Building zLib, OpenSSL and OpenSSH on Solaris 9

Notes:
http://www.sun.com/blueprints/0701/openSSH.pdf

Prerequisites:

Solaris 9 comes with an entropy device, /dev/random.

Compiling:

Create our source workbench:

# mkdir /build

However, before we compile OpenSSL, note that it requires an open source compression library called zLib.
zlib can be downloaded from www.zlib.org
http://aleron.dl.sourceforge.net/sourceforge/libpng/zlib-1.1.4.tar.gz

Make sure you use a minimum version of 1.1.4 due to an exploit.

Building zlib:

# cd /build/zlib-1.1.4
# cp Makefile Makefile.orig

Edit the Makefile that comes with zlib and change the line:

CC=cc

to

CC=gcc

# make
# make install

Building OpenSSL:

Download the source from openssl.org

Notes:
http://inscoe.org/compilesun
The INSTALL file in the source tree root. It says (as of OpenSSL 3.5):

" To install OpenSSL, you will need:

  * make
  * Perl 5
  * an ANSI C compiler
  * a development environment in form of development libraries and C header files
  * a supported Unix operating system"

In Solaris 9 you have all of these things except gcc. You can download that from

http://ws.harcourt.com/pub/soft/pkgs/sol9/gcc-3.2.3-sol9-sparc-local.gz

or

scp wsadmin01:/pub/soft/pkgs/sol9/gcc-3.2.3-sol9-sparc-local.gz

However, all source is always mastered on wsadmin01, where everything is "tuned" in a GNU/Solaris way. :-)

I should also point out that the default Solaris make is /usr/ccs/bin/make (make sure this is in your path); however, I strongly recommend installing gmake (GNU make) if possible. Look on http://sunfreeware.com or http://ftp.gnu.org/pub/gnu/make/

One last note: compile and build everything as root because you will have to install them that way.

Uncompress and untar into the source tree under the /build directory.

# cd /build/openssl-0.9.7b
# ./config --prefix=/usr/local --openssldir=/usr/local/openssl no-shared

Operating system: sun4u-whatever-solaris2
NOTICE!
If you *know* that your GNU C supports 64-bit/V9 ABI
and wish to build 64-bit library, then you have to
invoke './Configure solaris64-sparcv9-gcc' *manually*.
You have about 5 seconds to press Ctrl-C to abort.

Despite this message, don't build 64-bit even if you can support it. It is not needed and it's not any faster.

# make
# make test
# make install
# openssl version

(Verify the correct version)

Building OpenSSH:

Download the source from openssh.org

Uncompress and untar into the source tree under the /build directory.

# cd /build/openssh-3.6p1
# ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --with-ssl-dir=/build/openssl-0.9.7b --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd --with-pam --disable-suid-ssh --without-rsh

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/chroot/sshd
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: yes
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: sparc-sun-solaris2.9
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/build/openssl-0.9.7b/include -I/usr/local/include
Linker flags: -L/build/openssl-0.9.7b -R/build/openssl-0.9.7b -L/usr/local/lib -R/usr/local/lib
Libraries: -lpam -ldl -lrt -lz -lsocket -lnsl -lcrypto

PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/ subdirectory

# make

The results should look very similar:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/chroot/sshd
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: sparc-sun-solaris2.8
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib
Libraries: -lz -lsocket -lnsl -lcrypto

Install OpenSSH:

Note that as of OpenSSH 3.3 PrivilegeSeparation in user space is required:

http://openssh.org/txt/preauth.adv

First time on a machine after compiling:

# /bin/mkdir /var/chroot
# /bin/mkdir /var/chroot/sshd
# /bin/chown root:sys /var/chroot
# /usr/sbin/groupadd -g 5101 sshd
# /usr/sbin/useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd

(ignore the error "UX: /usr/sbin/useradd: WARNING: sshd has no permissions to use /var/chroot/sshd.")

# /bin/chown root:sys /var/chroot/sshd
# /bin/chmod 700 /var/chroot/sshd
# /bin/chown sshd /var/chroot/sshd
# /bin/chgrp sshd /var/chroot/sshd

Verify

# id sshd
uid=5101(sshd) gid=5101(sshd)

# make install

Create start file:

First stop and copy out the Sun version:

# /etc/init.d/sshd stop
# mv /etc/init.d/sshd /etc/init.d/sshd.sun
# mv /etc/rc3.d/S89sshd /etc/rc3.d/_S89sshd

Create /etc/init.d/sshd with the
following lines:

    #!/sbin/sh
    #
    # start/stop the OpenSSH daemon
    #
    # Kevin P. Inscoe
    #
    conf=/usr/local/etc/ssh_config

    case "$1" in
    'start')
            # Start the locally built daemon
            /usr/local/sbin/sshd &
            ;;
    'stop')
            # Find the PID of a running /usr/local/sbin/sshd
            PID=`/bin/ps -ef | /bin/grep "/usr/local/sbin/sshd" | /bin/grep -v grep | /bin/tail -1 | /bin/awk '{ print $2 }'`
            if [ "x$PID" = "x" ]; then
                    /bin/echo "sshd not running."
            else
                    # 15 is SIGTERM; signal 5 is SIGTRAP
                    /bin/kill -15 $PID
                    /bin/echo "$PID killed."
            fi
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

Then execute the following commands:

# chmod +x /etc/init.d/sshd
# ln -s /etc/init.d/sshd /etc/rc2.d/S77sshd

Now start up the server:

# /etc/rc2.d/S77sshd start

Finally, building the install master:

Log in to wsadmin01 as a non-root user who is a member of the staff group.

Make sure your umask is set to 002.

$ umask 002

If not, modify your login profile or cshrc to include the command:

$ umask 002

Now run the master build script:

$ /pub/soft/build/build-ssh-install.sh

This will create a tar file /pub/soft/install/install-ssh-sol-8.tar

Take this tar file and copy it over to the host in /tmp, or pull it from

http://wsadmin01.harcourt.com/pub/soft/install/install-ssh-sol-8.tar

As root you MUST first cd to root (cd /) (the tar file uses relative paths) and execute

# tar xvf /tmp/install-ssh-sol-8.tar

then set the permissions

# find /usr/local -exec chmod 755 {} \;

Make sure that /usr/local/bin is in the path for all logins.
Make sure that /usr/local/admin is in the path for root.

There is a new method of creating Solaris package files:

To install on individual servers refer to this document:

http://ws.harcourt.com/cvs/viewcvs.cgi/docs/howtos/installing_ssh.txt

(select "view" and scroll down to Solaris 8)

Last updated: February 21, 2003 - K. Inscoe
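
Added example (not part of the original notes): the two configure summaries shown above differ in PAM support and in the OpenSSL directory on the linker line, so this script checks a saved summary against the options that were passed to ./configure. It assumes a POSIX shell and awk (on Solaris, the /usr/xpg4/bin versions); the function names and the abridged sample summaries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an OpenSSH configure summary with the requested options.
# Constructed samples, abridged from the two summaries shown in the notes.
SUMMARY_SOL9='                     PAM support: yes
Privilege separation chroot path: /var/chroot/sshd
                    Linker flags: -L/build/openssl-0.9.7b -R/build/openssl-0.9.7b -L/usr/local/lib -R/usr/local/lib'
SUMMARY_OTHER='                     PAM support: no
Privilege separation chroot path: /var/chroot/sshd
                    Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib'

# summary_value SUMMARY KEY: print the value of the "KEY: value" line.
# Leading blanks before the key are tolerated.
summary_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# check_summary SUMMARY SSL_DIR PRIVSEP_PATH
# SSL_DIR is the --with-ssl-dir value, PRIVSEP_PATH the --with-privsep-path
# value. Prints one line per mismatch; returns 0 only if everything matches.
check_summary() {
    bad=0
    [ "$(summary_value "$1" 'PAM support')" = yes ] ||
        { echo "PAM support is not 'yes' although --with-pam was given"; bad=1; }
    [ "$(summary_value "$1" 'Privilege separation chroot path')" = "$3" ] ||
        { echo "privsep chroot path is not $3"; bad=1; }
    case " $(summary_value "$1" 'Linker flags') " in
        *" -L$2 "*) ;;
        *) echo "linker flags do not search $2 for libcrypto"; bad=1 ;;
    esac
    return $bad
}

# The Solaris 9 summary matches the ./configure line used in the notes.
check_summary "$SUMMARY_SOL9" /build/openssl-0.9.7b /var/chroot/sshd &&
    echo "first summary matches the requested options"
# The second summary does not: PAM is off and a different OpenSSL is linked.
check_summary "$SUMMARY_OTHER" /build/openssl-0.9.7b /var/chroot/sshd ||
    echo "second summary does NOT match the requested options"
```

A mismatch on the linker line means sshd would be linked against a different libcrypto than the one just built and tested.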