AmigaOS Port of OpenSSH 3.0.2

Updated 1/10/2002

Introduction

I work at a company that allows VPN-like access to the corporate Intranet via an SSH gateway. While the available SSH1 ports to AmigaOS worked quite well, I was constantly worried that the company would shut off SSH Version 1 access and effectively lock out my Amiga...so I tried and tried until I got an SSH2 client to compile, which brings us to OpenSSH 3.0.1 on the Amiga.

This was made possible by Michael Trebilcock's port of OpenSSL to AmigaOS, and I thank him for his work on this.

Included in this archive are the OpenSSH client, a Perl script needed to generate random numbers for the client and some configuration files. The server/daemon is not included as it doesn't seem to work quite right.

Special thanks to Sigbjørn Skjæret for his help with the SSHD portion of this archive.

Requirements

I have basically everything available in binary form from ftp.geekgadgets.org installed on my Amiga, and so I am not *really* sure what the bare minimum requirements are, but here is a preliminary list:

  o Ixemul.library v48.0 or better
  o Perl 5.6.0
  o A gg: assign with gg:/sys/s/gg-startup (or equivalent) being called in your user-startup.
  o The OpenSSL v0.9.6 port from Aminet -- the one in /dev/gg

Since this is a fairly large program, I would recommend a 68040 or better to run this.

Installation

Simply unpack the Tar file into gg: so that the contents of bin are placed into gg:bin and the contents of etc are placed into gg:etc. (Yes, this means that an additional requirement is a tar or untar command.)

Usage

To connect to a remote server:

    ssh -l USERNAME SERVER_HOSTNAME

To get a listing/explanation of all options:

    ssh -h

I like to port-forward from the remote machine to my box, so that instead of just having a secure terminal, I have secure Web/Telnet/FTP access to and from my company's network (yes, I do all of my work on my Amiga).
You can read all about this on the Web, just search Google for 'SSH port forward' or 'SSH tunnel'. My favorite method is to forward the SOCKS port from my company's gateway back to my box, and then enable the SOCKS client in MiamiDx so that ALL the ports are forwarded and I have total access (minus UDP stuff like NFS) -- this makes FTP a cinch and it also allows me to have telnet/ftp access to any host at work. I am sure that this requires a special SOCKS daemon be installed on the SSH server at work, but I know nothing of that, as I do not maintain it.

More information on OpenSSH: www.openssh.org

What About SSHD?

SSHD compiles and runs fine; however, I seem to be unable to get it to authenticate users against the Password tables of AmiTCP or MiamiDX, and not even against a passwd file in gg:etc. I have *heard* that it will authenticate against AmiTCP 4.0, but have been unable to test that. SSHD also doesn't seem to want to use keys as authentication -- though I may be missing something there.

It is possible to set up SSHD to accept no authentication method and just log the user in, but then SSHD tries to give you a tty from /dev/ttyp0 and immediately fails, as nothing like that exists in AmigaOS. Therefore, it becomes impossible to use SSHD alone to log into your machine.

But wait! There is a workaround -- an extremely messy workaround. You can set up SSHD so that you can create an encrypted and secure telnet channel between a client and your Amiga, and then log in through your Amiga's telnet server -- knowing that the channel is safe from snoopers who want your password.

Here's how to set up SSHD to do this:

  o Copy 'sshd_config' from the 'untested' directory of this archive into gg:local/etc.
  o Then copy 'sshd' from the 'untested' directory of this archive to gg:sbin.
  o Edit this sshd_config file to replace 'YOUR.IP.GOES.HERE' on the 5th line with your Amiga's IP address.
  o Add a line in AmiTCP's/Miami's Services file/area as follows:

        ssh 22 tcp

  o Add a line in AmiTCP's/Miami's InetD file/area as follows:

        ssh stream tcp nowait root gg:sbin/sshd ssh

  o Set up a telnet server on your Amiga. I recommend the MiamiTelnetD that comes with MiamiDX. To use this, just add this line in MiamiDX's InetD area:

        telnet stream tcp nowait nobody miami:miamitelnetd MiamiTelnetD

  o Add a user to AmiTCP/MiamiDX with an empty password -- make certain that user has no password. Set the shell of this user to c:false so that if someone tries to telnet into your Amiga and login as this user, they will be immediately kicked out.

SSHD sometimes causes an alert to 'mount /gg:' (as gg: is my user's home dir), so sometimes I have to do a messy hack:

    assign /gg: gg:

Your mileage may vary on this.

How to connect

On the client machine, enter this command:

    ssh -L23:YOUR.IP.GOES.HERE:23 -l USERNAME -N YOUR.IP.GOES.HERE

Replace 'YOUR.IP.GOES.HERE' with your Amiga's IP address and replace 'USERNAME' with the user you created without a password.

Give this command about 15 seconds to execute (nothing will happen, it'll just hang there because of the -N, which is what we want it to do instead of trying to open a tty that it can't find).

Open another terminal/cli on the client machine and telnet to your Amiga through the secure channel with this command:

    telnet localhost

Presto! You are telnetting with a secure channel.

When you want to kill the SSH connection, return to the terminal/CLI with the connection hanging there, and just hit CTRL-C, which will break the connection.

But that kind of stinks, doesn't it? Well, yes. The good news is that we are using SSH's port-forwarding capabilities that allow us to forward ports on an SSH server to ports on the client's localhost, so that these ports become secure channels.
You could, theoretically, set up a VNC server on your Amiga, and forward port 5900 on the client, so that you could have full-screen access to your Amiga via a secure channel.

You CAN set SSHD to require a password by modifying its source code to hard-set a password. To do this, download the source code as described in the 'Compiling OpenSSH 3.0.2' section and edit the auth-passwd.c file in the OpenSSH archive to change line 220 to be as follows:

    return (strcmp("MyPassword", password) == 0);

Change 'MyPassword' to be the password you want SSHD to require, but leave the quote marks. Then compile OpenSSH as instructed below, and when you try to open a secure channel with SSH, use any valid username and the password you hard-set in auth-passwd.c.

I am sorry that I lack the time and knowledge to make it work any better than this. Please let me know if you can take this project farther.

What About SCP AND SFTP?

SCP and SFTP compiled fine when I compiled the OpenSSH distro; however, I do not have much use for them and haven't really tested them out. Hence, they are in the 'untested' directory of this archive. SFTP and SCP can go into gg:bin.

Compiling OpenSSH 3.0.2

If you want to compile this program for yourself, follow these steps:

1. Download and Install OpenSSL from Aminet: http://wuarchive.wustl.edu/pub/aminet/dev/gg/openssl-bin.lha
2. Download Portable OpenSSH from here: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
3. Gunzip and untar the openssh-3.0.2p1.tar.gz archive (duh).
4. Copy rand.pl from the 'unpack_into_gg_directory.tar' Tar file in this archive -- you must have Perl installed for this to work.
5. Edit the defines.h file in the openssh-3.0.2p1 directory. Uncomment line 466 so that it just has this:

       #define USE_PIPES 1

6. Set the CFLAGS environment variable to "-Dfork=vfork" like so:

       setenv CFLAGS="-Dfork=vfork"

7. Make sure that you have UnixDirs3 running.
8. CD into the newly-created 'openssh-3.0.1p1' directory (duh)
9. Configure using this command:

       sh configure --with-random=/gg/bin/rand.pl --with-ssl-dir=/gg/ssl

10. Compile and install using these commands:

       make
       make install

The magic is in the 'configure' command; not much is needed to get the client to compile. The server side will compile, but not run quite right. This requires a full GeekGadgets install.

IMPORTANT: Beta Status

Of course, I will not be blamed for any problem this software causes you, nor do I offer any kind of warranty at all. Use at your own risk.

This software was compiled on my Amithlon system, and I have not run it on any 'true' Amiga, so there is no telling how it will work in a native system. Since Amithlon emulates a 68040, it should work, but I am interested to see what happens.

This software is totally freeware. I made it for my own use and post it in hopes that someone else gets some use from it.

Who Am I?

Eric Chernoff
eric@chernoff.org
http://www.chernoff.org
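
An added example, not code from this archive or from OpenSSH: a stricter form of the hard-set password check described under 'What About SSHD?', which compares without stopping at the first wrong byte, refuses an empty password, and accepts the password for one account only instead of any valid username. The names fixed_password_ok, ct_streq and TUNNEL_USER and the account name "tunnel" are assumptions made for illustration; the password is still stored in clear text in the binary.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values: the page's placeholder password, and a hypothetical
 * name for the one account that is allowed to open the tunnel. */
static const char FIXED_PASSWORD[] = "MyPassword";
static const char TUNNEL_USER[] = "tunnel";

/* String equality that does not stop at the first differing byte, so
 * the time taken follows the candidate's length, not the match length. */
static int ct_streq(const char *secret, const char *candidate)
{
    size_t slen = strlen(secret);
    size_t clen = strlen(candidate);
    unsigned char diff = (unsigned char)(slen != clen);
    size_t i;

    for (i = 0; i < clen; i++) {
        /* i % (slen + 1) never indexes past the secret's terminating NUL */
        diff |= (unsigned char)secret[i % (slen + 1)] ^ (unsigned char)candidate[i];
    }
    return diff == 0;
}

/* Hypothetical replacement for the single strcmp() line: an empty or
 * missing password never passes, and only TUNNEL_USER may use it. */
int fixed_password_ok(const char *user, const char *password)
{
    int user_ok, pass_ok;

    if (user == NULL || password == NULL || password[0] == '\0')
        return 0;
    user_ok = ct_streq(TUNNEL_USER, user);
    pass_ok = ct_streq(FIXED_PASSWORD, password);
    return user_ok & pass_ok;   /* both checks always run */
}

int main(void)
{
    printf("tunnel + right password: %d\n", fixed_password_ok("tunnel", "MyPassword"));
    printf("tunnel + wrong password: %d\n", fixed_password_ok("tunnel", "MyPassworx"));
    printf("other user, right password: %d\n", fixed_password_ok("root", "MyPassword"));
    return 0;
}
```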