Openssh; Why Use Openssh; Configuring An Openssh Server - Red Hat ENTERPRISE LINUX 4 System Administration Manual


Chapter 20.

OpenSSH

OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces
telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH
supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default
protocol is version 2, which uses RSA keys as the default.

20.1. Why Use OpenSSH?

If you use OpenSSH tools, you are enhancing the security of your machine. All communications using
OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plain text passwords and
send all information unencrypted. The information can be intercepted, the passwords can be retrieved,
and your system could be compromised by an unauthorized person logging in to your system using
one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to
avoid these security problems.

Another reason to use OpenSSH is that it automatically forwards the DISPLAY variable to the client
machine. In other words, if you are running the X Window System on your local machine, and you log
in to a remote machine using the ssh command, when you run a program on the remote machine that
requires X, it will be displayed on your local machine. This feature is convenient if you prefer graphical
system administration tools but do not always have physical access to your server.

20.2. Configuring an OpenSSH Server

To run an OpenSSH server, you must first make sure that you have the proper RPM packages
installed. The openssh-server package is required and depends on the openssh package.

The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. The default
configuration file should be sufficient for most purposes. If you want to configure the daemon in ways
not provided by the default sshd_config, read the sshd man page for a list of the keywords that can
be defined in the configuration file.

To start the OpenSSH service, use the command /sbin/service sshd start. To stop the
OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start
automatically at boot time, refer to Chapter 19, Controlling Access to Services for information on how
to manage services.

If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had
connected to the system with any of the OpenSSH tools before the reinstall will see the following
message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

If you want to keep the host keys generated for the system, back up the /etc/ssh/ssh_host*key*
files and restore them after the reinstall. This process retains the system's identity, and when clients
try to connect to the system after the reinstall, they will not receive the warning message.
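
The backup-and-restore step above as a shell sketch. This is an added example, not part of the Red Hat manual: the function names and the archive path are hypothetical, and it goes one step further than the text by checking that the restored keys are byte-identical to the backup.

```shell
#!/bin/sh
# Added example: keep SSH host keys across a reinstall.
# /etc/ssh comes from the page; function names and archive path are assumptions.
# Usage (as root): backup_host_keys /etc/ssh /root/hostkeys.tar
#                  restore_host_keys /root/hostkeys.tar /etc/ssh

# Archive every ssh_host*key* file. ARCHIVE must be an absolute path.
backup_host_keys() {
    key_dir=$1; archive=$2
    set -- "$key_dir"/ssh_host*key*
    [ -e "$1" ] || { echo "no host keys in $key_dir" >&2; return 1; }
    # umask 077: the archive holds private keys, so only its owner may read it
    ( umask 077 && cd "$key_dir" && tar -cpf "$archive" ssh_host*key* )
}

# Unpack the archive over the freshly generated keys and reset permissions.
restore_host_keys() {
    archive=$1; key_dir=$2
    tar -xpf "$archive" -C "$key_dir" || return 1
    for f in "$key_dir"/ssh_host*key*; do
        case $f in
            *.pub) chmod 644 "$f" ;;   # public half may be world-readable
            *)     chmod 600 "$f" ;;   # private half: owner only
        esac
    done
}

# Return 0 only if every archived key is byte-identical to the one in KEY_DIR.
verify_host_keys() {
    archive=$1; key_dir=$2; rc=0
    tmp=$(mktemp -d) || return 1
    tar -xpf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    for f in "$tmp"/ssh_host*key*; do
        name=$(basename "$f")
        cmp -s "$f" "$key_dir/$name" || { echo "MISMATCH: $name" >&2; rc=1; }
    done
    rm -rf "$tmp"
    return "$rc"
}
```

Run verify_host_keys after the restore and before restarting sshd; a mismatch means clients will still see the warning shown above.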