Replace an Existing Secure Shell Program with Reflection for Secure IT UNIX Client or Server 7.0 or Higher
Technical Note 2282
Last Reviewed 09-Nov-2012
Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
If you are installing on a system that is already running a Secure Shell client or server, you must uninstall the prior version before you install Reflection for Secure IT 7.0 or higher.
This requirement applies to versions of Reflection for Secure IT earlier than version 7.0, as well as F-Secure, OpenSSH, and other Secure Shell implementations.
To install on a system that is currently running Secure Shell, follow these steps:
- su to root.
- (Server only) Stop the sshd service.
- Uninstall your existing Secure Shell product.
- (AIX only) Check for the existence of a hidden .toc file in the directory from which you ran installp to uninstall your previous version. If present, remove or rename the .toc file.
- Install the Reflection for Secure IT 7.x or higher client or server.
For the command to install on each UNIX platform, see the Installation topic in the Reflection for Secure IT User Guide, available from http://support.attachmate.com/manuals/rsit_unix.html.
Note: The server installation package checks to see if an existing host key pair is already present. If no host key is found, the package creates a new host key pair and the server uses this pair for host authentication. If a host key already exists in /etc/ssh2, Reflection for Secure IT uses this key. If an OpenSSH host key is found in /etc/ssh, Reflection for Secure IT migrates the key to the correct format and location and uses the migrated key.
- If you use public key authentication, ensure that your files and directories are configured with correct permissions. Version 7.1 or higher of Reflection for Secure IT requires a greater degree of security than was required in previous releases. If files and directories are not sufficiently protected, public key authentication will fail.
- Key pairs that were created (in the.ssh2 directory) with a previous version of Reflection for Secure IT are compatible with Reflection for Secure IT 7.0 or higher. No conversion is necessary.
- The StrictModes setting affects the level of protection required for files and directories used for public key authentication. To ensure maximum security, this setting is now enabled by default. Some file permissions are enforced even when this setting is disabled. See Additional Information for more details.
- If you are upgrading to Reflection for Secure IT version 7.1 or higher from an earlier version or from F-Secure SSH, you can take advantage of the migration script that is included with Reflection for Secure IT 7.1 or higher.
If you made changes in the sshd2_config or ssh2_config file, and hence configured a non-default client or server configuration file, you will find a backup copy of your old config file in the configuration file directory (appended with “.rpmsave”).
Use these backup files to merge your non-default settings to the new configuration file. See Technical Note 2422 for details.
- (Optional) If you configured a non-default client or server configuration file, you will find a backup copy of your file in the configuration file directory. Use these backup files to merge your non-default settings to the new configuration file.
Locating the backup configuration files. The details of how backup configuration files are created vary with the associated operating system.
- On all platforms except AIX, if any changes were made to the default client and/or server configuration file, the installer backs up the file when you uninstall. (The file extension added to this backup depends on the native installer.)
- On AIX, no backup file is created when you uninstall; instead, a backup file is created if a non-default configuration file is present when you install Reflection for Secure IT.
Note the following:
- The StrictModes default value is “yes” for both client and server.
- ClientStrictModes specifies how the client checks file modes and ownership during public key authentication. When set to 'yes', the .ssh2 directory must not be group or world readable (permissions=700), and the private keys listed in the identification file must not be group or world readable (permissions=600).
When set to 'no', the private key restrictions are still enforced, but not those of the .ssh2 directory. If these conditions are not met, public key authentication fails. The allowed values are 'yes' and 'no'. The default is 'yes'.
- ServerStrictModes specifies how the server checks file modes and ownership during public key authentication. When set to 'yes', the user's .ssh2 directory must be group and world read-only (no less protected than permissions=744), and the authorization file and key files must have a mode no less protected than 644. Ownership must be by root or the current user. If these conditions are not met, public key authentication fails. The allowed values are 'yes' and 'no'. The default is 'yes'.
- If /etc/pam.d/ssh exists, it is backed up and a new file is put in place.
- Subconfiguration files, if present, are not touched.
For additional information about installing Reflection for Secure IT UNIX Client or Server, see the Installation topic in the Reflection for Secure IT User Guide available from: http://support.attachmate.com/manuals/rsit_unix.htnl.