How Do I Install A SSH Relay Agent?
The SSH Relay Agent enables you to do agentless monitoring of your Unix machines using SSH.
Install packages are available for download for the following UNIX platforms:
- SunOS 2.8 (Solaris 8) or later on SPARC hardware
- SunOS 5.10 (Solaris 10) or later on Intel hardware
- HP-UX 11.x or later
- AIX 4.3 or later
- Linux 2.4.7 or later
To install the SSH Relay Agent, do the following:
- Copy the installation tarball to the UNIX host
- Create /etc/argent by typing:
mkdir /etc/argent
- Move the tarball into /etc/argent by typing:
mv ARGENT_GUARDIAN_SSH_RELAY_ver_yymm.TAR /etc/argent
- Change to the /etc/argent directory by typing:
cd /etc/argent
- Extract the tar file by typing:
tar xfv ARGENT_GUARDIAN_SSH_RELAY_ver_yymm.TAR
- Create an empty tag_relay.log file by typing:
touch tag_relay.log
- Ensure the user running the SSH Relay Agent has Read and Execute permissions on tag_relay and run_ssh
Type the following:
chmod 755 tag_relay
chmod 755 run_ssh
(The user running the SSH Relay Agent must be the owner of these files, or at least be a member of the specified group.)
- Ensure the user running the SSH Relay Agent has read and write permissions on log files. Type:
chmod 666 *.log
- Verify the location of scp and ssh on the system. By default, these are /usr/bin/scp and /usr/bin/ssh, respectively.
However, any scp and ssh executables can be used. If not using /usr/bin/scp and /usr/bin/ssh, edit run_ssh to change the absolute path to these two executables.
- Insert the following line into /etc/services:
tag_relay 3062/tcp # The Argent SSH Relay Agent
Note: The SSH Relay Agent may be configured to listen on any TCP port. If desired, change the port number in the above line in /etc/services.
- Insert the following line into /etc/inetd.conf, replacing [USER] with the user account that will run the SSH Relay Agent:
tag_relay stream tcp nowait [USER] /etc/argent/tag_relay tag_relay
Note: To restrict which hosts may connect to the SSH Relay Agent, use TCP wrappers.
Add the following line to /etc/hosts.allow:
tag_relay: [allowed IP addresses or hostnames]
SSH Key Exchange
In order for the Argent SSH Relay Agent to communicate with the monitored Unix systems using SCP and SSH, a proper SSH key exchange must first take place.
This includes saving the key fingerprint of the monitored system, and transferring the public key from the SSH Relay Agent host to the monitored system.
By default, SSH tries to authenticate with the private/public key pair first. If this is unsuccessful, SSH then requests the password be entered manually.
These steps will allow the SSH Relay Agent to communicate with the monitored systems via SSH without a password. This allows the password for the account used to change periodically without you having to update Argent.
Log on to the SSH Relay Agent host as the account that will run the agent. Alternatively, log on to the host and switch to that account by typing:
su - [USER]
Create the authentication keys by using ssh-keygen. RSA, DSA, or SSH1 keys can be generated with this utility.
To generate a DSA key, for example, type:
ssh-keygen -t dsa
This will create id_dsa and id_dsa.pub. (The latter file is the public DSA key.)
By default, the generated keys are placed in $HOME/.ssh.
If authentication keys already exist, this step may be skipped.
Copy the public key from the SSH Relay Agent host to each host to be monitored, appending it to $HOME/.ssh/authorized_keys for the account that runs the Argent agent.
If $HOME/.ssh does not exist on a monitored host, use ssh-keygen to create the host keys first. Use SCP to transfer the public key file.
scp $HOME/.ssh/id_dsa.pub [servername]:$HOME/.ssh/authorized_keys
If $HOME/.ssh/authorized_keys already exists, transfer the public key file to the monitored server as a different name, then append the contents of that file to the existing authorized_keys file.
If prompted to save the host key of the monitored server, answer “yes”. This will permanently save the key.
Test the SSH connection from the SSH Relay Agent by typing:
ssh [servername] hostname
The hostname of the monitored server should be returned without additional input, such as a password.
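As an added example (not part of the Argent documentation), the following POSIX sh functions check the results of the steps above: the tag_relay entries in /etc/services and /etc/inetd.conf, the permissions on tag_relay and run_ssh, the TCP-wrappers rule in /etc/hosts.allow, and the password-less login test, run with BatchMode=yes so that a missing key makes ssh fail instead of prompting. File paths default to the locations used above and can be passed as arguments so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Post-install checks for the SSH Relay Agent (added example, not Argent's code).

# 1. /etc/services must map tag_relay to a TCP port (3062 in the install steps).
#    Prints the port; exits 1 if no entry is present.
relay_port() {
    awk '$1 == "tag_relay" && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; found = 1 }
         END { exit found ? 0 : 1 }' "${1:-/etc/services}"
}

# 2. /etc/inetd.conf must start /etc/argent/tag_relay as a stream/tcp service.
#    Prints the account the service runs as ([USER] above); exits 1 if absent.
inetd_user() {
    awk '$1 == "tag_relay" && $2 == "stream" && $3 == "tcp" && $6 == "/etc/argent/tag_relay" { print $5; found = 1 }
         END { exit found ? 0 : 1 }' "${1:-/etc/inetd.conf}"
}

# 3. tag_relay and run_ssh must be readable and executable by the current user
#    (the chmod 755 step). Run this as the account named in inetd.conf.
exec_ok() {
    [ -f "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# 4. hosts.allow should carry a tag_relay rule (the TCP-wrappers note above).
wrappers_restricted() {
    grep -q '^tag_relay[[:space:]]*:' "${1:-/etc/hosts.allow}"
}

# 5. Key-based login test. BatchMode=yes disables password prompts, so a key
#    that was not installed in authorized_keys shows up as a non-zero exit.
key_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" hostname >/dev/null 2>&1
}
```

Run the checks from the account that will run the agent, for example `exec_ok /etc/argent/tag_relay && exec_ok /etc/argent/run_ssh && key_login_ok [servername]`.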