Openssh is meant to supply security to your systems.
If you don't understand how to properly use it, you may have problems. Such problems are your responsibility. See our disclaimer. Please read the instructions below fully
and carefully before you do any installation.
NOTE ALSO --- If you already have openssh installed, you may want to back up thesshd_config and ssh_config files in /usr/local/etc first.
Installation of the openssh software on a Solaris machine is lengthy, but straightforward. To get ssh and sshd running you need to install a number of packages. There are a number of places on the net with details of this procedure. One of the best is on the Sun Blueprints web pages (in pdf format) at
Building and Deploying OpenSSH on Solaris[tm] Operating System (a pdf file)
or the
I do not use the Sun blueprint method exactly because some things have changed since that document was created.
The seven pieces of software that may need to be on your system to use ssh properly are openssl, openssh, zlib, libgcc (if you have gcc-3.3.2 installed, you do not need to install libgcc), and optionally egd, prngd, perl (there is a perl with Solaris 9 and 10 in /usr/bin), and tcp_wrappers. You can either download the sources and do the compiles yourself if you have a C compiler installed and working or you can go to sunfreeware.com and get pre-compiled packages. If you are very concerned about your machine's security and don't want to trust software compiled by someone else, then it is best for you to compile the software yourself. It is also a great learning experience.
The sources for these different programs are on sunfreeware.com or you can go to their home pages at
http://www.zlib.org zlib
http://www.perl.org perl
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html prngd
http://www.openssl.org openssl
http://www.openssh.org openssh
http://www.lothar.com/tech/crypto/ egd
ftp://ftp.porcupine.org/pub/security/index.html tcp_wrappers
You will also need to have the /usr/local/lib/libgcc_s.so.1 library from the libgcc-3.3 or gcc-3.3.2 or higher packages.
I have included support for the optional use of the tcp_wrappers program (using the so-called Advanced Method). This can help to restrict the use of ssh logins to those computers defined in the so-called hosts.allow and hosts.deny files when set up properly. Ssh logins can also be logged using this software.
Step One: Getting the packages
To install the version of openssh from sunfreeware.com, go to the main page and select the files for SPARC/Solaris 2.6 or SPARC/Solaris 7 at the right.
Or, here are the files you need to download for Solaris 7 (get the similar files for Solaris 2.5(,1) (you will also need the snprintf package), or 2.6):
openssh-5.6p1-sol7-sparc-local.gz (5.1p1 for Solaris 2.5 and 2.6 now)
openssl-1.0.0d-sol7-sparc-local.gz
tcp_wrappers-7.6-sol7-sparc-local.gz (optional, but recommended (unless you are using IPV6 - see
the tcp_wrappers listing for details on this issue)
zlib-1.2.5-sol7-sparc-local.gz
libgcc-3.4.6-sol7-sparc-local.gz or the gcc-3.4.6-sol7-sparc-local.gz
perl-5.8.5-sol7-sparc-local.gz (optional)
prngd-0.9.25-sol7-sparc-local.gz
egd-0.8-sol7-sparc-local.gz
If you have already installed some of the above files, you can skip their downloads, but most are new.
Step Two: Installing the packages
With the files downloaded, go to the directory where you put them and run
# gunzip openssh-5.6p1-sol7-sparc-local.gz # gunzip openssl-1.0.0d-sol7-sparc-local.gz # gunzip zlib-1.2.5-sol7-sparc-local.gz # gunzip libgcc-3.4.6-sol7-sparc-local.gz # gunzip tcp_wrappers-7.6-sol7-sparc-local.gz (again optional) # gunzip prngd-0.9.25-sol7-sparc-local.gz # gunzip egd-0.8-sol7-sparc-local.gz # gunzip perl-5.8.5-sol7-sparc-local.gz (optional if you already have perl) # gunzip snprintf-2.2-sol25-sparc-local.gz (for Solaris 2.5(.1) only) Then run as root: # pkgadd -d openssh-5.6p1-sol7-sparc-local # pkgadd -d openssl-1.0.0d-sol7-sparc-local # pkgadd -d zlib-1.2.5-sol7-sparc-local # pkgadd -d libgcc-3.4.6-sol7-sparc-local (if you don't have gcc-3.3.2 installed) # pkgadd -d tcp_wrappers-7.6-sol7-sparc-local (optional) # pkgadd -d prngd-0.9.25-sol7-sparc-local # pkgadd -d snprintf-2.2-sol25-sparc-local (for Solaris 2.5(.1) only) # pkgadd -d egd-0.8-sol7-sparc-local # pkgadd -d 5.8.5-sol7-sparc-local (optional)
Once you have installed the packages above, you will have files in various subdirectories of /usr/local. The default location for the ssl files is in /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib and /usr/local/ssl/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this. You should now find ssh in /usr/local/bin and sshd in /usr/local/sbin. Make sure you have /usr/local/bin and /usr/local/sbin in your PATH environment variable. The perl scripts in the optional egd package (with .pl extensions) will look for perl in /usr/local/bin. If you are using the Sun perl, then the Perl programs will need to have /usr/bin at the beginning, while the sunfreeware Perl goes in /usr/local/bin.
Step Three: Getting Entropy
The next step in installation is to start the generation of entropy
for use by openssl and openssh. This is done with the prngd program.
To set this up, read the README.prngd file. Make sure you have /usr/local/sbin in your PATH first. Now go to
your /var/log, /var/adm, or similar directories and look for some
log files like messages, syslog, etc. Make sure you are logged in
as root user and run
cat ....various log files from your /var/log or /var/adm directories... >
/usr/local/etc/prngd/prngd-seed
such as
cat syslog messages > /usr/local/etc/prngd/prngd-seed
Then run
mkdir /var/spool/prngd
/usr/local/sbin/prngd /var/spool/prngd/pool
This should start up the prngd daemon and start generating entropy. You can
check this by running
/usr/local/bin/egc.pl /var/spool/prngd/pool get
which, if the egd package (see README.egd) is installed along with perl, will give a message
like
32800 bits of entropy in pool
indicating that the prngd is working.
Note: Several users have pointed out that they may get a "PRNG not seeded" message when trying to start sshd. This seems to be a new issue with openssl 0.9.7
versions. They point out that the OpenSSL FAQ says:
ln -s /var/spool/prngd/pool /dev/egd-pool
or similar, the not seeded message above goes away and opnessh programs
then work properly.
If you want to automatically
start prngd at boot time, you will need to create a startup script
appropriate to your setup.
I use the script below placed in /etc/init.d as prngd, which you may wish to modify:
# chown root /etc/init.d/prngd
# /etc/rc2.d/S98prngd start
will start the process if you want to do it by hand and
# /etc/rc2.d/S98prngd stop
will stop the prngd daemon. You can test that this script actually
starts the prngd daemon at boot time by rebooting your system and
then doing
ps -e | grep prngd
to see if the process is started.
Step Four: Setting up the sshd user and the /var/empty directory
In openssh 3.5p1, a new security method is setup called privilege separation.
The details can be found in the README.privsep file in the openssh source distribution.
This method is now the default in openssh. Before doing anything else,
you should read the above document and if you agree, implement these steps as root:
The default sshd_config file /usr/local/etc has the last line
Subsystem sftp /usr/libexec/sftp-server
This may need to be changed to
Subsystem sftp /usr/local/libexec/sftp-server
If you do not do this and attempt to start up sshd, you will get
error messages and the daemon will not start.
Step Five: Setting up tcp_wrappers
The next step it to setup tcp_wrappers. First read the
README.tcpwrappers so that
you know what tcp_wrappers does and how. Basically, tcp_wrappers is used
to restrict to some limited group of machines access to your communication
ports such as the port 22 that the sshd program uses. If you have tcp_wrappers running
already, then you will only need to make sure that the sshd daemon entry is
placed in the /etc/hosts.allow and /etc/hosts.deny files in a way
that is appropriate to your setup. If you are not currently running tcp_wrappers, you can first create the file /etc/hosts.deny and put the single
line
sshd: ALL
in it. Then, create the file /etc/hosts.allow file and put a line, for example, like
sshd: ... a list of the IP numbers of machine you want to be able to
communicate with your machine separated by commas ...
in the file. We will test these entries later.
Step Six: Installing ssh and sshd
This is the final step. You should have read the README.openssl and INSTALL.openssl documents
and you should also have read the openssh documents README.openssh and INSTALL.openssh.
Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following
three lines to create the key information for the server machine. Again,
make sure you have /usr/local/bin and /usr/local/sbin in your PATH. If you
have been running sshd before and have keys in /usr/local/etc, running these commands will overwrite them. As root, enter
You might also want to study the /usr/local/etc/ssh_config and
/usr/local/etc/sshd_config files to see if there is anything
you want to configure differently.
Now we can set up scripts to start the sshd daemon. I use the script
below which I place in /etc/init.d as sshd, but you are free to devise others to match your needs. There have been some comments on the net
recently in the sun-managers mailing list that this script should be
replaced. See the post below for details.
Alternative script comments
Starting with version 0.9.7, OpenSSL will automatically
look for an EGD socket at /var/run/egd-pool, /dev/egd-pool,
/etc/egd-pool and /etc/entropy.
and if they did a link like
#!/bin/sh
pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
/usr/local/sbin/prngd /var/spool/prngd/pool
;;
'stop')
if [ "${pid}" != "" ]
then
/usr/bin/kill ${pid}
fi
;;
*)
echo "usage: /etc/init.d/prngd {start|stop}"
;;
esac
placed in /etc/init.d with file name prngd and then as root run
# chgrp sys /etc/init.d/prngd
# chmod 555 /etc/init.d/prngd
# ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
and wait until each is done - this may take a few minutes depending
on the speed of your machine.
#!/bin/sh
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
/usr/local/sbin/sshd
;;
'stop')
if [ "${pid}" != "" ]
then
/usr/bin/kill ${pid}
fi
;;
*)
echo "usage: /etc/init.d/sshd {start|stop}"
;;
esac