From: Bill R. Williams (brwms@etsu.edu)
Date: Fri Sep 26 2003 - 10:22:08 EDT
SUMMARY of two related posts:
Subject: About OpenSSH PrivSep
Subject: OpenSSH in, SUNWssh* out
----------------------------------------------------------------------
Regarding Subject: About OpenSSH PrivSep
----------------------------------------------------------------------
In my original notes I said:
>Question for those of you who are using OpenSSH -- especially those
>who built the newer (7.1.1p1) versions...
>>I have built the OpenSSH 7.1.1p2 (yes, patch-two!) version.
All references to '7.1.1' should have been '3.7.1'. (Dain bramage.)
(Thanks to Ryan A. Krenzischek for waking me up on this.)
Running Solaris9 and using tools from sunfreeware.com:
    gcc-3.3          BUILD machine
    openssl-0.9.7b
    libgcc-3.3       Needed by OpenSSL on NON-build machines (no gcc installed)
After all responses were in and my digging around I ended up building
OpenSSH-3.7.1p2 using:
./configure --with-pam --disable-suid-ssh --without-rsh \
--with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
--without-prngd --without-rand-helper \
--with-tcp-wrappers=/usr/sfw
(Allowed default: --prefix=/usr/local)
After your ./configure and make this is GREAT ...
The openssh-3.7.1 tar.gz packages include:
contrib/solaris/buildpkg.sh
which will create a package usable as:
pkgadd -d OpenSSH-Solaris-sparc-OpenSSH_3.7.1p2.pkg
Furthermore, the generated package will have all pre/post install
scripts for creating the privsep user/group/directory IF NEEDED, as
well as the /etc/{init.d,rc.d} scripts/links.
The 'buildpkg.sh' reads the configuration used to build (make) the
binaries to determine values for the installation package, scripts, etc.
I was most impressed with it.
Thanks to:
Vahid Moghaddasi
Dave Foster
For the UsePrivilegeSeparation validation.
Mitch Bruntel
Dave Foster
For remarks on --use-pam and "UsePAM".
And, the ultimate tip came:
>From Mitch Bruntel <> Thu Sep 25 15:58:41 2003
FYI, sunfreeware.com has posted the latest version of their OpenSSH
patches too.
----------------------------------------------------------------------
Regarding Subject: OpenSSH in, SUNWssh* out
----------------------------------------------------------------------
In my original (corrected) notes I said:
>I have built the OpenSSH 3.7.1p2 (yes, patch-two!) version.
>I used the included 'contrib/solaris/buildpkg.sh' script to build a
>'pkgadd' installable package. Works great!
>
>NOW, I have:
>Security OpenSSH OpenSSH Portable for Solaris
>
>And I want to 'pkgrm' these:
>system SUNWsshcu SSH Common, (Usr)
>system SUNWsshdr SSH Server, (Root)
>system SUNWsshdu SSH Server, (Usr)
>system SUNWsshr SSH Client and utilities, (Root)
>system SUNWsshu SSH Client and utilities, (Usr)
>
>Q: I get the impression that 'pkgrm -R PATH' will save a removed
> package to the specified PATH. Is this correct?
A: NO! (Just as I suspected.)
Thanks to: Darren, JV
The SUNWssh* packages can be removed in one invocation *if* they are
specified in the proper order. I used this little documented script:
-----------------------------------
# @(#)BRWms: UnInstall SUN SSH
#607:SUNWsshdu SSH Server, (Usr)
#605:SUNWsshdr SSH Server, (Root)
#609:SUNWsshr SSH Client and utilities, (Root)
#611:SUNWsshu SSH Client and utilities, (Usr)
#603:SUNWsshcu SSH Common, (Usr)
set -x
pkgrm SUNWsshdu* SUNWsshdr* SUNWsshr* SUNWsshu* SUNWsshcu*
-----------------------------------
----------------------------------------------------------------------
Tips for those moving from SUNWssh* to OpenSSH...
----------------------------------------------------------------------
I personally do NOT recommend building OpenSSH with the --sysconfdir
set to /etc/ssh! This path tends to be used by the vendors (Sun) as
their default SSH Daemon config area. The overwhelming recommendation
from my research is to use: --sysconfdir=/etc/openssh
You will want to copy your server keys from the SUNWssh* location
(/etc/ssh/*_key*) to the OpenSSH 'sysconfdir' (I used /etc/openssh)
directory so that your server continues to ID the same.
The old (SUNWssh) /etc/sshd_config file will cause complaints with the
new OpenSSH-3.7.1 'sshd'. Use the new ssh[d]_config files and migrate
in your special needs from your old "*_config" files.
UNLESS you created the package to install as --prefix=/ (root) you can
install OpenSSH before you uninstall (pkgrm) SUNWssh*. Otherwise you
will need to 'pkgrm SUNWssh* ...' before you 'pkgadd -d OpenSSH'.
And, you can try out the OpenSSH before you remove the SUNWssh*, but
be careful to get the location of the OpenSSH binaries first in your
path -- something like: PATH=/usr/local/bin:$PATH ssh -V
(The new /etc/init.d/openssh has correct FQ-PATH to 'sshd'. You can
/etc/init.d/sshd stop; /etc/init.d/opensshd start)
Thanks to everyone on the list for your help!
As always, special recognition to those who entertain for one moment
the notion that I am going to play clicky-clicky on some web page to
get past their SPAM blocker. Why are they even subscribed to this
list? They'll never see anything from it even if they post a question
to it!
Free unrelated tip:
You people "On vacation" or "Out of the office", set your
'vacation' filter to NOT respond to things including 'sunmanagers' in
the header!
--
Bill R. Williams <brw@etsu.edu>
ETSU Library Systems
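The host-key copy described in the migration tips above, as an added example that is not part of the original post: a POSIX sh function (the name migrate_host_keys is hypothetical) that copies the *_key* files into the new sysconfdir, sets aside any different key already present there, and forces private keys to mode 600. The directories are arguments; /etc/ssh and /etc/openssh are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Function name is hypothetical.
# usage: migrate_host_keys OLD_CONFIG_DIR NEW_SYSCONFDIR
#   e.g. migrate_host_keys /etc/ssh /etc/openssh
# Exit status: 0 ok, 1 copy problem, 2 bad directory, 3 no keys found.
migrate_host_keys() (
    # Body runs in a subshell so umask and variables do not leak to the caller.
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2        # created before umask 077: users must read ssh_config
    umask 077                          # new key files are never briefly world-readable
    found=0
    for key in "$src"/*_key "$src"/*_key.pub; do
        [ -f "$key" ] || continue      # pattern matched nothing
        found=1
        name=`basename "$key"`
        # A different key already in the new directory (for example one
        # generated at first start) is kept aside, not silently overwritten.
        if [ -f "$dst/$name" ] && ! cmp -s "$key" "$dst/$name"; then
            mv "$dst/$name" "$dst/$name.generated" || return 1
        fi
        cp -p "$key" "$dst/$name" || return 1
        case $name in
            *.pub) chmod 644 "$dst/$name" ;;
            *)     chmod 600 "$dst/$name" ;;  # sshd refuses private keys readable by group/other
        esac
        # Byte-for-byte check: the server identity is unchanged only if the
        # copied key is identical to the old one.
        cmp -s "$key" "$dst/$name" || { echo "copy mismatch: $name" >&2; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "no *_key* files in $src" >&2; return 3; }
    return 0
)
```

Run it as root so that cp -p keeps the ownership; afterwards `ssh-keygen -l -f` on the old and new .pub files should print the same fingerprint.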