SUMMARY: Sun Crypto cards and compiling SSH

From: Eric Watson
Date: Mon Jun 24 2002 - 16:35:17 EDT

Thanks to all who responded.  This is a tough one, and ultimately
unsatisfying, in that we don't really know if we are using the cards or if
SSL has reverted to internal entropy gathering.  We're actually going to
look into commercial SSH support.  It seems clear that we're not the only
ones who don't really understand this!  We're also going to experiment with
building OpenSSH using the SSL that shipped from Sun with the cards.
Anyway, here's what we did:

--Must use an "engine" version of OpenSSL 0.9.6. We used 0.9.6c

--During OpenSSH configuration, we used the option --with-libs=-ldl (ell,
dee, ell). This seemed to be necessary with the "engine" versions of OpenSSL
to prevent complaints about symbol reference errors between libcrypto.a and

--We also found it useful to make sure libcrypto.a and libssl.a are in
/usr/local/lib and that openssl header files are in
/usr/local/include/openssl, even if they were originally installed in
alternate locations. (Setting PATH variables and appropriate compiler flags
didn't seem to do the trick.)

--We made sure to have the Sun-tailored TCP wrappers with IPv6 support in
place as /usr/local/lib/libwrap.a and /usr/local/include/tcpd.h

--The Sun-provided GNU "strip" and OpenSSH don't seem to play nice together
on Sun boxes. We'd seen this occasionally on Ultras running Solaris 7 as
well (though others with theoretically-identical configurations had built
fine). So in the "install-files" section of the Makefile, we took any
instances of the -s option to ginstall out of lines like this:

        $(INSTALL) -m $(SSH_MODE) ssh $(DESTDIR)$(bindir)/ssh
        $(INSTALL) -m 0755 scp $(DESTDIR)$(bindir)/scp

We are far from expert at tweaking installations and there may be much more
elegant ways to solve all these problems, but this functioned for us.


Eric P. Watson
Supervisor of System Administration
Harvard Law School 617-496-6518
sunmanagers mailing list
Received on Mon Jun 24 16:41:46 2002
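
The build steps in the post above, as an added shell example that is not part of the original message: one function checks that the libraries and headers sit at the paths the post names, the other drops the -s option from $(INSTALL) lines of a Makefile. The function names and the position of -s on the install line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Paths are the ones named in the post; an optional root prefix allows a dry
# run against a staging tree.

# Print every prerequisite missing under root $1 (default: the real /).
# Returns non-zero if anything is missing.
check_prereqs() {
    root=${1:-}
    missing=0
    for f in /usr/local/lib/libcrypto.a /usr/local/lib/libssl.a \
             /usr/local/lib/libwrap.a /usr/local/include/tcpd.h; do
        if [ ! -f "$root$f" ]; then
            echo "missing: $f"
            missing=1
        fi
    done
    if [ ! -d "$root/usr/local/include/openssl" ]; then
        echo "missing: /usr/local/include/openssl/"
        missing=1
    fi
    return $missing
}

# Write Makefile $1 to stdout with a standalone -s removed from $(INSTALL)
# lines, so binaries are installed unstripped. Other lines pass through
# unchanged. Assumes -s appears as its own whitespace-separated word.
strip_install_s() {
    sed '/\$(INSTALL)/s/[[:space:]]-s[[:space:]]/ /' "$1"
}

# Typical order, run from the OpenSSH source directory:
#   check_prereqs && ./configure --with-libs=-ldl
#   strip_install_s Makefile > Makefile.nostrip && mv Makefile.nostrip Makefile
```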
