Configuring the OpenSSH server on Solaris
How to configure the OpenSSH server on a Solaris machine.
About this task
To configure the OpenSSH server, follow these steps on each Tivoli® Netcool® Performance Manager system where SFTP is to be used:
Procedure
-
Log in to the system as
root
. -
Change your working directory to the location where the OpenSSH server was installed by using
the following command:
# cd /etc/ssh
By default, the location of OpenSSH files is in
/etc/ssh
. -
Check if OpenSSH is installed by using the following command.
For example,
# pkg mediator -a ssh MEDIATOR VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION ssh vendor vendor sunssh ssh system system openssh
From the command output, OpenSSH and SunSSH are installed. - Optional:
Install OpenSSH if it's not present in your system by using the following command.
# pkg install -r openssh
- Run step 2 to verify that the OpenSSH has been successfully installed.
-
Set the mediator to OpenSSH to provide a secure encryption for both remote login and file
transfer by using the following command.
# pkg set-mediator -I openssh ssh Packages to change: 3 Mediators to change: 1 Services to change: 1 Create boot environment: No Create backup boot environment: Yes PHASE ITEMS Removing old actions 40/40 Updating modified actions 25/25 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 1/1
-
Verify that the OpenSSH is set by using the following command.
# pkg mediator ssh MEDIATOR VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION ssh system local openssh
-
Check the version of the OpenSSH by using the following command.
For example,
# ssh -V OpenSSH_7.1p1, OpenSSL 1.0.1s 1 Mar 2016
-
Open the
sshd_config
file from /etc/ssh folder in editor mode. -
Add the following parameter:
AuthorizedKeysFile .ssh/authorized_keys
Note: Use tab between parameter and value when you're adding the parameter in thesshd_config
file.For example,#*************************************************************************** # Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved. # Configuration file for sshd(1m) (see also sshd_config(4)) # # This file is used for the SunSSH and the OpenSSH versions of the sshd(1m) # daemon. Commented out entries should match the defaults of the running # sshd(1m) daemon. See the sshd(1m) man page for the defaults. Uncomment # entries that override the defaults. # # Listen port (the IANA registered port number for ssh is 22) #Port 22 # The default listen address is all interfaces, this may need to be changed # if you wish to restrict the interfaces sshd listens on for a multi homed host. # Multiple ListenAddress entries are allowed. # IPv4 only #ListenAddress 0.0.0.0 # SunSSH: IPv4 & IPv6, OpenSSH: IPv6 only! #ListenAddress :: # If port forwarding is enabled (default), specify if the server can bind to # INADDR_ANY. # This allows the local port forwarding to work when connections are received # from any remote host. #GatewayPorts no # X11 tunneling options #X11DisplayOffset 10 #X11UseLocalhost yes X11Forwarding yes # The maximum number of concurrent unauthenticated connections to sshd. # start:rate:full see sshd(1) for more information. #MaxStartups 10:30:100 # Banner to be printed before authentication starts. Banner /etc/issue # Should sshd print the /etc/motd file and check for mail. # On Solaris it is assumed that the login shell will do these (eg /etc/profile). PrintMotd no # KeepAlive specifies whether keep alive messages are sent to the client. # See sshd(1) for detailed description of what this means. # Note that the client may also be sending keep alive messages to the server. #KeepAlive yes # Syslog facility and level SyslogFacility auth LogLevel debug3 # # Authentication configuration # # Host private key files # Must be on a local disk and readable only by the root user (root:sys 600). HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key # sshd regenerates the key every KeyRegenerationInterval seconds. # The key is never stored anywhere except the memory of sshd. # The default is 1 hour (3600 seconds). #KeyRegenerationInterval 3600 # Ensure secure permissions on users .ssh directory. #StrictModes yes # Length of time in seconds before a client that hasn't completed # authentication is disconnected. # Default is 600 seconds. 0 means no time limit. #LoginGraceTime 120 # Maximum number of retries for authentication # Default is 6. #MaxAuthTries 6 # Are logins to accounts with empty passwords allowed. # If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK # to pam_authenticate(3PAM). #PermitEmptyPasswords no # To disable tunneled clear text passwords, change PasswordAuthentication to no. #PasswordAuthentication yes # Are root logins permitted using sshd. # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user # maybe denied access by a PAM module regardless of this setting. # Valid options are yes, without-password, no. PermitRootLogin yes # sftp subsystem Subsystem sftp internal-sftp # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. #IgnoreUserKnownHosts yes AuthorizedKeysFile .ssh/authorized_keys
-
Restart the ssh service by using the following command.
# svcadm restart ssh
-
Check the status of ssh by using the following command.
For example,
# svcs -xv ssh State: online since Fri May 11 00:56:37 2018 See: man -M /usr/share/man -s 1M sshd See: /var/svc/log/network-ssh:default.log Impact: None.
Note: If the state is in maintenance mode, check the log file referenced in the output for any error. If you log out when ssh is in maintenance mode, you may not be able to connect and will require IT technical-support to fix this issue.