This page was created to guide in the installation of openssh-4.3p2 and related openssl, prngd, etc. packages. Due to security issues, version 3.4p1 or higher has now been released and, if possible, you should be using that. Go back to the main openssh page and click on the appropriate link for details.
Openssh is meant to supply security to your systems. If you don't understand how to properly use it, you may have problems. Such problems are your responsibility. See our disclaimer.
Installation of the openssh software on a Solaris machine is lengthy, but straightforward. To get ssh and sshd running you need to install a number of packages. There are a number of places on the net with details of this procedure. One of the best is on the Sun Blueprints web pages (in pdf format) at
Building and Deploying OpenSSH on Solaris[tm] Operating System
Robert Wolf kindly sent the following email:

From: "Robert Wolf"
Subject: openssh
Date: Wed, 27 Feb 2002 11:07:17 -0500

Thanks for your notes on installing OpenSSH on Solaris boxes.
It works so well we were able to disable telnet, rsh, rcmd.
Attached is a document I created on installing and configuring ssh plus how to make ssh work without passwords amongst your trusted machines.
Feel free to use this document any way you want and even publish it on your web site, since it will help ssh newbies like myself.
Thanks

I have placed two versions of Robert's document here:

.doc file readable with Star Office or Microsoft Word. Hold down the shift key when you click on the link to obtain the file.
html conversion of the doc file. You may have to widen your browser window to see this properly.

The seven pieces of software that need to be on your system to use ssh properly are zlib, perl, prngd, openssl, openssh, and optionally egd and tcp_wrappers. You can either download the sources and do the compiles yourself, if you have a C compiler installed and working, or you can go to sunfreeware.com and get pre-compiled packages. If you are very concerned about your machine's security and don't want to trust software compiled by someone else, then it is best for you to compile the software yourself.

The sources for these different programs are on sunfreeware.com, or you can go to their home pages at

http://www.zlib.org
http://www.perl.org
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
http://www.openssl.org
http://www.openssh.org
http://www.lothar.com/tech/crypto/
ftp://ftp.porcupine.org/pub/security/index.html

The Sun Blueprint site above has pointers to some scripts that can be used to create and configure openssh. I do not use the same steps as the blueprint article, but they are similar.

I have included support for the optional use of the tcp_wrappers program, which, when set up properly, restricts ssh logins to the computers listed in the so-called hosts.allow file. Ssh logins can also be logged using this software. I have chosen to use the PRNGD software to generate the randomness that the openssh programs need. I discuss the egd software because it is another randomness generation option and is mentioned in the prngd documents.

Please note that I cannot help you solve detailed configuration problems, but will accept comments on any problems you might have with my packages or my instructions.

Installation Steps

Step One: Getting the packages

To install the version of openssh from sunfreeware.com, go to the main page and select the files above for the version of Solaris and the processor you have. In this example, I will use the files for Solaris 8 and the SPARC processor. If you are using an Intel-compatible processor with Solaris 8, or an earlier version of Solaris (2.5, 2.6, or 7) on SPARC, you will have to download those files instead. The Solaris 8 for SPARC files are

zlib-1.1.3-sol8-sparc-local.gz
perl-5.6.1-sol8-sparc-local.gz
prngd-0.9.23-sol8-sparc-local.gz
egd-0.8-sol8-sparc-local.gz
openssl-1.0.0-sol8-sparc-local.gz
openssh-4.7p1-sol8-sparc-local.gz
tcp_wrappers-7.6-sol8-sparc-local.gz (unless you are using IPV6 - see the tcp_wrappers listing for details on this issue)

If you have already installed some of the above files, you can skip their downloads.

Once you have installed the packages above for your version of Solaris, you will have files in various subdirectories of /usr/local. The default location for the ssl files is in /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this. You should make sure you have /usr/local/bin and /usr/local/sbin in your PATH environment variable (or /usr/local/ssh/bin and /usr/local/ssh/sbin in the Intel/Solaris 8 case). Note also that if you are using Solaris 8, you may already have perl installed on your system. The perl scripts in the egd package (with .pl extensions) will look for perl in /usr/local/bin. You may either have to install the perl from sunfreeware.com or edit the first line in the perl scripts to point to the perl on your system.

Step Two: Getting Entropy

The next step in installation is to start the generation of entropy for use by openssl and openssh. This is done with the prngd program. To set this up, read the README.prngd file. Make sure you have /usr/local/bin in your PATH first. Now go to your /var/log, /var/adm, or similar directories and look for some log files like messages, syslog, etc. Make sure you are logged in as root user and run

cat ....various log files from your /var/log or /var/adm directories... > /usr/local/etc/prngd/prngd-seed

such as

cat syslog messages > /usr/local/etc/prngd/prngd-seed

Then run

mkdir /var/spool/prngd
/usr/local/bin/prngd /var/spool/prngd/pool

This should start up the prngd daemon and start generating entropy. You can check this by running

/usr/local/bin/egc.pl /var/spool/prngd/pool get

which, if the egd package (see README.egd) is installed along with perl, will give a message like

32800 bits of entropy in pool

indicating that prngd is working. If you want to automatically start prngd at boot time, you will need to create a startup script appropriate to your setup. I use the script

#!/bin/sh
# Locate a running prngd: take the ps -e line whose command name contains
# "prngd", strip leading blanks, and keep the first field (the PID).
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
    # start the daemon on the pool socket created in Step Two
    /usr/local/bin/prngd /var/spool/prngd/pool
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/prngd {start|stop}"
    ;;
esac

placed in /etc/init.d with file name prngd and then as root run

# chown root /etc/init.d/prngd
# chgrp sys /etc/init.d/prngd
# chmod 555 /etc/init.d/prngd
# ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd

# /etc/rc2.d/S98prngd start

will start the process if you want to do it by hand and

# /etc/rc2.d/S98prngd stop

will stop the prngd daemon. You can test that this script actually starts the prngd daemon at boot time by rebooting your system and then doing

ps -e | grep prngd

to see if the process is started. If you like to have your daemon programs in /usr/local/sbin, you can move /usr/local/bin/prngd to /usr/local/sbin and edit the above script to reflect the move.

Step Three: Setting up tcp_wrappers

The next step is to set up tcp_wrappers. First read the README.tcpwrappers so that you know what tcp_wrappers does and how. Basically, tcp_wrappers is used to restrict access to your communication ports, such as port 22 which the sshd program uses, to some limited group of machines. If you have tcp_wrappers running already, then you will only need to make sure that the sshd daemon entry is placed in the /etc/hosts.allow and /etc/hosts.deny files in a way that is appropriate to your setup. If you are not using tcp_wrappers, you can first create the file /etc/hosts.deny and put the single line

sshd: ALL

in it. Then create the file /etc/hosts.allow and put a line, for example, like

sshd: ... a list of the IP numbers of the machines you want to be able to communicate with your machine, separated by commas ...

in the file. We will test these entries later.

Step Four: Installing ssh and sshd

This is the final step. We have installed the openssl package (see README.openssl and INSTALL.openssl), which places its files in the /usr/local/ssl directory. You should also have installed the openssh package (see README.openssh and INSTALL.openssh).

Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Again, make sure you have /usr/local/bin and /usr/local/sbin in your PATH. In the case of the Intel/Solaris 8 version of openssh, the files go in /usr/local/ssh/bin and /usr/local/ssh/sbin instead. As root, enter

# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

(for the Intel/Solaris 8 use /usr/local/etc as the directory above)

and wait until each is done - this may take a few minutes depending on the speed of your machine.

Now we can set up scripts to start the sshd daemon. I use the following lines in the file /etc/init.d/sshd

#!/bin/sh
# Locate a running sshd: take the ps -e line whose command name contains
# "sshd", strip leading blanks, and keep the first field (the PID).
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
    # sshd reads its configuration from /usr/local/etc and detaches itself
    /usr/local/sbin/sshd
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/sshd {start|stop}"
    ;;
esac

similar to the prngd script above. I then do

# chown root /etc/init.d/sshd
# chgrp sys /etc/init.d/sshd
# chmod 555 /etc/init.d/sshd
# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

# /etc/rc2.d/S98sshd start

will start the process if you want to do it by hand and

# /etc/rc2.d/S98sshd stop

will stop the sshd daemon. You can check this with

# ps -e | grep sshd

to see if sshd is running. If prngd and sshd are running and you have set up tcp_wrappers the way you want, then you can test the system. Of course, you have to have another machine that has the ssh program installed so that you can try to communicate with the machine on which you just started sshd. See the OpenSSH documentation for further details. To test that tcp_wrappers is working, you can put a machine's IP address in hosts.allow and see if you can ssh to the server machine from the client, then take it out and see if access is denied.

If you have questions about the detailed use of any of these programs, please read the documentation first or go to their web sites. I do not want to know the security details of any of your systems, and it would not be a good idea for you to tell me or anyone else. Security issues are very important, and I strongly urge anyone to install as much security software as they can master and to keep a close eye on the latest CERT and other vulnerability sites for announcements.
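Step Three sets up hosts.deny with "sshd: ALL" and hosts.allow with the trusted addresses, and suggests testing by adding and removing an address. The following POSIX shell script is an added example, not part of the original page or of the tcp_wrappers package: it writes a constructed hosts.allow/hosts.deny pair of the kind described above into a temporary directory and predicts, using the precedence tcp_wrappers applies (hosts.allow is searched first and a match grants access; then hosts.deny, where a match refuses; if neither matches, access is granted), what an sshd connection from several client addresses would get. Only ALL, exact addresses and trailing-dot prefixes are modelled, which is an assumption; the real pattern language is larger, and on a live system the tcpdmatch program shipped with tcp_wrappers gives the authoritative answer.

```shell
#!/bin/sh
# Added example, not from the original page: predict how tcp_wrappers
# treats an sshd connection from a client address.
# Precedence, as in the tcp_wrappers library:
#   1. hosts.allow is searched; a matching line grants access.
#   2. otherwise hosts.deny is searched; a matching line refuses access.
#   3. otherwise access is granted.
# Modelled subset of the client pattern language (assumption):
#   ALL            every client
#   192.168.1.     a trailing dot matches an address prefix
#   10.0.0.5       an exact address
# Backslash line continuations are not handled.

# pattern_matches PATTERN ADDR -> exit 0 if PATTERN covers ADDR
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON ADDR -> exit 0 if some "daemons: clients" line
# in FILE names DAEMON (or ALL) and one of its client patterns covers ADDR
file_matches() {
    file=$1; daemon=$2; addr=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac     # skip blanks/comments
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
            for c in $clients; do
                pattern_matches "$c" "$addr" && return 0
            done
        done
    done < "$file"
    return 1
}

# wrappers_decision ALLOWFILE DENYFILE DAEMON ADDR -> prints allow or deny
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow      # matched neither file: tcp_wrappers lets it through
    fi
}

# --- demonstration on constructed files, not the live /etc files ---
demo=${TMPDIR:-/tmp}/wrappers-demo.$$
mkdir -p "$demo"
cat > "$demo/hosts.deny" <<'EOF'
# constructed sample: refuse sshd from anyone not listed in hosts.allow
sshd: ALL
EOF
cat > "$demo/hosts.allow" <<'EOF'
# constructed sample: two trusted hosts and one trusted network prefix
sshd: 192.168.1.10, 192.168.1.11 10.0.0.
EOF
for client in 192.168.1.10 10.0.0.77 192.168.1.12 203.0.113.5; do
    printf '%-15s %s\n' "$client" \
        "$(wrappers_decision "$demo/hosts.allow" "$demo/hosts.deny" sshd "$client")"
done
# without the "sshd: ALL" line in hosts.deny, an unlisted client is admitted
printf '%-15s %s (no hosts.deny)\n' 203.0.113.5 \
    "$(wrappers_decision "$demo/hosts.allow" "$demo/nonexistent" sshd 203.0.113.5)"
rm -rf "$demo"
```

The last line of the demonstration is the point of the "sshd: ALL" entry in Step Three: without a deny rule, an address that matches nothing in hosts.allow is still let in, so the deny-all line is what turns hosts.allow into a real allow list.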
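Step Four creates three host key pairs with ssh-keygen before sshd is started. The POSIX shell function below is an added example, written for this page and not part of OpenSSH or the original text: it checks that each private host key produced by those ssh-keygen lines is readable by its owner only (mode 0600) and that the public halves carry no group or world write bit, then exercises itself on a constructed directory of placeholder files, one deliberately loosened, so the output can be seen before the function is pointed at the real key directory. The file names are the ones the ssh-keygen commands above create; the directory argument is whatever was given to -f.

```shell
#!/bin/sh
# Added example, not part of the original page or of OpenSSH: verify the
# permissions of the host keys produced by the ssh-keygen lines in Step Four.
# A private host key must be readable by its owner only (mode 0600): a copy
# readable by another party lets that party impersonate this server, and
# OpenSSH will not use a private key file whose permissions are too open.
# The public halves may be world readable but must not be writable by
# group or others.

# mode_of FILE -> prints the ten-character permission field of ls -l
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_host_keys DIR -> exit 0 if every key pair in DIR is acceptable;
# otherwise prints one line per problem found and exits 1
check_host_keys() {
    dir=$1
    bad=0
    for name in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        priv=$dir/$name
        pub=$dir/$name.pub
        if [ ! -f "$priv" ]; then
            echo "missing private key $priv"
            bad=1
            continue
        fi
        mode=$(mode_of "$priv")
        case "$mode" in
            -rw-------) ;;
            *) echo "$priv has mode $mode, expected -rw------- (0600)"; bad=1 ;;
        esac
        if [ ! -f "$pub" ]; then
            echo "missing public key $pub"
            bad=1
            continue
        fi
        mode=$(mode_of "$pub")
        case "$mode" in
            -r[w-]-[r-]--[r-]--) ;;
            *) echo "$pub has mode $mode, must not be group/world writable"; bad=1 ;;
        esac
    done
    return $bad
}

# --- demonstration on constructed placeholder files, not real keys ---
demo=${TMPDIR:-/tmp}/hostkey-demo.$$
mkdir -p "$demo"
for name in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
    echo "placeholder, not a real key" > "$demo/$name"
    echo "placeholder, not a real key" > "$demo/$name.pub"
    chmod 600 "$demo/$name"
    chmod 644 "$demo/$name.pub"
done
chmod 644 "$demo/ssh_host_rsa_key"      # deliberately loosened to show a finding
if check_host_keys "$demo"; then
    echo "all host keys have safe permissions"
else
    echo "fix the problems listed above before starting sshd"
fi
rm -rf "$demo"
```

On the server itself, run check_host_keys against the directory named in the -f arguments of Step Four (for example /usr/local/etc) after the three ssh-keygen commands finish and again after any restore from backup, since copying keys around is the usual way their modes get loosened.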
© Copyright 2005 Steven M. Christensen and Associates, Inc.
This page was last updated on September 26, 2005.