Installing OpenSSH Packages


Openssh is meant to supply security to your systems. If you don't understand how to properly use it, you may have problems. Such problems are your responsibility. See our disclaimer.

Installation of the openssh software on a Solaris machine is lengthy, but straightforward. To get ssh and sshd running you need to install a number of packages. There are a number of places on the net with details of this procedure. One of the best is on the Sun Blueprints web pages (in pdf format) at

Building and Deploying OpenSSH on Solaris[tm] Operating System


Robert Wolf kindly sent the following email:

From: "Robert Wolf"
Subject: openssh
Date: Wed, 27 Feb 2002 11:07:17 -0500

Thanks for your notes on installing OpenSSH on Solaris boxes.

It works so well we were able to disable telnet, rsh, rcmd.

Attached is a document I created on installing and configuring ssh plus how to make ssh work without passwords amongst your trusted machines.

Feel free to use this document any way you want and even publish on your web site, since it will help ssh newbies like myself.

Thanks

I have placed two versions of Robert's document here:

.doc file readable with Star Office or Microsoft Word. Hold down the shift key when you click on the link to obtain the file.

html conversion of the doc file. You may have to widen your browser window to see this properly.


The seven pieces of software that need to be on your system to use ssh properly are zlib, perl, prngd, openssl, openssh, and optionally egd and tcp_wrappers. You can either download the sources and do the compiles yourself if you have a C compiler installed and working or you can go to sunfreeware.com and get pre-compiled packages. If you are very concerned about your machine's security and don't want to trust software compiled by someone else, then it is best for you to compile the software yourself.

The sources for these different programs are on sunfreeware.com or you can go to their home pages at

http://www.zlib.org/
http://www.perl.org/
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
http://www.openssl.org/
http://www.openssh.org/
http://www.lothar.com/tech/crypto/
ftp://ftp.porcupine.org/pub/security/index.html

The Sun Blueprint site above has pointers to some scripts that can be used to create and configure openssh. I do not use the same steps as the blueprint article, but they are similar.

I have included support for the optional use of the tcp_wrappers program, which, when set up properly, can be used to restrict ssh logins to the computers listed in the so-called hosts.allow file. Ssh logins can also be logged using this software. I have chosen to use the PRNGD software to generate the randomness that the openssh programs need. I discuss the egd software because it is another randomness generation option and is mentioned in the prngd documents.

Please note that I cannot help you solve detailed configuration problems, but will accept comments on any problems you might have with my packages or my instructions.


Installation Steps


Step One: Getting the packages

To install the version of openssh from sunfreeware.com, go to the main page and select the files above for the version of Solaris and the processor you have. In this example, I will use the files for Solaris 8 and the SPARC processor. If you are using an Intel-compatible processor with Solaris 8 or an earlier version of Solaris (2.5, 2.6, or 7) on SPARC, you will have to download those files instead. The Solaris 8 for SPARC files are

zlib-1.1.3-sol8-sparc-local.gz
perl-5.6.1-sol8-sparc-local.gz
prngd-0.9.23-sol8-sparc-local.gz
egd-0.8-sol8-sparc-local.gz
tcp_wrappers-7.6-sol8-sparc-local.gz (unless you are using IPV6 - see the tcp_wrappers listing for details on this issue)
openssl-0.9.6c-sol8-sparc-local.gz
openssh-3.1p1-sol8-sparc-local.gz

If you have already installed some of the above files, you can skip their downloads.

Once you have installed the packages above for your version of Solaris, you will have files in various subdirectories of /usr/local. The default location for the ssl files is in /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this. You should make sure you have /usr/local/bin and /usr/local/sbin in your PATH environment variable (or /usr/local/ssh/bin and /usr/local/ssh/sbin in the Intel/Solaris 8 case). Note also that if you are using Solaris 8, you may already have perl installed in your system. The perl scripts in the egd package (with .pl extensions) will look for perl in /usr/local/bin. You may either have to install the perl from sunfreeware.com or edit the first line in the perl scripts to point to the perl on your system.

Step Two: Getting Entropy

The next step in installation is to start the generation of entropy for use by openssl and openssh. This is done with the prngd program. To set this up, read the README.prngd file. Make sure you have /usr/local/bin in your PATH first. Now go to your /var/log, /var/adm, or similar directories and look for some log files like messages, syslog, etc. Make sure you are logged in as root user and run

cat ....various log files from your /var/log or /var/adm directories... > /usr/local/etc/prngd/prngd-seed

such as

cat syslog messages > /usr/local/etc/prngd/prngd-seed

Then run

mkdir /var/spool/prngd

/usr/local/bin/prngd /var/spool/prngd/pool

This should start up the prngd daemon and start generating entropy. You can check this by running

/usr/local/bin/egc.pl /var/spool/prngd/pool get

which, if the egd package (see README.egd) is installed along with perl, will give a message like

32800 bits of entropy in pool

indicating that the prngd is working. If you want to automatically start prngd at boot time, you will need to create a startup script appropriate to your setup.

I use the script

#!/bin/sh
# /etc/init.d/prngd: start or stop the prngd entropy daemon.

# Find the PID(s) of any running prngd from the ps listing.
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
case $1 in
'start')
	/usr/local/bin/prngd /var/spool/prngd/pool
	;;
'stop')
	# Only send a signal if prngd was actually found.
	if [ "${pid}" != "" ]
	then
		/usr/bin/kill ${pid}
	fi
	;;
*)
	echo "usage: /etc/init.d/prngd {start|stop}"
	;;
esac

placed in /etc/init.d with file name prngd and then as root run

# chown root /etc/init.d/prngd
# chgrp sys /etc/init.d/prngd
# chmod 555 /etc/init.d/prngd
# ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd

# /etc/rc2.d/S98prngd start

will start the process if you want to do it by hand and

# /etc/rc2.d/S98prngd stop

will stop the prngd daemon. You can test that this script actually starts the prngd daemon at boot time by rebooting your system and then doing

ps -e | grep prngd

to see if the process is started. If you like to have your daemon programs in /usr/local/sbin, you can move the /usr/local/bin/prngd to /usr/local/sbin and edit the above script to reflect the move.

Setting up tcp_wrappers

The next step is to set up tcp_wrappers. First read the README.tcpwrappers so that you know what tcp_wrappers does and how. Basically, tcp_wrappers is used to restrict access to your communication ports, such as port 22 used by the sshd program, to some limited group of machines. If you have tcp_wrappers running already, then you will only need to make sure that the sshd daemon entry is placed in the /etc/hosts.allow and /etc/hosts.deny files in a way that is appropriate to your setup. If you are not using tcp_wrappers, you can first create the file /etc/hosts.deny and put the single line

sshd: ALL

in it. Then create the file /etc/hosts.allow and put a line, for example, like

sshd: ... a list of the IP numbers of machine you want to be able to communicate with your machine separated by commas ...

in the file. We will test these entries later.
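To make the order of evaluation concrete, here is an added example in POSIX shell (it is not part of this page or of the tcp_wrappers distribution) that emulates how tcp_wrappers consults the two files for a wrapped service such as sshd: hosts.allow is searched first, then hosts.deny, and a client that matches neither file is granted access, which is why the sshd: ALL line in hosts.deny protects only sshd and not other wrapped services. The rule sets and addresses in it are constructed, and it understands only ALL, exact addresses, and trailing-dot network prefixes.

```shell
# Emulates the hosts_access(5) order tcp_wrappers applies to a wrapped daemon
# such as sshd: hosts.allow is searched first, then hosts.deny, and a client
# matching neither file is GRANTED access. Handles ALL, exact addresses and
# trailing-dot network prefixes only. The rule sets below are constructed.
ALLOW_RULES='# trusted clients (constructed example addresses)
sshd: 192.168.1.10, 192.168.1.11
sshd: 10.0.0.
ALL: 127.0.0.1'
DENY_RULES='sshd: ALL'
# match_token PATTERN VALUE: does one tcp_wrappers token match VALUE?
match_token() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot = network prefix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_matches "a, b, c" VALUE: does any comma-separated token match VALUE?
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# rule_matches LINE DAEMON CLIENT: test one "daemon_list : client_list" line.
rule_matches() {
    case "$1" in ''|\#*) return 1 ;; esac          # blank or comment line
    list_matches "${1%%:*}" "$2" && list_matches "${1#*:}" "$3"
}

# check_rules RULES DAEMON CLIENT: succeeds if any line of RULES matches.
check_rules() {
    rules=$1; d=$2; c=$3; saved=$IFS; IFS='
'
    set -f; set -- $rules; set +f; IFS=$saved
    for line in "$@"; do rule_matches "$line" "$d" "$c" && return 0; done
    return 1
}

# wrap_decide DAEMON CLIENT: prints allow or deny, in tcp_wrappers order.
wrap_decide() {
    if check_rules "$ALLOW_RULES" "$1" "$2"; then echo allow
    elif check_rules "$DENY_RULES" "$1" "$2"; then echo deny
    else echo allow        # no rule in either file: access is granted
    fi
}
```

Running wrap_decide for a daemon that has no line in either file shows the default-allow behaviour, so every wrapped service you want closed needs its own deny entry (or an ALL: ALL line) in hosts.deny.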

Installing ssh and sshd

This is the final step. We have installed the openssl package (see README.openssl and INSTALL.openssl), which places its files in the /usr/local/ssl directory. You should also have installed the openssh package (see README.openssh and INSTALL.openssh).

Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Again, make sure you have /usr/local/bin and /usr/local/sbin in your PATH. In the case of the Intel/Solaris 8 version of openssh, the files go in /usr/local/ssh/bin and /usr/local/ssh/sbin instead. As root, enter

# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

(for the Intel/Solaris 8 use /usr/local/ssh/etc as the directory above) and wait until each is done - this may take a few minutes depending on the speed of your machine.

Now we can set up scripts to start the sshd daemon. I use the following lines in the file /etc/init.d/sshd

#!/bin/sh
# /etc/init.d/sshd: start or stop the OpenSSH server daemon.

# Find the PID(s) of any running sshd from the ps listing.
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^  *//' -e 's/ .*//'`
case $1 in
'start')
	/usr/local/sbin/sshd
	;;
'stop')
	# Only send a signal if sshd was actually found.
	if [ "${pid}" != "" ]
	then
		/usr/bin/kill ${pid}
	fi
	;;
*)
	echo "usage: /etc/init.d/sshd {start|stop}"
	;;
esac

similar to the prngd script above. I then do

# chown root /etc/init.d/sshd
# chgrp sys /etc/init.d/sshd
# chmod 555 /etc/init.d/sshd
# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

# /etc/rc2.d/S98sshd start

will start the process if you want to do it by hand and

# /etc/rc2.d/S98sshd stop

will stop the sshd daemon. You can check this with

# ps -e | grep sshd

to see if sshd is running. If prngd and sshd are running and you have set up tcp_wrappers the way you want, then you can test the system. Of course, you have to have another machine that has the ssh program installed so that you can try to communicate with the machine on which you just started sshd. See the OpenSSH documentation for further details. To test that tcp_wrappers is working, you can put a machine's IP address in hosts.allow and see if you can ssh to the server machine from the client and then take it out and see if access is denied.

If you have questions about the detailed use of any of these programs, please read the documentation first or go to their web sites. I do not want to know the security details of any of your systems and it would not be a good idea for you to tell me or anyone else. Security issues are very important and I strongly urge anyone to install as much security software as they can master and to keep a close eye on the latest CERT and other vulnerability sites for announcements.



© Copyright 2002 Steven M. Christensen and Associates, Inc.
This page was last updated on March 12, 2002.