EndRun Tempus LX GPS, User Manual, Page: 71 / 116

T e m p u s L X G P S U s e r M a n u a l 58
A P P E N D I X A
59 T e m p u s L X G P S U s e r M a n u a l
S E C U R I T Y
In the interest of conserving scarce system memory resources, only the secure shell server daemon,
sshd
and the secure copy utility,
scp
, are implemented in the Tempus LX. This means that users
on remote hosts may log in to the Tempus LX via an
ssh
client, but users logged in on the Tempus
LX are unable to log in to a remote host via
ssh
. Since
scp
runs in concert with an
ssh
client, the
same limitations exist for its use, i.e. users on remote hosts may transfer files to and from the Tempus
LX via
scp
over
ssh
but users logged in on the Tempus LX are unable to transfer files to and from a
remote host via
scp
over
ssh
.
The factory configuration contains a complete set of security keys for both SSH1 and SSH2 versions
of the protocol. RSA keys are supported by both versions, and DSA keys are supported when using
the SSH2 version.
In addition, the Tempus LX is factory configured with a set of public keys for passwordless, public
key authentication of the root user. To use this capability, the corresponding set of private keys for
each of the two SSH versions are provided in the /boot/root directory of the Tempus LX. Three files
contain these keys:
identity
(SSH1),
id_rsa
(SSH2) and
id_dsa
(SSH2). These must be copied to the
user’s ~/.ssh directory on their remote computer. (Be careful to maintain the proper ownership and
access permissions by using
cp -p
when copying the files. They MUST be readable only by
root
.)
The corresponding public keys are by factory default resident in the /root/.ssh directory of the Tem-
pus LX. Two files contain these keys:
authorized_keys
(SSH1) and
authorized_keys2
(SSH2).
Since the provided private keys are not passphrase protected, the user should create a new set of keys
after verifying operation with the factory default key sets. After creating the new keys, the public
keys should be copied to the /boot/root/.ssh directory of the Tempus LX. At boot time, the Tempus
LX will copy these to the actual
/root/.ssh
directory of the system ramdisk, thereby replacing the fac-
tory default set of public keys.
Advanced users wishing to modify the configuration of the
sshd
daemon should edit the
/etc/sshd_
config file and then copy it to the /boot/etc directory of the Tempus LX. Be careful to maintain the
proper ownership and access permissions by using
cp -p
when copying the file. At boot time, it will
be copied to the /etc directory of the system ramdisk, thereby replacing the factory default configura-
tion file.
Network Time Protocol
The NTP implementation in the Tempus LX is built from the standard distribution from the http:
//www.ntp.org site. By factory default, remote control of the NTP daemon
ntpd
is disabled. Query-
only operation is supported from the two NTP companion utilities
ntpq
and
ntpdc
.
Control via these two utilities is disabled in the
/etc/ntp.conf
file in two ways. First, MD5 authentica-
tion keys are not defined for control operation via a requestkey or controlkey declaration. Second,
this default address restriction line is present in the file:
restrict default nomodify
This line eliminates control access from ALL hosts. Query access is not affected by this restriction.
Knowledgable NTP users who would like to customize the security aspects of the configuration of
the NTP daemon in the Tempus LX should edit the
/etc/ntp.conf
file directly and then copy it to the
/boot/etc directory. Be sure to retain the ownership and permissions of the original file by using
cp
–p
when performing the copy.