Quick Start -- Installing and configuring NetWare OpenSSH

  • 7004511
  • 23-Sep-2009
  • 25-Jun-2012

Environment

Novell NetWare 6.5
Quickstart

Situation

This document is a brief description of how to get NetWare 6.5 OpenSSH installed and running.  It does not cover all aspects of configuration and usage, nor is it a comprehensive troubleshooting guide for OpenSSH.

Resolution

Installation:
 
NetWare OpenSSH is an optional part of the NetWare install.  During the installation of NetWare, the box next to "OpenSSH" can be checked to add this product.
 
If NetWare was installed without OpenSSH, you can add it using the following steps:
 
1.  Insert the NetWare Product ("Prod") CD (or the NetWare Install DVD).
2.  Go into the X Server Graphical Console (execute "startx" if the Graphical Console is not already loaded).
3.  From the "Novell" menu, select "Install."
4.  Click Add.  In the Source Path pop-up box, browse to the NW65PROD volume and double-click on it.
5.  In the right hand column, select (highlight) the POSTINST.NI file.  Click OK, then click OK again.
6.  When the list of components comes up, click "Clear All" and then check the box for "OpenSSH".
7.  Click "Next," then click "Copy files."
 
Note:  The install will add the necessary NLMs and configuration files, but it will not modify the AUTOEXEC.NCF to start the SSH Server (SSHD.NLM) upon boot.  This is because some administrators install OpenSSH to get the client pieces, rather than because they wish to run the SSH server.  If desired, edit AUTOEXEC.NCF and add the command "LOAD SSHD" near the end.  It is not necessary to reboot the server after installing OpenSSH.  SSHD.NLM can be executed manually to start the service.
 
Updates:
 
NetWare OpenSSH is updated in each NetWare 6.5 Support Pack, and sometimes separately afterwards.  The latest (and expected last) update is in the downloadable file "nwsshd8b.zip".
 
If you wish to get the latest updates without applying a support pack, there are two possible methods:
 
1.  Search at https://support.novell.com/patches.html for sshd.nlm.  SSHD patches are typically available in a file named with the format:  NWsshd8b.zip, where 8b means that the patch is the second patch released for NetWare OpenSSH after SP8 was released.
 
2.  Download a support pack and retrieve and install just the SSHD updates from it.  The SSHD materials are found in the support pack at path:  ./products/ssh/sshcore.zip
Unzip the contents of that file into the sys:/system directory.  Note that a "system" sub-directory is already built into that zip file, so align the extraction appropriately.
 
NOTE:  It is always best to have a similar level of LIBC updates in place if you are moving to a newer level of SSHD updates.  LIBC downloads are typically found in files named in the format:  libcsp6b.zip, where "sp6b" indicates this is the second libc update, after NetWare 6.5 SP6.  Incidentally, libcsp6b.zip contains the same LIBC modules that went into NetWare 6.5 SP7.  The current (and recommended) level of LIBC is that which is supplied by NetWare 6.5 SP8.
 
General Setup and Configuration:
 
1.  OpenSSH expects to be able to contact an LDAP service running on the same system.  So NLDAP.NLM should be loaded on any system which will be running SSHD.NLM.  This is usually present by default, but if necessary can be added to the AUTOEXEC.NCF just before SSHD is loaded.
 
Note:  There is a way to tell SSHD to use a remote LDAP server.  That method is not 100% supported, but is documented in KB 3783350.  Novell recommends getting SSHD functioning fully with a local (same machine) LDAP server before attempting to configure it to use a remote LDAP server.
 
2.  The configuration parameters for the OpenSSH server are found in SYS:\ETC\SSH\SSHD_CONFIG.  There are comments in that file describing the usage of some of them.
 
3.  By default, SSHD does its LDAP searches with anonymous bind.  In a default NetWare environment, anonymous bind will rely on the rights of [PUBLIC], and those rights should be sufficient.  However, if it is preferred that SSHD use a specific "proxy user", that can be configured in SYS:\ETC\SSH\SSHD_CONFIG with the ProxyName and ProxyPassword settings.  The name should be in LDAP format, including commas as delimiters.  For example:
 
ProxyName cn=ldapuser,o=company
ProxyPassword  ldappass
 
4.  Check the sshd_config for any occurrences of "eDirNameContext".  This setting is very important, as it will control what portion of the tree will be searched for users as well as the servers/volumes they can access through SSH.  This parameter can be used repeatedly, to search multiple contexts.  It can also be used to search entire subtrees instead of just the one specific level.  For example:
 
eDirNameContext  ou=detroit.o=company
eDirNameContext  ou=sacramento.o=company?scope=subtree
 
The above example will cause SSHD to search the "detroit" container itself, then search the "sacramento" container and every container underneath the "sacramento" container.  These searches will be done for various purposes, several times during the authentication process.
 
5.  If the SSHD_CONFIG file is modified, put the changes into effect by restarting the service, by executing the following at the console prompt:
 
UNLOAD SSHD
LOAD SSHD
 
6.  If LDAP searching is working correctly, users doing standard keyboard / password logins should only need to submit their simple username, such as:   bob
 
However, if it is desired to try a fully qualified name, use ldap format, including comma delimiters, such as:
 
cn=bob,ou=sacramento,o=company
 
7.  If public / private keypairs are desired for authentication, see KB 3297445.
 
8.  If troubleshooting is necessary, it is usually best to set the LogLevel parameter to:
 
LogLevel DEBUG3
 
This will cause the sys:/etc/ssh/logs/sshd.log to be as verbose as possible.
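As an added example (not part of this Novell document), the following Python checker parses the SSHD_CONFIG directives discussed in steps 3, 4 and 8 above (ProxyName/ProxyPassword, eDirNameContext with its optional ?scope=subtree suffix, LogLevel) and reports the points an administrator would want to verify before relying on the configuration.  The sample configuration embedded in it is constructed from the fragments quoted in this article, not copied from a real server.

```python
# Constructed sample modelled on the SYS:\ETC\SSH\SSHD_CONFIG fragments quoted
# in this article; it is not taken from a real server.
SAMPLE_SSHD_CONFIG = """\
# NetWare OpenSSH server configuration (constructed sample)
ProxyName cn=ldapuser,o=company
ProxyPassword  ldappass
eDirNameContext  ou=detroit.o=company
eDirNameContext  ou=sacramento.o=company?scope=subtree
LogLevel DEBUG3
"""

def parse_sshd_config(text):
    """Return (settings, contexts).  settings maps lower-cased keywords to
    their value; contexts lists each eDirNameContext as (base, scope), where
    '?scope=subtree' (as in the article) selects a subtree search and
    anything else means only the one level named."""
    settings, contexts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # skip blanks and comments
            continue
        parts = line.split(None, 1)              # keyword, then the rest
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "edirnamecontext":
            base, _, query = value.partition("?")
            scope = "subtree" if query.lower() == "scope=subtree" else "onelevel"
            contexts.append((base, scope))
        else:
            settings[key] = value
    return settings, contexts

def audit(text):
    """Apply the checks this article implies to a config; returns findings."""
    settings, contexts = parse_sshd_config(text)
    findings = []
    if "proxyname" in settings and "," not in settings["proxyname"]:
        # Article: the proxy name must be LDAP format with comma delimiters.
        findings.append("ProxyName is not comma-delimited LDAP format")
    if "proxypassword" in settings:
        # The proxy password sits in the file in cleartext, so the file
        # itself must be protected like any other stored credential.
        findings.append("ProxyPassword stored in cleartext; restrict access to SSHD_CONFIG")
    if not contexts:
        findings.append("no eDirNameContext set; check which contexts SSHD will search")
    if settings.get("loglevel", "").upper() == "DEBUG3":
        # Article: DEBUG3 is the troubleshooting level (maximum verbosity).
        findings.append("LogLevel DEBUG3 left on; sshd.log will be as verbose as possible")
    return findings
```

Run audit() over the text of your own SYS:\ETC\SSH\SSHD_CONFIG after editing it and before the UNLOAD SSHD / LOAD SSHD restart.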