[HPADM] Summary: Running OpenSSH as a Daemon on HP-UX 11.11

From: Joan Millington (j.millington@chester.ac.uk)
Date: Wed Jan 18 2006 - 06:46:42 EST


Hi Admins,

Thanks to everyone who responded. The choices we made are summarized below:

>> I want to run OpenSSH 4.1 as a daemon (sshd) rather than via inetd, on an
>> HP-UX 11.11 server.

We chose OpenSSH instead of HP's SSH program because our main application
supplier prefers it (they run on a number of platforms and want the consistency).

>> I have compiled ssh to /opt/sbin/sshd with config at /etc/ssh/sshd_config.
>> Does this sound okay or can you foresee problems with /opt? (I don't
>> want /usr/local/bin in the $PATH).

I have recompiled to /opt/sshd (the sbin made little sense) and kept the config files
in /etc/ssh (although, now I think of it, they should be in /etc/opt/ssh - will fix next
time).

>> What run level do you start sshd at (rc?.d) and can you email me a copy of
>> your start-up script? (/sbin/init.d/ssh).

We are starting in rc2.d:
lrwxr-xr-x 1 root sys 16 Jan 14 13:02 S393ssh -> /sbin/init.d/ssh

And stopping in rc1.d:
lrwxr-xr-x 1 root sys 16 Jan 14 13:02 K393ssh -> /sbin/init.d/ssh

With /sbin/init.d/ssh permissions:
-r-xr-xr-x 1 bin bin 6002 Jan 16 10:19 ssh

The script is:

#!/usr/bin/sh
#
# @(#)B.11.11_LR
#

#
# OpenSSH init.d script
#

# Allowed exit values:
# 0 = success; causes "OK" to show up in checklist.
# 1 = failure; causes "FAIL" to show up in checklist.
# 2 = skip; causes "N/A" to show up in the checklist.
# Use this value if execution of this script is overridden
# by the use of a control variable, or if this script is not
# appropriate to execute for some other reason.
# 3 = reboot; causes the system to be rebooted after execution.
# 4 = background; causes "BG" to show up in the checklist.
# Use this value if this script starts a process in background mode.

# Input and output:
# stdin is redirected from /dev/null
#
# stdout and stderr are redirected to the /etc/rc.log file
# during checklist mode, or to the console in raw mode.

PATH=/usr/sbin:/usr/bin:/sbin
export PATH

openSSHDir=/opt
configDir=/etc/ssh

# NOTE: If your script executes in run state 0 or state 1, then /usr might
# not be available. Do not attempt to access commands or files in
# /usr unless your script executes in run state 2 or greater. Other
# file systems typically not mounted until run state 2 include /var
# and /opt.

rval=0

DSAKeyFile=$configDir/ssh_host_dsa_key
RSA2KeyFile=$configDir/ssh_host_rsa_key
RSA1KeyFile=$configDir/ssh_host_key
keyGenerator=$openSSHDir/bin/ssh-keygen

sshdConfig=$configDir/sshd_config
sshdPIDFile=sshd.pid
sshdCmd=$openSSHDir/sshd
sshdCmdOptions=""

#
# Checks for the existence of the host DSA key (protocol version 2)
#
DSAKeyExists() {
    [ -f "$DSAKeyFile" ] && return 0
    return 1
}

#
# Checks for the existence of the host RSA key (protocol version 2)
#
RSA2KeyExists() {
    [ -f "$RSA2KeyFile" ] && return 0
    return 1
}

#
# Checks for the existence of the RSA host key (protocol version 1)
#
RSA1KeyExists() {
    [ -f "$RSA1KeyFile" ] && return 0
    return 1
}

#
# Generates DSA (protocol version 2) key
#
generateDSAKey() {
    echo "Generating OpenSSH server DSA (protocol version 2) key...\c"
    if $keyGenerator -q -t dsa -f $DSAKeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}

#
# Generates RSA (protocol version 2) key
#
generateRSA2Key() {
    echo "Generating OpenSSH server RSA (protocol version 2) key...\c"
    if $keyGenerator -q -t rsa -f $RSA2KeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}

#
# Generates RSA (protocol version 1) key
#
generateRSA1Key() {
    echo "Generating OpenSSH server RSA (protocol version 1) key...\c"
    if $keyGenerator -q -t rsa1 -f $RSA1KeyFile -N ''; then
        echo "done."
    else
        echo "failed!"
    fi
}

#
# Checks for keys and generates them if necessary
#
generateKeys() {
    if DSAKeyExists; then
        echo "OpenSSH DSA key exists: $DSAKeyFile"
    else
        generateDSAKey
    fi

    if RSA2KeyExists; then
        echo "OpenSSH RSA2 key exists: $RSA2KeyFile"
    else
        generateRSA2Key
    fi

    if RSA1KeyExists; then
        echo "OpenSSH RSA1 key exists: $RSA1KeyFile"
    else
        generateRSA1Key
    fi
}

#
# Start the OpenSSH server process
#
startSSHD() {
    # check for configuration file
    if [ ! -f "$sshdConfig" ]; then
        echo "OpenSSH is not configured. Missing file $sshdConfig."
        exit 1
    fi

    # check for all of the keys; generate any that are missing
    if DSAKeyExists && RSA2KeyExists && RSA1KeyExists; then
        :
    else
        generateKeys
    fi

    # sshd forks into the background itself; a non-zero exit here means
    # it refused to start (bad config, unreadable key, port in use ...)
    $sshdCmd $sshdCmdOptions
    set_return
}

#
# Stop the OpenSSH server process
#
stopSSHD() {
    realPIDFile=""
    if [ -r "/etc/$sshdPIDFile" ]; then
        realPIDFile=/etc/$sshdPIDFile
    elif [ -r "/var/run/$sshdPIDFile" ]; then
        realPIDFile=/var/run/$sshdPIDFile
    else
        echo "OpenSSH server process ID (PID) file cannot be located."
        rval=1 # cannot stop what we cannot find; report FAIL
    fi

    # send TERM to the listening daemon only; existing sessions are left alone
    if [ -n "$realPIDFile" ]; then
        kill -TERM `cat "$realPIDFile"`
        set_return
    fi
}

# Check the exit value of a command run by this script. If non-zero, the
# exit code is echoed to the log file and the return value of this script
# is set to indicate failure.

set_return() {
        x=$?
        if [ $x -ne 0 ]; then
                echo "EXIT CODE: $x"
                rval=1 # script FAILed
        fi
}

# Kill the named process(es).
# $1=<search pattern for your process>

killproc() {
        pid=`ps -el | awk '( ($NF ~ /'"$1"'/) && ($4 != mypid) && ($5 != mypid) )
{ print $4 }' mypid=$$ `
        if [ "X$pid" != "X" ]; then
                if kill "$pid"; then
                        echo "$1 stopped"
                else
                        rval=1
                        echo "Unable to stop $1"
                fi
        fi
}

case $1 in
'start_msg')
        # Emit a _short_ message relating to running this script with
        # the "start" argument; this message appears as part of the checklist.
        echo "Starting the SSH daemon"
        ;;

'stop_msg')
        # Emit a _short_ message relating to running this script with
        # the "stop" argument; this message appears as part of the checklist.
        echo "Stopping the SSH daemon"
        ;;

'start')
        # source the system configuration variables
        if [ -f /etc/rc.config ] ; then
                . /etc/rc.config
        else
                echo "ERROR: /etc/rc.config defaults file MISSING"
        fi

        # Check to see if this script is allowed to run...
        if [ "$RUN_SSH" != 1 ]; then
                rval=2
        else
                # Execute the commands to start your subsystem
                startSSHD
        fi
        ;;

'stop')
        # source the system configuration variables
        if [ -f /etc/rc.config ] ; then
                . /etc/rc.config
        else
                echo "ERROR: /etc/rc.config defaults file MISSING"
        fi

        # Check to see if this script is allowed to run...
        if [ "$RUN_SSH" != 1 ]; then
                rval=2
        else
                # Execute the commands to stop your subsystem
                stopSSHD
        fi
        ;;

*)
        echo "usage: $0 {start|stop|start_msg|stop_msg}"
        rval=1
        ;;
esac

exit $rval
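An added example, not part of Joan's post: a small POSIX sh checker for the layout the summary describes (rc2.d/S393ssh and rc1.d/K393ssh linked to /sbin/init.d/ssh, config and host keys under /etc/ssh). The point a reviewer would want covered is the host keys: the init script generates them with an empty passphrase, so the only thing protecting them is the file mode, and the checker fails if any private key is not -rw-------. It parses ls -l rather than calling stat(1), which HP-UX 11.11 does not ship. The root-directory argument and the three function names are this example's own assumptions; pass / on a live host.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-checks an OpenSSH init.d
# deployment laid out as the summary describes. Assumptions: host keys and
# sshd_config live in etc/ssh under the given root, the init script is
# /sbin/init.d/ssh, and the rc links are rc2.d/S393ssh and rc1.d/K393ssh.

# Returns 0 only if every private host key in $1 is mode 0600 (-rw-------).
# ls -l is used instead of stat(1) because HP-UX 11.11 has no stat command;
# cut -c1-10 ignores any ACL/context marker some systems print in column 11.
check_host_key_modes() {
    dir=$1
    status=0
    for key in "$dir"/ssh_host_key "$dir"/ssh_host_dsa_key "$dir"/ssh_host_rsa_key; do
        [ -f "$key" ] || continue
        mode=`ls -l "$key" | cut -c1-10`
        if [ "$mode" != "-rw-------" ]; then
            echo "WRONG MODE $mode on $key (expected -rw-------)"
            status=1
        fi
    done
    return $status
}

# Returns 0 only if $1/$2 is a symbolic link whose target is exactly $3.
check_rc_link() {
    link=$1/$2
    want=$3
    [ -h "$link" ] || { echo "missing rc link $link"; return 1; }
    target=`ls -l "$link" | sed 's/.* -> //'`
    [ "$target" = "$want" ] || { echo "$link -> $target (expected $want)"; return 1; }
    return 0
}

# Checks the whole layout below root directory $1; returns 0 if all is well.
check_ssh_install() {
    root=$1
    rc=0
    check_host_key_modes "$root/etc/ssh" || rc=1
    check_rc_link "$root/sbin/rc2.d" S393ssh /sbin/init.d/ssh || rc=1
    check_rc_link "$root/sbin/rc1.d" K393ssh /sbin/init.d/ssh || rc=1
    [ -f "$root/etc/ssh/sshd_config" ] || { echo "missing $root/etc/ssh/sshd_config"; rc=1; }
    return $rc
}
```

Run it as `check_ssh_install /` after installing the script and links; a non-zero return names the first thing that is wrong. Because the checker only reads, it is safe to drop into a cron job as a drift detector: a host key that was regenerated by hand with the wrong umask, or an rc link removed during an upgrade, shows up at the next run rather than at the next reboot.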

Thanks again!

Joan Millington

University of Chester, England
j.millington@chester.ac.uk

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:51 EDT