Building OpenSSH--Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2
OpenSSH is a free, BSD style license, implementation of the Secure Shell protocols. OpenSSH is designed for strong authentication, for improved privacy, for secure X11 sessions, and to not trust the network. OpenSSH is developed on and for the OpenBSD operating system by the OpenBSD group. The OpenSSH portability team then transforms the OpenBSD version into the portable version that supports many UNIXTM derived operating systems including the SolarisTM Operating System (Solaris OS) and the Linux operating system.
This article updates much of the information in "Building OpenSSHTools and Tradeoffs," Sun BluePrintsTM Online article, January 2003. This article contains information about gathering the needed components, deciding the compile-time configuration decisions, building the components, and finally assembling OpenSSH for the Solaris OS. Things change quickly in the open source world, so the versions mentioned in this article might have changed. Use the latest version, and test it in your environment. Despite version changes, the basic build process should remain the same.
OpenSSH requires several components to be present before you can build it. These components must either be installed individually or as part of the Solaris OS. The following lists the components that are needed:
Solaris OS build machine
ANSI C compiler
TCP Wrappers (optional)
See "Resources" on page 25 for information on how to obtain the individual software components.
The instructions in this article use software package names and file names that do not reference the version number of the software packages. Always use the latest versions. The consequence is that the software build process might change in the future. The instructions were written using the following specific versions:
Solaris 8 2/02 OE for SPARCTM processors
gzip 1.2.4 (included with the Solaris 8 2/02 OE)
Forte Developer 7 C 5.4 (rebranded as SunTM ONE Studio 7, Complier Collection)
Perl 5.005_03 (included with the Solaris 8 2/02 OE)
/dev/urandom (available for Solaris 8 OE in a patch)
TCP Wrappers 7.6
Consult the installation documentation to prevent build problems.
Before Building OpenSSH
Before you build OpenSSH, you must consider the issues discussed in this section. Compiling code is output intensive. The build and compiler output are not included in the examples.
Using Static Versus Dynamic Libraries
Zlib, OpenSSL, and TCP Wrappers can be built as either static or dynamic libraries. The default is static. The advantage of static libraries is performance and integration. A statically linked binary is faster to start up, and the executable can be installed as a standalone component. It depends on no supporting libraries (other than the required system dynamic libraries such as libc.so.) The disadvantage is that changes to a library require replacing and relinking the executable. Dynamic libraries allow just the library to be replaced and the program restarted. The Solaris OS 8 and 9 releases ship only dynamic libraries for this reason. Unless you foresee the need to replace libraries frequently, use the default of static libraries. This simplifies the configuration, build, and deployment processes.
Install Versus Build Location
OpenSSH requires its components to be installed in the /usr/local directory. This is only for building, not installation of OpenSSH. On the deployed machines, OpenSSH can be installed in either the /opt/OBSDssh directory, the /usr/local directory, or some other location. You must chose the location before building because the location is compiled into the executables.
The component configure scripts expect the programmer (developer) utilities in the /usr/ccs/bin tree to be in the $PATH environment variable. If /usr/ucb/bin is in $PATH, it must be after the compilers and the programmer utilities to prevent the wrong cc command from being called.
To Add /usr/ccs/bin to the $PATH Variable (sh or ksh)
Check the $PATH variable.
Add /usr/ccs/bin to the $PATH variable.
$ echo $PATH /usr/bin:/usr/sbin
$ PATH=/usr/ccs/bin:$PATH $ echo $PATH /usr/ccs/bin:/usr/bin:/usr/sbin
Checking MD5 Hashes and GNU Privacy Guard Signatures
Before you build the software packages, verify that they have been downloaded correctly by either checking their GNU privacy guard (GPG) signature or MD5 hash. If it differs, do not use the package. You can obtain the MD5 software at:
The compressed TAR file contains both SPARC and x86 binaries. Note that the file permissions on the extracted binaries need to be changed to executable. Consult the GNU Privacy Guard documentation for building it and checking signatures.
To Install the MD5 Software
Download the software into the /tmp directory.
Become the superuser, and change the directory to the /opt directory.
Use the zcat(1) command to uncompress the TAR file.
Change the permissions and ownership of the files.
# zcat /tmp/md5.tar.Z | tar xvf - x md5, 0 bytes, 0 tape blocks x md5/md5-x86, 23452 bytes, 46 tape blocks x md5/md5-sparc, 23892 bytes, 47 tape blocks
# chmod -R 755 /opt/md5 # chown -R root:bin /opt/md5 # exit
To Generate an MD5 Hash
Generate the software's hash.
Use the cat(1) command to inspect the distributed hash.
$ /opt/md5/md5-sparc prngd-x.x.x.tar.gz MD5 (prngd-x.x.x.tar.gz) = f63c06d96d9610619f702e234a660544
$ cat prngd-x.x.x.tar.gz.md5 MD5(prngd-x.x.x.tar.gz)= f63c06d96d9610619f702e234a660544