
Installing and using SSH with Secure Global Desktop

SSH (Secure SHell) is a package that lets you securely execute commands on network hosts. It offers a more secure alternative to the standard UNIX commands for this purpose.

SSH provides the following benefits over the standard UNIX commands:

Secure Global Desktop can use SSH to provide secure communications between Secure Global Desktop servers and application servers.

Secure Global Desktop works with SSH version 2.x or later.

Secure Global Desktop automatically detects that SSH is installed if SSH is installed in one of the following directories:

Installing SSH

If SSH isn't already installed, download and install it in one of the directories listed above:

  1. Download SSH from the OpenSSH Home Page. Secure Global Desktop works with SSH version 2.x or later.
  2. Install SSH on every UNIX application server you want to provide secure access to, and on every Secure Global Desktop host.

    Note: Because of SSH version compatibility problems, we recommend that you use the same major version of SSH (either version 2 or version 3) on all Secure Global Desktop hosts and application servers so that they can communicate securely.

  3. Restart your Secure Global Desktop servers using tarantella restart.

Configuring SSH

If SSH is not installed in one of the locations listed above, or you want to use an SSH command-line argument, set an environment variable as follows:

  1. Stop the Secure Global Desktop server:
    tarantella stop
  2. Set the environment variable TTASSHCLIENT to the full pathname of the SSH program and any required command-line arguments, for example:
    TTASSHCLIENT="/usr/local/bin/ssh -q -X"; export TTASSHCLIENT

    Note: If you just want to set command-line arguments, you have to include the pathname to the SSH program, even if the SSH program is in a location where Secure Global Desktop can detect it.

  3. Edit the file /etc/services and add the following line:
    ssh 22/tcp

    Note: This assumes you've configured the SSH daemon on the application server to use the default port (22/tcp).

  4. Restart the Secure Global Desktop server:
    tarantella start

Adding support for X applications

To support X applications through OpenSSH, enable X11 forwarding in the OpenSSH configuration file. On each Secure Global Desktop host:

  1. Edit the sshd_config file and include the following:
    X11Forwarding yes
  2. Edit the ssh_config file and include the following:
    ForwardAgent yes
    ForwardX11 yes
  3. Restart the SSH daemon.

Using SSH and X authorization

If SSH connections fail when X authorization is enabled, you may have to run the SSH daemon in IPv4-only mode, because Secure Global Desktop may not support the xsecurity extension used on your server. You enable IPv4-only mode by editing your system SSH configuration file. For example:

Note: If the SSH configuration file does not exist on your system, you can create it.

You must restart the SSH daemon after making this change.

Advanced SSH usage

Certain SSH functionality, such as client keys, requires that the SSH client process runs as a specific user. In previous releases of Secure Global Desktop, the server process ran as the UNIX root user and had unlimited access to the server. However, from version 4.0 the Secure Global Desktop server processes and the SSH client process run as a non-privileged user. This is for security reasons. To restore the previous behavior, you must make the Secure Global Desktop ttasshhelper application a setuid root process:

  1. Log in as root on the Secure Global Desktop host.
  2. Run the following commands, setting the owner first because changing a file's owner can clear the setuid bit:
    chown root /opt/tarantella/bin/bin/ttasshhelper
    chmod 4510 /opt/tarantella/bin/bin/ttasshhelper

If you make these changes, you must take particular care to protect your Secure Global Desktop servers from unauthorized access.
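
One way to confirm the result of the step above, as an added example that is not part of the original guide or the product; the `check_helper` function and its optional owner argument are names assumed here. It checks that the helper is a regular file with mode exactly 4510, owned by root, in a directory that group and others cannot write to.

```shell
#!/bin/sh
# Added example (not vendor code): audit the setuid helper after the
# chown/chmod step. check_helper PATH [OWNER] prints each finding and
# returns 0 only when every check passes. OWNER defaults to root; the
# parameter is an assumption of this example so the check can be tried
# on a constructed file without root privileges.

check_helper() {
    helper=$1
    owner=${2:-root}
    rc=0

    # A symlink could be repointed at another binary: require a real file.
    if [ -L "$helper" ] || [ ! -f "$helper" ]; then
        echo "FAIL: $helper is not a regular file"
        return 1
    fi

    # Exact match on 4510: setuid, owner r-x, group --x, others nothing.
    # Any extra bit widens who can read or run a root-privileged binary.
    if [ -z "$(find "$helper" -prune -perm 4510)" ]; then
        echo "FAIL: mode is not 4510: $(ls -ld "$helper")"
        rc=1
    fi

    # setuid runs the helper as whoever owns the file, and chown can
    # clear the bit, so ownership is checked separately from the mode.
    if [ -z "$(find "$helper" -prune -user "$owner")" ]; then
        echo "FAIL: owner is not $owner"
        rc=1
    fi

    # Write access to the directory allows the helper to be removed or replaced.
    dir=$(dirname "$helper")
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $dir is group- or world-writable"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $helper"
    return "$rc"
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_helper "$@"
fi
```

Run it as root with the helper path from the step above as the only argument; a non-zero exit status means at least one check failed.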

Configuring applications to use SSH

Configure your applications to use the SSH protocol. Using Object Manager, set the Connection Method attribute to SSH for each character or X application object that requires a secure connection.
