BigAdmin System Administration Portal
Community-Submitted Article

Building and Deploying OpenSSH 4.3p2 Package for the Solaris 8 OS

Saad Alhammad, July 2007

Abstract

This article will lead you step by step in creating and configuring an OpenSSH 4.3p2 package; I built mine for the Solaris 8 OS on SPARC platforms. You can deploy it, along with your custom Secure Shell (SSH) configuration files, in one step, on architecturally similar systems.

The goal of this procedure is that you will need to run only the pkgadd command to install SSH on each system. There will be no need to install packages such as Perl, Zlib, gzip, libiconv, libintl, gcc, or OpenSSL on every system. You also will not need to create and link startup scripts, generate host keys, or edit SSH configuration files. This procedure is designed so you can just run pkgadd and have SSH installed on your systems.

Note: If you prefer to build the package with TCP Wrappers, you should not have any problem doing so. It's very easy to include TCP Wrappers in the package you're going to create. Refer to Building OpenSSH--Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2 (a Sun BluePrints article in PDF) for information on how to make the necessary modifications to include TCP Wrappers in the package.

Requirements

The following items are required. The next section, Building the Package, explains how to confirm that you have them and how to acquire them if you do not have them.

  • The build machine
  • Perl
  • Zlib
  • An entropy source
  • gzip
  • libintl
  • A C-language compiler
  • OpenSSL
  • OpenSSH

Building the Package

1. Ensure that the build machine is running the Solaris 8 Operating System.

It's preferable to use a freshly installed Solaris 8 OS with the latest recommended patches installed.

The build machine needs to have one of the following metaclusters installed:

  • SUNWCprog (developer metacluster)
  • SUNWCall (entire Solaris OS distribution)
  • SUNWCXall (entire Solaris OS distribution plus OEM support)

SUNWCXall (entire Solaris OS distribution plus OEM support) is recommended, because it removes the need to install some of the packages otherwise required to build the OpenSSH 4.3p2 package.

To check the installed metacluster, execute the following:

# cat /var/sadm/system/admin/CLUSTER

2. Ensure that Perl is installed:

Perl 5.005_03 is included with the Solaris 8 2/02 OS. Or, you can download the latest version of Perl from sunfreeware.com and install it. Use these commands to check the Perl version and path:

# perl -v
....
This is perl, v5.8.7 built for sun4-solaris
....
# which perl
/usr/local/bin/perl

3. Add /usr/local/bin:/usr/ccs/bin at the beginning of your path by adding the following lines in your profile:

PATH=/usr/local/bin:/usr/ccs/bin:$PATH
export PATH

4. Ensure that Zlib is installed.

Most likely you already have it installed in your system. To check for its existence, execute the following:

# pkginfo | grep zlib

If you don't have it, download the package from sunfreeware.com and install it.

Or build it from source, which is straightforward:

a. Download the source code from zlib.net.

b. Extract the tarball.

c. Change to the zlib directory.

d. Configure, compile, and install it by executing the following:

# ./configure
# make
# make test
# make install
# ls -l /usr/local/lib/libz.a

5. Ensure you have an entropy source.

Kernel-level random number generators are the recommended entropy source. For the Solaris 8 OS, a kernel-level random number generator is provided in patch 112438-xx. Download the patch from SunSolve, install it, and then reboot. Or, see the Applying Patch 112438-xx Without Rebooting section for another way to install the patch without rebooting.

To check whether the patch is already installed, execute the following:

# showrev -p | grep 112438

Or, execute this:

# ls -l /dev/random

6. Ensure you have gzip installed.

gzip 1.2.4 is included with the Solaris 8 2/02 OS.

7. Ensure you have libiconv installed.

Download the package from sunfreeware.com and install it.

8. Ensure you have libintl installed.

Download the package from sunfreeware.com and install it.

9. Ensure you have a C compiler (such as gcc) installed.

I used gcc_small-3.4.2-sol8-sparc-local from sunfreeware.com.

10. Ensure you have OpenSSL installed.

Get the package from sunfreeware.com and install it.

11. Download and build OpenSSH from source:

a. Download the source code from sunfreeware.com.

b. Extract the source code.

c. Change to the OpenSSH directory.

d. Configure and compile using the following command:

# ./configure --with-pam --disable-suid-ssh  \
--without-rsh --with-lastlog=/var/adm/lastlog \
--prefix=/usr/local --without-privsep-user \
--without-privsep-path --without-prngd \
--without-rand-helper --sysconfdir=/etc/ssh \
--with-ssl-dir=/usr/local/ssl --with-pid-dir=/var/run

# make

Note: The default OpenSSH installation directory is /usr/local and the configuration files are in /etc/ssh. You can change those locations, but you'll need to reflect those changes in the makeOpenSSHPackage.ksh script.

12. Now that you have prepared the build machine, the next step is to build the OpenSSH 4.3p2 package using the makeOpenSSHPackage.ksh script. First, acquire the makeOpenSSHPackage.ksh script, which is available from the Sun BluePrints Scripts and Tools web site in the bundled tools file named secureshell-tools.tar.Z.

13. Next, copy makeOpenSSHPackage.ksh and openssh.server to the source code directory of OpenSSH.

14. Edit makeOpenSSHPackage.ksh, modifying and adding lines as described below:

a. Modify the installDir variable to be the following:

installDir=/usr/local

This is the directory in which OpenSSH will be installed.

b. Modify the initScript variable to be the following:

initScript=./openssh.server

This variable gives the location of the OpenSSH startup script.

c. Bundle the OpenSSL cryptographic library and the gcc library, which are required for the OpenSSH daemon to start. To do so, you need to create the following container directories inside the OpenSSH build directory:

.../ssl/lib
.../lib

To add the container directories, add the following lines after line 160:

mkdir -p $buildDir/$openSSHDir/ssl/lib
mkdir -p $buildDir/$openSSHDir/lib

To bundle the OpenSSL library, add the following lines to the script after line 207 (the gcc runtime library, libgcc_s.so.1, is bundled into .../lib with an analogous block; both blocks are shown in the Differences in the makeOpenSSHPackage.ksh Script After the Modifications section):

# Copy OpenSSL cryptographic library
print "Copying OpenSSL cryptographic library:\c"
dir=$buildDir/$openSSHDir/ssl/lib
file=libcrypto.so.0.9.8
cp $openSSHDir/ssl/lib/$file $dir
strip $dir/$file
chmod 755 $dir/$file
print " $file."

Note: In case the line numbers in the makeOpenSSHPackage.ksh script changed, refer to the Differences in the makeOpenSSHPackage.ksh Script After the Modifications section.
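The copy step above runs cp, strip and chmod without checking any of them, so a missing library still produces a package. As an added example that is not part of the BluePrints script, here is the same step as a POSIX sh function that stops the build instead; the function name and the /usr/local source paths in the usage comment are assumptions.

```shell
# bundle_lib SRC_DIR DEST_DIR FILE MODE: copy SRC_DIR/FILE into the package
# container DEST_DIR, strip it when strip(1) is available, and set MODE.
# Every failure is reported and returned, so the build can stop instead of
# shipping a package whose sshd cannot start on the target for lack of its
# bundled libcrypto.
bundle_lib() {
    src_dir=$1 dest_dir=$2 file=$3 mode=$4
    if [ ! -f "$src_dir/$file" ]; then
        # Typical cause: the hard-coded soname (libcrypto.so.0.9.8) no longer
        # matches the OpenSSL installed on the build host.
        echo "bundle_lib: $src_dir/$file not found" >&2
        return 1
    fi
    mkdir -p -m 755 "$dest_dir" || return 1
    cp "$src_dir/$file" "$dest_dir/$file" || return 1
    if command -v strip >/dev/null 2>&1; then
        # Stripping saves space but is not essential; warn rather than fail.
        strip "$dest_dir/$file" 2>/dev/null || echo "bundle_lib: strip failed on $file" >&2
    fi
    chmod "$mode" "$dest_dir/$file" || return 1
    echo "Copying $file into $dest_dir (mode $mode): done"
}

# Usage mirroring step 14c. Assumed paths: OpenSSL under /usr/local/ssl, gcc
# runtime under /usr/local/lib; buildDir and openSSHDir are the script's own
# variables.
#   bundle_lib /usr/local/ssl/lib "$buildDir/$openSSHDir/ssl/lib" libcrypto.so.0.9.8 755 || exit 1
#   bundle_lib /usr/local/lib     "$buildDir/$openSSHDir/lib"     libgcc_s.so.1     755 || exit 1
```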

15. I also suggest changing the lines that create the package build directories (line 151 and lines 155 to 167) to assign directory mode 755 to all directories.

mkdir -pm 755  ...

By doing this, you will avoid the conflict messages about directory permissions that will appear when installing the OpenSSH package you create. You can also edit the package properties, the package name and version, and so on.

16. Edit the OpenSSH configuration files.

The makeOpenSSHPackage.ksh script uses the following files as templates for the default configuration files for the OpenSSH installation:

  • sshd_config.out is the template file for the sshd_config SSH daemon configuration file.
  • ssh_config.out is the template file for the ssh_config SSH client configuration file, which governs connections you make from this system to others.

The strategy used for options in those files is to specify options with their default value where possible, but leave them commented out. To change their default values, uncomment the options and change their values. For the sshd_config.out file, there isn't much to configure. Generally, the default option settings are fairly secure.

Change the template configuration files according to your preferences. I personally recommend editing the following options for both files to enhance security:

  • Protocol 2: Protocol version 2 is more secure.
  • MaxAuthTries 5: This is not a big change from the default value; I simply wanted it to match the Solaris 8 OS default for the maximum number of login attempts.
  • IgnoreUserKnownHosts yes: For security reasons, it is recommended that you not use rhosts or shosts files for authentication.
  • ChallengeResponseAuthentication no: There have been vulnerabilities associated with this option being enabled in early versions of OpenSSH, so I prefer setting it to no.

The following options are also worthwhile security measures, but they are not fully compatible with the Solaris Basic Security Module (BSM) audit subsystem, Pluggable Authentication Modules (PAM) do not cooperate well with them, and setting them as shown disables some OpenSSH features:

  • AllowTcpForwarding no
  • PrintMotd no
  • ClientAliveInterval 10
  • MaxStartups 3
  • UsePrivilegeSeparation no
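Because the templates ship their options commented out, a recommended value that is merely present but still commented has no effect. As an added example (not from the article or the Sun BluePrints tools), the following POSIX sh functions check an sshd_config.out template for the four options recommended above and report each one as OK, MISMATCH or MISSING; the function names are mine and the template they run on is constructed here.

```shell
# effective_value FILE KEYWORD: print the value of the first active
# (uncommented) KEYWORD line; print nothing if the keyword appears only
# commented out, i.e. OpenSSH's compiled-in default is in force.
effective_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }                  # skip blanks and comments
        tolower($1) == tolower(key) { print $2; exit } # keywords are case-insensitive
    ' "$1"
}

# audit_sshd_template FILE: check the template for the options recommended in
# step 16. A commented-out option is MISSING because this page's template
# convention ships defaults commented out, so the hardening only applies once
# the line is uncommented. Returns the number of findings (0 = compliant).
audit_sshd_template() {
    cfg=$1 findings=0
    for pair in "Protocol 2" "MaxAuthTries 5" "IgnoreUserKnownHosts yes" \
                "ChallengeResponseAuthentication no"; do
        key=${pair% *} want=${pair#* }
        have=$(effective_value "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (commented out; uncomment and set to $want)"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key is '$have', want $want"
            findings=$((findings + 1))
        else
            echo "OK       $key $have"
        fi
    done
    return "$findings"
}

# write_sample_template FILE: constructed sample resembling a partly edited
# sshd_config.out (not a real template from the tools tarball).
write_sample_template() {
    cat > "$1" <<'EOF'
#Protocol 2,1
Protocol 2
#MaxAuthTries 6
MaxAuthTries 5
IgnoreUserKnownHosts no
#ChallengeResponseAuthentication yes
EOF
}

sample=$(mktemp) && write_sample_template "$sample"
audit_sshd_template "$sample" || echo "$? option(s) need attention"
rm -f "$sample"
```

On the sample, Protocol and MaxAuthTries pass, IgnoreUserKnownHosts is reported as a mismatch and ChallengeResponseAuthentication as missing, so the function returns 2.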

17. Create the OpenSSH package by executing the makeOpenSSHPackage.ksh script, as follows:

# ksh ./makeOpenSSHPackage.ksh

18. Change the package name to include the architecture and version number:

# mv OBSDssh.pkg OBSDssh-4.3p2-`uname -p`-`uname -m`-`uname -r`.pkg

Deploying the OpenSSH Package

Deploying OpenSSH on your system is a major security enhancement, but it is not everything. As a complementary step, I recommend enabling authentication logging. The following steps explain how to deploy the package and enable authentication logging.

1. OpenSSH needs an entropy source to generate host keys. Kernel-level random number generators are the recommended entropy source. For the Solaris 8 OS, a kernel-level random number generator is provided in patch 112438-xx. Download the patch from the SunSolve web site.

Note: Patch 112438-xx requires a reboot. If rebooting is not an option, refer to the Applying Patch 112438-xx Without Rebooting section for information about how to apply the patch without rebooting.

Execute the following command inside the patch directory to install the patch:

# patchadd -d .

Reboot the system.

2. Install the OpenSSH package:

# pkgadd -d OBSDssh-4.3p2-sparc-sun4u-5.8.pkg

3. Enable authentication logging, if it is not already enabled, by removing the comment from the following line in the /etc/syslog.conf file. The selector and action fields in syslog.conf must be separated by tabs, not spaces.

auth.info    ifdef(`LOGHOST', /var/log/authlog, @loghost)

4. Restart the syslogd daemon:

# pkill -1 syslogd

5. Start the OpenSSH daemon:

# /etc/init.d/openssh.server start

Note: The first time you start the OpenSSH daemon, the script takes a while to generate the necessary keys before it starts.


Applying Patch 112438-xx Without Rebooting

There is another way to add patch 112438-xx, which does not require you to reboot the system. You can use the setup_random.ksh script found at http://linbox.free.fr/scripts/setup_random.ksh.


Differences in the makeOpenSSHPackage.ksh Script After the Modifications

See step 12 in Building the Package above for information on where to find this script. The diff is taken with the modified script first, so lines marked < are the modified version and lines marked > are the original.

# diff My-makeOpenSSHPackage.ksh makeOpenSSHPackage.ksh
64,65c64,65
< #installDir=/opt
< installDir=/usr/local
---
> installDir=/opt
> #installDir=/usr/local
95c95
< initScript=./openssh.server
---
> initScript=../openssh.server
151c151
< mkdir -pm 755 $buildDir $packageDir
---
> mkdir -p $buildDir $packageDir
155,169c155,167
< mkdir -pm 755 $buildDir/$openSSHDir/bin
< mkdir -pm 755 $buildDir/$openSSHDir/docs/OpenSSH
< mkdir -pm 755 $buildDir/$openSSHDir/libexec
< mkdir -pm 755 $buildDir/$openSSHDir/man/cat1
< mkdir -pm 755 $buildDir/$openSSHDir/man/cat8
< mkdir -pm 755 $buildDir/$openSSHDir/sbin
< mkdir -pm 755 $buildDir/$openSSHDir/ssl/lib
< mkdir -pm 755 $buildDir/$openSSHDir/lib
< mkdir -pm 755 $buildDir/$configDir
< mkdir -pm 755 $buildDir/etc/init.d
< mkdir -pm 755 $buildDir/etc/rc0.d
< mkdir -pm 755 $buildDir/etc/rc1.d
< mkdir -pm 755 $buildDir/etc/rc2.d
< mkdir -pm 755 $buildDir/etc/rc3.d
< mkdir -pm 755 $buildDir/etc/rcS.d
---
> mkdir -p $buildDir/$openSSHDir/bin
> mkdir -p $buildDir/$openSSHDir/docs/OpenSSH
> mkdir -p $buildDir/$openSSHDir/libexec
> mkdir -p $buildDir/$openSSHDir/man/cat1
> mkdir -p $buildDir/$openSSHDir/man/cat8
> mkdir -p $buildDir/$openSSHDir/sbin
> mkdir -p $buildDir/$configDir
> mkdir -p $buildDir/etc/init.d
> mkdir -p $buildDir/etc/rc0.d
> mkdir -p $buildDir/etc/rc1.d
> mkdir -p $buildDir/etc/rc2.d
> mkdir -p $buildDir/etc/rc3.d
> mkdir -p $buildDir/etc/rcS.d
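Review bot: `mkdir -pm 755` applies the mode only to the last path component; any intermediate directory that -p has to create (for example $buildDir/etc on the way to $buildDir/etc/init.d, or $buildDir/$openSSHDir/man) gets its mode from the current umask, so the directory-permission conflicts step 15 sets out to remove can still appear for those parents. Add `umask 022` before these lines, or create the parent directories explicitly with the same mode.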
207,224d204
< # copy OpenSSL cryptographic library
< print "Copying OpenSSL cryptographic library:\c"
< dir=$buildDir/$openSSHDir/ssl/lib
< file=libcrypto.so.0.9.8
< cp $openSSHDir/ssl/lib/$file $dir
< strip $dir/$file
< chmod 755 $dir/$file
< print " $file."
<
<# copy gcc library file libgcc_s.so.1
< print "Copying gcc library:\c"
< dir=$buildDir/$openSSHDir/lib
< file=libgcc_s.so.1
< cp $openSSHDir/lib/$file $dir
< strip $dir/$file
< chmod 644 $dir/$file
< print " $file."
<
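Review bot: the two cp lines take their source from $openSSHDir/ssl/lib and $openSSHDir/lib, the same relative component the mkdir lines above append to $buildDir, so unless $openSSHDir is absolute (or the script has changed directory to /) they resolve against the current directory rather than /usr/local; `cp $installDir/ssl/lib/$file $dir` would be unambiguous. None of cp, strip or chmod is checked, so an absent libcrypto.so.0.9.8 (the soname is hard-coded) still yields a package, one whose sshd cannot start on the target; and because the library is bundled rather than shared with the system, OpenSSL patches applied to the build host do not reach deployed systems until this package is rebuilt and redeployed, which should be part of the patching routine. Finally, libcrypto is installed 755 and libgcc_s.so.1 644; pick one mode for both.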
349c329
< NAME=OpenSSH for Solaris 8
---
> NAME=OpenSSH for Solaris
351,352c331
< VERSION=4.3p2
< PSTAMP=$(date '+m%e %H:%M:%S')
---
> VERSION="$(grep SSH_VERSION $srcDir/version.h | sed -e 's/.*_\([0-9]\)/\1/g')
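Review bot: the PSTAMP format string `'+m%e %H:%M:%S'` has a literal m where %m (month) was presumably intended, so the stamp comes out as "m 5 10:20:30"; use `'+%m%e %H:%M:%S'` or a compact `'+%Y%m%d%H%M%S'`. Replacing the grep on $srcDir/version.h with a fixed VERSION=4.3p2 also means pkginfo will silently keep reporting 4.3p2 if the modified script is reused on a newer source tree; keeping the original derivation avoids that drift.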
356,357d334
< EMAIL=Your_Email@Your_Domain.com
<
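Review bot: EMAIL=Your_Email@Your_Domain.com is a placeholder that pkginfo -l will show on every system the package is installed on; replace it with a real contact address before running the script.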
#

References

Building OpenSSH--Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2 (pdf), Sun BluePrints article

Sun BluePrints Scripts and Tools web site


About the Author

Saad Alhammad is a Senior System Administrator who has worked with the Solaris OS since 2001. He worked for an ISP company in Riyadh, Saudi Arabia, as a System Engineer designing, deploying, maintaining, and supporting Solaris and all ISP-related services, in an environment with over 80 servers running the Solaris OS. Currently he works as Storage Specialist for a telecom company. He may be reached at ssh4solaris@gmail.com.


Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.