
OpenSSH

OpenSSH is the OpenBSD group's implementation of the Secure Shell protocols, versions 1 and 2. It is based on Tatu Ylönen's original Secure Shell implementation. Before building OpenSSH, all of the required and optional components must be built and installed on the build machine.

Configuring OpenSSH

The configure script includes many arguments that influence the compilation and installation process. OpenSSH needs to be configured based on the installation targets, compiler choice, and entropy source usage.

To Obtain the List of Arguments in the Configure Script

  1. Change directories to the openssh-x.xpx directory.

  2. Execute the configure script with the -help option to obtain the argument list.

     $ ./configure -help

    As a best practice, you should build OpenSSH with the following arguments:

    • --with-pam: Enables the use of pluggable authentication modules (PAM).

    • --disable-suid-ssh: Do not install the ssh binary with the setuid bit. This prevents a local root compromise if a vulnerability is found in the ssh command. The setuid bit is only needed for falling back to the rsh protocol, which is disabled by the following option.

    • --without-rsh: Do not fall back to the insecure rsh protocol if a connection using the Secure Shell protocol fails.

    • --with-lastlog=/var/adm/lastlog: Defines the lastlog file location for the Solaris OS.

    • --prefix=/opt/OBSDssh: Establishes the top-level installation directory. The /opt/OBSDssh directory is used for package generation; you can also use the /usr/local directory. The top-level installation directory is where OpenSSH looks for its various components.

    • --without-privsep-user: Disables privilege separation because of PAM interactions.

      CAUTION

      If you receive a "Privilege separation user does not exist" error, add the entry UsePrivilegeSeparation no to the sshd_config file. You can prevent this error from occurring by adding the entry to the sshd_config.out file before you generate the package.

    • --without-privsep-path: Also disables privilege separation because of PAM interactions.

    • --with-prngd-socket=/var/run/egd-pool: For systems using PRNGD, add this argument. It is the location of the entropy pool socket.

    • --without-prngd: For systems using /dev/random, without PRNGD, add this argument. Do not use PRNGD.

    • --without-rand-helper: For systems using /dev/random, add this argument. Do not use the subprocess entropy gatherer.

      NOTE

      The configure script will report "Random number source: OpenSSL internal ONLY"; disregard this message.

    • --with-tcp-wrappers=/usr/local: For TCP wrappers support, add this argument. If you are using the integrated Solaris 9 OE version, use the /usr/sfw directory instead of the /usr/local directory.

    • --with-cflags="-xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch ": For the Forte C compiler, add this argument.

      NOTE

      If the target machines do not have an UltraSPARC II or III processor, omit the -xprefetch flag.

To Configure OpenSSH

  • For package creation, /dev/random usage, and the Forte C compiler, execute:

    $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --without-prngd --without-rand-helper \
      --with-cflags="-xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch "

  • For package creation, /dev/random usage, and the GNU C compiler, execute:

    $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --without-prngd --without-rand-helper

  • For package creation, PRNGD usage, and the Forte C compiler, execute:

    $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --with-prngd-socket=/var/run/egd-pool \
      --with-cflags="-xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch "

  • For /usr/local installation, PRNGD usage, and the GNU C compiler, execute:

    $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog \
      --prefix=/usr/local --without-privsep-user --without-privsep-path \
      --with-prngd-socket=/var/run/egd-pool
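As an added example (not code from the article or from the OpenSSH project), the following POSIX shell helpers encode the argument selection above for all four entropy-source and compiler combinations, and apply the CAUTION about the missing privilege-separation user to an sshd_config or sshd_config.out file; the account name sshd is an assumption.

```shell
#!/bin/sh
# Added example, not code from the article: helpers around the configure
# step described above.
#
# openssh_configure_args ENTROPY COMPILER [PREFIX]
#   Prints the ./configure argument list for the combinations the article
#   lists (ENTROPY: random|prngd, COMPILER: forte|gcc, PREFIX defaults to
#   /opt/OBSDssh). Returns 1 on an unknown choice.
openssh_configure_args() {
    entropy=$1; compiler=$2; prefix=${3:-/opt/OBSDssh}
    # Flags the article recommends for every build: PAM, no setuid ssh,
    # no rsh fallback, Solaris lastlog path, privilege separation off.
    args="--with-pam --disable-suid-ssh --without-rsh"
    args="$args --with-lastlog=/var/adm/lastlog --prefix=$prefix"
    args="$args --without-privsep-user --without-privsep-path"
    case $entropy in
        random) args="$args --without-prngd --without-rand-helper" ;;
        prngd)  args="$args --with-prngd-socket=/var/run/egd-pool" ;;
        *)      echo "unknown entropy source: $entropy" >&2; return 1 ;;
    esac
    case $compiler in
        forte)  args="$args --with-cflags='-xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch'" ;;
        gcc)    ;;
        *)      echo "unknown compiler: $compiler" >&2; return 1 ;;
    esac
    printf '%s\n' "$args"
}

# privsep_disable_if_no_user CONFIG [USER]
#   The article's CAUTION: when the privilege-separation account (assumed
#   here to be "sshd") is absent, sshd reports that the user does not
#   exist unless the config says "UsePrivilegeSeparation no". Append that
#   line once if it is missing; leave the file alone if the account exists.
privsep_disable_if_no_user() {
    cfg=$1; user=${2:-sshd}
    if id "$user" >/dev/null 2>&1; then
        return 0
    fi
    if ! grep -q '^UsePrivilegeSeparation[[:space:]][[:space:]]*no' "$cfg"; then
        printf 'UsePrivilegeSeparation no\n' >>"$cfg"
    fi
}

# Usage from the openssh-x.xpx directory, e.g. for a PRNGD/Forte build:
#   eval ./configure $(openssh_configure_args prngd forte)
```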

Building OpenSSH

Build OpenSSH by executing the make(1S) command, as in the following procedure. Installation is not needed because OpenSSH is packaged later for deployment.

To Build OpenSSH

  1. Change the directory to the openssh-x.xpx directory.

  2. Execute the make(1S) command.

     $ make
