OpenSSH is meant to supply security to your systems.
If you don't understand how to properly use it, you may have problems. Such problems are your responsibility. See our disclaimer. Please read the instructions below fully and carefully before you do any installation.
Installation Steps

Step Zero: Getting the random patches for Solaris 8

You CANNOT skip this step. This version of OpenSSH requires that the /dev/random patches be installed. To obtain the patches, go to

112438-03 SPARC/Solaris 8 patch for /kernel/drv/random

or

112439-02 X86/Solaris 8 patch for /kernel/drv/random

It has been pointed out that some of the recommended patch clusters already contain the patches above, so you may want to check whether the patch is already installed. Download the patch and install it as indicated in the instructions. You will probably need to reboot your system for the patch to apply; the reboot requires boot -r to create the new devices.

Note: If you are running a system that cannot be rebooted to apply the patch, it is possible to do this without rebooting. One example of how to do this can be found at Application of Solaris 8 patch 112438-01 without reboot. There are a number of posts in newsgroups on the net about these patches. Go to Google Groups and search for patch 112438-03 or 112439-02 and you will find a number of discussions that may be of help.

Step One: Getting the packages

To install the version of OpenSSH from sunfreeware.com, go to the main page and select the files for SPARC/Solaris 8 at the right. Or, here are the files you need to download for SPARC:
openssh-4.1p1-sol8-sparc-local.gz
openssl-0.9.7g-sol8-sparc-local.gz
tcp_wrappers-7.6-sol8-sparc-local.gz (optional, but recommended, unless you are using IPv6 - see the tcp_wrappers listing for details on this issue)

or for Intel:

openssh-4.1p1-sol8-intel-local.gz
openssl-0.9.7g-sol8-intel-local.gz
tcp_wrappers-7.6-sol8-intel-local.gz (optional, but recommended, unless you are using IPv6 - see the tcp_wrappers listing for details on this issue)

If you have already installed some of the above files, you can skip their downloads, but most are new.

Step Two: Installing the packages

With the files downloaded, go to the directory where you put them and run (with the Intel files replacing the SPARC files for the Intel packages):

# gunzip openssh-4.1p1-sol8-sparc-local.gz
# gunzip openssl-0.9.7g-sol8-sparc-local.gz
# gunzip zlib-1.2.1-sol8-sparc-local.gz
# gunzip libgcc-3.3-sol8-sparc-local.gz        (if you don't already have gcc 3.3.2 installed)
# gunzip tcp_wrappers-7.6-sol8-sparc-local.gz  (again optional)

and optionally for the other packages. Then run as root

# pkgadd -d openssh-4.1p1-sol8-sparc-local
# pkgadd -d openssl-0.9.7g-sol8-sparc-local
# pkgadd -d zlib-1.2.1-sol8-sparc-local
# pkgadd -d libgcc-3.3-sol8-sparc-local        (if you don't already have gcc 3.3.2 installed)
# pkgadd -d tcp_wrappers-7.6-sol8-sparc-local  (optional)

Once you have installed the packages above, you will have files in various subdirectories of /usr/local. The default location for the ssl files is /usr/local/ssl. While these files were compiled to avoid the need to put directories like /usr/local/lib and /usr/local/ssl/lib in your LD_LIBRARY_PATH, it is possible that you may need to set this.
Step Three: Setting up the sshd user and the /var/empty directory

In OpenSSH 3.8.1p1, a new security method called privilege separation is set up. The details can be found in the README.privsep file in the openssh source distribution.

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.

The default sshd_config file in /usr/local/etc has the last line

Subsystem sftp /usr/libexec/sftp-server

This may need to be changed to

Subsystem sftp /usr/local/libexec/sftp-server

If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.

Step Four: Setting up tcp_wrappers

The next step is to set up tcp_wrappers. First read the README.tcpwrappers so that you know what tcp_wrappers does and how. Basically, tcp_wrappers is used to restrict access to your communication ports, such as port 22 used by the sshd program, to some limited group of machines. If you have tcp_wrappers running already, then you will only need to make sure that the sshd daemon entry is placed in the /etc/hosts.allow and /etc/hosts.deny files in a way that is appropriate to your setup. If you are not currently running tcp_wrappers, you can first create the file /etc/hosts.deny and put the single line

sshd: ALL

in it. Then, create the file /etc/hosts.allow and put in it a line like, for example,

sshd: ... a list of the IP numbers of the machines you want to be able to communicate with your machine, separated by commas ...

We will test these entries later.

Step Five: Installing ssh and sshd

This is the final step. You should have read the README.openssl and INSTALL.openssl documents and you should also have read the openssh documents README.openssh and INSTALL.openssh. Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Again, make sure you have /usr/local/bin and /usr/local/sbin in your PATH.
If you have been running sshd before and have keys in /usr/local/etc, running these commands will overwrite them. As root, enter

# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

and wait until each is done - this may take a few minutes depending on the speed of your machine. You might also want to study the /usr/local/etc/ssh_config and /usr/local/etc/sshd_config files to see if there is anything you want to configure differently. The Sun version of ssh and sshd has configuration and key files in /etc/ssh which you may want to study also, though the packages here will not use them. Now we can set up scripts to start the sshd daemon. I use the script which I call sshd and place in the /etc/init.d directory (as root):
#!/bin/sh
# Collect the PIDs of every process named sshd. Note that this includes the
# privsep children and active sessions, so "stop" ends those as well.
pid=`/usr/bin/ps -e | /usr/bin/grep sshd | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        if [ "${pid}" != "" ]
        then
                /usr/bin/kill ${pid}
        fi
        ;;
*)
        echo "usage: /etc/init.d/sshd {start|stop}"
        ;;
esac

Alternative Script Comment

Date: Mon, 13 Jan 2003 14:43:53 -0600 (CST)
From: "Mike's List"

End of Alternative Script Comment

Yet another startup script contributed by Enrico Sorge (e.sorge@itsys.it) is

#!/bin/sh
#
# OpenSSH startup script
#
# Author: Enrico Sorge

Finally, I then do

# chown root /etc/init.d/sshd
# /etc/rc2.d/S98sshd start
Then check to see if sshd is running. If sshd is running and you have set up tcp_wrappers the way you want, then you can test the system. Of course, you have to have another machine that has the ssh program installed so that you can try to communicate with the machine on which you just started sshd. See the OpenSSH documentation for further details. To test that tcp_wrappers is working, you can put a machine's IP address in hosts.allow and see if you can ssh to the server machine from the client, and then take it out and see if access is denied.

To repeat, if you have questions about the detailed use of any of these programs, please read the documentation first or go to their web sites. I do not want to know the security details of any of your systems and it would not be a good idea for you to tell me or anyone else. Security issues are very important and I strongly urge anyone to install as much security software as they can master and to keep a close eye on the latest CERT and other vulnerability sites for announcements.
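Before the start script is run for the first time, the Step Three prerequisites (the /var/empty directory, the sshd account and the sftp-server path in sshd_config) can be verified with a small Bourne shell script like the one below. This is an added example, not code from the sunfreeware.com page; the function names and the ROOT/OWNER arguments are its own (ROOT is a path prefix, empty on the live system, so the checks can also be exercised against a constructed directory tree).

```shell
#!/bin/sh
# Added example (not from the sunfreeware.com page): pre-start checks for the
# Step Three prerequisites. ROOT is a path prefix ("" on the live system) so
# the checks can also run against a constructed tree; OWNER defaults to root.

# /var/empty must be a directory owned by OWNER, mode 755, with no files in it.
check_privsep_dir() {
    root="$1"; owner="${2:-root}"; dir="$root/var/empty"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    set -- `ls -ld "$dir"`            # field 1 = mode string, field 3 = owner
    case "$1" in
        drwxr-xr-x*) ;;               # a trailing '.' or '+' (ACL/label) is fine
        *) echo "FAIL: $dir mode is $1, want drwxr-xr-x (755)"; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "FAIL: $dir owned by $3, want $owner"; return 1; }
    stray=`ls -A "$dir"`
    [ -z "$stray" ] || { echo "FAIL: $dir must be empty, found: $stray"; return 1; }
}

# The sshd account must exist with home /var/empty and the /bin/false shell.
check_privsep_user() {
    entry=`awk -F: '$1 == "sshd" { print $6 ":" $7 }' "$1/etc/passwd" 2>/dev/null`
    [ -n "$entry" ] || { echo "FAIL: no sshd user in $1/etc/passwd"; return 1; }
    [ "$entry" = "/var/empty:/bin/false" ] ||
        { echo "FAIL: sshd home:shell is $entry, want /var/empty:/bin/false"; return 1; }
}

# 'Subsystem sftp' must name an executable; the packaged default path does not exist.
check_sftp_subsystem() {
    conf="$1/usr/local/etc/sshd_config"
    path=`awk '$1 == "Subsystem" && $2 == "sftp" { print $3 }' "$conf" 2>/dev/null`
    [ -n "$path" ] || { echo "FAIL: no 'Subsystem sftp' line in $conf"; return 1; }
    [ -x "$1$path" ] ||
        { echo "FAIL: $path not found; try /usr/local/libexec/sftp-server"; return 1; }
}

# Run all three checks; the return value is the number of failures (0 = go).
check_sshd_prereqs() {
    failures=0
    check_privsep_dir "$1" "$2" || failures=`expr $failures + 1`
    check_privsep_user "$1"     || failures=`expr $failures + 1`
    check_sftp_subsystem "$1"   || failures=`expr $failures + 1`
    return $failures
}

# With arguments (sh check_sshd_prereqs.sh "" root, as root) it reports; with none, only the functions are defined.
if [ $# -gt 0 ]; then
    if check_sshd_prereqs "$1" "$2"; then echo "OK: safe to start sshd"
    else echo "$? check(s) failed; fix them before starting sshd"; fi
fi
```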
© Copyright 2005 Steven M. Christensen and Associates, Inc. This page was last updated on April 26, 2005.
CLEANUP DOS FILES

If you deal with DOS files and the "^M" character always appears at the end of the line, here are two ways to get rid of them.

If you edit the DOS text file with the "vi" editor in UNIX, use the following from the "vi" command line:

:%s/^V^M//g

From a Unix shell use the command:

% sed 's/^V^M//g' foo > foo.new

NOTE: ^V is control V and ^M is control M or Enter