Installing ssh on Solaris 8

IMPORTANT! You must first install Sun patch 112438-01, which creates /dev/random. The ssh entropy code requires it. Remember to reboot after applying the patch.

Build (on kinscoe):

Compile zlib (zlib.org)

Compile OpenSSL (openssl.org)

    # ./Configure --prefix=/usr/local --openssldir=/usr/local/ssl solaris-sparcv9-gcc
    Configured for solaris-sparcv9-gcc.
    # make
    # make install

Test it

    # openssl version
    OpenSSL 0.9.6g 9 Aug 2002

Compile OpenSSH (openssh.org)

From the OpenSSH directory:

    # ./configure --prefix=/usr/local --with-ssl-dir=/usr/local/ssl --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd

The results should look very similar:

    OpenSSH has been configured with the following options:
                         User binaries: /usr/local/bin
                       System binaries: /usr/local/sbin
                   Configuration files: /usr/local/etc
                       Askpass program: /usr/local/libexec/ssh-askpass
                          Manual pages: /usr/local/man/manX
                              PID file: /var/run
      Privilege separation chroot path: /var/chroot/sshd
                sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                        Manpage format: man
                           PAM support: no
                    KerberosIV support: no
                     KerberosV support: no
                     Smartcard support: no
                           AFS support: no
                         S/KEY support: no
                  TCP Wrappers support: no
                  MD5 password support: no
           IP address in $DISPLAY hack: no
              Use IPv4 by default hack: no
               Translate v4 in v6 hack: no
                      BSD Auth support: no
                  Random number source: OpenSSL internal ONLY

                  Host: sparc-sun-solaris2.8
              Compiler: gcc
        Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
    Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
          Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib
             Libraries: -lz -lsocket -lnsl -lcrypto

Note that as of OpenSSH 3.3 PrivilegeSeparation in user space is required:
http://openssh.org/txt/preauth.adv

On a first-time build, add the sshd user to the build system:

    # /bin/mkdir /var/chroot
    # /bin/mkdir /var/chroot/sshd
    # /bin/chown root:sys /var/chroot
    # /usr/sbin/groupadd -g 5101 sshd
    # /usr/sbin/useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd

(ignore the error "UX: /usr/sbin/useradd: WARNING: sshd has no permissions to use /var/chroot/sshd.")

    # /bin/chown root:sys /var/chroot/sshd
    # /bin/chmod 755 /var/chroot/sshd
    # /bin/chown sshd /var/chroot/sshd
    # /bin/chgrp sshd /var/chroot/sshd

Verify

    # id sshd
    uid=5101(sshd) gid=5101(sshd)

Compile OpenSSH

    # make
    # make install

Create start file:

Create /etc/init.d/sshd with the following lines:

    #!/sbin/sh
    #
    # start/stop the OpenSSH daemon
    #
    # Kevin P. Inscoe
    #

    conf=/usr/local/etc/ssh_config

    case "$1" in
    'start')
            /usr/local/sbin/sshd &
            ;;
    'stop')
            # Find the PID of the running daemon from the process list
            PID=`/bin/ps -ef | /bin/grep "/usr/local/sbin/sshd" | /bin/grep -v grep | /bin/tail -1 | /bin/awk '{ print $2 }'`
            if [ "x$PID" = "x" ]; then
                    /bin/echo "sshd not running."
            else
                    # SIGTERM: ask sshd to shut down cleanly
                    /bin/kill -TERM $PID
                    /bin/echo "$PID killed."
            fi
            ;;
    *)
            echo "Usage: $0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0

Then execute the following commands:

    # chmod +x /etc/init.d/sshd
    # ln -s /etc/init.d/sshd /etc/rc2.d/S77sshd

Now start up the server:

    # /etc/rc2.d/S77sshd start

This step makes the master build for other Solaris 8 servers

Run /pub/soft/build/build-ssh-install.sh on kinscoe.harcourt.com

This will create a tar file /pub/soft/install/install-ssh-sol-8.tar

Take this tar file and copy it over to the host in /tmp

    ftp://kinscoe.harcourt.com/pub/soft/install/install-ssh-sol-8.tar

or

    # scp guest@kinscoe.harcourt.com:/pub/soft/install/install-ssh-sol-8.tar /tmp/install-ssh-sol-8.tar

(guest is the password)

Since kinscoe.harcourt.com is on an internal network and not on the DMZ, you will need to push the files to the DMZ machine from kinscoe.harcourt.com. In that case ssh to kinscoe.harcourt.com as login "guest" password "guest".

    guest@kinscoe:/export/home/guest> scp /pub/soft/install/install-ssh-sol-8.tar mylogin@machine.harcourt.com:/tmp/install-ssh-sol-8.tar

As root you MUST first cd to root (cd /), because the tar file uses relative paths, and then execute

    # tar xvf /tmp/install-ssh-sol-8.tar

One of the files extracted will be /tmp/install-ssh.sh

Run this script as root. It will set up your permissions and generate your new SSH keys if needed.

    # /tmp/install-ssh.sh

Now that you are all done, you are ready to start the server:

    # /etc/rc2.d/S77sshd start
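
An added check for the privilege-separation directory created in the build steps above (example code, not part of the original page or of OpenSSH). It assumes the layout OpenSSH's README.privsep describes: the directory owned by root, not group- or world-writable, and empty. The function name and its optional second argument are hypothetical; note that the final chown/chgrp to sshd above leaves /var/chroot/sshd owned by sshd, which this check reports.

```shell
#!/bin/sh
# Added example: audit the privilege-separation chroot directory.
# Assumption: the directory should be owned by root (uid 0), not be
# group- or world-writable, and contain no files.

check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}     # expected owner uid; second argument is for testing
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # "ls -ldn" prints the mode string in field 1 and the numeric uid in field 3
    line=`ls -ldn "$dir"`
    mode=`echo "$line" | awk '{ print $1 }'`
    uid=`echo "$line" | awk '{ print $3 }'`

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # Character 6 of the mode string is group write, character 9 is other write
    gw=`echo "$mode" | cut -c6`
    ow=`echo "$mode" | cut -c9`
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FAIL: $dir is group- or world-writable ($mode)"
        rc=1
    fi

    contents=`ls -A "$dir"`
    if [ -n "$contents" ]; then
        echo "FAIL: $dir is not empty"
        rc=1
    fi

    [ $rc -eq 0 ] && echo "OK: $dir ($mode, uid $uid)"
    return $rc
}

# Usage: sh check-privsep.sh /var/chroot/sshd
if [ $# -gt 0 ]; then
    check_privsep_dir "$1"
fi
```

Run it as root after the install script and before starting the daemon; a non-zero exit status means at least one of the three conditions failed.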