line. If you can’t think of any, simply
leave it blank. A sample /etc/default/hpnssh file may be found in defaults.hpnsshd.
You must then reload the systemd service to make it aware of this new service with
sudo systemctl daemon-reload
If you are using an init.d-based system (services are started with init scripts rather than
systemctl) then you need to install an init.d script. Create the file /etc/init.d/hpnssh and
copy the following into it. NB: The following is for where hpnsshd is found at
/usr/sbin/hpnsshd. If it is not in that location you’ll need to update the paths.
Alternatively, you may use the hpnsshd.init file created during configure. This will be
prepopulated with the correct paths by the configure script.
#! /bin/sh
### BEGIN INIT INFO
# Provides:          hpnsshd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server with HPN
### END INIT INFO

set -e

# /etc/init.d/hpnssh: start and stop the OpenBSD "secure shell(tm)" daemon

test -x /usr/sbin/hpnsshd || exit 0
( /usr/sbin/hpnsshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

umask 022

if test -f /etc/default/hpnssh; then
    . /etc/default/hpnssh
fi

. /lib/lsb/init-functions

if [ -n "$2" ]; then
    SSHD_OPTS="$SSHD_OPTS $2"
fi

# Are we running from init?
run_by_init() {
    ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
}

check_for_no_start() {
    # forget it if we're trying to start, and /etc/hpnssh/sshd_not_to_be_run exists
    if [ -e /etc/hpnssh/sshd_not_to_be_run ]; then
        if [ "$1" = log_end_msg ]; then
            log_end_msg 0 || true
        fi
        if ! run_by_init; then
            log_action_msg "HPN/OpenBSD Secure Shell server not in use (/etc/hpnssh/sshd_not_to_be_run)" || true
        fi
        exit 0
    fi
}

check_dev_null() {
    if [ ! -c /dev/null ]; then
        if [ "$1" = log_end_msg ]; then
            log_end_msg 1 || true
        fi
        if ! run_by_init; then
            log_action_msg "/dev/null is not a character device!" || true
        fi
        exit 1
    fi
}

check_privsep_dir() {
    # Create the PrivSep empty dir if necessary
    if [ ! -d /run/hpnsshd ]; then
        mkdir /run/hpnsshd
        chmod 0755 /run/hpnsshd
    fi
}

check_config() {
    if [ ! -e /etc/hpnssh/sshd_not_to_be_run ]; then
        # shellcheck disable=SC2086
        /usr/sbin/hpnsshd $SSHD_OPTS -t || exit 1
    fi
}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

case "$1" in
  start)
    check_privsep_dir
    check_for_no_start
    check_dev_null
    log_daemon_msg "Starting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
    # shellcheck disable=SC2086
    if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;
  stop)
    log_daemon_msg "Stopping HPN/OpenBSD Secure Shell server" "hpnsshd" || true
    if start-stop-daemon --stop --quiet --oknodo --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;

  reload|force-reload)
    check_for_no_start
    check_config
    log_daemon_msg "Reloading HPN/OpenBSD Secure Shell server's configuration" "hpnsshd" || true
    if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;

  restart)
    check_privsep_dir
    check_config
    log_daemon_msg "Restarting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd
    check_for_no_start log_end_msg
    check_dev_null log_end_msg
    # shellcheck disable=SC2086
    if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;

  try-restart)
    check_privsep_dir
    check_config
    log_daemon_msg "Restarting HPN/OpenBSD Secure Shell server" "hpnsshd" || true
    RET=0
    start-stop-daemon --stop --quiet --retry 30 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd || RET="$?"
    case $RET in
        0)
            # old daemon stopped
            check_for_no_start log_end_msg
            check_dev_null log_end_msg
            # shellcheck disable=SC2086
            if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/hpnsshd.pid --exec /usr/sbin/hpnsshd -- $SSHD_OPTS; then
                log_end_msg 0 || true
            else
                log_end_msg 1 || true
            fi
            ;;
        1)
            # daemon not running
            log_progress_msg "(not running)" || true
            log_end_msg 0 || true
            ;;
        *)
            # failed to stop
            log_progress_msg "(failed to stop)" || true
            log_end_msg 1 || true
            ;;
    esac
    ;;

  status)
    status_of_proc -p /run/hpnsshd.pid /usr/sbin/hpnsshd hpnsshd && exit 0 || exit $?
    ;;

  *)
    log_action_msg "Usage: /etc/init.d/hpnssh {start|stop|reload|force-reload|restart|try-restart|status}" || true
    exit 1
esac

exit 0
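Both the systemd unit and the init.d script above rely on a handful of things being in place: the daemon at the configured path, the hpnsshd privilege-separation user from Step 7, a runtime directory with mode 0755, a defaults file that contains nothing but an SSHD_OPTS assignment (both start methods source it as shell), and a config that passes “hpnsshd -t”. The preflight script below is an added example, not part of HPN-SSH; it checks each of those before you enable the service. Paths are taken from environment variables so a non-default --prefix can be checked; the defaults mirror the unit file, and the mode check assumes GNU or BusyBox “stat -c”.

```shell
#!/bin/sh
# hpn-preflight.sh: verify the assumptions baked into hpnsshd.service and the
# init.d script before enabling either. Added example; not HPN-SSH project code.
# Override the paths via the environment to match a non-default --prefix.

HPNSSHD=${HPNSSHD:-/usr/sbin/hpnsshd}
PRIVSEP_USER=${PRIVSEP_USER:-hpnsshd}
RUNTIME_DIR=${RUNTIME_DIR:-/run/hpnsshd}
DEFAULTS_FILE=${DEFAULTS_FILE:-/etc/default/hpnssh}

# Both start methods exec this path; it must exist and be executable.
daemon_is_executable() { [ -x "$1" ]; }

# The privilege-separation user from Step 7 must exist or sshd refuses to start.
privsep_user_exists() { getent passwd "$1" >/dev/null 2>&1; }

# RuntimeDirectory= / check_privsep_dir expect a 0755 directory, or none yet
# (the service manager creates it). Mode read with GNU/BusyBox "stat -c".
runtime_dir_ok() {
    [ ! -e "$1" ] && return 0
    [ -d "$1" ] && [ "$(stat -c %a "$1" 2>/dev/null)" = "755" ]
}

# The defaults file is sourced as shell by the init script and read as an
# EnvironmentFile by systemd, so it must contain only SSHD_OPTS=... lines
# (plus comments and blank lines). A missing file is fine.
defaults_file_ok() {
    [ -e "$1" ] || return 0
    ! grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -q -v -E '^SSHD_OPTS='
}

# The same test ExecStartPre=/usr/sbin/hpnsshd -t and check_config perform.
config_test_passes() {
    # shellcheck disable=SC2086
    "$1" $SSHD_OPTS -t
}

# Run every check, print one line per check, succeed only if all pass.
preflight() {
    if [ -e "$DEFAULTS_FILE" ] && defaults_file_ok "$DEFAULTS_FILE"; then
        . "$DEFAULTS_FILE"
    fi
    fails=0
    # Paths are assumed not to contain whitespace (word-split below).
    for check in \
        "daemon_is_executable $HPNSSHD" \
        "privsep_user_exists $PRIVSEP_USER" \
        "runtime_dir_ok $RUNTIME_DIR" \
        "defaults_file_ok $DEFAULTS_FILE" \
        "config_test_passes $HPNSSHD"; do
        if $check; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Usage: sudo sh hpn-preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it as root (the config test needs to read the host keys); a FAIL line names the check that the unit or init script would otherwise trip over at start time.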
Step 11: Working with SELinux.
If you are using SELinux you’ll need to run a few more commands in order to grant hpnssh the
necessary exceptions to open sockets, files, read keys, and so forth. Run the following commands
to allow this. Note, I’m not sure every single one of these is needed so if someone knows better
please let me know. Again, double check the paths of the files being updated.
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_dsa_key
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_rsa_key
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_ecdsa_key
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_ed25519_key
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_dsa_key.pub
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_rsa_key.pub
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_ecdsa_key.pub
semanage fcontext -a -f f -t sshd_key_t /etc/hpnssh/ssh_host_ed25519_key.pub
semanage fcontext -a -f f -t sshd_exec_t /usr/sbin/hpnsshd
semanage fcontext -a -f f -t sshd_keygen_exec_t /usr/libexec/hpnssh/hpnsshd-keygen
semanage fcontext -a -f f -t bin_t /usr/libexec/hpnssh/hpnsftp-server
semanage fcontext -a -f f -t ssh_exec_t /usr/bin/hpnssh
semanage fcontext -a -f f -t ssh_agent_exec_t /usr/bin/hpnssh-agent
semanage fcontext -a -f f -t ssh_keygen_exec_t /usr/bin/hpnssh-keygen
semanage fcontext -a -f f -t etc_t /etc/pam.d/hpnsshd
semanage port -a -t ssh_port_t -p tcp 2222
restorecon /usr/sbin/hpnsshd
restorecon /etc/hpnssh/ssh*_key
restorecon /etc/hpnssh/ssh*_key.pub
restorecon /usr/libexec/hpnssh/hpnsshd-keygen
restorecon /usr/libexec/hpnssh/hpnsftp-server
restorecon /usr/bin/hpnssh
restorecon /usr/bin/hpnssh-agent
restorecon /usr/bin/hpnssh-keygen
restorecon /etc/pam.d/hpnsshd
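After running the semanage and restorecon commands it is worth confirming that every file actually ended up with the intended type, since a typo in a path silently leaves the old label in place and hpnsshd then fails with an AVC denial at start. The script below is an added example, not part of HPN-SSH: it carries the path-to-type table from the commands above and compares it against “ls -Z” output (one “context path” pair per line, as coreutils prints it without -l), reporting each mismatch or missing file.

```shell
#!/bin/sh
# hpn-selinux-verify.sh: check that the SELinux labels applied in the step above
# are really on the files. Added example; not HPN-SSH project code.
# Reads "ls -Z" style lines ("context path") on stdin.

# Expected "path type" pairs, taken from the semanage fcontext commands above.
expected_labels() {
    cat <<'EOF'
/etc/hpnssh/ssh_host_dsa_key sshd_key_t
/etc/hpnssh/ssh_host_rsa_key sshd_key_t
/etc/hpnssh/ssh_host_ecdsa_key sshd_key_t
/etc/hpnssh/ssh_host_ed25519_key sshd_key_t
/etc/hpnssh/ssh_host_dsa_key.pub sshd_key_t
/etc/hpnssh/ssh_host_rsa_key.pub sshd_key_t
/etc/hpnssh/ssh_host_ecdsa_key.pub sshd_key_t
/etc/hpnssh/ssh_host_ed25519_key.pub sshd_key_t
/usr/sbin/hpnsshd sshd_exec_t
/usr/libexec/hpnssh/hpnsshd-keygen sshd_keygen_exec_t
/usr/libexec/hpnssh/hpnsftp-server bin_t
/usr/bin/hpnssh ssh_exec_t
/usr/bin/hpnssh-agent ssh_agent_exec_t
/usr/bin/hpnssh-keygen ssh_keygen_exec_t
/etc/pam.d/hpnsshd etc_t
EOF
}

# Type field of a security context: system_u:object_r:sshd_key_t:s0 -> sshd_key_t
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Turn "context path" lines (ls -Z) on stdin into "path type" lines.
observed_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$path" "$(context_type "$ctx")"
    done
}

# Compare observed labels (stdin, ls -Z format) with the expected table.
# Prints one line per problem; exit status 0 only when everything matches.
verify_labels() {
    obs=$(observed_labels)
    bad=0
    for path in $(expected_labels | cut -d' ' -f1); do
        want=$(expected_labels | awk -v p="$path" '$1 == p { print $2 }')
        got=$(printf '%s\n' "$obs" | awk -v p="$path" '$1 == p { print $2 }')
        if [ -z "$got" ]; then
            echo "MISSING  $path (expected $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $path is $got, expected $want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: ls -Z /etc/hpnssh/ssh_host_* /usr/sbin/hpnsshd /usr/libexec/hpnssh/* \
#              /usr/bin/hpnssh* /etc/pam.d/hpnsshd | sh hpn-selinux-verify.sh verify
case "${1:-}" in
    verify) verify_labels ;;
esac
```

A MISSING line usually means the path differs from the one in the semanage command (a different --prefix, for instance); a MISMATCH means restorecon was not run on that file or the fcontext rule did not take.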