System Adm » suse http://www.system.adm.br Some IT Tips (Linux, Unix, HP-UX, AIX, Solaris, etc). Wed, 19 May 2010 20:11:00 +0000 en hourly 1 http://wordpress.org/?v=3.0 Installing OpenSSH from source on SuSe 10 http://www.system.adm.br/2009/04/installing-openssh-from-source-on-suse-10/ http://www.system.adm.br/2009/04/installing-openssh-from-source-on-suse-10/#comments Tue, 07 Apr 2009 14:13:35 +0000 Lincoln Zuljewic Silva http://www.system.adm.br/?p=3 The current version of my SuSe is:
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (i586) VERSION = 10 PATCHLEVEL = 1

1 – Download OpenSSH:
# cd /usr/src
# wget http://anga.funkfeuer.at/ftp/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz

2 – Unpack it:
# tar zxvf openssh-5.2p1.tar.gz

3 – Check if you have the necessary packages:
automake-1.9.6-2.i586.rpm
cpp-4.0.2_20050901-3.i586.rpm
gcc-4.0.2_20050901-3.i586.rpm
gcc-c++-4.0.2_20050901-3.i586.rpm
glibc-2.3.5-40.i586.rpm
glibc-devel-2.3.5-40.i586.rpm
libselinux-1.23.11-3.i586.rpm
libstdc++-4.0.2_20050901-3.i586.rpm
libstdc++-devel-4.0.2_20050901-3.i586.rpm
openssl-devel-0.9.8a-18.15.i586.rpm
pam-devel-0.99.6.3-28.8.i586.rpm
pam_ssh-1.91-19.2.i586.rpm
sudo-1.6.8p9-2.i586.rpm
tcpd-devel-7.6-731.2.i586.rpm
zlib-devel-1.2.3-3.i586.rpm

You can check it by typing:
# rpm -qa (example: "rpm -qa |grep openssl-devel")

4 – If there are some packeage missing, I advice you search it in www.filewatcher.com and install using:
# rpm -ivh (example: "rpm -ivh tcpd-devel-7.6-731.2.i586.rpm")

5 – Run configure:
# cd /usr/src/openssh-5.2p1
# ./configure --prefix=/opt/ssh2 --with-libs=-ldl --disable-suid-ssh --with-privsep-user=sshd -with-tcp-wrappers --with-pam

After some time, you should see something like this:
OpenSSH has been configured with the following options:
User binaries: /opt/ssh2/bin
System binaries: /opt/ssh2/sbin
Configuration files: /opt/ssh2/etc
Askpass program: /opt/ssh2/libexec/ssh-askpass
Manual pages: /opt/ssh2/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh2/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags:
Linker flags:
Libraries: -lresolv -lcrypto -lutil -lz -lnsl -ldl -lcrypt +for sshd: -lwrap -lpam

PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

6 – Install contrib scripts. Check into /usr/src/openssh-5.2p1/contrib some files that we can use to setup our server:
# cp sshd.pam.generic /etc/pam.d/sshd
# cp rc.sshd /etc/init.d/sshd
# cp sysconfig.ssh /etc/sysconfig/ssh
# cp rc.config.sshd /etc/rc.d/sshd
# chmod 755 /etc/init.d/sshd /etc/rc.d/sshd
# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20-sshd

7 – Configure some parameters. Edit the main SSHD configuration file
# vi /opt/ssh2/etc/sshd_config
Ensure that some lines are uncommented:
Line 21: Protocol 2 -> Enable just the protocol version 2 (more secure)
Line 41: PermitRootLogin no -> Do not enable root login
Line 46: RSAAuthentication yes -> enable authentication thru auth-keys
Line 47: PubkeyAuthentication yes -> enable authentication thru auth-keys
Line 48: AuthorizedKeysFile .ssh/authorized_keys -> enable authentication thru auth-keys (keys location - user's home)
Line 86: UsePAM yes -> enable PAM authentication
Line 113: Subsystem sftp /opt/ssh2/libexec/sftp-server -> enable the sftp subsystem (for secure file transfer - NOT SCP)

8 – Start the server:
# /etc/init.d/sshd start

9 – Place a login test

10 – Check in your /var/log/message. If you see the following message:
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `nodelay'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `nodelay'

Edit your /etc/pam.d/sshd and change the following lines:
auth required /lib/security/pam_unix.so shadow nodelay
to
auth required /lib/security/pam_unix.so

and

password required /lib/security/pam_unix.so shadow nullok use_authtok
to
password required /lib/security/pam_unix.so use_authtok

Thats it!

]]> http://www.system.adm.br/2009/04/installing-openssh-from-source-on-suse-10/feed/ 0