OpenSSH

OpenSSH is the OpenBSD group's implementation of versions 1 and 2 of the Secure Shell protocol. It is based on Tatu Ylonen's original Secure Shell implementation. Before building OpenSSH, all of the required and optional components must be built and installed on the build machine.

Configuring OpenSSH

The configure script includes many arguments that influence the compilation and installation process. OpenSSH needs to be configured based on the installation targets, compiler choice, and entropy source usage.

To Obtain the List of Arguments in the Configure Script

  1. Change directories to the openssh-x.xp1 directory.

  2. Execute the configure script with the -help option to obtain the argument list.

    $ ./configure -help

As a best practice, you should build OpenSSH with the following arguments:

  • --with-pam

    This argument enables the use of pluggable authentication modules (PAM).

  • --disable-suid-ssh

    Do not install OpenSSH with the setuid bit. This prevents a local root compromise if a vulnerability is found with the ssh command. The setuid bit is only needed for regression to the rsh protocol, which is disabled by the following option.

  • --without-rsh

    Do not regress to the insecure rsh protocol if you are unable to connect by using the Secure Shell protocol.

  • --with-lastlog=/var/adm/lastlog

    Define the lastlog file location for the Solaris OE.

  • --sysconfdir=/etc/openssh

    This argument establishes the location for the OpenSSH configuration files. Make it a standard location, but avoid /etc/ssh to prevent a collision with the Solaris Secure Shell software. The location can also be /etc or /usr/local/etc.

  • --prefix=/opt/OBSDssh

    This argument establishes the top-level installation directory. The /opt/OBSDssh directory is for package generation. You can also use the /usr/local directory. The top-level installation directory is where OpenSSH looks for its various components.

  • --without-privsep-user

    This argument disables privilege separation due to PAM interactions.

  • --without-privsep-path

    This argument also disables privilege separation due to PAM interactions.

  • --with-prngd-socket=/var/run/egd-pool

    For systems using PRNGD, add this argument. It is the location of the entropy pool socket.

  • --without-prngd

    For systems using /dev/random, without PRNGD, add this argument. Do not use PRNGD.

  • --without-rand-helper

    For systems using /dev/random, add this argument. Do not use the subprocess entropy gatherer.

    NOTE

    The configure script will report Random number source: OpenSSL internal ONLY; disregard this message.

  • --with-tcp-wrappers=/usr/local

    For TCP wrappers support, add this argument. If you are using the integrated Solaris 9 OE version, use the /usr/sfw directory instead of the /usr/local directory.

  • --with-cflags="-O5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch "

    For the Forte C compiler, add this argument.

    NOTE

    If the target machines are without an UltraSPARC II or III processor, omit the -xprefetch flag.

To Configure OpenSSH

  • For package creation, /dev/random usage, and the Forte C compiler

    • Execute the following command with the appropriate flags.

      $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --without-prngd --without-rand-helper \
      --with-cflags="-KPIC -xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch "
  • For package creation, /dev/random usage, and the GNU C Compiler

    • Execute the following command with the appropriate flags.

      $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --without-prngd --without-rand-helper
  • For package creation, PRNGD usage, and the Forte C Compiler

    • Execute the following command with the appropriate flags.

      $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
      --prefix=/opt/OBSDssh --without-privsep-user --without-privsep-path \
      --with-prngd-socket=/var/run/egd-pool \
      --with-cflags="-KPIC -xO5 -xdepend -dalign -xlibmil -xunroll=5 -xprefetch "
  • For /usr/local installation, PRNGD usage, and the GNU C Compiler

    • Execute the following command with the appropriate flags.

      $ ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
      --prefix=/usr/local --without-privsep-user --without-privsep-path \
      --with-prngd-socket=/var/run/egd-pool
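
The argument recommendations above can be checked mechanically before a build is started. The following is an added example, not part of the original article: a POSIX shell function (the name lint_configure_args is hypothetical) that checks a configure argument list for the PAM, setuid, rsh, sysconfdir, and entropy-source choices described in this section.

```shell
#!/bin/sh
# Added example, not from the article: lint a ./configure argument list
# against the recommendations above. lint_configure_args is a hypothetical
# helper; it prints one line per finding and returns the finding count.
lint_configure_args() {
    findings=0 sysconfdir="" prngd_socket=0 no_prngd=0 no_helper=0
    have_pam=0 no_suid=0 no_rsh=0
    for arg in "$@"; do
        case "$arg" in
            --with-pam)            have_pam=1 ;;
            --disable-suid-ssh)    no_suid=1 ;;
            --without-rsh)         no_rsh=1 ;;
            --sysconfdir=*)        sysconfdir=${arg#--sysconfdir=} ;;
            --with-prngd-socket=*) prngd_socket=1 ;;
            --without-prngd)       no_prngd=1 ;;
            --without-rand-helper) no_helper=1 ;;
        esac
    done
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }
    [ "$have_pam" -eq 1 ] || report "--with-pam missing: PAM support not enabled"
    [ "$no_suid" -eq 1 ]  || report "--disable-suid-ssh missing: ssh may be installed setuid"
    [ "$no_rsh" -eq 1 ]   || report "--without-rsh missing: client may fall back to rsh"
    # /etc/ssh belongs to the Solaris Secure Shell software.
    case "${sysconfdir%/}" in
        "")       report "--sysconfdir not set" ;;
        /etc/ssh) report "--sysconfdir=/etc/ssh collides with Solaris Secure Shell" ;;
    esac
    # Entropy: either the PRNGD socket, or /dev/random with both opt-outs.
    if [ "$prngd_socket" -eq 1 ]; then
        [ $((no_prngd + no_helper)) -eq 0 ] ||
            report "--with-prngd-socket combined with /dev/random-only flags"
    elif [ $((no_prngd + no_helper)) -ne 2 ]; then
        report "/dev/random build needs --without-prngd and --without-rand-helper"
    fi
    return "$findings"
}

# Constructed sample: a PRNGD build command with --without-rsh left out.
lint_configure_args --with-pam --disable-suid-ssh \
    --sysconfdir=/etc/openssh --with-prngd-socket=/var/run/egd-pool ||
    echo "$? finding(s)"
```
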
Building OpenSSH

Build OpenSSH by executing the make(1S) command, as in the following procedure. Installation is not needed because OpenSSH is packaged later for deployment.

To Build OpenSSH

  1. Change the directory to the openssh-x.xpx directory.

  2. Execute the make(1S) command.

    $ make