Building OpenSSH—Tools and Tradeoffs
OpenSSH is a free, BSD style license, implementation of the Secure Shell protocols. OpenSSH is designed for strong authentication, for improved privacy, for secure X11 sessions, and to not trust the network. OpenSSH is developed on and for the OpenBSD operating system by the OpenBSD group. The OpenSSH portability team then transforms the OpenBSD version into the portable version that supports many UNIX derived operating systems including the Solaris Operating Environment (Solaris OE) and the Linux operating system.
This article updates much of the information in "Building and Deploying OpenSSH for the Solaris Operating Environment," Sun BluePrints Online article, July 2001. This article contains information about gathering the needed components, deciding the compile-time configuration decisions, building the components, and finally assembling OpenSSH. Things change quickly in the open source world, so the versions mentioned in this article might have changed. Use the latest version, and test it in your environment. Despite version changes, the basic build process should remain the same.
OpenSSH requires several components to be present before you can build it. These components must either be installed individually or as part of the Solaris OE. The following lists the components that are needed:
- Solaris OE build machine
- ANSI C compiler
- Entropy source
- TCP Wrappers (optional)
See the "Resources" section for information on how to obtain the individual software components.
The instructions in this article use software package names and filenames that do not reference the version number of the software packages. Always use the latest versions. The consequence is that the software build process might change in the future. The instructions were written using the following specific versions:
Solaris 9 OE for SPARC processors
gzip 1.3 (included with the Solaris 9 OE)
Forte Developer 7 C 5.4 (rebranded as Sun ONE Studio 7, Complier Collection)
perl v5.6.1 (included with the Solaris 9 OE)
/dev/urandom (Solaris 9 OE feature and entropy source)
PRNGD 0.9.26 (entropy source)
TCP Wrappers 7.6
Consult the installation documentation to prevent build problems.
Before Building OpenSSH
Before you build OpenSSH, you must consider the issues discussed in this section. Compiling code is output intensive. The build and compiler output are not included in the examples.
Using Static Versus Dynamic Libraries
Zlib, OpenSSL, and TCP Wrappers can be built as either static or dynamic libraries. The default is static. The advantage of static libraries is performance and integration. A statically linked binary is faster to start up, and the executable can be installed as a standalone component. It depends on no supporting libraries (other than the required system dynamic libraries such as libc.so.) The disadvantage is that changes to a library require replacing and relinking the executable. Dynamic libraries allow just the library to be replaced and the program restarted. The Solaris OE 8 and 9 versions ship only dynamic libraries for this reason. Unless you foresee the need to replace libraries frequently, use the default of static libraries. This simplifies the configuration, build, and deployment processes.
Install Versus Build Location
OpenSSH requires its components to be installed in the /usr/local directory. This is only for building, not installation of OpenSSH. On the deployed machines, OpenSSH can be installed in either the /opt/OBSDssh directory, the /usr/local directory, or some other location. You must chose the location before building because the location is compiled into the executables.
The component configure scripts expect the programmer (developer) utilities in the /usr/ccs/bin tree to be in the $PATH environment variable. If /usr/ucb/bin is in $PATH, it must be after the compilers and the programmer utilities to prevent the wrong cc command from being called.
To Add /usr/ccs/bin to the $PATH Variable
Check the $PATH variable.
$ echo $PATH /usr/bin:/usr/sbin
Add /usr/ccs/bin to the $PATH variable.
$ PATH=/usr/ccs/bin:$PATH $ echo $PATH /usr/ccs/bin:/usr/bin:/usr/sbin
Checking MD5 Hashes and GNU Privacy Guard Signatures
Before you build the software packages, verify that they have been downloaded correctly by either checking their GNU privacy guard (GPG) signature or MD5 hash. If it differs, do not use the package. You can obtain the MD5 software at:
The compressed TAR file contains both SPARC and x86 binaries. Note that the file permissions on the extracted binaries need to be changed to executable. Consult the GNU Privacy Guard documentation for building it and checking signatures.
To Install the MD5 Software
Download the software into the /tmp directory.
Become the superuser, and change the directory to the /opt directory.
Use the zcat(1) command to uncompress the TAR file.
# zcat /tmp/md5.tar.Z | tar xvf - x md5, 0 bytes, 0 tape blocks x md5/md5-x86, 23452 bytes, 46 tape blocks x md5/md5-sparc, 23892 bytes, 47 tape blocks
Change the permissions and ownership of the files.
# chmod -R 755 /opt/md5 # chown -R root:bin /opt/md5 # exit
To Generate an MD5 Hash
Generate the software's hash.
$ /opt/md5/md5-sparc prngd-x.x.x.tar.gz MD5 (prngd-x.x.x.tar.gz) = f63c06d96d9610619f702e234a660544
Use the cat(1) command to inspect the distributed hash.
$ cat prngd-x.x.x.tar.gz.md5 MD5(prngd-x.x.x.tar.gz)= f63c06d96d9610619f702e234a660544