Secure Global Desktop 4.40 Administration Guide > Security > Using SSH with SGD

Using SSH with SGD

SSH (Secure SHell) is a package that lets you securely execute commands on network hosts. It offers a more secure alternative to the standard UNIX or Linux system commands for this purpose.

SSH provides the following benefits:

• All communication between application servers and SGD servers using SSH is encrypted, including the X protocol if you are running X applications
• User names and passwords are always encrypted before being transmitted over the network

SGD can use SSH to provide secure communications between SGD servers and application servers.

SGD works with SSH version 2.x or later.

To use SSH with SGD

1. Install SSH. If SSH is already installed, you might need to configure SGD to find it.
2. Enable X11 forwarding for X applications.
3. Configure the SGD applications to use SSH.
4. Additional configuration might be needed for the following:
   • Command-line arguments for the SSH Client
   • The X Security extension
   • X authorization
   • Advanced SSH functions, such as client keys

Installing SSH

To use SSH, it must be installed on the SGD host and on the application server.

SGD can automatically detect that SSH is installed on the SGD host if SSH is installed in one of the following directories:

• /usr/local/bin
• /usr/bin
• /usr/sbin
• /usr/lbin
• /bin
• /sbin

Note If SSH is installed in a different location, you can configure the location of the SSH client.

If SSH is not already installed, download it and install it as follows:

1. Obtain SSH.

   Download the packages for your operating system or download OpenSSH. SGD works with SSH version 2.x or later.

2. Install SSH.

   Install SSH on every UNIX or Linux system application server you want to provide secure access to.

   Install SSH on every SGD host in one of the directories listed above.

   Note Because of SSH version compatibility problems, use the same major version of SSH (either version 2 or version 3) on all SGD hosts and application servers.

3. Start the SSH daemon.
4. Restart all the SGD servers in the array.

Enabling X11 Forwarding

To support X applications that SSH, you must enable X11 forwarding. On each SGD host:

1. Edit the SSH daemon configuration file (sshd_config) and include the following line:

   X11Forwarding yes

   Note If the SSH daemon is already running, you must restart it after making changes to the sshd_config file.

2. Either:
   • Edit the SSH client configuration file (ssh_config) and include the following line:

     ForwardAgent yes
     ForwardX11 yes

   • Configure the SSH client to use the -X command-line argument.
3. Restart the SSH daemon.

Configuring the SGD applications to use SSH

To use SSH to secure the communication between an application server and an SGD server, the application object must be configured as follows:

1. In the SGD Administration Console, click the Applications tab and select the application.
2. Click the Launch tab.
3. Select the ssh option for the Connection Method.
4. Click Save.

Alternatively, use the following command:

$ tarantella object edit --name obj --method ssh

Configuring the SSH Client

When using SSH with SGD, you can configure the command-line arguments used by the SSH client. The arguments can be configured globally, for individual applications, or a combination of both.

Global SSH Client Configuration

Use the global SSH client configuration in the following situations:

• SSH is not installed in one of the default locations
• To use the same SSH client command-line arguments for all applications

You configure the global options for the SSH client by setting the TTASSHCLIENT environment variable as follows:

1. Log on as superuser (root) on the the SGD host.
2. Stop the SGD server.
3. Set the environment variable TTASSHCLIENT to the full path to the SSH program and any required command-line arguments.

   For example:

   # TTASSHCLIENT="/usr/local/bin/ssh -q -X"; export TTASSHCLIENT

   Note If you only want to set command-line arguments for the SSH client, you have to include the full path to the SSH program, even if the SSH program is in a location where SGD can detect it.

4. Restart the SGD server.

Application SSH Client Configuration

You can specify the command-line arguments to use for the SSH client for individual applications as follows:

1. In the SGD Administration Console, click the Applications tab and select the application.
2. Click the Launch tab.
3. Ensure that the ssh option is selected for the Connection Method.
4. In the SSH Arguments field, type the SSH arguments you want to use for the application.
5. Click Save.

Alternatively, use the following command:

$ tarantella object edit --name obj --ssharguments args

Using Global and Application SSH Client Configuration Together

You can combine the global and application SSH client configuration to set the path to the SSH client and set the command-line arguments.

Note If you do this, any global command-line arguments are ignored.

The following table shows the effect of global and application configuration on the ssh command used.

SSH and the X Security Extension

SGD supports the X Security extension. The X Security extension only works with versions of SSH that support -Y option. For OpenSSH, this is version 3.8 or later.

You enable the X security extension for individual applications as follows:

1. In the SGD Administration Console, click the Applications tab and select the application.
2. Click the Launch tab.
3. Ensure that the ssh option is selected for the Connection Method.
4. Select the X Security Extension check box.
5. Click Save.

Alternatively, use the following command:

$ tarantella object edit --name obj --securityextension 1

Using SSH and X Authorization

If SSH connections fail when X authorization is enabled, you might have to run the SSH daemon in ipv4-only mode because SGD might not support the xsecurity extension used on your server. You enable ipv4-only mode by editing your system SSH configuration file. For example:

• On SUSE Linux, edit the /etc/sysconfig/ssh file and add a SSHD_OPTS="-4" line.
• On Red Hat Enterprise Linux, edit the /etc/sysconfig/sshd file and add a OPTIONS="-4" line.

Note If the SSH configuration file does not exist on your system, you can create it.

You must restart the SSH daemon after making this change.

Using Advanced SSH Functions

Certain SSH functionality, such as client keys, requires that the SSH client process runs as a specific user. In previous releases of SGD, the server process ran as the UNIX or Linux system root user and had unlimited access to the server. However, from version 4.0 the SGD server processes and the SSH client process run as a non-privileged user. This is for security reasons. To restore the previous behavior, you must make the SGD ttasshhelper application a setuid root process. You do this as follows:

1. Log in as superuser (root) on the SGD host.
2. Use the following commands:

   # chmod 4510 /opt/tarantella/bin/bin/ttasshhelper
   # chown root /opt/tarantella/bin/bin/ttasshhelper

If you make these changes, you must take particular care to protect your SGD servers from unauthorized access.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.