[SUMMARY] SSH2 on SunOS 4.1.4
Paramasivam, Meenakshisundaram mparamas@iupui.edu
Wed, 4 Apr 2001 09:07:12 -0500

Thanks to David Foster [foster@dim.ucsd.edu] who shared his notes (attached).
I find this to be very useful, and this is what I needed. I would add to notes
that PERL 5 is also needed to install OpenSSL-0.9.6.

I also thank Sergio Gelato [Sergio.Gelato@astro.su.se] who responded:

1) Don't ever build software as root. You only need root privileges
   for the final installation step.
>>I am aware of this. In
http://www.ssh.com/products/ssh/ssh2-ssh1-server-howto.html first bullet says
"All of this should be done as root.". Perhaps they should rephrase.

2) Have you tried OpenSSH 2.5.2p2 ? See www.openssh.com (the .org domain
   was already taken).
>>No, but I will look into it.

3) gcc 2.8.1 isn't all that current; you may have more luck with 2.95.2.
   Mind you, all versions of gcc have bugs.
>>I am aware that 2.95.2 is recent. Yet, ssh2 ought to compile with 2.8.1. If
not, I can always get recent gcc version and try.

Sundar

-----Original Message-----
From: Paramasivam, Meenakshisundaram [mailto:mparamas@iupui.edu]
Sent: Friday, March 30, 2001 1:47 PM
To: sunmanagers@sunmanagers.org
Subject: SSH2 on SunOS 4.1.4

Are there any pre compiled binaries for SSH2 on SunOS 4.1.4? I could not find
this on ssh.com or other places on internet. I started to compile SSH2 on
4.1.4 but the compilation fails after a while. I used gcc 2.8.1 and I was root.
I would really like to have SSH2 on 4.1.4, and I can not upgrade to Solaris
due to 3rd party firmware, the machine controls an old medical scanner. I am
aware of operability issues between SSH1 and SSH2, and it is why I want SSH2
on all our machines.

[Attachment: SSH2-SunOS.info.txt]

SSH.INFO 12-06-99 DSFoster

Information relevant to the installation of SSH on NCMIR systems.

Installation of OpenSSH 2.5.2p2

-------------------------------------------------------------------------------
* Install Zlib 1.1.2 libraries, compiling from source, on Solaris and IRIX
  platforms, into /usr/local/lib:

    cd /usr/local/src/zlib-1.1.2
    ./configure; make; make install

-------------------------------------------------------------------------------
* Install OpenSSL 0.9.6 , compiling from source on Solaris, and
  IRIX platforms. On Solaris use Workshop 5.0 cc, on IRIX use native
  cc (must use Configure to specify compiler explicitly on SGIs).

Solaris and Tru64 UNIX:

    [On Tru64 system extract tarball locally and install from there...
     otherwise you get NFS errors]

    cd /usr/local/src/openssl-0.9.6
    ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    make; make test; make install

IRIX:

    cd /usr/local/src/openssl-0.9.6
    ./Configure --prefix=/usr/local --openssldir=/usr/local/openssl irix-mips3-cc | \
        tee Install.IRIX
    make | tee -a Install.IRIX
    make test | tee -a Install.IRIX
    make install | tee -a Install.IRIX

Directories created in /usr/local/openssl:

    certs      Initially empty, this is the default location
               for certificate files.
    man/man1   Manual pages for the 'openssl' command line tool
    man/man3   Manual pages for the libraries (very incomplete)
    misc       Various scripts.
    private    Initially empty, this is the default location
               for private key files.
Installs in /usr/local:

    bin               Contains the openssl binary and a few other
                      utility programs.
    include/openssl   Contains the header files needed if you want to
                      compile programs with libcrypto or libssl.
    lib               Contains the OpenSSL library files themselves.

-------------------------------------------------------------------------------
* For SunOS systems ONLY: Install PCRE (Posix Regular Expression Library)
  Required for BSD systems, for compatibility.

    ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/

    ./configure; make; make install

  Then run:

    ./libtool --finish /usr/local/lib

-------------------------------------------------------------------------------
* Install OpenSSH 2.5.2 , compiling from source, on all platforms,
  into /usr. Put all binaries in /usr/bin, put config files in /etc/openssh,
  use IPv4 by default, specify location of OpenSSL libraries, install
  pre-formatted man pages (avoid BSD/SysV incompatibilities). On Solaris
  and SunOS, use gcc, on IRIX use cc compiler.

Compile on Ncmir (Solaris 2.x), Ranvier (IRIX 6.5.9), Ganesa (Tru64),
and Pitstop (SunOS 4.1.4).

[On Tru64 system extract tarball locally and install from there...
 otherwise you get NFS errors]

On Solaris systems install the random number generator package
ANDIrand-0.6-5.[6,8]-sparc-1.pkg .
This is a kernel module that emulates /dev/[u]random:

    Solaris 2.6:
        pkgadd -d ~foster/Programs/OpenSSH/ANDIrand-0.6-5.6-sparc-1.pkg
    Solaris 8:
        pkgadd -d ~foster/Programs/OpenSSH/ANDIrand-0.6-5.8-sparc-1.pkg

On IRIX only first do:

    # Ensure it doesn't find /usr/local/bin/gcc
    source /.cshrc
    set CC=cc

On SunOS only do:

    # Make sure it uses gcc (otherwise get errors about openssl not found)
    # (have /usr/local/bin in path)
    source /.ncmir_env

On non-Solaris compilation machines do:

    cd /usr/local/src/openssh-2.5.2p2
    ./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/openssh \
        --sbindir=/usr/bin --with-ipv4-default --with-ssl-dir=/usr/local/lib \
        --with-catman=cat

Solaris: If you are using /dev/random for entropy generator use instead:

    cd /usr/local/src/openssh-2.5.2p2
    ./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc/openssh \
        --sbindir=/usr/bin --with-ipv4-default --with-ssl-dir=/usr/local/lib \
        --with-catman=cat \
        --with-random=/dev/urandom

*************************************************************************
**** FOR SunOS SYSTEMS **************************************************
*************************************************************************
You'll need to change the following line in the Makefile:

    LIBS=-lz -lcrypto
    LIBS=-lz -lcrypto -Xlinker -Bstatic -lpcreposix -lpcre -Xlinker -Bdynamic

and edit `config.h' (created by ./configure) to

    /* Define if you lack native POSIX regex and you are using PCRE */
    #define HAVE_LIBPCRE
*************************************************************************

    make

Then on each host to install man pages, programs, and generates host-key:

*************************************************************************
**** FOR SGI SYSTEMS ****************************************************
*************************************************************************
IMPORTANT: For SGI remove "-s" from $(INSTALL) commands
which install the binaries, in the Makefile; BSD compatibility mode will be
used which means that this means "strip" the binaries. This results in an
annoying warning msg every time one of the binaries is run.
-------------------------------------------------------------------------
IMPORTANT: May need to edit the Makefile and change definition of
"mansubdir" to "man" (SGI configure sets this blank, so man pages get
put into /usr/man/1 for example!)
*************************************************************************

NOTE: The remaining steps are included in the script: ~foster/Bin/ssh_upgrade

Save existing /etc/openssh for old 2.5.1p1 version to backup, and install:

    mv /etc/openssh /etc/openssh.2.5.1p1
    cd /usr/local/src/openssh-2.5.2p2
    make install
    make host-key

Migrate local modifications of ssh_config and sshd_config files into
/etc/openssh (OpenSSH):

    pushd /etc/openssh
    cp -f ssh_config ssh_config.default
    cp -f sshd_config sshd_config.default
    cp -f ~foster/Sysadmin/Config/OpenSSH/ssh_config .
    chown root ssh_config
    chmod 644 ssh_config
    cp -f ~foster/Sysadmin/Config/OpenSSH/sshd_config .
    chown root sshd_config
    chmod 644 sshd_config
    popd

Change location of sshd binary in /etc/init.d/sshd to /usr/bin and
restart daemon (Solaris and IRIX):

    /etc/init.d/sshd start

(SunOS: Edit /etc/rc.local and restart sshd daemon manually.)
(Tru64: /sbin/rc3.d/S91sshd start )

To generate host-key manually for host do:

    make host-key

Notes from installation (Solaris):

    OpenSSH configured has been configured with the following options.
    User binaries: /usr/bin
    User binaries: /usr/bin
    System binaries: /usr/bin
    Configuration files: /etc/openssh
    Askpass program: /usr/libexec/ssh-askpass
    Manual pages: /usr/man/manX
    PID file: /etc/openssh
    Random number collection: Builtin (timeout 200)
    Manpage format: man
    PAM support: yes
    KerberosIV support: no
    AFS support: no
    S/KEY support: no
    TCP Wrappers support: no
    MD5 password support: no
    IP address in $DISPLAY hack: no
    Use IPv4 by default hack: yes
    Translate v4 in v6 hack: no

    Host: sparc-sun-solaris2.6
    Compiler: gcc
    Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/lib/include
    Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/usr/local/lib/lib -L/usr/local/lib -R/usr/local/lib/lib \
        -R/usr/local/lib
    Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto

    WARNING: you are using the builtin random number collection service.
    Please read WARNING.RNG and request that your OS vendor includes
    /dev/random in future versions of their OS.

Note about ciphers from Steve Lamont's friend:

> 3DES and IDEA both offer excellent security and resistance to attack,
> but are fairly slow. Blowfish with a 128 bit key takes a while to set
> up, but the cypher itself runs very fast and provides very good security.
>
> "ArcFour" - RC4 before RSA let go of it - is a very fast stream (as opposed
> to block) cypher which provides excellent performance and security as well.
> (DES, 3DES, IDEA, Blowfish are all block cyphers. The principal difference
> is that to use a stream cypher for network traffic you can't have packets
> or bytes re-ordered. For a TCP connection this isn't an issue).
>
> When I use SSH I usually use Blowfish.

Notes on modifications for upgrade from 2.3.0 to 2.5.1:

Added/changed in ssh_config:

    # Add to enable RhostsRSAAuthentication. Otherwise defaults
    # to ~/.ssh/identity
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/identity

    PubkeyAuthentication yes
    KeepAlive yes

    # When "yes" or "ask" prevents connection when host key has changed,
    # no longer prompts user.
    StrictHostKeyChecking no

Added/changed in sshd_config:

    # Don't have ssh display motd (displays twice!)
    PrintMotd no

Notes on /dev/random alternatives:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I've used that on Sol7 x86 and Sparc with success.

http://www.cosy.sbg.ac.at/~andi/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Thu, Feb 08, 2001 at 04:33:39PM -0500, Steve Bigley wrote:
> OpenSSH on Solaris is less than optimal. It prefers to use /dev/rand for
> the TCP sequence packet numbering, which doesn't exist on Solaris (and some
> other platforms, as well). Instead, for Solaris, they use a software-based
> algorithm that is much slower. It would be nice if Solaris implemented
> /dev/rand because I like OpenSSH as well, but until then, if you're using
> ssh heavily on a Solaris box, it's better to use a different flavor of ssh.

I am happily running OpenSSH on Solaris. In fact there are two other
possibilities to feed OpenSSH with random numbers (See ./configure --help).

Solaris /dev/random module by Andreas Maier
http://www.cosy.sbg.ac.at/~andi/

    The module creates the pseudo device /dev/random (/dev/urandom is also
    added even though it is working exactly as /dev/random). The random data
    is collected from the high resolution kernel timer on each open, read
    and write call. The code for the random number pool has been taken
    from Linux kernel.

Entropy Gathering Daemon
http://www.lothar.com/tech/crypto/

    The entropy gathering daemon is a little perl script that collects
    entropy by running programs like 'w' and 'iostat', 'vmstat', ... Data
    can be read and written through a unix socket.
As far as I know the Linux random device isn't that bad and the
Entropy Gathering Daemon was created as an addition to GPG, therefore
I assume both sources might generate "good" randomness.

Regards,
Konrad Rieck
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I've found that the Sun SUNWski package is available separately from Sun.
It's included in patches 10675[456]-01. But they are not available for
download from SunSolve.
[...]
But from:

106754-01 - Security and Performance domestic (US only) Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106754-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106754-01.README

106755-01 - Security and Performance international Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106755-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106755-01.README

106756-01 - Security and Performance domestic (US/CANADA) Patch [README]
http://freeware4sun.wroc.pl/patches/zip/106756-01.tar.gz
http://freeware4sun.wroc.pl/patches/README/106756-01.README

I downloaded this patch (106754-01) from sunsolve just last week. It
contains the SUNWski package. I just pulled it out from the patch and
installed just that package.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The Entropy Gathering Daemon from
http://www.lothar.com/tech/crypto/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PRNGD which the OpenSSH people seem to think is nice...
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/prngd.html

*********************************************************************
Older SSH-1 1.2.26 and 1.2.27 installations
*********************************************************************

General Installation:

    Compile for each platform, and then do a "make install" on
    each host to install binaries and man pages in /usr/{bin,man}.
Compilation:
-----------

    cd /usr/local/src/ssh-1.2.27/src
    ./configure --prefix=/usr --without-rsh --with-etcdir=/etc/ssh
    make

Installation:
------------

    Modify src/Makefile:
      - Change sbindir to be ${exec_prefix}/bin (not sbin)
      - Change piddir to be /var/adm (not /var/run)

    make install

    Create /etc/ssh/{ssh_config, sshd_config} files:

        cd /etc/ssh
        rcp proteus:/etc/ssh/ssh_config .
        rcp proteus:/etc/ssh/sshd_config .

    and then update the IP address in sshd_config .

    Startup files: /etc/init.d/sshd and /etc/rc2.d/S99sshd link

        rcp dim:/etc/init.d/sshd /etc/init.d
        cd /etc/rc2.d
        ln -s ../init.d/sshd S99sshd

    Be sure the startup file 'sshd' references /usr/bin and not /usr/sbin.

Remember:
--------

    Machine-dependent configuration file stored in /etc/ssh/ (be sure to
    update the sshd_config and ssh_config from proteus' copy which has
    been changed for NCMIR's setup; also remember to change the
    "ListenAddress" in the sshd_config file)

Specific Instructions:

SGI:
---

    Compile on Crepitus using gcc. Add the following to src/scp.c:

        #include
        #include

- - - - - - - - - - - - - - - - - - - - - -
Useful information related to SSH: Created: 7-28-99 DSFoster

Hi Dave:

Here is what I am doing for sshd on amnesiac:

1. Compiled /usr/local/src/ssh-1.2.26/ on pitstop with:

       ./configure --prefix=/usr/local/apps/ssh-1.2.26 \
           --without-rsh --with-etcdir=/etc/ssh
       make

2. On amnesiac do: make hostinstall

3. Copy /etc/ssh/sshd_config and ssh_config from other clients and
   modify sshd_config ListenAddress entry

4. Test by running ssh on another machine to amnesiac and from amnesiac
   to another machine

5. Post-install: I've modified /etc/rc.local also to start ssh server
   upon bootup.
Mona

Also from the /usr/local/src/README.NCMIR, I have:

SSH 1.2.26 (Secure Shell):

    Downloaded from ftp://sunsite.unc.edu/pub/packages/security/ssh/
    Package stored in /usr/local/src/ssh-1.2.26/
    Compiled and installed on proteus (SGI 6.2) (see NCMIR.README.sgi),
    alex (SunOS 4.1.4) (see NCMIR.README.sun), and blinky (Solaris 2.6)
    (see script in NCMIR.README.solaris)
    Did "make hostinstall" as instructed by the INSTALL file on amnesiac,
    blinky, camshaft, crepitus, dim, eel, gappy, golgi, hi, knack,
    pitstop, ranvier, szechuan
    Machine-dependent configuration file stored in /etc/ssh/ (be sure to
    update the sshd_config and ssh_config from proteus' copy which has
    been changed for NCMIR's setup; also remember to change the
    "ListenAddress" in the sshd_config file)
    User binaries installed in /usr/local/apps/ssh-1.2.26/
    Man pages installed in /usr/local/man/man1/: make-ssh-known-hosts.1,
    make-ssh-known-hosts1.1, scp.1, scp1.1, slogin.1, slogin1.1,
    ssh-add.1, ssh-add1.1, ssh-agent.1, ssh-agent1.1, ssh-keygen.1,
    ssh-keygen1.1, ssh.1, ssh1.1
    Man pages installed in /usr/local/man/man8/: sshd.8, sshd1.8

- - - - - - - - - - - - - - - - - - - - - -
NCMIR sshd_config file:

#
# NOTE: This file has been modified for NCMIR setup.
# If you are going to make any changes to this setup, sccs an editable
# copy from proteus:/etc/ssh/ and then copy the new one to all our unix
# machines; the only exception is that the "ListenAddress" variable
# should be different on each machine so if you modify that variable
# you do not need to SCCS the change on proteus
#
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
RandomSeed /etc/ssh/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 300
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
CheckMail yes
PidFile /etc/ssh/sshd.pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
SilentDeny no

- - - - - - - - - - - - - - - - - - - - - -
NCMIR ssh_config file:

#
# NOTE: This file has been modified for NCMIR setup.
# If you are going to make any changes to this setup, sccs an editable
# copy from Proteus:/etc/ssh/ and then copy the new one to all our unix
# machines
#
# Modifications:
# 2-29-00 DSF Disable X11 forwarding (ForwardX11 no)
#
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
#
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
ForwardAgent yes
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
TISAuthentication no
PasswordAuthentication yes
FallBackToRsh yes
UseRsh no
BatchMode no
StrictHostKeyChecking ask
IdentityFile ~/.ssh/identity
Port 22
Cipher idea
EscapeChar ~

- - - - - - - - - - - - - - - - - - - - - -
Startup sshd file:

#!/sbin/sh
#
# Start SSH server
#
case "$1" in
'start')
        if test -x /usr/bin/sshd; then
                echo "Starting SSH server daemons ..."
                /usr/bin/sshd
        fi
        ;;
'stop')
        ;;
esac

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
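
The ssh_config comments in the attached notes state that a configuration value is only changed the first time it is set, so which setting takes effect depends on order. As an added example (not part of the original message or of the NCMIR notes), the following Python code resolves the effective options for a given host under that rule and flags trust-related settings that appear in the configs above; the findings table, the 1024-bit threshold and the sample configs are assumptions of the example.

```python
import fnmatch

# Settings that appear in the configs above and weaken host or transport
# trust. The selection and the wording of each finding are this example's own.
RISKY = {
    "stricthostkeychecking": ("no", "unknown host keys are accepted without asking"),
    "fallbacktorsh": ("yes", "client may fall back to unencrypted rsh"),
    "rhostsrsaauthentication": ("yes", "login can rest on rhosts-style host trust"),
    "ignorerhosts": ("no", "per-user ~/.rhosts and ~/.shosts are honoured"),
}
MIN_SERVER_KEY_BITS = 1024  # assumed threshold, not a value from the page


def effective_options(text, host):
    """Return {keyword: (value, line_no)} with first-value-wins semantics.

    Lines before any Host keyword apply to every host; a Host section applies
    only when one of its patterns matches `host`. Negated (!) patterns are not
    handled, and multi-valued keywords keep only their first value.
    """
    options, applies = {}, True
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            applies = any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in value.split())
        elif applies and key not in options:  # later duplicates are ignored
            options[key] = (value, line_no)
    return options


def audit(text, host="localhost"):
    """Return sorted (line_no, keyword, reason) findings for `host`."""
    opts = effective_options(text, host)
    findings = [(opts[k][1], k, why) for k, (bad, why) in RISKY.items()
                if k in opts and opts[k][0].lower() == bad]
    bits = opts.get("serverkeybits", ("", 0))
    if bits[0].isdigit() and int(bits[0]) < MIN_SERVER_KEY_BITS:
        findings.append((bits[1], "serverkeybits",
                         f"{bits[0]}-bit server key is below {MIN_SERVER_KEY_BITS}"))
    return sorted(findings)


# Constructed samples modelled on the ssh_config and sshd_config above.
SAMPLE_CLIENT = """\
# host-specific section first, site-wide defaults last
Host scanner*
    StrictHostKeyChecking ask
Host *
    StrictHostKeyChecking no
    FallBackToRsh yes
    RhostsRSAAuthentication yes
"""
SAMPLE_SERVER = "ServerKeyBits 768\nPermitRootLogin no\nIgnoreRhosts no\n"

if __name__ == "__main__":
    print(audit(SAMPLE_CLIENT, "scanner1"), audit(SAMPLE_SERVER), sep="\n")
```

For a host matching `scanner*` the earlier `StrictHostKeyChecking ask` wins and the later `no` under `Host *` is not reported; for any other host it is.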