Secure Global Desktop 4.31 Administration Guide > Security > Installing and using SSH with Secure Global Desktop

Installing and using SSH with Secure Global Desktop

SSH (Secure SHell) is a package that lets you securely execute commands on network hosts. It offers a more secure alternative to the standard UNIX commands for this purpose.

SSH provides the following benefits over the standard UNIX commands:

Secure Global Desktop can use SSH to provide secure communications between Secure Global Desktop servers and application servers.

Secure Global Desktop works with SSH version 2.x or later.

Secure Global Desktop automatically detects that SSH is installed if SSH is installed in one of the following directories:

Note: If SSH is installed in a different location, you can configure the location of the SSH client.

Installing SSH

If SSH is not already installed, download and install it in one of the directories listed above:

  1. Obtain SSH. Download the packages for your operating system or download OpenSSH. Secure Global Desktop works with SSH version 2.x or later.
  2. Install SSH on every UNIX application server you want to provide secure access to, and on every Secure Global Desktop host.

    Note: Because of SSH version compatibility problems, use the same major version of SSH (either version 2 or version 3) on all Secure Global Desktop hosts and application servers for them to communicate securely.

  3. Enable X11 forwarding.
  4. Start the SSH daemon.
  5. Restart your Secure Global Desktop servers using tarantella restart.

Enabling X11 forwarding

To support X applications that use SSH, you must enable X11 forwarding. On each Secure Global Desktop host:

  1. Edit the SSH daemon configuration file (sshd_config) and include the following:
    X11Forwarding yes

    Note: If the SSH daemon is already running, you must restart it after making changes to the sshd_config file.

  2. Either:

Configuring the SSH client

When using SSH with Secure Global Desktop, you can configure the command-line arguments used by the SSH client. The arguments can be configured globally, for individual applications or a combination of both.

Global SSH client configuration

Use the global SSH client configuration in the following situations:

You configure the global options for the SSH client by setting the TTASSHCLIENT environment variable as follows:

  1. Stop the Secure Global Desktop server:
    tarantella stop
  2. Set the environment variable TTASSHCLIENT to the full path to the SSH program and any required command-line arguments, for example:
    TTASSHCLIENT="/usr/local/bin/ssh -q -X"; export TTASSHCLIENT

    Note: If you only want to set command-line arguments for the SSH client, you have to include the full path to the SSH program, even if the SSH program is in a location where Secure Global Desktop can detect it.

  3. Restart the Secure Global Desktop server:
    tarantella start

Application SSH client configuration

You can use the SSH Arguments (--ssharguments) attribute on an application object to specify the SSH command-line arguments to be used.

Using global and application SSH client configuration together

You can combine the global and application SSH client configuration to set the path to the SSH client and set the command-line arguments.

Note: If you do this, any global command-line arguments are ignored.

The following table shows the effect of global and application configuration on the ssh command used.

| Global Configuration | Application Configuration | SSH command used |
|---|---|---|
| [none] | [none] | ssh -l user@host |
| [none] | -X | ssh -X -l user@host |
| /usr/ssh -X | [none] | /usr/ssh -X -l user@host |
| /usr/ssh -X | -p port | /usr/ssh -p port -l user@host |
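
The precedence rule in the table, written out as an added shell example (not part of the original guide or of Secure Global Desktop itself). The function names are hypothetical and the sketch assumes the SSH client path contains no spaces; `dropped_global_args` reports which TTASSHCLIENT arguments, such as `-X`, stop applying once an application object sets its own.

```shell
# Added example: model of the documented precedence, not product code.
# effective_ssh_cmd GLOBAL APP_ARGS
#   GLOBAL   - value of TTASSHCLIENT (full path plus optional arguments), may be empty
#   APP_ARGS - value of the application's SSH Arguments attribute, may be empty
effective_ssh_cmd() {
    esc_global=$1
    esc_app=$2
    # The first word of TTASSHCLIENT is the client path; the rest are global arguments.
    esc_path=${esc_global%% *}
    esc_gargs=
    case $esc_global in
        *" "*) esc_gargs=${esc_global#* } ;;
    esac
    [ -n "$esc_path" ] || esc_path=ssh
    # Application arguments replace the global arguments; the global path is kept.
    if [ -n "$esc_app" ]; then
        esc_args=$esc_app
    else
        esc_args=$esc_gargs
    fi
    printf '%s\n' "$esc_path${esc_args:+ $esc_args} -l user@host"
}

# dropped_global_args GLOBAL APP_ARGS
# Prints the global arguments that are ignored because APP_ARGS is set.
dropped_global_args() {
    case $1 in
        *" "*) [ -z "$2" ] || printf '%s\n' "${1#* }" ;;
    esac
}

# Demonstration with the TTASSHCLIENT value used earlier on this page and a
# constructed application setting of "-p port".
effective_ssh_cmd "/usr/local/bin/ssh -q -X" "-p port"
dropped_global_args "/usr/local/bin/ssh -q -X" "-p port"
```
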

SSH and the X Security extension

Secure Global Desktop supports the X Security extension. The X Security extension only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later.

You enable support for X Security for an application using the Enable X Security Extension attribute.

Using SSH and X authorization

If SSH connections fail when X authorization is enabled, you may have to run the SSH daemon in IPv4-only mode because Secure Global Desktop may not support the xsecurity extension used on your server. You enable IPv4-only mode by editing your system SSH configuration file. For example:

Note: If the SSH configuration file does not exist on your system, you can create it.

You must restart the SSH daemon after making this change.

Using advanced SSH functions

Certain SSH functionality, such as client keys, requires that the SSH client process runs as a specific user. In previous releases of Secure Global Desktop, the server process ran as the UNIX root user and had unlimited access to the server. However, from version 4.0 the Secure Global Desktop server processes and the SSH client process run as a non-privileged user. This is for security reasons. To restore the previous behavior, you must make the Secure Global Desktop ttasshhelper application a setuid root process:

  1. Log in as root on the Secure Global Desktop host.
  2. Run the following commands:
    chmod 4510 /opt/tarantella/bin/bin/ttasshhelper
    chown root /opt/tarantella/bin/bin/ttasshhelper

If you make these changes, you must take particular care to protect your Secure Global Desktop servers from unauthorized access.
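
A check for the state those two commands leave behind, as an added example that is not part of the original guide: it classifies the helper as not setuid, setuid with a mode other than 4510, setuid but not owned by root, or the documented setuid-root 4510 state. The function name and status strings are hypothetical, and it assumes GNU coreutils `stat`; with mode 4510 every member of the owning group can execute the root-setuid helper, so the group ID is reported as well.

```shell
# Added example: audit the setuid state of the SGD SSH helper.
# Assumes GNU coreutils stat (-c). The default path is the one given on this page.
audit_ssh_helper() {
    ash_helper=${1:-/opt/tarantella/bin/bin/ttasshhelper}
    [ -e "$ash_helper" ] || { echo "missing"; return 0; }
    # -u is true only when the set-user-ID bit is set on the file.
    [ -u "$ash_helper" ] || { echo "not-setuid"; return 0; }
    ash_mode=$(stat -c '%a' "$ash_helper")
    ash_uid=$(stat -c '%u' "$ash_helper")
    ash_gid=$(stat -c '%g' "$ash_helper")
    if [ "$ash_mode" != "4510" ]; then
        # Setuid with looser or different permissions than the guide specifies.
        echo "setuid-unexpected-mode:$ash_mode"
    elif [ "$ash_uid" != "0" ]; then
        # Setuid bit present but the chown root step was not applied.
        echo "setuid-nonroot-owner:$ash_uid"
    else
        # Documented state: review who belongs to this group.
        echo "setuid-root-4510:gid=$ash_gid"
    fi
}

# Run against the default path, or against a path given as the first argument.
audit_ssh_helper "$@"
```
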

Configuring applications to use SSH

Configure your applications to use the SSH protocol. Using Object Manager, set the Connection Method attribute to SSH for each character or X application object that requires a secure connection.
