SUMMARY of two related posts:
  Subject: About OpenSSH PrivSep
  Subject: OpenSSH in, SUNWssh* out

----------------------------------------------------------------------
Regarding Subject: About OpenSSH PrivSep
----------------------------------------------------------------------
In my original notes I said:
>Question for those of you who are using OpenSSH -- especially those
>who built the newer (7.1.1p1) versions...
>>I have built the OpenSSH 7.1.1p2 (yes, patch-two!) version.

All references to '7.1.1' should have been '3.7.1'. (Dain bramage.)
(Thanks to Ryan A. Krenzischek for waking me up on this.)

Running Solaris9 and using tools from sunfreeware.com:
  gcc-3.3          BUILD machine
  openssl-0.9.7b
  libgcc-3.3       Needed by OpenSSL on NON-build machines (no gcc installed)

After all responses were in and my digging around I ended up building
OpenSSH-3.7.1p2 using:

  ./configure --with-pam --disable-suid-ssh --without-rsh \
      --with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
      --without-prngd --without-rand-helper \
      --with-tcp-wrappers=/usr/sfw
  (Allowed default: --prefix=/usr/local)

After your ./configure and make this is GREAT ...
The openssh-3.7.1 tar.gz packages include:
  contrib/solaris/buildpkg.sh
which will create a package usable as:
  pkgadd -d OpenSSH-Solaris-sparc-OpenSSH_3.7.1p2.pkg

Furthermore, the generated package will have all pre/post install
scripts for creating the privsep user/group/directory IF NEEDED, as
well as the /etc/{init.d,rc.d} scripts/links. The 'buildpkg.sh' reads
the configuration used to build (make) the binaries to determine values
for the installation package, scripts, etc. I was most impressed with
it.

Thanks to:
  Vahid Moghaddasi
  Dave Foster
    For the UsePrivilegeSeparation validation.
  Mitch Bruntel
  Dave Foster
    For remarks on --use-pam and "UsePAM".

And, the ultimate tip came:
>From Mitch Bruntel <> Thu Sep 25 15:58:41 2003
FYI, sunfreeware.com has posted the latest version of their OpenSSH
patches too.

----------------------------------------------------------------------
Regarding Subject: OpenSSH in, SUNWssh* out
----------------------------------------------------------------------
In my original (corrected) notes I said:
>I have built the OpenSSH 3.7.1p2 (yes, patch-two!) version.
>I used the included 'contrib/solaris/buildpkg.sh' script to build a
>'pkgadd' installable package. Works great!
>
>NOW, I have:
>Security   OpenSSH     OpenSSH Portable for Solaris
>
>And I want to 'pkgrm' these:
>system     SUNWsshcu   SSH Common, (Usr)
>system     SUNWsshdr   SSH Server, (Root)
>system     SUNWsshdu   SSH Server, (Usr)
>system     SUNWsshr    SSH Client and utilities, (Root)
>system     SUNWsshu    SSH Client and utilities, (Usr)
>
>Q: I get the impression that 'pkgrm -R PATH' will save a removed
>   package to the specified PATH. Is this correct?

A: NO! (Just as I suspected.)

Thanks to:
  Darren, JV

The SUNWssh* packages can be removed in one invocation *if* they are
specified in the proper order. I used this little documented script:
-----------------------------------
# @(#)BRWms: UnInstall SUN SSH
#607:SUNWsshdu   SSH Server, (Usr)
#605:SUNWsshdr   SSH Server, (Root)
#609:SUNWsshr    SSH Client and utilities, (Root)
#611:SUNWsshu    SSH Client and utilities, (Usr)
#603:SUNWsshcu   SSH Common, (Usr)
set -x
pkgrm SUNWsshdu* SUNWsshdr* SUNWsshr* SUNWsshu* SUNWsshcu*
-----------------------------------

----------------------------------------------------------------------
Tips for those moving from SUNWssh* to OpenSSH...
----------------------------------------------------------------------
I personally do NOT recommend building OpenSSH with the --sysconfdir
set to /etc/ssh! This path tends to be used by the vendors (Sun) as
their default SSH Daemon config area.
The overwhelming recommendation from my research is to use:
  --sysconfdir=/etc/openssh

You will want to copy your server keys from the SUNWssh* location
(/etc/ssh/*_key*) to the OpenSSH 'sysconfdir' (I used /etc/openssh)
directory so that your server continues to ID the same.

The old (SUNWssh) /etc/sshd_config file will cause complaints with
the new OpenSSH-3.7.1 'sshd'. Use the new ssh[d]_config files and
migrate in your special needs from your old "*_config" files.

UNLESS you created the package to install as --prefix=/ (root) you
can install OpenSSH before you uninstall (pkgrm) SUNWssh*. Otherwise
you will need to 'pkgrm SUNWssh* ...' before you 'pkgadd -d OpenSSH'.

And, you can try out the OpenSSH before you remove the SUNWssh*, but be
careful to get the location of the OpenSSH binaries first in your path
-- something like:
  PATH=/usr/local/bin:$PATH ssh -V
(The new /etc/init.d/openssh has correct FQ-PATH to 'sshd'. You can
 /etc/init.d/sshd stop; /etc/init.d/opensshd start)

Thanks to everyone on the list for your help!

As always, special recognition to those who entertain for one moment
the notion that I am going to play clicky-clicky on some web page to
get past their SPAM blocker. Why are they even subscribed to this
list? They'll never see anything from it even if they post a question
to it!

Free unrelated tip: You people "On vacation" or "Out of the office",
set your 'vacation' filter to NOT respond to things including
'sunmanagers' in the header!

--
---------------------------------------------
Bill R. Williams <brw@etsu.edu>
------------------------
ETSU Library Systems
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Sep 26 10:25:54 2003
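
Added example (not part of the original post): one way to do the
host-key copy described in the tips above, checking that each copy is
byte-identical so the host key clients already trust does not change.
The function name migrate_host_keys and the '.pre-migration' suffix are
assumptions; the default directories are the ones the post names.

```shell
#!/bin/sh
# Added example: copy SSH host keys from the vendor config directory to
# the OpenSSH sysconfdir and verify every copy.
# migrate_host_keys is a hypothetical helper, not part of OpenSSH or of
# buildpkg.sh; /etc/ssh and /etc/openssh are the paths from the post.

migrate_host_keys() {
    src=${1:-/etc/ssh}
    dst=${2:-/etc/openssh}
    copied=0

    [ -d "$src" ] || { echo "no source directory: $src" >&2; return 2; }
    [ -d "$dst" ] || { echo "no target directory: $dst" >&2; return 2; }

    for key in "$src"/*_key*; do
        [ -f "$key" ] || continue           # glob matched nothing
        name=$(basename "$key")
        target="$dst/$name"

        # Keep, rather than overwrite, a different key that is already
        # present in the target directory.
        if [ -f "$target" ] && ! cmp -s "$key" "$target"; then
            mv "$target" "$target.pre-migration" || return 1
        fi

        cp -p "$key" "$target" || return 1
        case "$name" in
            *.pub) chmod 644 "$target" ;;   # public half: readable
            *)     chmod 600 "$target" ;;   # private half: owner only
        esac
        cmp -s "$key" "$target" || { echo "copy differs: $name" >&2; return 1; }
        copied=$((copied + 1))
    done

    [ "$copied" -gt 0 ] || { echo "no *_key* files in $src" >&2; return 3; }
    echo "$copied"                          # number of key files migrated
}
```

Run it as root before starting the new sshd; sshd refuses private host
keys that are readable by group or others, which is why the modes are
set explicitly.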