Building zLib, OpenSSL and OpenSSH

Prerequisites:

First a couple of prerequisites:

You will need an entropy device for key seeding. In Solaris 8 and above
we use /dev/random which is installed by Sun patch 112438-01. The patch
individually can be obtained here:

http://ws.harcourt.com/pub/soft/patches/112438-01.zip

However that patch is part of the Solaris 8 Recommended patchset:

http://ws.harcourt.com/pub/soft/patches/8_Recommended.zip

In Solaris 2.5 through Solaris 7 I use prngd:

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Notes on installing prngd can be found here:

http://www.kevininscoe.com/pub/howtos/building_ssh_on_solaris_2.txt

Compiling:

Now that we have an entropy device installed we are ready to compile
source. However, before we compile OpenSSL we need zLib, an open source
compression library that OpenSSL requires.

zlib can be downloaded from http://www.zlib.org or
http://aleron.dl.sourceforge.net/sourceforge/libpng/zlib-1.1.4.tar.gz

Make sure you use a minimum version of 1.1.4 due to an exploit.

Building zlib:

    # cd /build/zlib-1.1.4
    # cp Makefile Makefile.orig

Edit the Makefile that comes with zlib and change the line:

    CC=cc

to

    CC=gcc

    # make
    # make install

Building OpenSSL:

Download the source from openssl.org

Notes: http://inscoe.org/compilesun

See the INSTALL file in the source tree root. It says (as of OpenSSL 3.5):

" To install OpenSSL, you will need:

  * make
  * Perl 5
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
  * a supported Unix operating system"

In Solaris 8 you have all of these things. However all source is always
mastered on wsadmin01 where everything is "tuned" in a GNU/Solaris way. :-)

I should also point out that the default Solaris make is
/usr/ccs/bin/make (make sure this is in your path) however I much
recommend installing gmake (GNU make) if possible. Look on
http://sunfreeware.com.

One last note: compile and build everything as root because you will
have to install them that way.
Uncompress, untar into source tree under /build directory.

    # cd /build/openssl-0.9.7b
    # ./config --prefix=/usr/local --openssldir=/usr/local/openssl no-shared
    # make
    # make test
    # make install
    # openssl version

(Verify the correct version)

Building OpenSSH:

Download the source from openssh.org

Uncompress, untar into source tree under /build directory.

    # cd /build/openssh-3.5p1
    # ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc \
        --with-ssl-dir=/build/openssl-0.9.7a \
        --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd
    # make
    # make install

The results should look very similar:

    OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
      Privilege separation chroot path: /var/chroot/sshd
                sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: man
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

                  Host: sparc-sun-solaris2.8
              Compiler: gcc
        Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
    Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
          Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib
             Libraries: -lz -lsocket -lnsl -lcrypto

Note that as of OpenSSH 3.3 PrivilegeSeparation in user space is required:

http://openssh.org/txt/preauth.adv

First time on a machine after compiling:

    # /bin/mkdir /var/chroot
    # /bin/mkdir /var/chroot/sshd
    # /bin/chown root:sys /var/chroot
    # /usr/sbin/groupadd -g 5101 sshd
    # /usr/sbin/useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd

(ignore the error "UX: /usr/sbin/useradd: WARNING: sshd has no
permissions to use /var/chroot/sshd.")

    # /bin/chown root:sys /var/chroot/sshd
    # /bin/chmod 755 /var/chroot/sshd
    # /bin/chown sshd /var/chroot/sshd
    # /bin/chgrp sshd /var/chroot/sshd

Verify

    # id sshd
    uid=5101(sshd) gid=5101(sshd)

Compile OpenSSH

    # make
    # make install

Create start file:

Create /etc/init.d/sshd with the following lines:

    #!/sbin/sh
    #
    # start/stop the OpenSSH daemon
    #
    # Kevin P. Inscoe
    #

    conf=/usr/local/etc/ssh_config

    case "$1" in

    'start')
            /usr/local/sbin/sshd &
            ;;

    'stop')
            # Look up the PID of a running sshd in the process table
            PID=`/bin/ps -ef | /bin/grep "/usr/local/sbin/sshd" | /bin/grep -v grep | /bin/tail -1 | /bin/awk '{ print $2 }'`
            if [ "x$PID" = "x" ]; then
                    /bin/echo "sshd not running."
            else
                    # Send SIGTERM for a clean shutdown (signal 5 is SIGTRAP)
                    /bin/kill -TERM $PID
                    /bin/echo "$PID killed."
            fi
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

Then execute the following commands:

    # chmod +x /etc/init.d/sshd
    # ln -s /etc/init.d/sshd /etc/rc2.d/S77sshd

Now start up the server:

    # /etc/rc2.d/S77sshd start

Finally building the install master:

Log in to wsadmin01 as a non-root user who is a member of the staff group.

Make sure your umask is set to 002.

    $ umask
    002

If not, modify your login profile or cshrc to include the command:

    $ umask 002

Now run the master build script:

    $ /pub/soft/build/build-ssh-install.sh

This will create a tar file /pub/soft/install/install-ssh-sol-8.tar

Take this tar file and copy it over to the host in /tmp or pull it from
http://wsadmin01.harcourt.com/pub/soft/install/install-ssh-sol-8.tar

As root you MUST first cd to root (cd /), because the tar file uses
relative paths, and execute

    # tar xvf /tmp/install-ssh-sol-8.tar

then set the permissions

    # find /usr/local -exec chmod 755 {} \;

Make sure that /usr/local/bin is in the path for all logins.

Make sure that /usr/local/admin is in the path for root.
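
A check for the privilege separation directory prepared in the "First time on a machine" steps, as an added example that is not part of the original howto. It follows the guidance in OpenSSH's README.privsep that the directory be owned by root, not group- or world-writable, and empty; the function name check_privsep_dir is an assumption, and /var/chroot/sshd is the --with-privsep-path value used above.

```shell
#!/bin/sh
# Added example: audit a privilege separation chroot directory.
# check_privsep_dir is a hypothetical helper name, not part of OpenSSH.

# Usage: check_privsep_dir DIR [OWNER_UID]
# Returns 0 when DIR passes every check, 1 otherwise; prints each finding.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}    # README.privsep expects root (uid 0)
    rc=0

    if [ ! -d "$dir" ] || [ -h "$dir" ]; then
        echo "FAIL: $dir is missing, not a directory, or a symlink"
        return 1
    fi

    # ls -ldn prints "drwxr-xr-x links uid gid ..." with numeric ids
    mode=`ls -ldn "$dir" | awk '{ print $1 }'`
    uid=`ls -ldn "$dir" | awk '{ print $3 }'`

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owner uid is $uid, expected $want_uid"
        rc=1
    fi

    # Characters 6 and 9 of the mode string are group and other write
    gw=`echo "$mode" | cut -c6`
    ow=`echo "$mode" | cut -c9`
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FAIL: $dir is group- or world-writable ($mode)"
        rc=1
    fi

    # The chroot should contain no files at all
    entries=`ls -A "$dir"`
    if [ -n "$entries" ]; then
        echo "FAIL: $dir is not empty"
        rc=1
    fi

    [ $rc -eq 0 ] && echo "OK: $dir"
    return $rc
}

# Run against the directory given on the command line, if any
if [ $# -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

Pass the directory as the first argument, for example /var/chroot/sshd; a directory owned by the sshd user instead of root is reported as a failure.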

There is a new method of creating Solaris package files:

To install on individual servers refer to this document:

http://ws.harcourt.com/cvs/viewcvs.cgi/docs/howtos/installing_ssh.txt

(select "view" and scroll down to Solaris 8)

Last updated: February 21, 2003 - K. Inscoe