
How to configure SSH on a DMZ (SCI83078)

Question & Answer


Question

How to configure SSH on a DMZ (SCI83078)

Cause

Answer

Example of how to set up SSH on a DMZ


Install the product


Install Connect:Enterprise UNIX on an internal server. This is the C:E UNIX instance that will host the control daemon, mailbox daemon and the other core daemons. Any protocol daemons used for internal connections, or used as outbound clients only, may also be hosted on this server. Only the sftp daemon (cmusshftpd) is placed on the remote server in the DMZ; it registers back with this internal instance as described below.




Install on the remote server


On the remote server do the following:





  1. Create a $CMUHOME directory on the remote server. This directory name can be different from the $CMUHOME value specified on the internal server.

  2. Under $CMUHOME, you will need the following:


    1. ssh directory

    2. ssh/system directory

    3. ssh/system/moduli file

    4. cpd directory - cmusshcust will create the ssh cpd file in it for you.

    5. etc directory

    6. trace directory (if you want to run the sftp daemon with traces turned on)

    7. <osplatform> directory (sun, hpux, aix, linux or zlinux). This is the OS platform of the remote server.

    8. <osplatform>/bin for the ssh binaries described later in this document

    9. <osplatform>/lib for the sips shared library described later in this document

       Note that sips encryption rules may also apply. See the separate document describing how to run sips encryption on remote servers.



  3. Copy the following files from the $CMUHOME/etc directory on the internal server to the $CMUHOME/etc directory on the remote server:


    1. debug.sh

    2. kshrc - modify this to have the correct $CMUHOME value for the remote server

    3. ceustartup - modify this to start cmusshftpd only.

    4. cmusshcust - this will be run to complete the remote ssh installation

    5. ceupgrade_release_2

    6. ceustartup.trace - modify this to start cmusshftpd only.

    7. cshrc - modify this to have the correct $CMUHOME value for the remote server

    8. hostid.sh

    9. profile - modify this to have the correct $CMUHOME value for the remote server

  4. Copy the following binary files from $CMUHOME/<osplatform>/bin on the internal server to $CMUHOME/<osplatform>/bin on the remote server. Note that if the internal server and the remote server run different operating systems (for example sun vs. linux), the binaries for the remote server's operating system will need to be obtained through other means.


    1. cmusshftpd

    2. cmusshkey

    3. sftp

    4. sftp-server

    5. ssh

    6. sshd

    7. ssh-rand-helper

  5. Copy the following shared object from $CMUHOME/<osplatform>/lib on the internal server to $CMUHOME/<osplatform>/lib on the remote server. The same caveat applies: if the two servers run different operating systems, the library built for the remote server's operating system must be obtained through other means. Also note that the appropriate environment variable needs to be set; again, see the separate document describing how to run sips encryption on remote servers for details.


    1. libcmusips.so

  6. Export the appropriate environment variable so the sips shared object can be found. This step is required so that the binaries run by cmusshcust can find this library. For example, on a zlinux remote server:


    1. $ export LD_LIBRARY_PATH=/CEUnix/cedist/psmil1/ceunix2200remote/zlinux/lib

  7. When you run cmusshcust the following will happen:


    1. Files cshrc, profile, and ssh_prng_cmds will be copied into $CMUHOME/ssh/etc

    2. Files ssh_host_key and ssh_host_key.pub will be created and copied into $CMUHOME/ssh/system

    3. A users directory will be created under $CMUHOME/ssh. This directory is not used and should remain empty.

    4. An ssh cpd file will be created in the $CMUHOME/cpd directory. It will contain the port number you specified in cmusshcust.

    5. As part of the cmusshcust script, the system is queried for a source of random data. If cmusshcust detects /dev/urandom or another standard random data source supported by OpenSSL, that source is used. When such a device is present it can optionally be supplemented with a pseudo random number generator, an entropy gathering daemon, or the random data collection built into ssh (ssh-rand-helper, driven by the ssh_prng_cmds file copied above). If no OpenSSL-supported random data device is found, one of those three choices must be made.

  8. At this point, cmusshftpd can be run from the remote server. It will register with the internal C:E UNIX instance and will act as the sftp server for that C:E UNIX instance.
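The remote-server layout from the steps above, scripted as an added example (this is not code from the IBM article or from the Connect:Enterprise product): it creates the directory skeleton, lists the files that must be copied in, and pre-flights the result before cmusshcust is run. The function names, the rc-file check, the host-key permission check, and the LIBPATH/SHLIB_PATH variable names for AIX and HP-UX are my own assumptions; the article itself only shows LD_LIBRARY_PATH. The copies themselves (scp or equivalent from the internal server) are left to the operator.

```shell
#!/bin/sh
# Added example, not part of the IBM article or the Connect:Enterprise product:
# lay out and pre-flight a remote (DMZ) $CMUHOME before cmusshcust is run.
# Directory and file names are the ones the article lists; the function
# names, the rc-file check and the permission check are my own additions.

# Name of the shared-library search variable for each <osplatform>. The
# article only shows LD_LIBRARY_PATH; the AIX and HP-UX names are the
# conventional ones for those platforms (my assumption, not the article's).
sips_lib_env_var() {
    case "$1" in
        aix)  echo LIBPATH ;;
        hpux) echo SHLIB_PATH ;;
        *)    echo LD_LIBRARY_PATH ;;
    esac
}

# Files that must exist before cmusshcust is run, one per line.
# $1 = <osplatform> (sun, hpux, aix, linux, zlinux)
required_remote_files() {
    os=$1
    for f in ssh/system/moduli \
             etc/debug.sh etc/kshrc etc/ceustartup etc/cmusshcust \
             etc/ceupgrade_release_2 etc/ceustartup.trace etc/cshrc \
             etc/hostid.sh etc/profile \
             bin/cmusshftpd bin/cmusshkey bin/sftp bin/sftp-server \
             bin/ssh bin/sshd bin/ssh-rand-helper lib/libcmusips.so; do
        case "$f" in
            bin/*|lib/*) echo "$os/$f" ;;
            *)           echo "$f" ;;
        esac
    done
}

# Create the directory skeleton. $1 = remote CMUHOME, $2 = <osplatform>.
make_remote_cmuhome() {
    root=$1; os=$2
    for d in ssh ssh/system cpd etc trace "$os/bin" "$os/lib"; do
        mkdir -p "$root/$d" || return 1
    done
    # Nothing on the DMZ host other than the C:E account needs to read this tree.
    chmod 750 "$root" "$root/ssh" "$root/ssh/system"
}

# Pre-flight: report every missing file, an rc file that still carries the
# internal server's CMUHOME, or a group/world-readable host private key.
# Returns 0 only when the layout is ready for cmusshcust / cmusshftpd.
verify_remote_cmuhome() {
    root=$1; os=$2; bad=0
    for f in $(required_remote_files "$os"); do
        [ -f "$root/$f" ] || { echo "missing: $root/$f"; bad=1; }
    done
    # kshrc, profile and cshrc are copied from the internal server and must be
    # edited to the remote path (assumes they reference the path literally).
    for rc in etc/kshrc etc/profile etc/cshrc; do
        if [ -f "$root/$rc" ] && ! grep -Fq "$root" "$root/$rc"; then
            echo "stale CMUHOME in $root/$rc"; bad=1
        fi
    done
    # cmusshcust writes the host private key here; group/other bits must be clear.
    key=$root/ssh/system/ssh_host_key
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "host key $key is readable by other users"; bad=1
    fi
    return $bad
}

# Run directly:  sh remote_cmuhome.sh /CEUnix/remote linux
if [ $# -eq 2 ]; then
    printf 'export %s=%s/%s/lib\n' "$(sips_lib_env_var "$2")" "$1" "$2"
    make_remote_cmuhome "$1" "$2" && verify_remote_cmuhome "$1" "$2"
fi
```

Run it with the remote $CMUHOME path and platform, copy in the files it reports as missing, fix any rc file it flags, and re-run until it exits 0; the export line it prints is the one to put in the remote profile before cmusshcust is started. The host-key check only fires once cmusshcust has created ssh_host_key, so it is worth running the script a second time after that step.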



Verify the remote installation


Once the above steps are completed, go to the internal C:E UNIX host and run cmusession. You will see something like this:


$ cmusession

Date: 03/25/04                 Connect:Enterprise UNIX 2.2.00                 Page: 0001
Time: 16:41:45                           Session Utility

Command Line Parameters:
      cmusession

Name      Type    Host     PID    Trace  Resource  State  SID
REMOTE    Master  rh7231b  24787  0      9991      Idle   16
ADMIN     Master  rh7231b  24512  0      9994      Idle   10
SSHFTP    Master  rh7231b  24523  0      9995      Idle   9
FTP       Master  rh7231b  24521  0      9997      Idle   8
ACD       Master  rh7231b  24499  0                -      3

Max. Concurrent Sessions: 1

Where REMOTE is the name of the remote cmusshftpd instance.

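A scripted form of this check, added here as an example (it is not part of the article or the product): it reads cmusession output and confirms that the named remote cmusshftpd session is present and Idle, so it can be run after starting cmusshftpd on the DMZ host or from a monitoring job. The table embedded below is the article's own sample output; the function name is mine.

```shell
#!/bin/sh
# Added example (not from the IBM article): check cmusession output for a
# registered cmusshftpd instance. Input is read from stdin so it can be fed
# either from a live "cmusession" run or from a saved copy of its output.

# $1 = session name (e.g. REMOTE). Returns 0 if a Master row with that name
# is present and its State is Idle, 1 otherwise. State is taken as the
# second-to-last field because the ACD row has an empty Resource column, so
# counting fields from the left would misalign it.
sshftpd_registered() {
    awk -v want="$1" '
        $1 == want && $2 == "Master" { found = 1; state = $(NF - 1) }
        END { exit ((found && state == "Idle") ? 0 : 1) }
    '
}

# Sample output copied from the article (internal host rh7231b).
SAMPLE_CMUSESSION='Name      Type    Host     PID    Trace  Resource  State  SID
REMOTE    Master  rh7231b  24787  0      9991      Idle   16
ADMIN     Master  rh7231b  24512  0      9994      Idle   10
SSHFTP    Master  rh7231b  24523  0      9995      Idle   9
FTP       Master  rh7231b  24521  0      9997      Idle   8
ACD       Master  rh7231b  24499  0                -      3'

# Live use on the internal C:E UNIX host:
#   cmusession | sshftpd_registered REMOTE && echo "DMZ sftp daemon registered"
```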


Historical Number

PRI26777

Product Synonym

Fact
Connect:Enterprise UNIX
Release 2.2.00
SCI83078

Goal
How to configure SSH on a DMZ

Document Information

More support for:
IBM Sterling Connect:Enterprise for UNIX

Software version:
All

Document number:
451781

Modified date:
17 December 2019

UID

swg21549284
