SUMMARY About OpenSSH in (build) & SUNWssh out

From: Bill R. Williams <>
Date: Fri Sep 26 2003 - 10:25:59 EDT
SUMMARY of two related posts:
Subject: About OpenSSH PrivSep
Subject: OpenSSH in, SUNWssh* out

Regarding Subject: About OpenSSH PrivSep
In my original notes I said:
>Question for those of you who are using OpenSSH -- especially those
>who built the newer (7.1.1p1) versions...
>>I have built the OpenSSH 7.1.1p2 (yes, patch-two!) version.

All references to '7.1.1' should have been '3.7.1'.  (Dain bramage.)
(Thanks to Ryan A. Krenzischek for waking me up on this.)

Running Solaris9 and using tools from
	gcc-3.3		BUILD machine
	libgcc-3.3	Needed by OpenSSL on NON-build machines (no
			gcc installed)

After all responses were in and my digging around I ended up building
OpenSSH-3.7.1p2 using:
  ./configure --with-pam --disable-suid-ssh --without-rsh \
	--with-lastlog=/var/adm/lastlog --sysconfdir=/etc/openssh \
	--without-prngd --without-rand-helper \

(Allowed default: --prefix=/usr/local)

After your ./configure and make this is GREAT ...
The openssh-3.7.1 tar.gz packages include:
which will create a package usable as:
	pkgadd -d OpenSSH-Solaris-sparc-OpenSSH_3.7.1p2.pkg
Furthermore, the generated package will have all pre/post install
scripts for creating the privsep user/group/directory IF NEEDED, as
well as the /etc/{init.d,rc.d} scripts/links.
The '' reads the configuration used to build (make) the
binaries to determine values for the installation package, scripts, etc.
I was most impressed with it.

Thanks to:

Vahid Moghaddasi
Dave Foster
	For the UsePrivilegeSeparation validation.

Mitch Bruntel
Dave Foster
	For remarks on --use-pam and "UsePAM"

And, the ultimate tip came:
>From Mitch Bruntel <> Thu Sep 25 15:58:41 2003

FYI,  has posted the latest version of their OpenSSH
patches too.

Regarding Subject: OpenSSH in, SUNWssh* out
In my original (corrected) notes I said:

>I have built the OpenSSH 3.7.1p2 (yes, patch-two!) version.
>I used the included 'contrib/solaris/' script to build a
>'pkgadd' installable package.  Works great!
>NOW, I have:
>Security    OpenSSH              OpenSSH Portable for Solaris
>And I want to 'pkgrm' these:
>system      SUNWsshcu            SSH Common, (Usr)
>system      SUNWsshdr            SSH Server, (Root)
>system      SUNWsshdu            SSH Server, (Usr)
>system      SUNWsshr             SSH Client and utilities, (Root)
>system      SUNWsshu             SSH Client and utilities, (Usr)
>Q: I get the impression that 'pkgrm -R PATH' will save a removed
>   package to the specified PATH.  Is this correct? 
A: NO!  (Just as I suspected.)

Thanks to: Darren, JV

The SUNWssh* packages can be removed in one invocation *if* they are
specified in the proper order.  I used this little documented script:
# @(#)BRWms: UnInstall SUN SSH
#607:SUNWsshdu             SSH Server, (Usr)
#605:SUNWsshdr             SSH Server, (Root)
#609:SUNWsshr              SSH Client and utilities, (Root)
#611:SUNWsshu              SSH Client and utilities, (Usr)
#603:SUNWsshcu             SSH Common, (Usr)

set -x
pkgrm SUNWsshdu* SUNWsshdr* SUNWsshr* SUNWsshu* SUNWsshcu*

Tips for those moving from SUNWssh* to OpenSSH...
I personally do NOT recommend building OpenSSH with the --sysconfdir
set to /etc/ssh!  This path tends to be used by the vendors (Sun) as
their default SSH Daemon config area.  The overwhelming recommendation
from my research is to use: --sysconfdir=/etc/openssh

You will want to copy your server keys from the SUNWssh* location
(/etc/ssh/*_key*) to the OpenSSH 'sysconfdir' (I used /etc/openssh)
directory so that your server continues to ID the same.

The old (SUNWssh) /etc/sshd_config file will cause complaints with the
new OpenSSH-3.7.1 'sshd'.  Use the new ssh[d]_config files and migrate
in your special needs from your old "*_config" files.

UNLESS you created the package to install as --prefix=/ (root) you can
install OpenSSH before you uninstall (pkgrm) SUNWssh*.  Otherwise you
will need to 'pkgrm SUNWssh* ...' before you 'pkgadd -d OpenSSH'.
And, you can try out the OpenSSH before you remove the SUNWssh*, but
be careful to get the location of the OpenSSH binaries first in your
path -- something like:  PATH=/usr/local/bin:$PATH ssh -V
(The new /etc/init.d/openssh has correct FQ-PATH to 'sshd'.  You can
/etc/init.d/sshd stop; /etc/init.d/opensshd start)

Thanks to everyone on the list for your help!

As always, special recognition to those who entertain for one moment
the notion that I am going to play clicky-clicky on some web page to
get past their SPAM blocker.  Why are they even subscribed to this
list?  They'll never see anything from it even if they post a question
to it!

Free unrelated tip:
You people "On vacation" or "Out of the office", set your
'vacation' filter to NOT respond to things including 'sunmanagers' in
the header!

 Bill R. Williams               <>
 ------------------------ ETSU Library Systems
sunmanagers mailing list
Received on Fri Sep 26 10:25:54 2003
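
The host-key copy described in the migration tips above, as an added example that is not part of the original post: it copies the `*_key*` files from the old config directory to the new sysconfdir, sets private keys to 0600 and public keys to 0644, verifies each copy byte-for-byte, and refuses to replace a different key already present. The function name `migrate_host_keys` is hypothetical; the default paths are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function name is hypothetical;
# default directories are the ones the post mentions.
# Usage: migrate_host_keys [old_dir] [new_sysconfdir]   (prints number copied)

migrate_host_keys() {
    src=${1:-/etc/ssh}
    dst=${2:-/etc/openssh}
    copied=0

    [ -d "$src" ] || { echo "no such source dir: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2

    for key in "$src"/*_key*; do
        [ -f "$key" ] || continue          # glob matched nothing
        name=`basename "$key"`
        target="$dst/$name"

        # A different key already in the new location would change the
        # server's identity for clients; stop rather than overwrite it.
        if [ -f "$target" ]; then
            cmp -s "$key" "$target" || {
                echo "refusing to overwrite differing $target" >&2
                return 1
            }
        fi

        cp -p "$key" "$target" || return 1
        case "$name" in
            *.pub) chmod 644 "$target" ;;  # public half may be world-readable
            *)     chmod 600 "$target" ;;  # sshd rejects loosely-permissioned private keys
        esac

        cmp -s "$key" "$target" || { echo "verify failed: $name" >&2; return 1; }
        copied=`expr "$copied" + 1`
    done

    [ "$copied" -gt 0 ] || { echo "no host keys found in $src" >&2; return 3; }
    echo "$copied"
}
```

After the copy, `ssh-keygen -l -f` on the old and new `.pub` files should print the same fingerprint, which is what keeps clients' `known_hosts` entries valid.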
