Tuesday, April 7, 2009

Solaris Installing OpenSSH

Installing OpenSSH
In this example, I install OpenSSH 4.6p1 and prerequisites from Sunfreeware packages on a Solaris 8 Sparc system.

Sunfreeware Packages:

openssh-4.6p1-sol8-sparc-local.gz
libgcc-3.4.6-sol8-sparc-local.gz
openssl-0.9.8e-sol8-sparc-local.gz

# gzip -d openssh-4.6p1-sol8-sparc-local.gz
# gzip -d libgcc-3.4.6-sol8-sparc-local.gz
# gzip -d openssl-0.9.8e-sol8-sparc-local.gz

# pkgadd -d ./openssh-4.6p1-sol8-sparc-local
# pkgadd -d ./libgcc-3.4.6-sol8-sparc-local
# pkgadd -d ./openssl-0.9.8e-sol8-sparc-local

After installing the packages, run the following script to configure and run OpenSSH:
#!/bin/sh

# Create sshd startup/shutdown script
cat << 'SSHD' > /etc/init.d/sshd
#!/bin/sh

case "$1" in
'start')
/usr/local/sbin/sshd
;;
'stop')
/usr/bin/kill `/usr/bin/head -1 /var/run/sshd.pid`
;;
'reload')
/usr/bin/kill -HUP `/usr/bin/head -1 /var/run/sshd.pid`
;;
*)
echo "Usage: $0 { start | stop | reload }"
exit 1
;;
esac
exit 0
SSHD
chown root:root /etc/init.d/sshd
chmod 555 /etc/init.d/sshd
ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

# Create ssh keys
/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

# Use only ssh protocol 2
sed -e 's/#Protocol 2,1/Protocol 2/' /usr/local/etc/sshd_config > /usr/local/etc/sshd_config_new
mv /usr/local/etc/sshd_config_new /usr/local/etc/sshd_config

# Create privilege separation user and environment
mkdir -m 755 /var/empty
chown root:root /var/empty
groupadd sshd
useradd -g sshd -c "OpenSSH privilege separation user" -d /var/empty -s /bin/false sshd

# start sshd
/etc/init.d/sshd start

Old notes

The following instructions show how to install OpenSSH from source and from package for Solaris. I recommend installing from source on Solaris systems, because if a vulnerability is discovered in OpenSSH, it is faster to upgrade from source than wait for package maintainers to release new packages.

Download the "portable" (i.e. you are not running OpenBSD) version of OpenSSH here:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Installing OpenSSH from source
1. Download and install the openssl and zlib prerequisites from source or from package.

2. Download the "portable" version of OpenSSH.

3. Uncompress the OpenSSH tarball.

4. Run ./configure
Note: to build static OpenSSH binaries, run ./configure --with-ldflags=-static

If you receive the following error when running ./configure, you may have to install the libgcc package from Sunfreeware:
checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.

Error in config.log:
configure:8694: ./conftest
ld.so.1: ./conftest: fatal: libgcc_s.so.1: open failed: No such file or directory
Killed

If you receive the following warning when running ./configure:

Random number source: ssh-rand-helper

WARNING: you are using the builtin random number collection
service. Please read WARNING.RNG and request that your OS
vendor includes kernel-based random number collection in
future versions of your OS.

You may want to install the ANDIrand package. This package installs a kernel module that emulates /dev/random and /dev/urandom on Solaris systems. A reboot is not required after installing this package to create the devices.
Alternatively, you may download the PRNGd package and compile OpenSSH with support for PRNGd (--with-prngd-port=xx or --with-prngd-socket=xx). In any case, OpenSSH's WARNING.RNG file appears to suggest using an alternate method of entropy generation rather than the built-in ssh-rand-helper.

If you see:

Random number source: OpenSSL internal ONLY

OpenSSH will use OpenSSL's random number source, which uses /dev/urandom. You are not using OpenSSH's built-in random number collection service, so you should not see the warning message.

5. Run make

6. Create the sshd privilege separation user and environment. View README.privsep from the OpenSSH source for more information.

# [ ! -d /var/empty ] && mkdir -m 755 /var/empty
# chown root:sys /var/empty
# groupadd sshd
# useradd -g sshd -c "OpenSSH privilege separation user" -d /var/empty -s /bin/false sshd

7. Run su root -c "make install"

8. Create an sshd startup/shutdown script.

# vi /etc/init.d/sshd

Add:
#!/bin/sh

case "$1" in
'start')
/usr/local/sbin/sshd
;;
'stop')
/usr/bin/kill `/usr/bin/head -1 /var/run/sshd.pid`
;;
'reload')
/usr/bin/kill -HUP `/usr/bin/head -1 /var/run/sshd.pid`
;;
*)
echo "Usage: $0 { start | stop | reload }"
exit 1
;;
esac
exit 0

# chown root:root /etc/init.d/sshd
# chmod 744 /etc/init.d/sshd
# ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

9. Start sshd.
# /etc/init.d/sshd start

Installing OpenSSH from package

I use the following steps to install OpenSSH from Solaris packages. Please read all scripts carefully along with the excellent Web pages "Installing OpenSSH Packages" and "Installing OpenSSH Packages for SPARC and Intel/Solaris 8."

OpenSSH requires /dev/random or a pseudo-random number generator like PRNGd to generate entropy.

* Solaris 9 provides /dev/random by default. The PRNGd package is not needed to generate entropy.
* If you are using Solaris 8, you may install Solaris patch 112438-01 (PRNG /kernel/drv/random patch) to create /dev/random and /dev/urandom. PRNGd is not needed if you use this patch. A reboot is required after installing this patch to create /dev/random and /dev/urandom. A reboot is not required if you install the Solaris 8 ANDIrand package (see below).
* If you are using earlier versions of Solaris, you may install the ANDIrand package. This package installs a kernel module to emulate /dev/random and /dev/urandom. PRNGd is not needed if you install this package. A reboot is not required after installing the ANDIrand package.
* If you use PRNGd with Solaris 8, the prngd executable is in /usr/local/sbin, not /usr/local/bin. Change /etc/init.d/prngd accordingly.

General instructions:

1. Download and install the openssh, PRNGd (if applicable), openssl, zlib, and libgcc packages from Sunfreeware. I prefer the Sunfreeware mirror ftp://mirrors.xmission.com/sunfreeware

2. Create prngd file (if applicable):

#!/bin/sh

case "$1" in
'start')
/usr/local/sbin/prngd /var/spool/prngd/pool
;;
'stop')
/usr/bin/kill `/usr/bin/ps -e -o pid,args | /usr/bin/grep '[p]rngd' | /usr/bin/awk '{print $1}'`
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit 0

3. Create sshd file:

#!/bin/sh

case "$1" in
'start')
/usr/local/sbin/sshd
;;
'stop')
/usr/bin/kill `/usr/bin/head -1 /var/run/sshd.pid`
;;
'reload')
/usr/bin/kill -HUP `/usr/bin/head -1 /var/run/sshd.pid`
;;
*)
echo "Usage: $0 { start | stop | reload }"
exit 1
;;
esac
exit 0

4. Create install.sh file.

If you are using PRNGd:

#!/bin/sh

# Create entropy
cat /var/log/* /var/adm/* > /usr/local/etc/prngd/prngd-seed
mkdir /var/spool/prngd
/usr/local/sbin/prngd /var/spool/prngd/pool

# Run prngd at startup
cp prngd /etc/init.d
chown root:root /etc/init.d/prngd
chmod 555 /etc/init.d/prngd
ln -s /etc/init.d/prngd /etc/rc2.d/S98prngd

# Create ssh keys
/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

# Run sshd at startup
cp sshd /etc/init.d
chown root:root /etc/init.d/sshd
chmod 555 /etc/init.d/sshd
ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

# Use only ssh protocol 2; versions 1.33 and 1.5 of the ssh protocol
# are not completely cryptographically safe (according to a Nessus probe)
# Do not allow remote root logins via ssh (the stock line is commented out,
# so it must be uncommented, not re-commented, for the setting to take effect)
# Prevent /etc/motd from displaying twice when using ssh
# Allow X11 forwarding
sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#X11Forwarding no/X11Forwarding yes/' \
-e 's/#PrintMotd yes/PrintMotd no/' \
/usr/local/etc/sshd_config > /usr/local/etc/sshd_config_new
mv /usr/local/etc/sshd_config_new /usr/local/etc/sshd_config

# Create privilege separation user and environment
mkdir -m 755 /var/empty
chown root:root /var/empty
groupadd sshd
useradd -g sshd -c "OpenSSH privilege separation user" -d /var/empty -s /bin/false sshd

# Start sshd
/etc/init.d/sshd start

If you are not using PRNGd:

#!/bin/sh

# Create ssh keys
/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

# Run sshd at startup
cp sshd /etc/init.d
chown root:root /etc/init.d/sshd
chmod 555 /etc/init.d/sshd
ln -s /etc/init.d/sshd /etc/rc2.d/S98sshd

# Use only ssh protocol 2; versions 1.33 and 1.5 of the ssh protocol
# are not completely cryptographically safe (according to a Nessus probe)
# Do not allow remote root logins via ssh (the stock line is commented out,
# so it must be uncommented, not re-commented, for the setting to take effect)
# Prevent /etc/motd from displaying twice when using ssh
# Allow X11 forwarding
sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#X11Forwarding no/X11Forwarding yes/' \
-e 's/#PrintMotd yes/PrintMotd no/' \
/usr/local/etc/sshd_config > /usr/local/etc/sshd_config_new
mv /usr/local/etc/sshd_config_new /usr/local/etc/sshd_config

# Create privilege separation user and environment
mkdir -m 755 /var/empty
chown root:root /var/empty
groupadd sshd
useradd -g sshd -c "OpenSSH privilege separation user" -d /var/empty -s /bin/false sshd

# Start sshd
/etc/init.d/sshd start

5. Run install.sh as root.
# sh ./install.sh
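A check worth running before sshd is (re)started, as an added example that is not from the original post: a POSIX sh script that applies the same four sshd_config edits whether the stock line is commented out or already set, then reads back the effective values, so an edit that merely re-comments a line (leaving PermitRootLogin at sshd's compiled-in default) is caught. It covers both the install script at the top of the page and install.sh here; the sample config, temp-file path and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sshd_config edits from
# install.sh in a way that works whether the stock line is commented out
# ("#PermitRootLogin yes") or already set, then verify the effective values.

# Constructed sample of the stock OpenSSH 4.x sshd_config defaults (all commented).
SAMPLE_CONFIG='#Protocol 2,1
#PermitRootLogin yes
#X11Forwarding no
#PrintMotd yes
'

# harden_config FILE: the '^#\{0,1\}' prefix matches both "#Key" and "Key", so the
# result is always an active (uncommented) directive.
harden_config() {
    sed -e 's/^#\{0,1\}Protocol .*/Protocol 2/' \
        -e 's/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/' \
        -e 's/^#\{0,1\}X11Forwarding .*/X11Forwarding yes/' \
        -e 's/^#\{0,1\}PrintMotd .*/PrintMotd no/' "$1" > "$1.new" &&
    mv "$1.new" "$1"
}

# effective_value FILE KEY: value of the first uncommented KEY line (sshd honours
# the first match), or "unset" when only a commented default is present.
effective_value() {
    val=$(awk -v key="$2" '$1 == key { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# audit_config FILE: succeed only if root login is off and protocol 1 is disabled.
audit_config() {
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$1" Protocol)" = "2" ]
}

# demo: run the whole sequence against the constructed sample in a temp file.
demo() {
    tmp=$(mktemp /tmp/sshd_config.XXXXXX) || return 1
    printf '%s' "$SAMPLE_CONFIG" > "$tmp"
    before=$(effective_value "$tmp" PermitRootLogin)   # unset: compiled-in default applies
    harden_config "$tmp"
    after=$(effective_value "$tmp" PermitRootLogin)    # no
    if audit_config "$tmp"; then state=hardened; else state=NOT-hardened; fi
    rm -f "$tmp"
    echo "PermitRootLogin before=$before after=$after config=$state"
}

demo
```

Run the same audit_config against the real /usr/local/etc/sshd_config after install.sh; a "NOT-hardened" result means the directive is still commented and sshd is running on its defaults.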
