How to install OpenSSH server in Xenial 7.5?

@G@tA
Posts: 7
Joined: Thu 05 Apr 2018, 18:23

#1 Post by @G@tA »

Hello!

I've been trying to install openssh server on xenial without any success! Days wasted on that....

Gurus, please provide step by step guide HOW TO SETUP openSSH server on xenialpup.

Thank you!

PS. Searched forums but there is no step-by-step guide of installation and configuration ... rather than random discussion and suggestions of usage of old packages...
PPS. Could you add a button for installation of openSSH server to the quickpet menu in the next release?

Thank you in advance!

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#2 Post by don570 »

I assume when you type 'ssh' in the terminal there is no response.

So I would look to an app in start menu that controls services or daemons.
It should turn ssh on (assuming it's installed.)
Then when you type ssh in terminal you will get some response.

ssh is often turned off initially because of security.
_________________________________________________________

@G@tA
Posts: 7
Joined: Thu 05 Apr 2018, 18:23

#3 Post by @G@tA »

hi don570,

yes there is a response as a client. I can use ssh -l user@address.com sleep 9000 as an example to connect to my other machine but I need to setup a server daemon with RSA keys generated etc. In the package manager I've found open ssh server package 7.2 something and installed it.

after that installation if I type in terminal "service ssh start" I receive an error message that RSA DSA etc keys are not generated which means service cannot start properly.

What to configure and how to generate ... no clue ...

rockedge
Posts: 1864
Joined: Wed 11 Apr 2012, 13:32
Location: Connecticut, United States

#4 Post by rockedge »

I must do some work so I must make this short for now...
look here: https://www.ssh.com/ssh/keygen/
https://gist.github.com/briansmith/2ee4 ... 4d0f70180b

you only need to generate keys. I will look in later to see how you're making out.

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#5 Post by don570 »

after that installation if I type in terminal "service ssh start" I receive an error message that RSA DSA etc keys are not generated which means service cannot start properly.
There is an app that generates the key. I would assume it was installed
when you install openSSH. You can check. It has an obvious name.
_______________________________________

I use ssh only as the root user, since this makes running linux simpler.

I use fatdog linux as my main OS and I often get an error message when trying to start ssh initially,
because the key was generated during another session.
Fortunately the error message in the terminal tells the location of the key
(I believe it's hidden somewhere in /etc)

So I delete this key file and then I start ssh again in the terminal
ssh root@192.168.1.XXX and I will connect automatically to 192.168.1.XXX
(I believe there is a password which is usually woofwoof)
Good luck. That's about all I know about ssh :roll:
_________________________________________________
_____________________________________________

@G@tA
Posts: 7
Joined: Thu 05 Apr 2018, 18:23

#6 Post by @G@tA »

Ok... now I have keys generated... and path of keys is corrected in the sshd_config file...

now when type in terminal:

root#service ssh start
/etc/init.d/ssh: init_is_upstart: command not found
Starting OpenBSD Secure shell server: sshd
root#

What does that mean?

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#7 Post by don570 »

/etc/init.d/ssh: init_is_upstart: command not found
It looks like your version of linux wasn't set up to start SSH using that command???

However the line
Starting OpenBSD Secure shell server: sshd
is promising.
Simply starting the server should be all that is needed.
A key should be generated automatically.
What does terminal write when you type
ssh root@192.168.1.XXX
where 192.168.1.XXX is a known address on network.
_________________________________

Also type 'top' in terminal to spot apps that have been launched.
___________________________________________________

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#8 Post by jafadmin »

FOLKS: "ssh" is the client. "sshd" is the server. :shock:

@G@tA
Posts: 7
Joined: Thu 05 Apr 2018, 18:23

#9 Post by @G@tA »

jafadmin wrote: FOLKS: "ssh" is the client. "sshd" is the server. :shock:
exactly.... I think links are messed up somehow...

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#10 Post by don570 »

I've noticed that dropbear is available. It is a clone of SSH.
It is what I use in fatdog linux. It is easy to start and there is no
confusion about who is client and where the server is.
It uses the same command as SSH i.e.
ssh root@192.168.1.XXX

https://launchpad.net/ubuntu/xenial/amd ... /2016.72-1
____________________________________________________

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

Not sure about Xenial, but under OpenBSD at the end of /etc/ssh/sshd_config I include ...

Code:

Match User user Address 192.168.1.4
        PasswordAuthentication yes
        X11Forwarding yes

So that only userid 'user' from IP 192.168.1.4 can access ssh, requiring they enter the password interactively and it supports X forwarding.

I restart that sshd daemon using /etc/rc.d/sshd -f restart (needs to be restarted after any configuration file changes). For regular startup it's set to start in /etc/rc.conf however under Debian/Ubuntu it's probably started via a systemD action/command/configuration.

The values higher up in our sshd_config are restrictive i.e. require keys, disallow root and X forwarding ...etc. i.e. is pretty much configured to disallow ssh by anyone else.

Perhaps??? of some use as a possible guide ???

From a cursory glance through https://help.ubuntu.com/community/SSH/O ... onfiguring things look relatively similar for Ubuntu (given how Ubuntu have bricked motherboards in the past after 'upgrades' personally I avoid it like the plague).

I have it set up that way as my main desktop PC (as per attached image) is pretty light, primarily just browser and web server (in OpenBSD the base system comes with X, web server and cwm window manager as part of the core/base system), as part of that we use dynamic dns so we have a static domain name that points to a dynamic (changing) IP value. Data and other binaries such as galculator are on our server, which is behind another router (isolation from browser/web server etc.). So to access data/run other programs ... they run over ssh (binaries/libs on server, X displayed on desktop PC). Using commands similar to

ssh -XC celeron galculator (where celeron is the name matched to the server's IP in /etc/hosts). The XC switch is to enable X-forwarding and uses compression.

To move/copy files I use scp - something like ...

scp somefile.txt user@celeron:/home/user/somefile.txt

Top right in the image shows installed programs (pkg_add and pkg_info are similar to Debian's apt-get), in that there is no galculator program installed, the galculator on the desktop is being run off the server via ssh/X forwarding (as outlined above). Same applies to office programs ...etc.

On our main hub/router only http/https is port forwarded to my desktop PC (web pages). The server which sits behind a second router has only ssh port forwarded, so access from externally isn't possible and even from the first layer/router is pretty restricted as per the above.
Attachments
s600.jpg

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#12 Post by don570 »

I tested 64bit xenial 7.5 (frugal install to hard disk) and had no problems connecting with another computer using SSH.

I just made sure that I had the ethernet connection working to router
and then typed in terminal ...

Code:

root# ssh root@192.168.1.104
The authenticity of host '192.168.1.104 (192.168.1.104)' can't be established.
RSA key fingerprint is SHA256:d5pJ+S782ys44Xl67YxIsAPFxQ1qnCXS8sj0JjhqvXw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.104' (RSA) to the list of known hosts.
root@192.168.1.104's password: 
root:~# ls
Desktop   my-documents  puppy-reference  Startup
faq.html  network       spot             Tromboon-sample.ogg

I made the connection to my raspberry pi3 board which uses WIFI,
and could use the 'ls' command.
___________________________________________________

soniabu
Posts: 162
Joined: Thu 01 Feb 2018, 21:24
Location: Paris

#13 Post by soniabu »

don570 wrote: I tested 64bit xenial 7.5 (frugal install to hard disk) and had no problems connecting with another computer using SSH.
I just made sure that I had the ethernet connection working to router
and then typed in terminal ...

Code:

root# ssh root@192.168.1.104
The authenticity of host '192.168.1.104 (192.168.1.104)' can't be established.
RSA key fingerprint is SHA256:d5pJ+S782ys44Xl67YxIsAPFxQ1qnCXS8sj0JjhqvXw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.104' (RSA) to the list of known hosts.
root@192.168.1.104's password: 
root:~# ls
Desktop   my-documents  puppy-reference  Startup
faq.html  network       spot             Tromboon-sample.ogg

I made the connection to my raspberry pi3 board which uses WIFI,
and could use the 'ls' command.
___________________________________________________
Hi Don,
I have the same operating system, but only in memory. To install openssh I performed these steps:
1) PPM install openssh-client and openssh-server (7.2p) and their dependencies. No error.
2) I launch ssh I have this result:
service ssh start
/etc/init.d/ssh: line 37: init_is_upstart: command not found
Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config: No such file or directory
3) it doesn't create me either under etc/ssh/ or under etc/init.d/ the object sshd_config.
Create in etc/ssh/ only two objects: ssh_config and modules.

Do you understand why this is happening?
sonia
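
An added example, not part of soniabu's post or of any reply: a check for the two startup failures reported in this thread, a missing sshd_config and host keys that were never generated, before running `service ssh start`. The function names and the directory argument are assumptions; the default key names are the stock OpenSSH ones.

```shell
#!/bin/sh
# Added example (not from any poster): find what keeps sshd from starting.
# Assumption: DIR is laid out like /etc/ssh.

# hostkey_paths DIR: HostKey files named in the global part of DIR/sshd_config,
# or the default key names when the config names none.
hostkey_paths() {
    named=$(awk 'tolower($1) == "match"   { exit }
                 tolower($1) == "hostkey" { print $2 }' "$1/sshd_config")
    if [ -n "$named" ]; then
        echo "$named"
    else
        for t in rsa ecdsa ed25519; do echo "$1/ssh_host_${t}_key"; done
    fi
}

# preflight DIR: prints each problem, sets $usable to the number of host keys
# sshd could load, and returns 0 only if the config exists and usable > 0.
preflight() {
    usable=0
    if [ ! -f "$1/sshd_config" ]; then
        echo "MISSING: $1/sshd_config (ssh_config is the client's file)"
        return 1
    fi
    for k in $(hostkey_paths "$1"); do
        if [ ! -s "$k" ]; then
            echo "MISSING: $k (ssh-keygen -A creates absent default keys)"
        elif [ "$(ls -ld "$k" | cut -c5-10)" != "------" ]; then
            echo "TOO OPEN: $k (chmod 600; sshd rejects readable private keys)"
        else
            usable=$((usable + 1))
        fi
    done
    [ "$usable" -gt 0 ]
}

# Constructed demo: a config that points at one key file that does not exist.
demo=$(mktemp -d)
echo "HostKey $demo/ssh_host_ed25519_key" > "$demo/sshd_config"
preflight "$demo" || echo "sshd would not start; $usable usable host key(s)"
rm -rf "$demo"
```

On a real system this would be called as `preflight /etc/ssh`; `sshd -t` remains the authoritative check of the configuration and keys.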

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#14 Post by don570 »

You shouldn't install SSH. It's there inside the operating system.
Of course it needs to be running. That is done by turning on service.
I'm not sure how xenial does that. Maybe there is start script in /etc???

I don't have an internet connection so I always use the software in the ISO
or the ibiblio repository.

SSH is always in the ISO (or fatdog64 use dropbear clone) so there shouldn't be a difficult install process.

James Bond put dropbear in Raspberry pi3 operating system. I had no problems contacting my raspberry pi3 board
with a simple command in the terminal of fatdog64. Read my experiences.
http://murga-linux.com/puppy/viewtopic. ... 75#1000775

______________________________________________________-

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#15 Post by rufwoof »

To reiterate, the OP is looking to get ssh server (sshd) up and running, not ssh (client).

I'd guess you might need to install openssh-server in Xenial and have at least

PermitRootLogin yes

in /etc/ssh/sshd_config if you intend to ssh into that server as root. Also perhaps use

PasswordAuthentication yes

initially so you can log in as root using a userid (root) and password (beforehand run 'passwd' command as root to enter a password of your choosing for root over that of leaving it at the woofwoof ... or whatever default)

Later when you can log in using userid/password you can flip PasswordAuthentication to no and activate/configure using keys based access.

You'll probably also need to Port Forward port 22 in your router/ISP hub if you want to access your box remotely ... but that's best left turned off/disabled until your setup is relatively tightly configured.

soniabu
Posts: 162
Joined: Thu 01 Feb 2018, 21:24
Location: Paris

#16 Post by soniabu »

All right, I'll try to understand. :?
thanks to both of you
sonia

rockedge
Posts: 1864
Joined: Wed 11 Apr 2012, 13:32
Location: Connecticut, United States

#17 Post by rockedge »

all that must be in /etc/ssh/sshd_config for basic functions is :

Code:

X11Forwarding yes
XAuthLocation /usr/bin/xauth
# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

one must open the Puppy Package Manager, search for and install xauth if it is not present.

this set up will allow X11 being forwarded...sometimes I run rox-filer through ssh or use palemoon and tunnel the IP through the router....so if I am in Germany I can see US content through my machine in the basement in Connecticut which the world thinks my IP is..when in fact I am in Germany using a machine as a terminal.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#18 Post by rufwoof »

Xforwarding and xauth through ssh are only moderately secure, incorrect setting/testing of DISPLAY for instance can leave you as good as wide open.

Reasonable practice is to ensure you set a password when you generate an ssh key, so if that device is stolen there's a barrier (password) involved to ssh into a host/server. Also on the server use both key and password authentication ... typically by including AuthenticationMethods publickey,password ... as that first authenticates using keys that as good as mitigates man in middle attacks, which having authenticated the key also requires you know the password - i.e. protection in the event of the private key having been compromised/stolen.

Leaving port 22 open/port forwarded as the ssh port is also a common attack vector. Even if they don't get in your system can become overloaded with a barrage of brute force attack attempts. Shifting the port up to a high port number, 2222 or whatever is less inclined to be found/attacked. Even then however ideally your firewall will be set to blacklist attacks. I use pf for my firewall and have a blacklist table along with a rule ...

Code:

pass inet proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/30, \
overload <badhosts> flush global)

so that brute force attacks are quickly blacklisted.

Permitting root ssh access isn't a good choice as that requires cracking just a password alone to gain root access, better to restrict ssh to a specific userid, as they then have to 'guess' both the userid and password to get in, and then have to know the root password to su into root.

This is all secondary however to the OP's problem of getting sshd (server) working in the first place.
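
An added example, not part of rufwoof's post or of anyone's configuration: a small audit of the global section of an sshd_config for the settings discussed in posts #15 to #18 (PermitRootLogin, PasswordAuthentication with AuthenticationMethods, X11Forwarding, Port). The function names are assumptions, the sample file is constructed, and the fallback values are the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from any poster): audit the global part of an sshd_config
# for the settings this thread discusses. File contents below are constructed.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive. Reading stops at the first Match line, so per-user
# overrides are not reported. DEFAULT is used when the keyword is absent.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# audit_sshd_config FILE: prints findings, sets $findings, returns 0 if clean.
audit_sshd_config() {
    findings=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    meth=$(effective_value "$1" AuthenticationMethods any)
    x11=$(effective_value "$1" X11Forwarding no)
    port=$(effective_value "$1" Port 22)

    [ "$root" = yes ] && warn "PermitRootLogin yes: one password guards root"
    [ "$pass" = yes ] && [ "$meth" = any ] &&
        warn "password alone is accepted: no key is required"
    [ "$x11" = yes ] && warn "X11Forwarding yes: enable only where needed"
    [ "$port" = 22 ] && warn "Port 22: expect brute-force noise, rate-limit it"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the "get it working first" settings from the thread.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'X11Forwarding yes' > "$sample"
audit_sshd_config "$sample" || echo "$findings finding(s) in $sample"
rm -f "$sample"
```

Where sshd is installed, `sshd -T` prints the effective configuration including defaults and is the better source than parsing the file by hand.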

don570
Posts: 5528
Joined: Wed 10 Mar 2010, 19:58
Location: Ontario

#19 Post by don570 »

I was able to get SSH to work in both directions i.e.

Raspberry pi3 to a PC with Xenial 7.5 and Xenial 7.5 to raspberry pi3

Here is how I did it...

1) Raspberry pi3 has dropbear (SSH clone) already installed
2) I installed dropbear in Xenial 7.5 with barry's pet package
http://distro.ibiblio.org/quirky/quirky ... br-x86.pet

3) open boot manager from start menu and go to service tab (see image)
Tick dropbear so that it will run automatically at boot time.

4) Reboot. SSH will be running automatically

If you get warning that there is a wrong authorization number
when trying to get into a computer with SSH
then erase the corresponding line in file in /root/.ssh/
________________________________________________
Attachments
capture3128.png

soniabu
Posts: 162
Joined: Thu 01 Feb 2018, 21:24
Location: Paris

#20 Post by soniabu »

Sonia, are we clear?
Guys, I'm going through the drawers to find the revolver... :lol:
