InstallingOpenSSHPackages.htm
Posted Nov 16, 2002

Defcon 10 Presentation: InstallingOpenSSHPackages

SHA-256 | 94b0432bf74b90b4ef4eed1adac5c1eb36597aacb2191b1e8c507ded942592db

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0042)http://sunfreeware.secsup.org/openssh.html -->
<HTML><HEAD><TITLE>Installing OpenSSH Packages</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2716.2200" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<HR SIZE=3>

<H3>Installing OpenSSH Packages</H3>
<HR SIZE=3>

<P><FONT color=red>Openssh is meant to supply security to your systems. If you
don't understand how to properly use it, you may have problems. Such problems
are your responsibility. See our <A
href="http://sunfreeware.com/disclaimer.html" target=new>disclaimer</A>. </FONT>
<P>Installation of the openssh software on a Solaris machine is lengthy, but
straightforward. To get ssh and sshd running you need to install a number of
packages. There are a number of places on the net with details of this
procedure. One of the best is on the Sun Blueprints web pages (in pdf format) at

<P><A href="http://www.sun.com/blueprints/0701/openSSH.pdf" target=new>Building
and Deploying OpenSSH on Solaris[tm] Operating System</A>
<P>
<HR>

<P>Robert Wolf kindly sent the following email:
<P>From: "Robert Wolf" <ROBERT.WOLF@NMIINC.COM><BR>Subject: openssh<BR>Date:
Wed, 27 Feb 2002 11:07:17 -0500<BR>
<P>Thanks for your notes on installing OpenSSH on Solaris boxes.
<P>It works so well we were able to disable telnet, rsh, rcmd.
<P>Attached is a document I created on installing and configuring ssh plus how
to make ssh work without passwords amongst your trusted machines.
<P>Feel free to use this document any way you want and even publish it on your web
site, since it will help ssh newbies like myself.
<P>Thanks
<P>I have placed two versions of Robert's document here:
<P><A href="http://sunfreeware.secsup.org/openssh.doc">.doc file</A> readable
with Star Office or Microsoft Word. Hold down the shift key when you click on
the link to obtain the file.
<P><A href="http://sunfreeware.secsup.org/opensshdoc.html" target=new>html
conversion of the doc file.</A> You may have to widen your browser window to see
this properly.
<P>
<HR>

<P>The seven pieces of software that need to be on your system to use ssh
properly are zlib, perl, prngd, openssl, openssh, and optionally egd and
tcp_wrappers. You can either download the sources and do the compiles yourself,
if you have a C compiler installed and working, or you can go to sunfreeware.com
and get pre-compiled packages. If you are very concerned about your machine's
security and don't want to trust software compiled by someone else, then it is
best to compile the software yourself, and to check each source tarball against
the checksum or signature its project publishes before you build it.
<P>The sources for these different programs are on sunfreeware.com or you can go
to their home pages at
<P><A href="http://www.zlib.org/" target=new>http://www.zlib.org/</A><BR><A
href="http://www.perl.org/" target=new>http://www.perl.org/</A><BR><A
href="http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html"
target=new>http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html</A><BR><A
href="http://www.openssl.org/" target=new>http://www.openssl.org/</A><BR><A
href="http://www.openssh.org/" target=new>http://www.openssh.org/</A><BR><A
href="http://www.lothar.com/tech/crypto/"
target=new>http://www.lothar.com/tech/crypto/</A><BR><A
href="ftp://ftp.porcupine.org/pub/security/index.html"
target=new>ftp://ftp.porcupine.org/pub/security/index.html</A>
<P>The Sun Blueprint site above has pointers to some scripts that can be used to
create and configure openssh. I do not use the same steps as the blueprint
article, but they are similar.
<P>I have included support for the optional use of the tcp_wrappers program,
which, when set up properly, restricts ssh logins to the hosts listed in
/etc/hosts.allow and records the connections it refuses through syslog (sshd
itself logs the logins it accepts). I have chosen to use the PRNGD software to
generate the randomness that the openssh programs need. I discuss the egd
software because it is another randomness generation option and is mentioned in
the prngd documents.
<P>Please note that I cannot help you solve detailed configuration problems, but
will accept comments on any problems you might have with my packages or my
instructions.
<P>
<HR>

<H4>Installation Steps</H4>
<HR>

<P><B>Step One: Getting the packages </B>
<P>To install the version of openssh from sunfreeware.com, go to the main page
and select the files above for the version of Solaris and the processor you
have. In this example, I will use the files for Solaris 8 and the SPARC
processor. <FONT color=red>If you are using an Intel-compatible processor with
Solaris 8, or an earlier version of Solaris (2.5, 2.6, or 7) on SPARC, you will
have to download those files instead. </FONT>The Solaris 8 for SPARC files are
<P><A href="http://www.sunfreeware.com/programlistsparc8.html#zlib"
target=new>zlib-1.1.3-sol8-sparc-local.gz</A><BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#perl"
target=new>perl-5.6.1-sol8-sparc-local.gz</A><BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#prngd"
target=new>prngd-0.9.23-sol8-sparc-local.gz</A><BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#egd"
target=new>egd-0.8-sol8-sparc-local.gz</A><BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#tcp_wrappers"
target=new>tcp_wrappers-7.6-sol8-sparc-local.gz</A> (unless you are using
IPv6 - see the tcp_wrappers listing for details on this issue)<BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#openssl"
target=new>openssl-0.9.6c-sol8-sparc-local.gz</A><BR><A
href="http://www.sunfreeware.com/programlistsparc8.html#openssh"
target=new>openssh-3.1p1-sol8-sparc-local.gz</A><BR>
<P>If you have already installed some of the above files, you can skip their
downloads. Each file is uncompressed with gunzip and then installed as root
with pkgadd -d on the resulting package file.
<P>Once you have installed the packages above for your version of Solaris, you
will have files in various subdirectories of /usr/local. The default location
for the ssl files is in /usr/local/ssl. While these files were compiled to avoid
the need to put directories like /usr/local/lib in your LD_LIBRARY_PATH, it is
possible that you may need to set this. You should make sure you have
/usr/local/bin and /usr/local/sbin in your PATH environment variable (or
/usr/local/ssh/bin and /usr/local/ssh/sbin in the Intel/Solaris 8 case). Note
also that if you are using Solaris 8, you may already have perl installed in
your system. The perl scripts in the egd package (with .pl extensions) will look
for perl in /usr/local/bin. You may either have to install the perl from
sunfreeware.com or edit the first line in the perl scripts to point to the perl
on your system.
<P><B>Step Two: Getting Entropy</B>
<P>The next step in installation is to start the generation of entropy for use
by openssl and openssh. Solaris 8 does not ship with a /dev/random device, so
this is done with the prngd program, which serves random data over a
Unix-domain socket (the pool file below). To set this up,
read the <A href="http://sunfreeware.secsup.org/README.prngd"
target=new>README.prngd</A> file. Make sure you have /usr/local/bin in your PATH
first. Now go to your /var/log, /var/adm, or similar directories and look for
some log files like messages, syslog, etc. Make sure you are logged in as the
root user and run
<P>cat ....various log files from your /var/log or /var/adm directories... >
/usr/local/etc/prngd/prngd-seed
<P>such as
<P>cat syslog messages > /usr/local/etc/prngd/prngd-seed
<P>This seed only gets prngd started: log files are often readable by every
local user, so they contribute little secret entropy, and prngd keeps mixing in
the output of the system commands listed in its configuration file while it
runs. Make the seed file readable by root only.
<P>Then run
<P>mkdir /var/spool/prngd
<P>/usr/local/bin/prngd /var/spool/prngd/pool
<P>This should start the prngd daemon and begin generating entropy. You can
check this by running
<P>/usr/local/bin/egc.pl /var/spool/prngd/pool get
<P>which, if the egd package (see <A
href="http://sunfreeware.secsup.org/README.egd" target=new>README.egd</A>) is
installed along with perl, will give a message like
<P>32800 bits of entropy in pool
<P>indicating that prngd is working. If you want to start prngd automatically
at boot time, you will need to create a startup script appropriate to your
setup.
<P>I use the script
<P><PRE>#!/bin/sh
#
# /etc/init.d/prngd - start or stop the prngd entropy daemon.
# The pid lookup matches every process whose name contains "prngd".

pid=`/usr/bin/ps -e | /usr/bin/grep prngd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/bin/prngd /var/spool/prngd/pool
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/prngd {start|stop}"
        ;;
esac
</PRE>placed in /etc/init.d with file name prngd and then as root run
<P># chown root /etc/init.d/prngd<BR># chgrp sys /etc/init.d/prngd<BR># chmod
555 /etc/init.d/prngd<BR># ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd
<P># /etc/rc2.d/S98prngd start
<P>will start the process if you want to do it by hand and
<P># /etc/rc2.d/S98prngd stop
<P>will stop the prngd daemon. You can test that this script actually starts the
prngd daemon at boot time by rebooting your system and then doing
<P>ps -e | grep prngd
<P>to see if the process is started. If you like to have your daemon programs in
/usr/local/sbin, you can move the /usr/local/bin/prngd to /usr/local/sbin and
edit the above script to reflect the move.
<P><B>Setting up tcp_wrappers</B>
<P>The next step is to set up tcp_wrappers. First read the <A
href="http://sunfreeware.secsup.org/README.tcpwrappers"
target=new>README.tcpwrappers</A> so that you know what tcp_wrappers does and
how. Basically, tcp_wrappers restricts access to a service such as the sshd
program on port 22 to a limited group of machines. The openssh package here is
built with the tcp_wrappers library, so sshd consults the access files itself
on every connection: it checks /etc/hosts.allow first and grants access on the
first matching line, then checks /etc/hosts.deny and refuses on the first
matching line, and grants access if neither file matches. If you have
tcp_wrappers running already, then you will only need to make sure that the
sshd daemon entry is placed in the /etc/hosts.allow and /etc/hosts.deny files
in a way that is appropriate to your setup. If you are not using tcp_wrappers,
you can first create the file /etc/hosts.deny and put the single line
<P>sshd: ALL
<P>in it. Then create the file /etc/hosts.allow and put in it a line like
<P>sshd: ... a list of the IP addresses of the machines you want to be able to
reach your machine, separated by commas ...
<P>A network and mask pattern such as 192.168.1.0/255.255.255.0 also works if
you want to admit a whole network. Keep the deny line: without it, any client
that is not listed in hosts.allow is admitted. We will test these entries
later.
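<P>An added example, not from this page, the sunfreeware packages or the
tcp_wrappers distribution: a small POSIX shell script that writes the two
access files described above into a directory of your choice and then applies
the tcp_wrappers decision order (first match in hosts.allow grants, then first
match in hosts.deny refuses, otherwise access is granted) to a client address.
The scratch directory, the client addresses and the function names are all made
up for the demonstration, and the matcher only understands ALL, exact IPv4
addresses and a trailing-dot network prefix; it is a way to reason about a rule
set before you put it in /etc, not a replacement for tcp_wrappers' own
evaluation.

```shell
#!/bin/sh
# Added example (not from the sunfreeware page or the tcp_wrappers package).
# Writes hosts.allow / hosts.deny into a directory of your choice and applies
# the tcp_wrappers decision order to a client address:
#   1. first matching line in hosts.allow  -> allow
#   2. otherwise first matching line in hosts.deny -> deny
#   3. otherwise -> allow
# The matcher is deliberately small: it understands ALL, an exact IPv4 address
# and a trailing-dot network prefix such as 192.168.1. (tcp_wrappers also
# accepts n.n.n.n/m.m.m.m masks, hostnames and EXCEPT lists, which it does not).

write_wrapper_rules() {
    # $1 = directory holding hosts.allow and hosts.deny, $2 = client list for sshd
    printf 'sshd: ALL\n' > "$1/hosts.deny"
    printf 'sshd: %s\n' "$2" > "$1/hosts.allow"
    chmod 644 "$1/hosts.allow" "$1/hosts.deny"
}

# True if pattern $1 covers client address $2.
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # trailing-dot prefix
        *)   [ "$1" = "$2" ] && return 0 ;;          # exact address
    esac
    return 1
}

# True if daemon name $2 appears in the rule's daemon field $1 (or it is ALL).
daemon_listed() {
    for d in $(printf '%s\n' "$1" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then return 0; fi
    done
    return 1
}

# True if some line of file $1 names daemon $2 with a pattern matching client $3.
rule_file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}       # drop any trailing option field (": spawn ...")
        daemon_listed "$daemons" "$2" || continue
        for pat in $(printf '%s\n' "$clients" | tr ',' ' '); do
            pattern_matches "$pat" "$3" && return 0
        done
    done < "$1"
    return 1
}

# Print "allow" or "deny" for daemon $2 and client $3 using the files in $1.
wrapper_decision() {
    if rule_file_matches "$1/hosts.allow" "$2" "$3"; then
        echo allow
    elif rule_file_matches "$1/hosts.deny" "$2" "$3"; then
        echo deny
    else
        echo allow          # no rule in either file: tcp_wrappers grants access
    fi
}

# Demonstration in a scratch directory with constructed client addresses.
scratch=${TMPDIR:-/tmp}/wrapper-demo.$$
mkdir -p "$scratch"
write_wrapper_rules "$scratch" "192.168.1.10, 192.168.1.11, 10.0.0."
for ip in 192.168.1.10 10.0.0.77 192.168.1.12; do
    decision=$(wrapper_decision "$scratch" sshd "$ip")
    printf 'sshd from %s: %s\n' "$ip" "$decision"
done
rm -rf "$scratch"
```

<P>On the server itself the authoritative check is the tcpdmatch program that
ships with tcp_wrappers, for example tcpdmatch sshd 192.168.1.10, which reports
whether access is granted or denied and which line of /etc/hosts.allow or
/etc/hosts.deny decided it.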
<P><B>Installing ssh and sshd</B>
<P>This is the final step. We have installed the openssl package (see <A
href="http://sunfreeware.secsup.org/README.openssl"
target=new>README.openssl</A> and <A
href="http://sunfreeware.secsup.org/INSTALL.openssl"
target=new>INSTALL.openssl</A>), which places its files in the
/usr/local/ssl directory. You should also have installed the openssh package
(see <A href="http://sunfreeware.secsup.org/README.openssh"
target=new>README.openssh</A> and <A
href="http://sunfreeware.secsup.org/INSTALL.openssh"
target=new>INSTALL.openssh</A>).
<P>Each machine that you want to reach with the ssh client needs an sshd daemon
running. Before starting it, generate the server's host keys with the following
three commands. Again, make sure you have /usr/local/bin and /usr/local/sbin in
your PATH. <FONT color=red>In the case of the Intel/Solaris 8 version of
openssh, the files go in /usr/local/ssh/bin and /usr/local/ssh/sbin
instead.</FONT> As root, enter <PRE># ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
</PRE><FONT color=red>(for the Intel/Solaris 8 use /usr/local/ssh/etc as the
directory above)</FONT> and wait until each is done - this may take a few
minutes depending on the speed of your machine. The empty passphrase (-N "") is
intended: sshd must read its host keys at startup without anyone typing a
passphrase, which is why the private key files must stay readable by root only.
The rsa1 key serves only SSH protocol 1 clients; if you have none, you can skip
it and set Protocol 2 in sshd_config so that sshd accepts protocol 2 only.
Note the fingerprints of the new public keys so that users can verify the host
key on their first connection instead of accepting it blindly.
<P>Now we can set up a script to start the sshd daemon. I use the following
lines in the file /etc/init.d/sshd
<P><PRE>#!/bin/sh
#
# /etc/init.d/sshd - start or stop the OpenSSH server.
# Note: the pid lookup matches every process whose name contains "sshd",
# including the child that serves each logged-in session, so "stop" also
# terminates active sessions.

pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac
</PRE>
<P>similar to the prngd script above. Since the scripts in /etc/rc2.d run in
name order, S98prngd starts before S98sshd, so the entropy daemon is already up
when sshd starts. I then do
<P># chown root /etc/init.d/sshd<BR># chgrp sys /etc/init.d/sshd<BR># chmod 555
/etc/init.d/sshd<BR># ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd
<P># /etc/rc2.d/S98sshd start
<P>will start the process if you want to do it by hand and
<P># /etc/rc2.d/S98sshd stop
<P>will stop the sshd daemon. You can check this with
<P># ps -e | grep sshd
<P>to see if sshd is running. If prngd and sshd are running and you have set up
tcp_wrappers the way you want, then you can test the system. Of course, you
need another machine with the ssh program installed so that you can try to
connect to the machine on which you just started sshd; running the client with
-v shows each step of the negotiation if something fails. See the OpenSSH
documentation for further details. To test that tcp_wrappers is working, put
the client's IP address in hosts.allow and check that you can ssh to the server
from it, then take it out and check that access is denied. The access files are
read on every connection, so sshd does not need to be restarted between the two
tests, and the refused connection shows up in syslog.
<P>If you have questions about the detailed use of any of these programs, please
read the documentation first or go to their web sites. I do not want to know the
security details of any of your systems and it would not be a good idea for you
to tell me or anyone else. Security issues are very important and I strongly
urge anyone to install as much security software as they can master and to keep
a close eye on the latest CERT and other vulnerability sites for
announcements.
<HR>
<BR>
<H5>© Copyright 2002 Steven M. Christensen and Associates, Inc.</H5>
<H5>This page was last updated on March 12, 2002. </H5></BODY></HTML>