Installing OpenSSH Packages for SPARC and x86/Solaris 8 - 11
OpenSSH is meant to add security to your systems. If you do not understand how to use it properly, you may create problems, and those problems are your responsibility. Please read the instructions below fully and carefully before you install anything.
NOTE ALSO --- If you already have openssh installed, you may want to back up the sshd_config and ssh_config files in /usr/local/etc first.
Installation of the openssh software on a Solaris machine is lengthy, but straightforward. To get ssh and sshd running you need to install a number of packages.
OpenSSH needs a source of random (really pseudo-random) numbers on each machine. Solaris 9 - 11 come with /dev/random and /dev/urandom built in, so no outside software is needed there. The prngd package that was used previously is still supplied below in case you want it and build your own openssl and openssh against it.
The eight pieces of software that may need to be on your system to use ssh properly are openssl, openssh, zlib, libgcc (only if you do not have gcc 3.4.6 installed) and, optionally, egd, prngd, perl (Solaris 8 - 11 ship one in /usr/bin) and tcp_wrappers. You can either download the sources and compile them yourself, if you have a working C compiler, or get pre-compiled packages from unixpackages.com. If you are very concerned about your machine's security and do not want to trust software compiled by someone else, compile it yourself; it is also a good learning experience.
It is usually best to keep openssl and openssh updated as there are often security related updates. Again, as you update, backup any configuration files you may have edited.
The sources for these different programs are on unixpackages.com or you can go to their home pages at
zlib http://www.zlib.org
perl http://www.perl.org
prngd http://prngd.sourceforge.net/
openssl http://www.openssl.org
openssh http://www.openssh.org
egd http://www.lothar.com/tech/crypto/
tcp_wrappers ftp://ftp.porcupine.org/pub/security/index.html
We have included optional support for tcp_wrappers in the openssh package (using the so-called Advanced Method: the access check is compiled into sshd itself rather than done by a separate tcpd process, so it works with sshd started standalone as below). When /etc/hosts.allow and /etc/hosts.deny are set up properly this restricts ssh logins to the machines listed there, and refused connections are logged through syslog. Note that OpenSSH removed tcp_wrappers support in 6.7, so this applies to the 6.6p1 package listed below but not to later versions.
Installation Steps
Step One: Getting the packages
To install the version of openssh from unixpackages.com, go to the main page and select the openssh package you want from the Packages menu. You will find the dependencies for each version listed there.
Or here are the packages you need to download (the versions may change as we update packages):
openssh-6.6p1
openssl-1.0.1g
tcp_wrappers-7.6 (optional, but recommended; if you use IPv6, see the tcp_wrappers listing for details of a known issue)
zlib-1.2.8
perl-5.12.3 (optional)
prngd-0.9.25 (optional)
egd-0.8 (optional)
If you have already installed some of the above files, you can skip their downloads.
Step Two: Installing the packages
With the files downloaded, go to the directory where you put them and run (here with SPARC/Solaris 10 examples)
# gunzip openssh-6.6p1-sol10-sparc-local.gz
# gunzip openssl-1.0.1g-sol10-sparc-local.gz
# gunzip zlib-1.2.8-sol10-sparc-local.gz
# gunzip libgcc-3.4.6-sol10-sparc-local.gz (if you don't have gcc 3.4.6 installed)
# gunzip tcp_wrappers-7.6-sol10-sparc-local.gz (optional; do the same for any other optional packages you downloaded)
Then run as root
# pkgadd -d openssh-6.6p1-sol10-sparc-local
# pkgadd -d openssl-1.0.1g-sol10-sparc-local
# pkgadd -d zlib-1.2.8-sol10-sparc-local
# pkgadd -d libgcc-3.4.6-sol10-sparc-local (if you don't have gcc 3.4.6 installed)
# pkgadd -d tcp_wrappers-7.6-sol10-sparc-local (optional)
Once you have installed the packages above, you will have files in various subdirectories of /usr/local. The default location for the ssl files is in /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib and /usr/local/ssl/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this.
You should now find ssh in /usr/local/bin and sshd in /usr/local/sbin. Make sure /usr/local/bin and /usr/local/sbin are in your PATH environment variable. Note also that Solaris 9 - 11 already ship a perl. The perl scripts in the optional egd package (.pl extensions) look for perl in /usr/local/bin; if you are using the Sun perl, change the #! line of those scripts to /usr/bin/perl, whereas the unixpackages perl installs in /usr/local/bin.
Step Three: Setting up the sshd user and the /var/empty directory
Since OpenSSH 3.3 the daemon has used a security mechanism called privilege separation by default: after authentication the work of the session is done by an unprivileged process running as the sshd user in an empty chroot directory, so that a bug in that code does not give up root. The details are in the README.privsep file in the openssh source distribution or in /usr/local/doc/openssh. Before doing anything else, read that document and, if you agree, carry out these steps as root. Your installation may have different requirements given your own security rules.
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
The default sshd_config file in /usr/local/etc may have the line
Subsystem sftp /usr/libexec/sftp-server
This may need to be changed to
Subsystem sftp /usr/local/libexec/sftp-server
If you do not do this and attempt to start up sshd, you may get error messages and the daemon will not start.
Step Four: Setting up tcp_wrappers
The next step is to set up tcp_wrappers. First read the README and the other files in /usr/local/doc/tcp_wrappers so that you know what tcp_wrappers does and how. In short, tcp_wrappers restricts access to a service port, such as port 22 used by sshd, to a limited set of machines. If you already run tcp_wrappers, you only need to add an sshd entry to /etc/hosts.allow and /etc/hosts.deny that fits your setup. If you are not running it yet, first create the file /etc/hosts.deny containing the single line
sshd: ALL
Then create the file /etc/hosts.allow with a line of the form
sshd: ... the IP addresses (or network/netmask patterns) of the machines allowed to reach sshd, separated by commas or blanks ...
The library consults hosts.allow first and hosts.deny second, and a client that matches neither file is let in, which is why the hosts.deny line above is needed. We will test these entries later.
Step Five: Installing ssh and sshd
This is the final step. You should have read the documents in /usr/local/doc/openssl and /usr/local/doc/openssh directories.
Each machine you want to reach with the ssh client needs an sshd daemon running. Before starting it, generate the server's host keys with the commands below. Again, make sure /usr/local/bin and /usr/local/sbin are in your PATH. If you have run sshd before and already have keys in /usr/local/etc, these commands will overwrite them, and every client that has connected before will then see a changed-host-key warning. The -N "" gives each key an empty passphrase, which is required because sshd reads the keys unattended at startup; ssh-keygen creates them mode 0600, and they must stay unreadable by anyone but root. As root, enter
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N "" (only if you enable the legacy SSH protocol 1, which is off by default and should stay off)
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
and wait until each is done; this may take a few minutes depending on the speed of your machine. OpenSSH 6.6p1 also accepts -t ecdsa and -t ed25519 with the same syntax, and its built-in HostKey list includes ssh_host_ecdsa_key and ssh_host_ed25519_key next to the files above; sshd only logs a warning for the ones that are missing, as long as at least one host key loads.
You might also want to study the /usr/local/etc/ssh_config and /usr/local/etc/sshd_config files to see if there is anything you want to configure differently. The Sun version of ssh and sshd have configuration and key files in /etc/ssh which you may want to study also, though the packages here will not use them.
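Before the first start it is worth checking that the pieces from Step Three and the key generation above are in the state sshd wants. The script below is an added example, not part of the unixpackages.com instructions or of the OpenSSH distribution; the function names (check_privsep_dir, check_host_keys, check_sftp_subsystem, check_protocol, check_sshd_t, sshd_preflight) are its own, and it assumes the package layout used on this page: sshd_config and the host keys in /usr/local/etc, sftp-server in /usr/local/libexec and sshd in /usr/local/sbin. The checks follow what sshd itself enforces plus what this page asks for: the privilege separation directory must exist, be owned by root, not be group- or world-writable and contain no files; every host key must exist and be readable only by its owner; the sftp Subsystem must point at an executable; protocol 1 must stay off; and sshd -t, run last, lets the daemon validate the configuration without starting.

```shell
#!/bin/sh
# sshd_preflight.sh: sanity-check a new OpenSSH server installation
# before its first start.  Added example; not part of the
# unixpackages.com instructions or of the OpenSSH distribution.
# Assumes the layout used on this page: /usr/local/etc/sshd_config,
# host keys beside it, /usr/local/libexec/sftp-server, /usr/local/sbin/sshd.
# Uses POSIX sh features ($(...), $((...))); on Solaris run it with
# /usr/xpg4/bin/sh or ksh rather than the old /bin/sh.
#
# Usage (as root):  sh sshd_preflight.sh /usr/local/etc/sshd_config /var/empty

errs=0
fail() { echo "FAIL: $*"; errs=$((errs + 1)); return 1; }
ok()   { echo "ok:   $*"; }

# Privilege separation directory: must exist, be owned by $2 (root by
# default), not be group- or world-writable and contain no files.
# sshd refuses to start when the owner or the mode is wrong.
check_privsep_dir() {
    dir=$1; owner=${2:-root}
    [ -d "$dir" ] || { fail "$dir does not exist"; return 1; }
    set -- $(ls -ld "$dir")               # $1 = mode string, $3 = owner
    case $1 in
        ?????w*|????????w*) fail "$dir is group- or world-writable ($1)"; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { fail "$dir is owned by $3, not $owner"; return 1; }
    [ "$(ls -a "$dir" | wc -l | tr -d ' ')" -eq 2 ] \
        || { fail "$dir is not empty"; return 1; }
    ok "privsep directory $dir"
}

# Every HostKey named in the config must exist and be readable only by
# its owner.  With no HostKey lines sshd uses its compiled-in defaults;
# the one this page generates for every setup is ssh_host_rsa_key next
# to sshd_config, so that is the minimum required here.
check_host_keys() {
    cfg=$1; rc=0
    keys=$(awk '$1 == "HostKey" { print $2 }' "$cfg")
    [ -n "$keys" ] || keys="$(dirname "$cfg")/ssh_host_rsa_key"
    for k in $keys; do
        if [ ! -f "$k" ]; then fail "host key $k missing (run ssh-keygen)"; rc=1; continue; fi
        set -- $(ls -l "$k")
        case $1 in
            ????r*|???????r*) fail "$k is readable by group or others ($1)"; rc=1 ;;
            *) ok "host key $k" ;;
        esac
    done
    return $rc
}

# The sftp Subsystem must point at an executable; the stock file ships
# with /usr/libexec/sftp-server, which does not exist in this layout.
check_sftp_subsystem() {
    cfg=$1
    path=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3 }' "$cfg")
    [ -n "$path" ] || { ok "no sftp Subsystem configured"; return 0; }
    [ -x "$path" ] || { fail "Subsystem sftp $path is not executable (expected /usr/local/libexec/sftp-server)"; return 1; }
    ok "Subsystem sftp $path"
}

# Refuse a configuration that re-enables SSH protocol 1.
check_protocol() {
    cfg=$1
    case " $(awk '$1 == "Protocol" { print $2 }' "$cfg") " in
        *1*) fail "Protocol 1 enabled in $cfg; leave it at 2 (the default)"; return 1 ;;
    esac
    ok "protocol 2 only"
}

# Let sshd check the file itself: -t is test mode, exiting non-zero on
# a bad configuration or unusable keys without starting the daemon.
check_sshd_t() {
    cfg=$1; sshd=${2:-/usr/local/sbin/sshd}
    if [ ! -x "$sshd" ]; then echo "skip: $sshd not found, sshd -t not run"; return 0; fi
    if "$sshd" -t -f "$cfg"; then ok "sshd -t accepts $cfg"; else fail "sshd -t rejected $cfg"; return 1; fi
}

sshd_preflight() {
    cfg=${1:-/usr/local/etc/sshd_config}; dir=${2:-/var/empty}
    errs=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    check_privsep_dir "$dir" root
    check_host_keys "$cfg"
    check_sftp_subsystem "$cfg"
    check_protocol "$cfg"
    check_sshd_t "$cfg"
    echo "$errs problem(s) found"
    [ "$errs" -eq 0 ]
}

# With arguments, run the checks; without, only define them so the file
# can be sourced from another script.
if [ "$#" -gt 0 ]; then
    sshd_preflight "$@"
fi
```

Run it as root with the config file and privsep directory as arguments; a non-zero exit means at least one check failed and the reason was printed. The sshd -t check is the authoritative one, since it uses the daemon's own parser; the others exist to name the problem plainly when sshd only says it cannot start.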
Now we can set up a script to start the sshd daemon. In Solaris 9 and 10 there is an sshd script in /etc/init.d that starts the Sun version of sshd at boot (Solaris 10 actually manages it through SMF; see the alternative at the end of this page). We use the following lines in /etc/init.d/sshd, but you may prefer a modified version or the Sun one. The script stops the daemon through the pid file sshd writes rather than by killing every process named sshd, so that sessions already logged in, including the one you may be running the script from, survive a stop; this is the change recommended in the sun-managers post quoted below. The pid file is /var/run/sshd.pid unless the package was built with another default or PidFile is set in sshd_config (sshd -T prints the value in use). One possible script for Solaris 10 is
#!/bin/sh
# /etc/init.d/sshd - start and stop /usr/local/sbin/sshd
PIDFILE=/var/run/sshd.pid    # must agree with PidFile in sshd_config

case $1 in
'start')
    if [ -x /usr/local/sbin/sshd ]; then
        /usr/local/sbin/sshd
    fi
    ;;
'stop')
    # Signal only the listening daemon, whose pid is in PIDFILE;
    # the child sshd processes serving logged-in users are left alone.
    if [ -r "$PIDFILE" ]; then
        /usr/bin/kill `/usr/bin/cat "$PIDFILE"`
    fi
    ;;
*)
    echo "usage: /etc/init.d/sshd {start|stop}"
    ;;
esac
Alternative Script Comment
Date: Mon, 13 Jan 2003 14:43:53 -0600 (CST)
From: "Mike's List"
To: sunmanagers
Subject: SUMMARY: sshd weirdness
Some recommend searching for /var/run/sshd.pid; this way your ssh
terminal won't get zapped while the sshd daemon is re-HUPed or stopped/started.
Thanks all.
- Mike
#!/bin/sh
case "$1" in
'start')
    if [ -x /usr/local/sbin/sshd ]; then
        echo "Starting the secure shell daemon"
        /usr/local/sbin/sshd &
    fi
    ;;
'stop')
    echo "Stopping the secure shell daemon "
    # Signal only the pid recorded in /var/run/sshd.pid (the listening
    # daemon); a bare "pkill -TERM sshd" would also end every user session.
    if [ -r /var/run/sshd.pid ]; then
        kill -TERM `cat /var/run/sshd.pid`
    else
        pkill -TERM sshd
    fi
    ;;
*)
    echo "Usage: /etc/init.d/sshd { start | stop }"
    ;;
esac
exit 0
On Fri, 10 Jan 2003, Mike's List wrote:
> Ok, quite a few asked to see the script (below) --Solaris 8 2/02 running
> openssh 3.7.1p2 --a couple of suggestions below doing
>
> /bin/sh -x /etc/init.d/sshd stop
>
> ...to see what's going on, I'm in the server remotely right now so I can't
> stop/start (because stop would just kill all the sshd processes and I
> can't get back in to start).
>
>
> - Mike
>
>
> #!/bin/sh
> pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
> case $1 in
> 'start')
> /usr/local/sbin/sshd
> ;;
> 'stop')
> if [ "${pid}" != "" ]
> then
> /usr/bin/kill ${pid}
> fi
> ;;
> *)
> echo "usage: /etc/init.d/sshd {start|stop}"
> ;;
> esac
End of Alternative Script Comment
We then do
# chown root /etc/init.d/sshd
# chgrp sys /etc/init.d/sshd
# chmod 555 /etc/init.d/sshd
# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd
# /etc/rc2.d/S98sshd start
will start the process if you want to do it by hand and
# /etc/rc2.d/S98sshd stop
will stop the sshd daemon. Before the first start you can run /usr/local/sbin/sshd -t, which checks the configuration file and host keys and exits non-zero on a problem without starting anything. You can check with
# ps -e | grep sshd
to see if sshd is running. If sshd is running and you have set up tcp_wrappers the way you want, you can test the system. Of course, you need another machine with the ssh program installed so that you can connect to the machine on which you just started sshd. See the
OpenSSH documentation for further details. To test that tcp_wrappers is working, put a client machine's IP address in hosts.allow and check that you can ssh to the server from that client; then take it out and check that access is denied (sshd logs a "refused connect" message through syslog and closes the connection before the version exchange, so the client sees the connection closed rather than a password prompt). Do this testing from the console or from a session that is already open, so that a mistake in hosts.allow cannot lock you out.
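When the test above gives an unexpected result, it helps to know which rule the library matched. The script below is an added example, not part of the unixpackages.com page or of the tcp_wrappers distribution (whose own tool for this job is tcpdmatch); the function names (ip_in_net, pattern_match, list_match, file_match, wrap_decision) are its own. It reads hosts.allow and hosts.deny in the order the library does and prints the decision for a daemon and client, supporting the pattern forms used on this page: ALL, a host name or address, a "198.51.100." prefix, a ".example.com" suffix and "net/mask" with a dotted mask. EXCEPT, KNOWN/UNKNOWN/PARANOID, the shell_command field and backslash continuation lines are not implemented, so on rules that use them trust tcpdmatch, not this script. The addresses in the comments and usage line are constructed from the documentation ranges and stand for whatever hosts you list.

```shell
#!/bin/sh
# wrapcheck.sh: predict what the tcp_wrappers library linked into this
# sshd will do with a client, by reading hosts.allow and hosts.deny in
# the order the library does.  Added example; not part of the
# unixpackages.com page or of the tcp_wrappers distribution.
# POSIX sh; on Solaris use /usr/xpg4/bin/sh or ksh rather than /bin/sh.
#
# Usage: sh wrapcheck.sh sshd 192.0.2.10 [/etc/hosts.allow] [/etc/hosts.deny]

set -f   # access-list patterns must never be expanded as file globs

# IPv4 "net/mask" test: (client & mask) == (net & mask) for every octet.
# Arguments: client net mask, all dotted quads.
ip_in_net() {
    case $1$2$3 in *[!0-9.]*) return 1 ;; esac   # not an address
    oldifs=$IFS; IFS=.
    set -- $1 $2 $3
    IFS=$oldifs
    [ $# -eq 12 ] || return 1
    i=1
    while [ $i -le 4 ]; do
        eval "c=\${$i} n=\${$((i + 4))} m=\${$((i + 8))}"
        [ $((c & m)) -eq $((n & m)) ] || return 1
        i=$((i + 1))
    done
    return 0
}

# One access-list pattern ($1) against one value ($2): a daemon name
# for the daemon_list, a host name or address for the client_list.
pattern_match() {
    pat=$1; val=$2
    case $pat in
        ALL)  return 0 ;;
        */*)  ip_in_net "$val" "${pat%/*}" "${pat#*/}"; return $? ;;
        *.)   case $val in "$pat"*) return 0 ;; esac ;;   # "198.51.100." prefix
        .*)   case $val in *"$pat") return 0 ;; esac ;;   # ".example.com" suffix
        *)    [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# A comma- or blank-separated list ($1) containing a match for $2.
list_match() {
    for item in $(printf '%s\n' "$1" | tr ',' ' '); do
        pattern_match "$item" "$2" && return 0
    done
    return 1
}

# Does any rule in access file $1 match daemon $2 from client $3?
# A missing file simply holds no rules, as with the real library.
file_match() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}          # drop an optional shell_command field
        if list_match "$daemons" "$2" && list_match "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# The library's decision order: a match in hosts.allow grants access,
# otherwise a match in hosts.deny refuses it, otherwise access is
# granted.  Prints "allow" or "deny".
wrap_decision() {
    daemon=$1; client=$2
    allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_match "$allow" "$daemon" "$client"; then
        echo allow
    elif file_match "$deny" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

if [ "$#" -ge 2 ]; then
    echo "$1 from $2: $(wrap_decision "$@")"
fi
```

The fall-through to allow at the end is the point of the hosts.deny line in Step Four: with only a hosts.allow file, a client that matches nothing is let in. Run the script against copies of the files before installing an edit, and keep a session open while you do, for the same lockout reason given above.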
To repeat, if you have questions about the detailed use of any of these programs, please read the documentation first or go to their web sites. We do not want to know the security details of any of your systems, and it would not be a good idea for you to tell me or anyone else. Security issues are very important and we strongly urge anyone to install as much security software as they can master and to keep a close eye on the latest CERT and other vulnerability announcements.
We are fully open to constructive suggestions on how make these instructions clearer or better and will include reasonable comments as they arrive.
Solaris 10 Alternative Startup Script
From: Ostrowski.Jamie
Just wanted to pass something along which I thought might be helpful for those using the OpenSSH Packages tutorial for Solaris 10. At the end of the write-up, startup scripts are mentioned. I found that on Solaris 10, since it's using the newly modified svcs manifest startup software instead of the traditional startup scripts, I could modify it to work with the new Solaris 10 init config simply by:
1) Editing /lib/svc/method/sshd and changing the paths to sshd and ssh...specifically, these lines:
SSHDIR=/usr/local/etc/ssh
KEYGEN="/usr/local/bin/ssh-keygen -q"
and
'start')
/usr/local/sbin/sshd
This will work with the new Solaris 10 init.
End of Solaris 10 Alternative Startup Script