SSH for Unix

Download and install SSH on AI³ routers

SSH server bug fix 1.2.32 New

SSH2 vs. SSH1

The SSH2 protocol is too different from the SSH1 protocol to provide backward compatibility. Instead, SSH2 can be installed so that it forwards old SSH1 streams to an SSH1 server.

If you want to use Windows clients, SSH1 compatibility has to be installed too.

Download SSH

Install SSH

Install SSH version 1.2.32 (optional)

Uncompress the tar.gz file you've just downloaded:
	% gzip -dc ssh-1.2.32.tar.gz | tar xvpf -
Configure and compile SSH:
	% cd ssh-1.2.32
	% ./configure
	% make
Install it:
	% su
	# make install

Install SSH version 2.4.0

Note: SSH version 2 must be installed after SSH version 1 has been installed.

Uncompress the tar.gz file you've just downloaded:

	% gzip -dc ssh-2.4.0.tar.gz | tar xvpf -
Configure and compile SSH:
	% cd ssh-2.4.0
	% ./configure
There is a bug in the Makefile for our (AI³) configuration of machine (BSDi 2.1 and gcc

Modify the apps/ssh/Makefile to add the library libipc:

LIBS = -ltermcap -L/usr/local/lib -ltermcap  -lutil -lipc
Then compile it:
	% make
Install it:
	% su
	# make install
To add compatibility with SSH version 1, add the following lines to the file /etc/ssh2/sshd2_config:
	Ssh1Compatibility	yes
	Sshd1Path		/usr/local/sbin/sshd1
and add the following lines to /etc/ssh2/ssh2_config:
	Ssh1Compatibility	yes
	Ssh1Path		/usr/local/bin/ssh1
Note: the servers (sshdx) are in /usr/local/sbin while the clients (sshx) are in /usr/local/bin.


The SSH server can be started with the command:
	% /usr/local/sbin/sshd
It will be automatically started at boot time if you add the following lines to /etc/rc.local:
	if [ -x /usr/local/sbin/sshd2 ]; then
	        /usr/local/sbin/sshd2; echo "Starting Secure Shell daemon"
	fi

Secure the router

Now that Secure Shell has been installed, insecure protocols should be disabled.

  1. Comment out every line in /etc/inetd.conf to disable telnet, ftp, etc.
  2. In /etc/rc comment out the following:
  3. Reboot the machine
  4. As a result, the command netstat -a should give a very short list, for example:
    	Active Internet connections (including servers)
    	Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    1)	tcp        0    232        bazooka.37180          ESTABLISHED
    2)	tcp        0      0  ESTABLISHED
    3)	tcp        0      0   ESTABLISHED
    4)	tcp        0      0   ESTABLISHED
    5)	tcp        0      0       ESTABLISHED
    6)	tcp        0      0  *.179                  *.*                    LISTEN
    7)	tcp        0      0  *.22                   *.*                    LISTEN
    8)	tcp        0      0  *.80                   *.*                    LISTEN
    	udp        0      0  *.*                    *.*                   
    	udp        0      0  *.syslog               *.*                   
    	udp        0      0  *.*                    *.*                   
    Where the lines are as follows:
    1) is the connection over SSH I have established between the router (IP the machine called bazooka in order to prepare the examples included here
    2) to 5) are connections used by BGP
    6) is waiting for BGP connections
    7) is waiting for SSH connections
    8) is waiting for HTTP connections.
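
The checks in steps 1 and 4 can be scripted. The following is an added example, not part of the original page: it lists services still active in an inetd.conf and any TCP listener outside the ports the page expects (179, 22, 80). The function names and the sample data are constructed for illustration, and it assumes BSD-style `netstat -an` output laid out as in the listing above.

```shell
#!/bin/sh
# Added example: verify steps 1 and 4 of "Secure the router".
# Ports the page expects to stay open: 179 (BGP), 22 (SSH), 80 (HTTP).
ALLOWED_PORTS="179 22 80"

# stdin: inetd.conf text. Prints the service name of every line that is
# still active (neither blank nor commented out).
active_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }'
}

# stdin: `netstat -an` output (BSD layout, local address in column 4).
# $1: space-separated allowlist. Prints each TCP LISTEN port not in it.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4                  # e.g. "*.22" or "192.0.2.1.22"
            sub(/^.*\./, "", port)     # keep what follows the last dot
            if (!(port in ok)) print port
        }'
}

# Constructed sample data (not from a real router): the telnet line was missed.
sample_inetd_conf() {
cat <<'EOF'
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
#shell	stream	tcp	nowait	root	/usr/libexec/rshd	rshd
EOF
}
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.1.22           192.0.2.50.37180       ESTABLISHED
tcp        0      0  *.179                  *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  *.80                   *.*                    LISTEN
udp        0      0  *.syslog               *.*
EOF
}

echo "Still enabled in inetd.conf: $(sample_inetd_conf | active_inetd_services)"
echo "Unexpected TCP listeners: $(sample_netstat | unexpected_listeners "$ALLOWED_PORTS")"
# On the router: active_inetd_services < /etc/inetd.conf
#                netstat -an | unexpected_listeners "$ALLOWED_PORTS"
```

Empty output from both functions means the router matches the short list shown above; the `-n` flag keeps ports numeric so they can be compared with the allowlist.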

Contact us: Olivier Nicole AI3    CSIM    SET    AIT Last update: Nov 2001