
Component Descriptions

This section contains descriptions of the OpenSSH components.

Solaris OS Build Machine

The build machine needs to have the same base architecture as the targeted deployment machines. The Solaris OS is currently available for two platforms: SPARC and x86. You can check the architecture using the uname(1) command. If you deploy both, you will be required to build OpenSSH twice.

The following table will help you determine which build machine architectures are compatible.

TABLE 1 OpenSSH Compatible Architectures Examples

| Build Architecture | Target Architecture | Comments |
|---|---|---|
| Ultra 1 SPARC | Netra™ T1 SPARC | These architectures are compatible. |
| Ultra 1 SPARC | V20z IA-32 | These architectures are not compatible. |
| V20z IA-32 | V20z IA-32 | These architectures are compatible. |
| V20z IA-32 | Sun Fire™ 15K SPARC | These architectures are not compatible. |


Solaris OS Release

You must build OpenSSH on the oldest Solaris OS release that you plan on supporting. Newer releases of the Solaris OS are backwards compatible. This might require that new features not be used to maintain compatibility across releases. Building a single package reduces build-time costs and prevents a wrong package from being installed. You can check the release version with the uname(1) command.

Metaclusters

The build machine needs to have one of the following metaclusters installed:

  • SUNWCprog (developer metacluster)

  • SUNWCall (entire Solaris OS distribution)

  • SUNWCXall (entire Solaris OS distribution plus OEM support)

The programmer utilities located in the /usr/ccs/bin directory are required to build OpenSSH. The /var/sadm/system/admin/CLUSTER file records which metacluster is installed on the machine. If the metacluster is not one of the above three, the build machine will need to be reinstalled with the correct metacluster.

To Check the Installed Metacluster

  • Use cat(1) to check the installed metacluster.

    $ cat /var/sadm/system/admin/CLUSTER
    CLUSTER=SUNWCall

CAUTION

Do not build on the intended deployment machines. This is particularly critical for machines installed with a minimized approach. Building the software requires a compiler and interpreters that could provide leverage for an attacker. Build the software and package it on the build machine, then deploy it to the target machines.
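The build-machine requirements above (an accepted metacluster, the /usr/ccs/bin utilities, and a base architecture matching the target) can be checked in one pass before any source is unpacked. The following script is an added example, not part of the original article; the function names are hypothetical, and the sample CLUSTER file and make stub are constructed so the script runs on any system.

```shell
#!/bin/sh
# Added example (not from the article). Bourne-compatible: backticks and expr.
ALLOWED="SUNWCprog SUNWCall SUNWCXall"   # metaclusters the article accepts

# Print the CLUSTER= value recorded in the given file; fail if unreadable.
metacluster_of() {
    [ -r "$1" ] || return 1
    sed -n 's/^CLUSTER=//p' "$1" | sed 1q
}

# Succeed only if the file names one of the allowed metaclusters.
metacluster_ok() {
    mc=`metacluster_of "$1"` || return 1
    for ok in $ALLOWED; do
        [ "$mc" = "$ok" ] && return 0
    done
    return 1
}

# Succeed if build and target report the same `uname -p` value (sparc, i386).
same_base_arch() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# preflight CLUSTER_FILE CCS_DIR BUILD_ARCH TARGET_ARCH
# Prints one line per check and returns the number of failed checks.
preflight() {
    fails=0
    if metacluster_ok "$1"; then echo "ok   metacluster $mc"
    else echo "FAIL metacluster must be one of: $ALLOWED"; fails=`expr $fails + 1`; fi
    if [ -x "$2/make" ]; then echo "ok   $2/make present"
    else echo "FAIL $2/make missing"; fails=`expr $fails + 1`; fi
    if same_base_arch "$3" "$4"; then echo "ok   build arch $3 matches target"
    else echo "FAIL build arch '$3' differs from target '$4'"; fails=`expr $fails + 1`; fi
    return $fails
}

# Constructed sample inputs so the example runs anywhere. On a real build host:
#   preflight /var/sadm/system/admin/CLUSTER /usr/ccs/bin "`uname -p`" sparc
demo=${TMPDIR:-/tmp}/preflight.$$
mkdir -p "$demo/ccs"
echo "CLUSTER=SUNWCall" > "$demo/CLUSTER"
: > "$demo/ccs/make"; chmod +x "$demo/ccs/make"
preflight "$demo/CLUSTER" "$demo/ccs" sparc sparc
echo "failed checks: $?"
rm -rf "$demo"
```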

Gzip

The component source software packages are distributed in the Gzip format (for example, package_name.tar.gz). This is a Gzip compressed TAR file. The file must be uncompressed before it can be extracted. Neither uncompress(1) nor unzip(1) will be able to uncompress the file. Gzip comes with the Solaris 8 and 9 OE releases. For previous releases, you will have to download the Gzip software and build it from the source. Alternatively, prebuilt binaries can be downloaded at:

http://www.sunfreeware.com/

To Extract a Gzip Compressed Software Package

In the following example, foo.tar.gz is the name of the software package.

  • Use the gzip(1) command to uncompress and the tar(1) command to extract the file.

    $ gzip -dc foo.tar.gz | tar xvf -
    x foo/bar, 0 bytes, 0 tape blocks
    x foo/bar/ChangeLog, 10963 bytes, 22 tape blocks
    x foo/bar/INDEX, 1138 bytes, 3 tape blocks

Compilers

An ANSI C compliant compiler is needed to build the various components. Either the Forte C or GNU C compiler will work. Forte C has the advantage of being able to produce more optimized executables, particularly with the relevant flags being used. The optimization flag usage becomes a factor when building the math-intensive OpenSSL cryptographic library. The Forte compiler has the disadvantage of being a separate product. Consult your sales representative for more information on obtaining it. The GNU compiler is available free of charge.

NOTE

Make sure the build system has the appropriate patches applied, particularly the necessary patches for the Forte C compiler, if you are using it.

To build gcc, refer to its documentation. To obtain prebuilt versions of gcc, go to:

http://www.sunfreeware.com/

Perl

The Practical Extraction and Reporting Language (Perl) is needed to configure and install OpenSSL and OpenSSH. Specifically, version five of the language is needed. Perl version five comes with the Solaris 8 and 9 OE releases. For previous releases, you must download it and build from source. To obtain prebuilt binaries, go to:

http://www.sunfreeware.com/

Zlib

Zlib is a lossless data-compression library. Optionally, OpenSSH uses it to compress data as it is transmitted and received to reduce bandwidth consumption. Although the feature is optionally used, Zlib is needed for compilation of OpenSSH. Zlib comes with Solaris 8 and 9 OE releases in dynamic library form.

NOTE

Per Sun Alert 43541, Solaris 8 OE systems should apply the Zlib patch (patch ID 112611 for SPARC and 112612 for x86). The Zlib patch fixes a security bug detailed in CERT Vulnerability VU#368819.

Zlib will need to be built in three cases: for the Solaris 2.6 and 7 OE releases, to statically link OpenSSH, or for minimized machines without the Zlib dynamic libraries. To build a dynamic Zlib library, consult the documentation.

NOTE

Do not use versions previous to zlib-1.1.4 because there is an exploitable vulnerability (see the previously mentioned CERT vulnerability).
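The version floor in the note above can be enforced from the source tree itself rather than from the directory name, because zlib.h carries the release in its ZLIB_VERSION macro. The following script is an added example, not part of the original article; the function names are hypothetical and the sample header files are constructed.

```shell
#!/bin/sh
# Added example (not from the article): gate a zlib source tree on its version.
MIN_ZLIB=1.1.4   # oldest version the article permits

# Print the string from the ZLIB_VERSION macro in a zlib.h file.
zlib_header_version() {
    sed -n 's/^#define  *ZLIB_VERSION  *"\([^"]*\)".*/\1/p' "$1" | sed 1q
}

# version_ge A B: succeed if dotted version A >= B, compared field by field
# as numbers, so 1.2.11 is newer than 1.2.3 and 1.1.3 is older than 1.1.4.
version_ge() {
    echo "$1 $2" | awk '{
        if (NF != 2) exit 2              # refuse an empty or malformed version
        n = split($1, a, "."); m = split($2, b, ".")
        if (m > n) n = m
        for (i = 1; i <= n; i++) {
            x = a[i] + 0; y = b[i] + 0   # a missing field counts as 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# zlib_tree_ok DIR: 0 if DIR/zlib.h declares >= MIN_ZLIB, 1 if older,
# 2 if the version cannot be determined (treated as a failure).
zlib_tree_ok() {
    [ -r "$1/zlib.h" ] || { echo "FAIL no zlib.h in $1"; return 2; }
    v=`zlib_header_version "$1/zlib.h"`
    [ -n "$v" ] || { echo "FAIL no ZLIB_VERSION in $1/zlib.h"; return 2; }
    if version_ge "$v" "$MIN_ZLIB"; then echo "ok   zlib $v"; return 0; fi
    echo "FAIL zlib $v is older than $MIN_ZLIB"; return 1
}

# Constructed sample trees: the directory name claims 1.1.4 in both cases,
# but only the header decides.
demo=${TMPDIR:-/tmp}/zlibgate.$$
mkdir -p "$demo/old/zlib-1.1.4" "$demo/new/zlib-1.1.4"
echo '#define ZLIB_VERSION "1.1.3"' > "$demo/old/zlib-1.1.4/zlib.h"
echo '#define ZLIB_VERSION "1.1.4"' > "$demo/new/zlib-1.1.4/zlib.h"
zlib_tree_ok "$demo/old/zlib-1.1.4" || echo "     (build refused, exit $?)"
zlib_tree_ok "$demo/new/zlib-1.1.4"
rm -rf "$demo"
```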

To Build Zlib

  • To configure Zlib to use the Forte C compiler:

  1. Change directories to the zlib-x.x.x directory.

  2. Use the env(1) command to set the options and execute the configure script.

     $ env CC=cc \
     CFLAGS="-xO5 -xdepend -xprefetch -dalign -xlibmil -xunroll=5 " \
     ./configure

     NOTE

     If the target machines are without an UltraSPARC II or III processor, omit the -xprefetch flag.

  3. Use the make(1S) command to build the Zlib software.

     $ make

  4. Use the make(1S) command to test the build.

     $ make test
     hello world
     uncompress(): hello, hello!
     gzread(): hello, hello!
     gzgets() after gzseek: hello!
     inflate(): hello, hello!
     large_inflate(): OK
     after inflateSync(): hello, hello!
     inflate with dictionary: hello, hello!
             *** zlib test OK ***

  5. Install the Zlib software by executing the following commands:

     $ su
     Password: password
     # PATH=/usr/ccs/bin:$PATH
     # export PATH
     # make install
     # ls -l /usr/local/lib/libz.a
     -rwxr-xr-x  1 root other   104308 Oct 10 14:03 libz.a

  • To configure Zlib to use the GNU C compiler:

  1. Change the directory to the zlib-x.x.x directory.

  2. Execute the configure script.

     $ ./configure

  3. Use the make(1S) command to build the Zlib software.

     $ make

  4. Use the make(1S) command to test the build.

     $ make test
     hello world
     uncompress(): hello, hello!
     gzread(): hello, hello!
     gzgets() after gzseek: hello!
     inflate(): hello, hello!
     large_inflate(): OK
     after inflateSync(): hello, hello!
     inflate with dictionary: hello, hello!
             *** zlib test OK ***

  5. Install the Zlib software by executing the following commands:

     $ su
     Password: password
     # PATH=/usr/ccs/bin:$PATH
     # export PATH
     # make install
     # ls -l /usr/local/lib/libz.a
     -rwxr-xr-x  1 root other   104308 Oct 10 14:03 libz.a