Installing OpenSSH from source on SuSe 10

Installing OpenSSH 5.2 on a SUSE Linux Enterprise Server 10

The current version of my SUSE is:

cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (i586)
VERSION = 10
PATCHLEVEL = 1

1 – Download OpenSSH:

cd /usr/src
wget http://anga.funkfeuer.at/ftp/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz

2 – Unpack it:

tar zxvf openssh-5.2p1.tar.gz

3 – Check if you have the necessary packages:

automake-1.9.6-2.i586.rpm
cpp-4.0.2_20050901-3.i586.rpm
gcc-4.0.2_20050901-3.i586.rpm
gcc-c++-4.0.2_20050901-3.i586.rpm
glibc-2.3.5-40.i586.rpm
glibc-devel-2.3.5-40.i586.rpm
libselinux-1.23.11-3.i586.rpm
libstdc++-4.0.2_20050901-3.i586.rpm
libstdc++-devel-4.0.2_20050901-3.i586.rpm
openssl-devel-0.9.8a-18.15.i586.rpm
pam-devel-0.99.6.3-28.8.i586.rpm
pam_ssh-1.91-19.2.i586.rpm
sudo-1.6.8p9-2.i586.rpm
tcpd-devel-7.6-731.2.i586.rpm
zlib-devel-1.2.3-3.i586.rpm

You can check it by typing:

rpm -qa (example: "rpm -qa | grep openssl-devel")

4 – If any packages are missing, I advise you to search for them on www.filewatcher.com and install them using:

rpm -ivh (example: "rpm -ivh tcpd-devel-7.6-731.2.i586.rpm")

5 – Run configure:

cd /usr/src/openssh-5.2p1
./configure --prefix=/opt/ssh2 --with-libs=-ldl --disable-suid-ssh --with-privsep-user=sshd --with-tcp-wrappers --with-pam

After some time, you should see something like this:

OpenSSH has been configured with the following options:
User binaries: /opt/ssh2/bin
System binaries: /opt/ssh2/sbin
Configuration files: /opt/ssh2/etc
Askpass program: /opt/ssh2/libexec/ssh-askpass
Manual pages: /opt/ssh2/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh2/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags:
Linker flags:
Libraries: -lresolv -lcrypto -lutil -lz -lnsl -ldl -lcrypt
+for sshd: -lwrap -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

6 – Install contrib scripts. The directory /usr/src/openssh-5.2p1/contrib contains some files that we can use to set up our server:

cp sshd.pam.generic /etc/pam.d/sshd
cp rc.sshd /etc/init.d/sshd
cp sysconfig.ssh /etc/sysconfig/ssh
cp rc.config.sshd /etc/rc.d/sshd
chmod 755 /etc/init.d/sshd /etc/rc.d/sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20-sshd

7 – Configure some parameters. Edit the main SSHD configuration file:

vi /opt/ssh2/etc/sshd_config
Ensure that some lines are uncommented:
Line 21: Protocol 2 -> Enable only protocol version 2 (more secure)
Line 41: PermitRootLogin no -> Do not enable root login
Line 46: RSAAuthentication yes -> enable authentication through auth-keys
Line 47: PubkeyAuthentication yes -> enable authentication through auth-keys
Line 48: AuthorizedKeysFile .ssh/authorized_keys -> enable authentication through auth-keys (keys location – user’s home)
Line 86: UsePAM yes -> enable PAM authentication
Line 113: Subsystem sftp /opt/ssh2/libexec/sftp-server -> enable the sftp subsystem (for secure file transfer – NOT SCP)
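
The settings from step 7 can be checked mechanically before starting the server. The sh script below is an added example, not part of the original post; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings listed in step 7.
# Keywords are case-insensitive and sshd uses the first value it finds, so the
# check does the same; it stops at the first Match block (end of global scope).
# "keyword|value" pairs taken from step 7 of the post.
EXPECTED='Protocol|2
PermitRootLogin|no
RSAAuthentication|yes
PubkeyAuthentication|yes
AuthorizedKeysFile|.ssh/authorized_keys
UsePAM|yes
Subsystem sftp|/opt/ssh2/libexec/sftp-server'

# effective_value FILE KEYWORD: print the first uncommented value, if any.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }          # conditional blocks start here
        {
            n = (tolower($1) == "subsystem") ? 2 : 1   # Subsystem is keyed by name
            key = (n == 2) ? $1 " " $2 : $1
            if (tolower(key) != tolower(want)) next
            val = $(n + 1)
            for (i = n + 2; i <= NF; i++) val = val " " $i
            print val; exit
        }' "$1"
}

# audit_sshd_config FILE: print a report; exit status = number of failures.
audit_sshd_config() {
    failures=0
    while IFS='|' read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', got '${got:-<unset or commented>}'"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Constructed sample input (not a real server's file): root login left commented.
sample=$(mktemp)
printf '%s\n' 'Protocol 2' '#PermitRootLogin no' 'RSAAuthentication yes' 'pubkeyauthentication yes' \
    'AuthorizedKeysFile .ssh/authorized_keys' 'UsePAM yes' 'Subsystem sftp /opt/ssh2/libexec/sftp-server' > "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

Against the real file, call it as audit_sshd_config /opt/ssh2/etc/sshd_config; a non-zero exit status is the number of settings that differ from step 7.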

8 – Start the server:

/etc/init.d/sshd start

9 – Perform a login test

10 – Check your /var/log/messages. If you see the following messages:

Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `nodelay'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `nodelay'

Edit your /etc/pam.d/sshd and change the following lines:

auth required /lib/security/pam_unix.so shadow nodelay

to

auth required /lib/security/pam_unix.so

and

password required /lib/security/pam_unix.so shadow nullok use_authtok

to

password required /lib/security/pam_unix.so use_authtok

That's it!