Installing ssh on Solaris 2.x (2.5 & 2.6)

IMPORTANT! You must first install prngd, the pseudo random number generator daemon that supplies entropy to OpenSSL and OpenSSH on Solaris releases that have no /dev/random. If you are building this for the first time follow these instructions, otherwise jump ahead to "Installing prngd".

Building prngd:

Notes: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Download the source from ftp://kinscoe.harcourt.com/pub/soft/src/prngd-0.9.26.tar.gz or from the distribution site at ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/prngd/prngd-0.9.26.tar.gz

Uncompress and untar into /tmp/build

Notes: 00README

Edit the Makefile and make the following changes, based on your version of Solaris. Uncomment the lines for your version (here Solaris 2.6) so they end up as:

    # Solaris 7 or 8 or 9
    CFLAGS=-O3 -DSOLARIS
    CC=gcc

    # Solaris 2.6
    CFLAGS=-xO4 -KPIC -DSOLARIS26 -D__EXTENSIONS__
    CC=gcc
    SYSLIBS=-lsocket -lnsl

    # Solaris 2.5.1
    CC=cc or gcc
    CFLAGS=-O -DSOLARIS_251 -D__EXTENSIONS__
    SYSLIBS=-lsocket -lnsl

Compile:

    # make

Installing prngd:

    # mkdir -p /usr/local/sbin
    # mkdir -p /var/run
    # cp prngd /usr/local/sbin/prngd

Create /etc/prngd.conf:

    # cp contrib/Solaris-2.6/prngd.conf.solaris-26 /etc/prngd.conf

It should look like this:

    # cat /etc/prngd.conf
    # entropy gathering commands
    # Solaris 2.6, contributed by Louis LeBlanc
    # Format is: "program-name args" path rate
    # The "rate" represents the number of bits of usable entropy per
    # byte of command output. Be conservative.
    "ls -alni /var/log" /usr/bin/ls 0.02
    "ls -alni /var/adm" /usr/bin/ls 0.02
    "ls -alni /var/mail" /usr/bin/ls 0.02
    "ls -alni /proc" /usr/bin/ls 0.02
    "ls -alni /tmp" /usr/bin/ls 0.02
    "netstat -an" /usr/bin/netstat 0.05
    "netstat -in" /usr/bin/netstat 0.05
    "netstat -rn" /usr/bin/netstat 0.02
    "netstat -s" /usr/bin/netstat 0.02
    "arp -a -n" /usr/sbin/arp 0.02
    "ifconfig -a" /sbin/ifconfig 0.02
    "ps -al" /usr/bin/ps 0.03
    "ps -efl" /usr/bin/ps 0.03
    "w" /usr/bin/w 0.05
    "who -a" /usr/bin/who 0.01
    "last" /usr/bin/last 0.01
    "df" /usr/bin/df 0.01
    "df -a" /usr/bin/df 0.01
    "vmstat" /usr/bin/vmstat 0.01
    "uptime" /usr/bin/uptime 0.01
    "ipcs -a" /usr/bin/ipcs 0.01
    "tail -200 /var/adm/messages" undef 0.01

Create the initial seed file:

    # cat /var/adm/messages /var/adm/utmp /var/adm/utmpx > /etc/prngd-seed
    # chmod 700 /etc/prngd-seed

This step is only relevant before the first start. You can remove /etc/prngd-seed after prngd has been shut down and rebooted at least once.

Create the startup script /etc/init.d/prngd:

    #!/sbin/sh
    #
    # start/stop the prngd daemon
    #
    # Kevin P. Inscoe
    #
    case "$1" in
    'start')
            /usr/local/sbin/prngd /var/run/egd-pool &
            ;;
    'stop')
            PID=`/bin/ps -ef | /bin/grep "/usr/local/sbin/prngd" | /bin/grep -v grep | /bin/tail -1 | /bin/awk '{ print $2 }'`
            if [ "x$PID" = "x" ]; then
                    /bin/echo "prngd not running."
            else
                    # 15 is SIGTERM, which lets prngd shut down cleanly
                    /bin/kill -15 $PID
                    /bin/echo "$PID killed."
            fi
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

Make it executable:

    # chmod +x /etc/init.d/prngd

Create an rc2.d startup link:

    # ln -s /etc/init.d/prngd /etc/rc2.d/S30prngd

Start prngd:

    # /etc/rc2.d/S30prngd start

(from 00README:) This will create the socket at /var/run/egd-pool for you. If there is already an unused socket, it will be removed automatically in order to put the new one in place. If another file or directory with this name exists, prngd will stop. prngd needs 'write' permission in the directory within which the socket file-descriptor must be written.
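A mistake in /etc/prngd.conf (a path that does not exist on this host, or an over-generous rate) silently lowers the quality of the entropy prngd hands to OpenSSL and OpenSSH, so it is worth checking the file before the first start. The following Bourne shell check is an added example, not part of the prngd distribution or the original page; it parses the "program args" path rate format shown above, requires each path to exist and be executable (entries whose path is the literal undef are left alone), and requires 0 < rate <= 1, since rate is bits of usable entropy per output byte and more than one bit per byte is impossible. The sample config written by write_sample_conf is constructed for the demonstration and uses /bin paths so it runs on any Unix; on Solaris 2.x substitute nawk for awk.

```shell
#!/bin/sh
# Added example: sanity-check a prngd.conf before starting prngd.
# Prints one line per problem and returns the number of problems (0 = sane).
prngd_conf_problems() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF < 3 { print "line " NR ": malformed: " $0; bad++; next }
        {
            path = $(NF-1); rate = $NF
            # rate must be a decimal number in (0, 1]
            if (rate !~ /^[0-9]*\.?[0-9]+$/ || rate + 0 <= 0 || rate + 0 > 1) {
                print "line " NR ": rate " rate " for " path " is not in (0,1]"
                bad++
            }
            # path must be an executable file; "undef" is not path-checked here
            if (path != "undef" && system("test -x \"" path "\"") != 0) {
                print "line " NR ": " path " missing or not executable"
                bad++
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample config (not the page's /etc/prngd.conf): two good
# entries, an undef entry, a missing program and an impossible rate.
write_sample_conf() {
    cat > "$1" <<'EOF'
# entropy gathering commands (constructed sample)
"ls -alni /tmp" /bin/ls 0.02
"sh -c true" /bin/sh 0.01
"tail -200 /var/adm/messages" undef 0.01
"netstat -an" /no/such/netstat 0.05
"who -a" /bin/ls 3
EOF
}

# Demonstration: expect two problems (the missing path and the rate of 3).
sample=${TMPDIR:-/tmp}/prngd-check.$$
write_sample_conf "$sample"
n=0
prngd_conf_problems "$sample" || n=$?
echo "problems found: $n"
rm -f "$sample"
```

Run it against the real file with `prngd_conf_problems /etc/prngd.conf`; a non-zero return value means at least one entry will never contribute entropy or claims more than it can deliver.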
It might take a moment to read the initial seed, if you provided large files.

Reboot and verify correct restart of prngd:

    # /usr/sbin/shutdown -y -g0 -i6

After the reboot is complete and prngd has restarted:

    # rm /etc/prngd-seed

Compile zlib:

Download from www.zlib.org or ftp://swrinde.nde.swri.edu/pub/png/src/zlib-1.1.4.tar.gz

    # ./configure --prefix=/usr/local
    # make
    # make test
    hello world
    uncompress(): hello, hello!
    gzread(): hello, hello!
    gzgets() after gzseek: hello!
    inflate(): hello, hello!
    large_inflate(): OK
    after inflateSync(): hello, hello!
    inflate with dictionary: hello, hello!
    *** zlib test OK ***
    # make install

Compile Perl 5:

Download from http://www.perl.com/CPAN/src/stable.tar.gz

    # ./Configure

Use the defaults except for the following prompts:

    Use which C compiler? [cc] gcc
    Directories to use for library searches? [/usr/local/lib /usr/lib /usr/ccs/lib] /usr/local/lib /usr/lib /usr/ccs/lib /usr/local/lib /usr/local/openssl/lib
    Installation prefix to use? (~name ok) [/usr/local]
    What installation prefix should I use for installing files? (~name ok) [/usr/local]

    # make
    # make test

Make sure you see the message "All tests successful."

    # make install

Test the install:

    # which perl
    /usr/local/bin/perl
    # perl -v
    This is perl, v5.8.0 built for sun4-solaris

Compile OpenSSL (openssl.org):

Download from http://www.openssl.org/source/openssl-0.9.6g.tar.gz

    # ./Configure --prefix=/usr/local --openssldir=/usr/local/ssl solaris-sparcv7-gcc
    # make
    # make test

Check for any errors.

    # make install

Compile OpenSSH (openssh.org):

Download from http://www.openssh.org/portable.html or ftp://rt.fm/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

From the OpenSSH directory:

    # ./configure --prefix=/usr/local --with-ssl-dir=/usr/local/ssl --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd

The results should look very similar to this:

    OpenSSH has been configured with the following options:
        User binaries: /usr/local/bin
        System binaries: /usr/local/sbin
        Configuration files: /usr/local/etc
        Askpass program: /usr/local/libexec/ssh-askpass
        Manual pages: /usr/local/man/manX
        PID file: /var/run
        Privilege separation chroot path: /var/chroot/sshd
        sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
        Manpage format: man
        PAM support: no
        KerberosIV support: no
        KerberosV support: no
        Smartcard support: no
        AFS support: no
        S/KEY support: no
        TCP Wrappers support: no
        MD5 password support: no
        IP address in $DISPLAY hack: no
        Use IPv4 by default hack: no
        Translate v4 in v6 hack: no
        BSD Auth support: no
        Random number source: ssh-rand-helper
        ssh-rand-helper collects from: Unix domain socket "/var/run/egd-pool"

        Host: sparc-sun-solaris2.5.1
        Compiler: gcc
        Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
        Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
        Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib
        Libraries: -lz -lsocket -lnsl -lcrypto

The two "Random number source" lines confirm that ssh-rand-helper will draw entropy from the prngd socket created earlier; if prngd is not running, the OpenSSH programs cannot seed their PRNG.

Note that as of OpenSSH 3.3 privilege separation (an unprivileged sshd user and a chroot directory) is required; see http://openssh.org/txt/preauth.adv

For a first-time build, add the sshd user to the build system:

    # /bin/mkdir /var/chroot
    # /bin/mkdir /var/chroot/sshd
    # /bin/chown root:sys /var/chroot
    # /usr/sbin/groupadd -g 5101 sshd
    # /usr/sbin/useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd

(ignore the error "UX: /usr/sbin/useradd: WARNING: sshd has no permissions to use /var/chroot/sshd.")

    # /bin/chown root:sys /var/chroot/sshd
    # /bin/chmod 755 /var/chroot/sshd
    # /bin/chown sshd /var/chroot/sshd
    # /bin/chgrp sshd /var/chroot/sshd

Verify:

    # id sshd
    uid=5101(sshd) gid=5101(sshd)

Compile OpenSSH:

    # make
    # make install

Create the start file /etc/init.d/sshd with the following lines:

    #!/sbin/sh
    #
    # start/stop the OpenSSH daemon
    #
    # Kevin P. Inscoe
    #
    case "$1" in
    'start')
            /usr/local/sbin/sshd &
            ;;
    'stop')
            # With privilege separation every connection has its own sshd
            # process, so prefer the listener's pid from its pid file
            # (PID file directory /var/run, as reported by configure) and
            # fall back to ps only if the file is missing.
            if [ -f /var/run/sshd.pid ]; then
                    PID=`/bin/cat /var/run/sshd.pid`
            else
                    PID=`/bin/ps -ef | /bin/grep "/usr/local/sbin/sshd" | /bin/grep -v grep | /bin/tail -1 | /bin/awk '{ print $2 }'`
            fi
            if [ "x$PID" = "x" ]; then
                    /bin/echo "sshd not running."
            else
                    # 15 is SIGTERM, which lets sshd shut down cleanly
                    /bin/kill -15 $PID
                    /bin/echo "$PID killed."
            fi
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

Then execute the following commands:

    # chmod +x /etc/init.d/sshd
    # ln -s /etc/init.d/sshd /etc/rc2.d/S77sshd

Now start up the server:

    # /etc/rc2.d/S77sshd start

This step makes the master build for other Solaris 2.x servers.

Run /pub/soft/build/build-ssh-install.sh on kinscoe.harcourt.com. This will create the tar file /pub/soft/install/install-ssh-sol-2.tar

Take this tar file and copy it over to the host in /tmp, from ftp://kinscoe.harcourt.com/pub/soft/install/install-ssh-sol-2.tar or with:

    # scp guest@kinscoe.harcourt.com:/pub/soft/install/install-ssh-sol-2.tar /tmp/install-ssh-sol-2.tar

(guest is the password)

Since kinscoe.harcourt.com is on the internal network and not on the DMZ, you will need to push the files to the DMZ machine from kinscoe.harcourt.com. In that case ssh to kinscoe.harcourt.com as login "guest", password "guest":

    guest@kinscoe:/export/home/guest> scp /pub/soft/install/install-ssh-sol-2.tar mylogin@machine.harcourt.com:/tmp/install-ssh-sol-2.tar

As root you MUST first cd to / (the tar file uses relative paths) and execute:

    # tar xvf /tmp/install-ssh-sol-2.tar

One of the files extracted will be /tmp/install-ssh.sh. Run this script as root. It will set up your permissions and generate your new SSH keys if needed.

    # /tmp/install-ssh.sh

Now that you are all done you are ready to start the server:

    # /etc/rc2.d/S77sshd start
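Before starting sshd on a freshly installed host it is worth checking the privilege-separation chroot directory, because sshd 3.4p1 refuses to start unless that directory is owned by root and neither group- nor world-writable (the startup error reads "must be owned by root and not group or world-writable"), and README.privsep creates it empty. The check below is an added example, not part of the page, the install script or OpenSSH; it relies only on ls so it works on Solaris 2.x, which has no stat(1). The expected owner is a parameter so the same function can be exercised against a throw-away directory as an unprivileged user; in production call it as check_privsep_dir /var/chroot/sshd. Note that the last two chown/chgrp commands in the setup above leave /var/chroot/sshd owned by sshd, so this check (and sshd itself) will complain until the directory is returned to root:sys with mode 755 as in the two commands before them.

```shell
#!/bin/sh
# Added example: verify a privsep chroot directory (default expected owner root).
# Prints each violation; returns 0 only when every check passes.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # ls -ld prints: mode links owner group size date name
    set -- `ls -ld "$dir"`
    mode=$1
    dir_owner=$3
    # character 6 of the mode string is the group write bit
    case "$mode" in
        ?????w*) echo "$dir: group-writable ($mode)"; rc=1 ;;
    esac
    # character 9 is the world write bit
    case "$mode" in
        ????????w*) echo "$dir: world-writable ($mode)"; rc=1 ;;
    esac
    if [ "$dir_owner" != "$owner" ]; then
        echo "$dir: owned by $dir_owner, expected $owner"; rc=1
    fi
    # ls -a always lists . and .., so an empty directory yields exactly two lines
    entries=`ls -a "$dir" | wc -l | tr -d ' '`
    if [ "$entries" -gt 2 ]; then
        echo "$dir: not empty (the chroot should contain no files)"; rc=1
    fi
    return $rc
}

# Demonstration on a constructed temporary directory owned by the caller:
# first as it should be, then made group-writable to show a failure.
demo=${TMPDIR:-/tmp}/privsep-demo.$$
mkdir "$demo" && chmod 755 "$demo"
me=`id -un`
check_privsep_dir "$demo" "$me" && echo "$demo: ok"
chmod 775 "$demo"
check_privsep_dir "$demo" "$me" || echo "$demo: rejected as expected"
rmdir "$demo"
```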