Chapter 20. OpenSSH

OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default.

20.1. Why Use OpenSSH?

If you use OpenSSH tools, you are enhancing the security of your machine. All communications using OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plain text passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and your system could be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.

Another reason to use OpenSSH is that it automatically forwards the DISPLAY variable to the client machine. In other words, if you are running the X Window System on your local machine, and you log in to a remote machine using the ssh command, when you run a program on the remote machine that requires X, it will be displayed on your local machine. This feature is convenient if you prefer graphical system administration tools but do not always have physical access to your server.

20.2. Configuring an OpenSSH Server

To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The openssh-server package is required and depends on the openssh package.

The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.

To start the OpenSSH service, use the command /sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to Chapter 19, Controlling Access to Services for information on how to manage services.

If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.

If you want to keep the host keys generated for the system, back up the /etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
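The backup-and-restore step above, written out as a small POSIX shell script. This is an added example and not part of the Red Hat guide or of OpenSSH itself; the function names are this example's own, the directory is passed as a parameter so the functions can be exercised on a scratch directory as well as on the real /etc/ssh, and the key files that demo_roundtrip writes are constructed placeholders, not real keys. The cksum manifest only confirms that the restored files are byte-for-byte the ones that were saved (it guards against a missed file or a truncated copy, not against tampering with the backup medium).

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: keep a system's SSH host
# identity across a reinstall by saving /etc/ssh/ssh_host*key* beforehand
# and putting the files back afterwards. Function names are this example's
# own; the directory is a parameter so the functions can be exercised on a
# scratch directory as well as on the real /etc/ssh.

# backup_host_keys SSH_DIR BACKUP_DIR
#   Copy every ssh_host*key* file (private and public halves) with its mode
#   preserved, and record a checksum manifest for later verification.
backup_host_keys() {
    ssh_dir=$1; backup_dir=$2
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir"   # holds private keys
    found=0
    for f in "$ssh_dir"/ssh_host*key*; do
        [ -e "$f" ] || continue                           # unmatched glob
        cp -p "$f" "$backup_dir"/ && found=1
    done
    [ "$found" -eq 1 ] || { echo "no host keys in $ssh_dir" >&2; return 1; }
    (cd "$backup_dir" && cksum ssh_host*key*) > "$backup_dir/MANIFEST"
}

# verify_host_keys MANIFEST SSH_DIR
#   Succeed only if the host key files in SSH_DIR match the manifest exactly
#   (same set of files, same contents). cksum is a POSIX utility, so this
#   can run on the freshly reinstalled system before sshd is started.
verify_host_keys() {
    manifest=$1; ssh_dir=$2
    [ -f "$manifest" ] || return 1
    current=$(cd "$ssh_dir" && cksum ssh_host*key* 2>/dev/null)
    [ "$current" = "$(cat "$manifest")" ]
}

# restore_host_keys BACKUP_DIR SSH_DIR
#   Put the saved keys back over the ones the reinstall generated, then
#   check the result against the manifest.
restore_host_keys() {
    backup_dir=$1; ssh_dir=$2
    [ -f "$backup_dir/MANIFEST" ] || { echo "no manifest in $backup_dir" >&2; return 1; }
    for f in "$backup_dir"/ssh_host*key*; do
        cp -p "$f" "$ssh_dir"/ || return 1
    done
    verify_host_keys "$backup_dir/MANIFEST" "$ssh_dir"
}

# demo_roundtrip
#   Exercise the three functions on scratch directories. The key files it
#   writes are constructed placeholders, not real keys.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    before=$work/etc-ssh-before; after=$work/etc-ssh-after; bak=$work/hostkey-backup
    mkdir -p "$before" "$after"
    printf 'PLACEHOLDER PRIVATE KEY (rsa, before reinstall)\n' > "$before/ssh_host_rsa_key"
    printf 'ssh-rsa PLACEHOLDERPUB before\n' > "$before/ssh_host_rsa_key.pub"
    printf 'PLACEHOLDER PRIVATE KEY (dsa, before reinstall)\n' > "$before/ssh_host_dsa_key"
    printf 'ssh-dss PLACEHOLDERPUB before\n' > "$before/ssh_host_dsa_key.pub"
    chmod 600 "$before"/ssh_host_*_key
    backup_host_keys "$before" "$bak" || return 1

    # The reinstalled system generates fresh keys under the same names ...
    printf 'PLACEHOLDER PRIVATE KEY (rsa, after reinstall)\n' > "$after/ssh_host_rsa_key"
    printf 'ssh-rsa PLACEHOLDERPUB after\n' > "$after/ssh_host_rsa_key.pub"
    # ... which clients would see as a changed host identity; they fail the
    # manifest check ...
    if verify_host_keys "$bak/MANIFEST" "$after"; then return 1; fi
    # ... until the backup is restored over them.
    restore_host_keys "$bak" "$after" || return 1
    # The private key keeps its 0600 mode through the cp -p round trip.
    [ "$(ls -l "$after/ssh_host_rsa_key" | cut -c1-10)" = "-rw-------" ] || return 1
    rm -rf "$work"
}
```

On the real system, run backup_host_keys /etc/ssh /some/offline/backup as root before the reinstall, keep the backup directory off the disk that is about to be wiped, and run restore_host_keys /some/offline/backup /etc/ssh afterwards, before sshd is started with /sbin/service sshd start. The backup directory is created mode 700 because it holds the private host keys.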