Replace an Existing Secure Shell Program with Reflection for Secure IT UNIX Client or Server 7.0 or Higher

If you are installing on a system that is already running a Secure Shell client or server, you must uninstall the prior version before you install Reflection for Secure IT 7.0 or higher.

This requirement applies to versions of Reflection for Secure IT earlier than version 7.0, as well as F-Secure, OpenSSH, and other Secure Shell implementations.

To install on a system that is currently running Secure Shell, follow these steps:

1. su to root.
2. (Server only) Stop the sshd service.
3. Uninstall your existing Secure Shell product.
4. (AIX only) Check for the existence of a hidden .toc file in the directory from which you ran installp to uninstall your previous version. If present, remove or rename the .toc file.
5. Install the Reflection for Secure IT 7.x or higher client or server.

6. If you use public key authentication, ensure that your files and directories are configured with correct permissions. Version 7.1 or higher of Reflection for Secure IT requires a greater degree of security than was required in previous releases. If files and directories are not sufficiently protected, public key authentication will fail.

• Key pairs that were created (in the.ssh2 directory) with a previous version of Reflection for Secure IT are compatible with Reflection for Secure IT 7.0 or higher. No conversion is necessary.
• The StrictModes setting affects the level of protection required for files and directories used for public key authentication. To ensure maximum security, this setting is now enabled by default. Some file permissions are enforced even when this setting is disabled. See Additional Information for more details.

7. If you are upgrading to Reflection for Secure IT version 7.1 or higher from an earlier version or from F-Secure SSH, you can take advantage of the migration script that is included with Reflection for Secure IT 7.1 or higher.

8. (Optional) If you configured a non-default client or server configuration file, you will find a backup copy of your file in the configuration file directory. Use these backup files to merge your non-default settings to the new configuration file.

• On all platforms except AIX, if any changes were made to the default client and/or server configuration file, the installer backs up the file when you uninstall. (The file extension added to this backup depends on the native installer.)
• On AIX, no backup file is created when you uninstall; instead, a backup file is created if a non-default configuration file is present when you install Reflection for Secure IT.

Note the following:

• The StrictModes default value is “yes” for both client and server.
  • Client—StrictModes specifies how the client checks file modes and ownership during public key authentication. When set to 'yes', the .ssh2 directory must not be group or world readable (permissions=700), and the private keys listed in the identification file must not be group or world readable (permissions=600).

• Server—StrictModes specifies how the server checks file modes and ownership during public key authentication. When set to 'yes', the user's .ssh2 directory must be group and world read-only (no less protected than permissions=744), and the authorization file and key files must have a mode no less protected than 644. Ownership must be by root or the current user. If these conditions are not met, public key authentication fails. The allowed values are 'yes' and 'no'. The default is 'yes'.

• If /etc/pam.d/ssh exists, it is backed up and a new file is put in place.
• Subconfiguration files, if present, are not touched.

Product Documentation

For additional information about installing Reflection for Secure IT UNIX Client or Server, see the Installation topic in the Reflection for Secure IT User Guide available from: https://support.microfocus.com/manuals/rsit_unix.html.

Legacy KB ID