Wednesday, November 12, 2008

How to go about FTPS implementation at Web Methods

Obtaining OpenSSH

webMethods does not provide any OpenSSH software. The sample Integration
Server OpenSSH package contains only wrapper flow services for invoking a
command line tool. Therefore, you must obtain and install an OpenSSH
implementation before using the package described in the rest of this document.
The package was developed using OpenSSH, available for most platforms at the
following location:
http://www.openssh.org/downloads/
If you are running Linux or another Unix platform, it is very likely already installed.
Windows users may find the Cygwin installation easiest to use. It is available at
http://www.cygwin.com/. Several commercial command line implementations are
also available, although the package may have to be changed to accommodate their
use.

Security considerations
Configuring OpenSSH as a server is beyond the scope of this document. Please
see the References section for information on this. A few general guidelines for
configuring the SSH server follow; see the sshd man page for details on how to set
these options:
- Disallow port forwarding unless specifically required by the application
- Create unprivileged users for connections. Never use the root or Administrator
account.
- Limit the command set allowed to be run by the client using the ‘command=’
option in the authorized_keys file.

Installing the IS OpenSSH package:
The OpenSSH package is available for download from the Advantage website under
Best Practices -> Product Security Information:
http://advantage.webmethods.com/
Copy the OpenSSH.zip file into the replicate/incoming directory in the Integration
Server’s root directory. Open the Administrator, click on the Manage Packages
menu item, select Install Inbound Packages, and install the package.
Go to the serverroot/packages/OpenSSH/config directory and edit the
openssh.properties file to reflect the path to each SSH command. The defaults are
listed below. If you need to change any of them, you must reload the OpenSSH
package to pick up the changes. To disable a command, comment out the line
completely. Note that due to the nature of the ‘ssh’ command, it is not enabled by
default.
# SCP command
openssh.scpcmd=scp
#openssh.scpcmd=d:\\cygwin\\bin\\scp.exe
# SSH command (disabled by default)
#openssh.sshcmd=ssh
#openssh.sshcmd=d:\\cygwin\\bin\\ssh.exe
#openssh.sshcmd=/usr/local/bin/ssh
# SFTP command
#openssh.sftpcmd=d:\\cygwin\\bin\\sftp.exe
openssh.sftpcmd=sftp


The options.properties file defines global and host specific options for the SSH
commands you run. The default options are as follows. You may override global
settings in this file or on the command line.
# See openssh_config for details
# Global defaults for Integration Server
Host *
PasswordAuthentication no
StrictHostKeyChecking yes
Compression yes
BatchMode yes
IdentityFile openssh/intserv.rsa



Configuring OpenSSH
The Integration Server should have its own protected directory to store the identity
file used to perform SSH operations. The following steps show an example of how to
set up a separate identity file for the Integration Server. These steps are for a Unix
server, but similar steps can be taken on a Windows server.
In the samples below, the machine running Integration Server is considered the
client machine and is labeled ‘ishost’. The remote server running SSH is labeled
‘remotehost’. Commands you type are in italics.
Set up the OpenSSH directory
Switch to the Integration Server root directory and create a new directory called
‘openssh’. Set permissions on the directory so that only the Integration Server can
access it.
ishost$ cd /opt/webmethods6/IntegrationServer
ishost$ mkdir openssh
ishost$ chmod 700 openssh
Creating an identity file
The following command is used to generate an identity file for the Integration Server.
Do not set a passphrase for the key, as the Integration Server has no way to
interactively enter one. If you choose a different directory or default identity file
name, you must update the package’s options.properties file with the new location.
The following commands create a 1024 bit RSA keypair.
Note: The intserv.rsa file should be treated like a password.
ishost$ ssh-keygen -b 1024 -f openssh/intserv.rsa -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in intserv.rsa.
Your public key has been saved in intserv.rsa.pub.
The key fingerprint is:
96:25:7a:2a:ba:7b:d6:f9:ad:42:5e:79:af:6d:d4:3b intserv@myserver
ishost$ ls openssh
intserv.rsa intserv.rsa.pub
Configuring key-based login to the remote server
In order to connect to the remote server using the identity key from the previous
step, you must make a couple of configuration changes to the remote server
machine.
First, log in to the remote server. The first time you log in, you will likely get an
authenticity warning regarding an unknown host. SSH does this each time it
encounters a host it has never seen before. You should verify this key out of band, by
phone call or email, with the remote server administrator. This check is to prevent
man in the middle attacks against SSH.
ishost$ ssh remotehost
The authenticity of host 'remotehost (10.1.1.1)' can't be established.
RSA key fingerprint is 9d:08:b5:00:9c:41:31:ed:ee:f5:4c:5f:85:de:3e:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remotehost,10.1.1.1' (RSA) to the list of known hosts.
Add the intserv.rsa.pub key to the .ssh/authorized_keys file on the remote host.
Create the file if it does not exist. The key must be on a single line. It will not be
recognized otherwise. Also, you must protect this file from access by others in order
for authentication to work.
Copy the public key to the remote system
ishost$ scp openssh/intserv.rsa.pub remotehost:.ssh/.
user@host password:
intserv.rsa.pub 100% ***************************** 243 00:00
ishost$ ssh remotehost
user@remotehost password:
remotehost$ vi .ssh/authorized_keys
remotehost$ chmod 400 .ssh/authorized_keys
remotehost$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyqqWc0QoaGx/ixCx9UUQt3N+/zZQ3rJcPZt6V2FVp8F2jJbOZlJSdfEfvuQvv5wqI2mH3DOcduB6G6InTRiiNbInqla9cglBM8eptyrSSP6BHTX+Kak4ZtCzCp7MDuOegDFlyDVTiL0ePJhJsoHkIIZTRBQe8opvd8UAAXU/7ys= user@ishost
remotehost$ exit

You should now be able to log in without a password.
ishost$ ssh -F packages/OpenSSH/config/options.properties remotehost
If you are still prompted for a password or the login fails, it may be helpful to set the
‘-v’ option to enable debugging. This option is available on the server side as well.
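The two key records this setup depends on, as an added example (shell written for this page, not code from the webMethods OpenSSH package): a restricted authorized_keys entry for the remote host that applies the ‘command=’ guideline from the Security considerations, and a known_hosts entry for the Integration Server, which has to exist before the first connection because BatchMode yes with StrictHostKeyChecking yes fails instead of prompting. Both refuse a public key that is not on a single line; the forced-command path, file locations and key material are placeholders.

```shell
#!/bin/sh
# Added example, not part of the webMethods OpenSSH package. Paths and the
# forced command are placeholders; key material in the tests is constructed.

# read_pubkey FILE: sets KTYPE KDATA KCOMMENT. Fails unless FILE is exactly one
# "<type> <base64> [comment]" line; a key wrapped over several lines is not
# recognised by sshd, so it is rejected here instead of failing silently later.
read_pubkey() {
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    read -r KTYPE KDATA KCOMMENT < "$1" || :
    case "$KTYPE" in ssh-rsa|ssh-dss) ;; *) return 1 ;; esac
    [ -n "$KDATA" ] || return 1
}

# restricted_key_line PUBKEY_FILE FORCED_COMMAND
# Prints the authorized_keys entry for the Integration Server key with the
# command= option pinned and forwarding/pty use disabled (options per sshd(8)).
restricted_key_line() {
    read_pubkey "$1" || return 1
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s' \
        "$2" "$KTYPE" "$KDATA"
    [ -n "$KCOMMENT" ] && printf ' %s' "$KCOMMENT"
    printf '\n'
}

# add_known_host KNOWN_HOSTS HOSTNAME IP HOSTKEY_FILE
# Records the remote host key obtained out of band from its administrator, so
# that StrictHostKeyChecking yes together with BatchMode yes succeeds without a
# prompt. Returns 2 if the host is already listed with a different key: that is
# the man-in-the-middle signal and must be investigated, never overwritten.
# Plain (unhashed) known_hosts entries are assumed.
add_known_host() {
    hosts=$1; name=$2; ip=$3
    read_pubkey "$4" || return 1
    if [ -f "$hosts" ]; then
        existing=$(awk -v h="$name" '$1 ~ ("(^|,)" h "(,|$)") { print $3 }' "$hosts")
        if [ -n "$existing" ]; then
            [ "$existing" = "$KDATA" ] && return 0
            return 2
        fi
    fi
    printf '%s,%s %s %s\n' "$name" "$ip" "$KTYPE" "$KDATA" >> "$hosts"
}
```

On the remote host the printed line goes into .ssh/authorized_keys; on the Integration Server host the known_hosts file is the one named by UserKnownHostsFile (by default ~/.ssh/known_hosts of the account running the server).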


Services
The following is a summary of the services in the OpenSSH package. All services
return the following three strings:
- status – return code from program, 0 is normal
- error – error string from program
- output – output from command
pub.openssh:scp
This service securely copies a file or group of files from the server running
Integration Server to a remote server.
Parameters:
- filename – Name of local file to copy
- remotehost – Name of remote host
- remotefile – Name of remote file
- extraparms – Additional parameters to the scp command, see the manual page for
details. ‘-v’ is useful for debugging
- timeout – Amount of time to wait for the command to complete (default = 30).
This will not be adequate for very large files.

pub.openssh:sftp
This service runs a batch mode sftp script. A sample script file that creates a remote
directory called testdocs and copies the document to the remote server is as follows.
The ‘-’ before the mkdir command tells sftp to ignore errors on directory
creation.
-mkdir testdocs
cd testdocs
put mydoc testdocs
This script copies the contents of the remote directory ‘remotedir’ to ‘newdir’ on the
Integration Server host. If newdir already exists, the copy fails. Prefix the ‘lmkdir’
command with a ‘-’ to ignore the directory creation error.
lmkdir newdir
lcd newdir
cd remotedir
mget *

Parameters:
- Remotehost – Name of remote host
- Batchcommands – Batch script to run, see manual page
- Extraparms – Additional parameters to the sftp command
- Timeout – Amount of time to wait for the command to complete (default = 30)
See the man page for sftp for complete details on available sftp commands. It is not
currently possible to interactively script the sftp command.

pub.openssh:ssh
This service runs a command on the remote server.
This command is effectively a command shell on the remote server. You must
exercise great care in the commands you allow to execute on the remote
server as well as the permissions of the remote account. By default, the ssh
command is disabled.
Parameters:
- remotehost – Name of remote host
- remotecommand – Remote command to run (e.g., ls)
- extraparms – Additional parameters to the ssh command
- timeout – Amount of time to wait for the command to complete (default = 30)
