SharePlex uses the SSH® Secure ShellTM utility to provide encryption for network services such as secure remote login and other services over an insecure network. Using SSH with SharePlex requires the use of local port forwarding (also known as tunneling) within the SSH configuration.
Configuring SharePlex to use the SSH tunnel. This solution covers: a brief quick-start guide, setting up and installing the sshd and ssh packages, establishing the SSH tunnel between source and target, and configuring SharePlex to use that tunnel.
Here is a brief procedure for establishing the tunnel:
===========================================
On the Target Machine
OS
As root or another OS user with appropriate permissions:
% sshd &
This sets up the sshd daemon process on the target.
On the Source Machine
OS
As root or another OS user with appropriate permissions:
% sshd &
This sets up the sshd daemon process on the source.
On source run the below ssh command to target machine
% ssh -L 2100:<target machine>:2100 <target machine>
This may prompt you for the root password on the target. Always leave this connection/window open.
The SSH tunnel on port 2100 is now established between source and target.
NOTE: IMPORTANT: keep this shell window open; if this shell disconnects, the tunnel is no longer established.
This tells the OS that all TCP/IP traffic to this port is to be encrypted using SSH. This is called tunneling or port forwarding. Export connects to the local host, where SSH picks up the traffic and delivers it to Import on the target.
SharePlex (on source)
sp_ctrl> set param SP_XPT_USE_LOCALHOST 1
On the target, restart sp_cop after the tunnel is established.
Export now connects through the SSH tunnel between source and target.
=======================================================
Here is the detailed procedure for setting up the SSH tunnel from the ground up:
=======================================================
Refer to www.sunfreeware.com for ssh/sshd installation:
Step Zero: Getting the random patches for Solaris 8
You CANNOT skip this step. This version of openssh requires that the /dev/random patches be installed. If you are running a system where the server cannot be rebooted to apply the patch, it is possible to do this without rebooting.
To obtain the patches, go to
SunSolve Patch Access <http://sunsolve.Sun.COM/pub-cgi/show.pl?target=patches/patch-access>
To find the SPARC/Solaris 8 patch 112438-01, type 112438-01 into the Enter a PatchID search window and click the Find Patch button. This will take you to the page where the patch is described and where the patch download links are. Download the patch and install it as indicated in the instructions. You will probably need to reboot your system to have the patch applied. Rebooting requires boot -r to create the new devices.
For the Intel/Solaris 8 patch look for 112439-01 instead and follow the same instructions. There are many posts in newsgroups on the net about these patches. Go to Google Groups <http://groups.google.com> and search for patch 112438-01 or 112439-01 and you will find a number of discussions that may be of help.
Step One: Getting the packages
To install the version of openssh from sunfreeware.com, go to the main page and select the files for SPARC/Solaris 8 at the right.
Or, here are the files you need to download for SPARC:
openssh-3.8p1-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html>
openssl-0.9.7d-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html>
tcp_wrappers-7.6-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html>(optional, but recommended)
(unless you are using IPV6 - see the tcp_wrappers listing for details on this issue)
zlib-1.2.1-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html>
libgcc-3.3-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html>
perl-5.8.3-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html> (optional)
prngd-0.9.25-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html> (optional)
egd-0.8-sol8-sparc-local.gz <http://www.sunfreeware.com/programlistsparc8.html> (optional)
Step Two: Installing the packages
With the files downloaded, go to the directory where you put them and run (with the Intel files replacing the SPARC files for the Intel packages):
# gunzip openssh-3.8p1-sol8-sparc-local.gz
# gunzip openssl-0.9.7d-sol8-sparc-local.gz
# gunzip zlib-1.2.1-sol8-sparc-local.gz
# gunzip libgcc-3.3-sol8-sparc-local.gz (if you don't already have gcc 3.3.2 installed)
# gunzip tcp_wrappers-7.6-sol8-sparc-local.gz (again optional)
and optionally for the other packages. Then run as root
# pkgadd -d openssh-3.8p1-sol8-sparc-local
# pkgadd -d openssl-0.9.7d-sol8-sparc-local
# pkgadd -d prngd-0.9.25-sol8-sparc-local
# pkgadd -d zlib-1.2.1-sol8-sparc-local
# pkgadd -d libgcc-3.3-sol8-sparc-local (if you don't already have gcc 3.3.2 installed)
# pkgadd -d tcp_wrappers-7.6-sol8-sparc-local (optional)
Once you have installed the packages above, you will have files in various subdirectories of /usr/local. The default location for the ssl files is in /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib and /usr/local/ssl/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this. You should now find ssh in /usr/local/bin and sshd in /usr/local/sbin. Make sure you have /usr/local/bin and /usr/local/sbin in your PATH environment variable. The perl scripts in the optional egd package (with .pl extensions) will look for perl in /usr/local/bin. If you are using the Sun perl, then the Perl programs will need to have /usr/bin at the beginning, while the sunfreeware Perl goes in /usr/local/bin.
Step Three: Setting up the sshd user and the /var/empty directory
In openssh 3.8p1, a new security method is set up called privilege separation. The details can be found in the <README.privsep> file in the openssh source distribution. This method is now the default in openssh. Before doing anything else, you should read the above document and, if you agree, implement these steps as root:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.
Step Four: Setting up tcp_wrappers
The next step is to set up tcp_wrappers. First read the <README.tcpwrappers> so that you know what tcp_wrappers does and how. Basically, tcp_wrappers restricts access to your communication ports, such as port 22 used by sshd, to a limited group of machines. If you have tcp_wrappers running already, you only need to make sure that the sshd daemon entry is placed in /etc/hosts.allow and /etc/hosts.deny in a way that is appropriate to your setup. If you are not currently running tcp_wrappers, first create the file /etc/hosts.deny and put the single line
sshd: ALL
in it. Then, create the file /etc/hosts.allow file and put a line, for example, like
sshd: ... a list of the IP numbers of machine you want to be able to communicate with your machine separated by commas ...
in the file. We will test these entries later.
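To see why the hosts.deny line matters, here is a small model of the tcp_wrappers decision order for the sshd entries above, added as an illustration (it is not the tcp_wrappers code). It writes constructed rule files to a temp directory rather than /etc, and models only plain addresses and ALL, not netmasks, hostnames or EXCEPT.

```shell
#!/bin/sh
# Model of tcp_wrappers' access decision for sshd (added illustration, not the
# tcp_wrappers code). The real library checks hosts.allow first, then hosts.deny,
# and ALLOWS a client that matches neither, so without "sshd: ALL" in hosts.deny
# every host not listed in hosts.allow still gets in.
WRAP_DIR=$(mktemp -d)
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# deny every client not explicitly allowed
sshd: ALL
EOF
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# constructed sample: only the SharePlex source hosts may reach sshd
sshd: 192.168.10.5, 192.168.10.6
EOF

# matches FILE DAEMON CLIENT: 0 if a "DAEMON: client-list" line names CLIENT or ALL.
# Only plain addresses and ALL are modelled; netmasks, EXCEPT and hostnames are not.
matches() {
    file="$1"; daemon="$2"; client="$3"
    [ -f "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" \
        | sed -n "s/^[[:space:]]*$daemon[[:space:]]*:[[:space:]]*//p" \
        | tr ',' '\n' | tr -d ' \t' | grep -qxF -e "$client" -e ALL
}

# wrap_decision DAEMON CLIENT: prints allow or deny in tcp_wrappers order.
wrap_decision() {
    if matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

On a real host, tcpdmatch sshd <address> (shipped with tcp_wrappers) performs the same check against the live /etc/hosts.allow and /etc/hosts.deny.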
Step Five: Installing ssh and sshd
This is the final step. You should have read the <README.openssl> and <INSTALL.openssl> documents and you should also have read the openssh documents <README.openssh> and <INSTALL.openssh>.
Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Again, make sure you have /usr/local/bin and /usr/local/sbin in your PATH. If you have been running sshd before and have keys in /usr/local/etc, running these commands will overwrite them. As root, enter
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
and wait until each is done - this may take a few minutes depending on the speed of your machine.
You might also want to study the /usr/local/etc/ssh_config and /usr/local/etc/sshd_config files to see if there is anything you want to configure differently. The Sun version of ssh and sshd have configuration and key files in /etc/ssh which you may want to study also, though the packages here will not use them.
Now we can set up scripts to start the sshd daemon. Use the script called sshd and place it in the /etc/init.d directory (as root):
1) Start /usr/local/sbin/sshd on both source and target
1.1) If you get a PRNG error, you can create these symbolic links:
ln -s /kernel/drv/random /dev/random
ln -s /kernel/drv/random /dev/urandom
When you run ls -lr /dev | grep random you should see these links in /dev:
lrwxrwxrwx 1 root other 18 Mar 28 13:14 random -> /kernel/drv/random
lrwxrwxrwx 1 root other 18 Mar 28 13:15 urandom -> /kernel/drv/random
2) Establish the tunnel in a separate window and leave that shell alone
# /usr/local/bin/ssh -L 8989:irvsupu16:8989 irvsupu16
root@irvsupu16's password:
Last login: Fri Mar 19 11:30:01 2004 from irvsupu15
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
You have new mail.
Configure SharePlex to work with SSH port forwarding:
3) Then set the flag on the source:
SharePlex (on source)
sp_ctrl> set param SP_XPT_USE_LOCALHOST 1
If there are multiple targets, set it per target host:
sp_ctrl(sysA)> set param SP_XPT_USE_LOCALHOST to <hostname> 1
The following parameter sets the tunnel port number, which overrides the default SharePlex port:
sp_ctrl> set param SP_XPT_PORT_OVERRIDE <SSH port>
Notes:
- Does not work for peer-to-peer replication; look for alternate solutions.
- Killing the shell where tunnel was running stops the replication.
- Re-establishing the tunnel starts the replication.
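A supervised form of the tunnel command from step 2 (and the quick start), added here as an example rather than the article's own script: it reconnects whenever the ssh session exits, since the Notes state that replication stops when the tunnel drops and resumes once it is re-established. Hypothetical values: port 2100, host "target", a dedicated user "splex" with key-based login; it assumes an OpenSSH client that accepts -N and the ServerAlive options (OpenSSH 3.8 or later).

```shell
#!/bin/sh
# Tunnel keeper for SharePlex Export traffic (added example, not from the Quest article).
# Assumptions, all hypothetical: tunnel port 2100, target host "target", a dedicated SSH
# user "splex" with key-based login (so no password prompt), an OpenSSH client at
# /usr/local/bin/ssh that accepts -N and ServerAliveInterval (OpenSSH 3.8 or later).
TUNNEL_PORT="${TUNNEL_PORT:-2100}"
TARGET="${TARGET:-target}"
SSH_USER="${SSH_USER:-splex}"
SSH_BIN="${SSH_BIN:-/usr/local/bin/ssh}"

# Build the -L argument "localport:host:remoteport", using the same port on both ends
# as the article does. Rejects a non-numeric or out-of-range port (returns 1).
forward_spec() {
    port="$1"; host="$2"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s:%s:%s\n' "$port" "$host" "$port"
}

# 0 if something already listens on the local tunnel port (netstat is in base Solaris).
tunnel_listening() {
    netstat -an 2>/dev/null | grep -q "[.:]$1 .*LISTEN"
}

# Reconnect whenever ssh exits: replication stops when the tunnel drops and resumes
# once it is back. -N opens no remote shell; the ServerAlive options make a half-dead
# session exit instead of hanging silently while Export waits.
keep_tunnel() {
    spec=$(forward_spec "$TUNNEL_PORT" "$TARGET") || {
        echo "invalid tunnel port: $TUNNEL_PORT" >&2; return 1; }
    while :; do
        if ! tunnel_listening "$TUNNEL_PORT"; then
            echo "$(date) tunnel down, reconnecting to $TARGET" >&2
            "$SSH_BIN" -N -L "$spec" -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
                "$SSH_USER@$TARGET"
            echo "$(date) ssh exited with status $?" >&2
        fi
        sleep 10
    done
}

# Run the supervisor only when invoked as: sh tunnel_keeper.sh run
case "${1:-}" in run) keep_tunnel ;; esac
```

Run it from a terminal that can stay open (or under nohup), since, as the Notes say, killing the shell that owns the tunnel stops replication until the tunnel is re-established.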
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.