Build OpenSSH 4.3p2 Package for Solaris 8 Without TCP Wrappers
By Eng. Saad Alhammad
Abstract: This article walks you step by step through creating, configuring and deploying an OpenSSH 4.3p2 package that you can install in one step on every system of the same architecture, with your custom ssh configuration files included. If you follow these steps, you will need nothing more than a pkgadd to have ssh on a system.
You will no longer need to install packages like Perl, Zlib, gzip, libiconv, libintl, gcc or OpenSSL on every system. You will also not need to create and link startup scripts, generate host keys, or edit ssh configuration files.
Note: If you would like to build the package with TCP Wrappers, please refer to Sun BluePrints: Building OpenSSH—Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2 at: http://www.sun.com/blueprints/0404/817-6261.pdf for the modifications needed to include TCP Wrappers in the package.
You need the following to build the SSH package:
1. Solaris 8 OS build machine:
It is preferable to use a freshly installed Solaris 8 OS with the recommended patches installed.
The build machine needs to have one of the following metaclusters installed:
- SUNWCprog (developer metacluster)
- SUNWCall (entire Solaris OS distribution)
- SUNWCXall (entire Solaris OS distribution plus OEM support)
To see which metacluster is installed:
$ cat /var/sadm/system/admin/CLUSTER
2. Perl: Perl 5.005_03 included with the Solaris 8 2/02 OE.
Note: Alternatively, get the latest version from http://sunfreeware.com/ and install the package.
3. Add /usr/local/bin:/usr/ccs/bin to the beginning of your PATH.
Use these commands to check the Perl version and path:
$ perl -v
…
This is perl, v5.8.7 built for sun4-solaris
…
$ which perl
/usr/local/bin/perl
4. Zlib: Most likely you already have it installed on your system. To check for its existence, execute the following:
$ pkginfo | grep zlib
If you don't have it, get the package from http://sunfreeware.com/ and install it.
Or build it from the source code, which is easy and straightforward, as described below:
- Download the source code from http://www.zlib.net/.
- Extract the tar ball.
- Change to the source directory
- Configure, compile and install by executing the following:
$ ./configure
$ make
$ make test
$ make install
$ ls -l /usr/local/lib/libz.a
5. Entropy source: On Solaris 8, it is provided by a patch, patch ID 112438. Kernel-level random number generators are the recommended entropy source.
Get the patch from http://sunsolve.sun.com/, install it and then reboot.
To check whether it is already installed, execute:
$ showrev -p | grep 112438
Or
$ ls -l /dev/random
6. gzip: gzip 1.2.4 included with the Solaris 8 2/02 OE
7. libiconv:
Get the package and install it from http://sunfreeware.com/
8. libintl:
Get the package and install it from http://sunfreeware.com/
9. C compiler (gcc):
I used gcc_small-3.4.2-sol8-sparc-local from http://sunfreeware.com/
10. OpenSSL:
Get the package and install it from http://sunfreeware.com/
11. OpenSSH:
- Download the source code from http://sunfreeware.com/
- Extract the source code.
- Change to OpenSSH source code directory.
- Configure and compile with the following commands:
$ ./configure --with-pam --disable-suid-ssh --without-rsh --with-lastlog=/var/adm/lastlog --prefix=/usr/local --without-privsep-user --without-privsep-path --without-prngd --without-rand-helper --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-pid-dir=/var/run
$ make
Note: the installation directory is /usr/local and the configuration files are in /etc/ssh.
Now that the build machine is prepared, the next step is to build the package using the makeOpenSSHPackage.ksh script, available from Sun in the secureshell-tools.tar.Z tool bundle on the Sun web site:
http://www.sun.com/blueprints/tools/index.html
12. Copy makeOpenSSHPackage.ksh and openssh.server to the source code directory of OpenSSH.
13. Edit makeOpenSSHPackage.ksh:
- Changing the installDir variable to be
- Changing the initScript variable to be
- Include the OpenSSL cryptographic library and the gcc library, which the OpenSSH daemon requires in order to start. To do so, make the following changes:
Create the container directories ../ssl/lib and ../lib by adding the following lines after line 160:
mkdir -p $buildDir/$openSSHDir/ssl/lib
mkdir -p $buildDir/$openSSHDir/lib
Add these lines to the script after line 207 to include the library file:
# Copy OpenSSL cryptographic library
print "Copying OpenSSL cryptographic library:\c"
dir=$buildDir/$openSSHDir/ssl/lib
file=libcrypto.so.0.9.8
cp $openSSHDir/ssl/lib/$file $dir
strip $dir/$file
chmod 755 $dir/$file
print " $file."
14. I also suggest changing the lines that create the package build directories (lines 155 to 167 and line 151) to assign mode 755 to all directories:
mkdir -pm 755 …
By doing so, you will avoid the conflict messages that may appear when installing the package.
15. Edit the default sshd_config.out file according to your needs.
The makeOpenSSHPackage.ksh script uses the following files as the default configuration files for the OpenSSH installation:
- sshd_config.out
- ssh_config.out
- Protocol 2
- MaxAuthTries 5
- IgnoreUserKnownHosts yes
- ChallengeResponseAuthentication no
- AllowTcpForwarding no
- PrintMotd no
- ClientAliveInterval 10
- MaxStartups 3
- UsePrivilegeSeparation no
Privilege separation (UsePrivilegeSeparation) is an important security measure that improves your system's security, but it is not fully compatible with Solaris. BSM and PAM don't like it, and enabling it will also disable some features in OpenSSH.
16. Execute the makeOpenSSHPackage.ksh script:
$ ksh ./makeOpenSSHPackage.ksh OBSDssh-4.3p2-`uname -p`-`uname -m`-`uname -r`.pkg
17. Change the package name to include architecture and version number:
$ mv OBSDssh.pkg OBSDssh-4.3p2-`uname -p`-`uname -m`-`uname -r`.pkg
Congratulations! You are done.
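A check for step 15, as an added example (not part of the original article or of Sun's makeOpenSSHPackage.ksh): it compares an sshd_config file with the settings listed in that step and reports each keyword that is missing or differs. The names audit_sshd_config and sample_config and the sample contents are constructed for illustration; it assumes a POSIX shell such as ksh and an awk that has tolower (nawk on Solaris 8).

```shell
# Added example: audit an sshd_config file against the settings listed in step 15.
# Run under ksh or another POSIX shell; on Solaris 8 set AWK=nawk (assumption: awk has tolower).
AWK=${AWK:-awk}

# Expected keyword=value pairs are copied from the article's list, keywords lowercased.
AUDIT_PROG='
BEGIN {
    s = "protocol=2 maxauthtries=5 ignoreuserknownhosts=yes"
    s = s " challengeresponseauthentication=no allowtcpforwarding=no printmotd=no"
    s = s " clientaliveinterval=10 maxstartups=3 useprivilegeseparation=no"
    n = split(s, pair, " ")
    for (i = 1; i <= n; i++) { split(pair[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
}
NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
{
    k = tolower($1)                           # keywords are case-insensitive
    if (!(k in got)) got[k] = tolower($2)     # sshd keeps the first value it reads
}
END {
    for (i = 1; i <= n; i++) {
        k = key[i]
        if (!(k in got))            { printf "MISSING %s (want %s; compiled-in default applies)\n", k, want[k]; bad++ }
        else if (got[k] != want[k]) { printf "DIFFERS %s = %s (want %s)\n", k, got[k], want[k]; bad++ }
    }
    exit (bad > 0)
}'

# audit_sshd_config [FILE]: reads FILE, or standard input if none; status 0 = matches, 1 = deviations.
audit_sshd_config() {
    if [ $# -gt 0 ]; then "$AWK" "$AUDIT_PROG" "$1"; else "$AWK" "$AUDIT_PROG"; fi
}

# Constructed sample input (not from a real host) with three deliberate deviations.
sample_config() {
    cat <<'EOF'
Protocol 2,1
#MaxAuthTries 5
IgnoreUserKnownHosts yes
ChallengeResponseAuthentication no
AllowTcpForwarding yes
AllowTcpForwarding no
PrintMotd no
ClientAliveInterval 10
MaxStartups 3
UsePrivilegeSeparation no
EOF
}

sample_config | audit_sshd_config || echo "sample does not match the article's settings"
```

Run it as audit_sshd_config sshd_config.out in the OpenSSH source directory before building the package; a nonzero exit status means the file does not match the list.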
Now let's deploy the package
Deploying the OpenSSH Package:
Note: Don't test the package on the build machine. The build machine already has all of OpenSSH's dependencies. Use another machine to verify that the package was created successfully.
1. Install the kernel-level random number generator by installing patch 112438 for SPARC. Execute the following command inside the patch directory:
$ patchadd -d .
2. Restart the system.
3. Install the OpenSSH package:
$ pkgadd -d OBSDssh-4.3p2-sparc-sun4u-5.8.pkg
4. Enable logging, if not already enabled, by removing the comment from the line below in /etc/syslog.conf:
auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
5. Restart syslogd:
$ pkill -1 syslogd
Start the OpenSSH daemon:
$ /etc/init.d/openssh.server start
The first time you start the OpenSSH daemon, it takes a while for the script to generate the keys before it starts. Try it and test its functionality before you proceed with deploying the package on your servers.
Congratulations! You are done.
8/30/06
If this article was beneficial to you, please let me know. Your comments, suggestions and notes are highly appreciated.
References:
1. Sun BluePrints: Building OpenSSH—Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2 at: http://www.sun.com/blueprints/online.html
2. Manual Reference Pages - SSHD_CONFIG (5)




1 comment:
hi,
great job and nice site ,
keep going