SSH Configuration
(openssh)


1/23/2006
Eric Low

SSH is the standard for secure remote access, replacing things such as telnet, rlogin and ftp. OpenSSH 3.6p1 is installed with NW65 (although the NetWare OpenSSH Administration Guide says it's 3.7p1), and can be configured by browsing to https://server.ip:2200/sshdadmin. Apparently NetWare (Apache) uses LDAP to authenticate you to this page.

If you log in and go to Server Preferences, it will show you the status of the sshd server (sshd.nlm). It is most likely not loaded by default. It will also show you the Configuration Storage Mode, which I am leaving at "File," since I am only managing SSH on this one server. The other option is "eDirectory," which sets the configuration for several servers at once.

Unfortunately, it looks as though key-based ("certificate") authentication cannot actually be used! As David Bank commented in a section of the Admin Guide:

Comment: The "Authentication" section fails to make clear that password-based authentication is the ONLY option for connecting to the NetWare server.

Personally, I spent 3 weeks trying to engineer a certificate-based login TO the NetWare server before someone in NTS was able to contact a developer who stated that it was not possible. While the documentation states that authentication is done using "LDAP", the ramifications of that are not clearly stated on the "Differences" page.

Additionally, the documentation of the sshd_config file should clearly state that AuthorizedKeyFile, PubKeyAuthentication and RSAAuthentication options have no effect on the NetWare server implementation of the SSH daemon. Again, their presence/mention without such a statement could easily lead someone to think they are supported.

To back that up, if you click on the Authentication option in the left-hand menu and then look at the help screen, it says the following:

Password Authentication uses a username and password to verify a user's identity. This is currently the only way to authenticate to a NetWare® server with OpenSSH. Even if you do not select Yes to enable Password Authentication, Password Authentication will be used for NetWare servers.

Here is an excellent document explaining why. Still, talk about insecure! I have never, ever used SSH before without certificates. Damn you, Netware!

The first thing I did was change the options, essentially to match the typical SSH settings on our Linux servers.

I did this by editing SYS:\etc\ssh\sshd_config directly rather than using the confusing web interface. Here is what my configuration looks like, with the lines that I changed in bold:

Port 45
Protocol 2
ListenAddress 0.0.0.0

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel INFO
LogPath sys:/etc/ssh/logs
LogMaxRotateFiles 7
LogMaxFileSize 4
LogRotationInterval 24
# Authentication:
LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Change to yes if you don't trust /etc/ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
ClientAliveInterval 10
ClientAliveCountMax 6
KeepAlive yes
Compression yes
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp SYS:/SYSTEM/sftp-svr.nlm
#eDir (Novell Directory Services) specific options
eDirNameContext o=datastat

# SOURCE OBJECT: cn=S3,cn=NetWare Servers,cn=OpenSSH Servers,o=datastat
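Because the NetWare sshd silently ignores RSAAuthentication, PubkeyAuthentication and AuthorizedKeysFile, a config like the one above reads as if key authentication were enabled when only passwords are accepted. The following audit script is an added example (not from the page or from Novell) that parses an sshd_config, reports the authentication methods that will actually be offered, and flags directives that are inert on NetWare; the sample config it embeds is constructed from the active lines above, and the 120-second LoginGraceTime threshold is the modern OpenSSH default.

```python
import re

# Directives the page says have no effect on the NetWare sshd (tuple keeps output order stable).
INERT_ON_NETWARE = ("rsaauthentication", "pubkeyauthentication", "authorizedkeysfile")

# Constructed sample: the authentication-related active lines from the config above.
SAMPLE_CONFIG = """\
Protocol 2
LoginGraceTime 600
#PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value; like sshd, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def effective_auth_methods(settings, netware=True):
    """Methods the daemon will really offer: NetWare forces password-only (per the page)."""
    if netware:
        return ["password"]
    return [method for key, method in (("pubkeyauthentication", "publickey"),
                                       ("passwordauthentication", "password"))
            if settings.get(key, "yes").lower() == "yes"]

def audit(settings, netware=True):
    """Return a list of findings a defender would want flagged for this config."""
    findings = []
    if settings.get("protocol", "2,1") != "2":
        findings.append("protocol: SSH-1 is still enabled")
    if netware:
        for key in INERT_ON_NETWARE:
            if key in settings:
                findings.append(f"{key}: set but ignored by the NetWare sshd")
        if settings.get("passwordauthentication", "yes").lower() == "no":
            findings.append("passwordauthentication no: ignored, NetWare still uses passwords")
    if int(settings.get("logingracetime", "120")) > 120:  # threshold: modern OpenSSH default
        findings.append("logingracetime: unauthenticated connections may linger beyond 120s")
    return findings
```

Run it with `netware=False` to see how the same file would behave on an ordinary OpenSSH build, where public-key authentication really would be offered.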


Now, under Server Status, I clicked on Start Server. I tried opening up PuTTY and connecting with a plain old user account, but could not authenticate. Perhaps the user was not in LDAP? I tried again with the admin account, and login worked just fine: I could see the console screen! I still cannot figure out how to determine which users can SSH into the console screen (I can only SSH in with the admin account, even though some of the other accounts can still access the console screen through NoRM!).

There are a number of hotkeys that can be sent in your SSH session to accomplish various tasks, such as ctrl-F to switch console screens. The Admin guide details these.


In the end, I decided to leave SSH disabled (by not putting sshd in the autoexec.ncf). It's really easy to get to the console screens through NoRM anyhow, through a normal web browser, and unless I can find a way to map drives through SCP, I see no real advantage to running SSH on Netware.