NCSA OpenSSH RPM Installation Guide
This document is for installing the OpenSSH RPM on RedHat Linux machines in
the NCSA environment. If you want to use the client binaries installed in
AFS, refer to the
OpenSSH Install Guide.
The commands shown below will need to be executed as
"root". If there are any questions or problems with this document, or
an installation, then please contact
ssh@ncsa.uiuc.edu.
The RedHat Linux OpenSSH RPMs are located in:
/afs/ncsa/packages/openssh/rpms
You will want to install the following RPMs from that directory:
openssh
openssh-clients
openssh-server
There is also a source RPM in the directory if you want to build from source.
If you already have OpenSSH RPMs installed, you may be able to just
update them with the versions above. However, if you have the openssh-askpass
or openssh-askpass-gnome RPMs installed, they will need to be removed before
you update.
Creating ssh user (for privsep)
The most recent versions of OpenSSH enable a feature called
privilege separation. Privilege separation, or privsep, is a method in
OpenSSH by which operations that require root privilege are performed
by a separate privileged monitor process. Its purpose is to prevent
privilege escalation by containing corruption to an unprivileged process.
For this to work, an sshd user and group need to be created. Here are the
steps:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
Privilege separation does not work on HP-UX systems with a trusted system
configuration.
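The shell functions below are an added example, not part of the original NCSA guide: they audit the result of the steps above by checking that the privsep directory is empty, root-owned and not group- or world-writable, and that the sshd account matches the useradd line. The function names, the optional arguments, the --audit switch and the acceptance of /sbin/nologin as a shell are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NCSA's script): audit the privsep prerequisites.
# Function names and optional arguments are this example's own.

# check_privsep_dir DIR [EXPECTED_UID]: DIR must be an empty directory owned
# by EXPECTED_UID (default 0, root) with no group/other write bit.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    uid=$(stat -c %u "$dir")     # GNU stat, as shipped on RedHat Linux
    mode=$(stat -c %a "$dir")    # octal permissions, e.g. 755
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid"; return 1; }
    # A group/other write bit would let another account plant files here.
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL: $dir mode $mode is writable by group/other"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "FAIL: $dir is not empty"; return 1; }
    echo "OK: $dir"
}

# check_privsep_user [PASSWD_FILE]: an "sshd" entry must exist, must not be
# uid 0, and must have /var/empty as home and a non-login shell.
check_privsep_user() {
    passwd=${1:-/etc/passwd}
    entry=$(grep '^sshd:' "$passwd") || { echo "FAIL: no sshd user in $passwd"; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    [ "$uid" != 0 ] || { echo "FAIL: sshd has uid 0"; return 1; }
    [ "$home" = /var/empty ] || { echo "FAIL: sshd home is $home"; return 1; }
    case $shell in
        /bin/false|/sbin/nologin) ;;   # /sbin/nologin accepted as an assumption
        *) echo "FAIL: sshd shell is $shell"; return 1 ;;
    esac
    echo "OK: sshd user"
}

# On an installed host, as root: sh privsep_check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_privsep_dir /var/empty && check_privsep_user
fi
```

The optional arguments exist so the checks can be run against a staging directory or a copy of the passwd file before touching a live host.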
SSH Kerberos PAM configuration
To configure PAM to do Kerberos password authentication, refer to the
Kerberos PAM Configuration web page.