Install OpenSSH to Replace the Remote Access Protocols with Encrypted Versions

Written by Allan Servedio; published January 2007.




Problem: The common UNIX remote access protocols (telnet, FTP and the Berkeley r-commands) are unencrypted. Account and password information can easily be sniffed by unauthorized intruders and by others who have been granted access to the same network. OpenSSH can be used to encrypt all remote sessions, thereby eliminating this vulnerability.
OpenSSH is free and runs on virtually all UNIX and Linux variants. Zlib (a compression library) and OpenSSL (the secure sockets layer software) are required by OpenSSH, so you need to install them first. A suitable random number generator is also highly recommended.

Note 

The examples and instructions in this section demonstrate installation and configuration of Zlib, ANDIrand, PRNGD, OpenSSL, and OpenSSH on Solaris 8. Depending on the version of UNIX/Linux you are running, there will be some slight variation in specifics.

Tech Tip 

In the installation/configuration sections which follow, it is highly recommended, and in keeping with best security practices, that 1) the integrity of downloads is verified with any mechanisms made available to you, such as checksums and/or cryptographic signatures, and 2) all steps be performed using non-root accounts, except for those which require root permissions.

Step 1. Download and install the GNU C compiler

Since all the software to install is in source code format and will have to be compiled, you need to make sure that you have a C compiler installed. If not, download and install the GNU C compiler.

Point your web browser to http://gcc.gnu.org/install/binaries.html

Click on the Solaris 2 - Sunfreeware link.

Click on FTP/Mirror Sites on the left-hand column, and then choose one of the mirror sites (generally you will get better download performance from a mirror site).

Click on Sparc/Solaris 8 on the right-hand column to see the list of software available for Solaris 8; scroll down and click on the latest release of gcc (3.2 as of this writing).

Usually the latest gcc package will appear at the top of the page, e.g. gcc-3.2-sol8-sparc-local.gz. Download this package into /usr/local.

Uncompress the .gz file, as shown below:

        $ cd /usr/local
        $ gunzip ./gcc-3.2-sol8-sparc-local.gz

Use pkgadd to install the gcc binaries, as shown below:

        $ su
        Password: ********
        # pkgadd -d ./gcc-3.2-sol8-sparc-local

This will install a new Solaris package named SMCgcc. The gcc binary will be placed in /usr/local/bin. Use pkginfo to verify the installation, as shown below:

       # pkginfo -l  SMCgcc
           PKGINST:  SMCgcc
              NAME:  gcc
          CATEGORY:  application
              ARCH:  sparc
           VERSION:  3.2
           BASEDIR:  /usr/local
            VENDOR:  Free Software Foundation
            PSTAMP:  Steve Christensen
          INSTDATE:  Nov 14 2002 16:52
             EMAIL:  steve@smc.vnet.net
            STATUS:  completely installed
             FILES:      1776 installed pathnames
                            4 linked files
                          136 directories
                           43 executables
                       548584 blocks used (approx)

Step 2. Download, compile and install Zlib compression library

Point your web browser to http://www.gzip.org/zlib.

Download the latest version of the ".gz" format of Zlib (1.1.4 as of this writing) into /usr/local.

Use gunzip and tar to extract the source code, as shown below:

        $ cd /usr/local
        $ gunzip ./zlib-1.1.4.tar.gz
        $ tar xvf ./zlib-1.1.4.tar

This will create a source-code directory structure such as /usr/local/zlib-1.1.4.

Review the README and Makefile files.

Configure, make and compile, as shown below:

        $ cd /usr/local/zlib-1.1.4
        $ ./configure
        $ make test
        $ su
        Password: ********
        # make install

Step 3. Download, compile and install a random number generator

Some UNIX implementations, such as Solaris 8, do not provide a random number generator (e.g. /dev/random) out of the box. OpenSSL will automatically provide a random number generator if one is not found on the system, but it is highly recommended to use a higher quality random number generator, such as ANDIrand, PRNGD or EGD. Instructions are provided below for both ANDIrand and PRNGD.

ANDIrand

ANDIrand is a simple package install (as opposed to a source-code compile) and creates the /dev/random and /dev/urandom devices at install time, from which OpenSSL, one of the prerequisites of OpenSSH, obtains its random data.

Point your web browser to http://www.cosy.sbg.ac.at/~andi/SUNrand/.

Download the latest version of the package (0.7 as of this writing) into /usr/local.

Use pkgadd to install the ANDIrand binaries as user root, as shown below:

        # cd /usr/local
        # pkgadd -d ./ANDIrand-0.7-5.8-sparc-1.pkg

Note: You will be prompted as to whether to continue installing the package with root privileges; enter "Y" to continue.

This will install a new Solaris package named ANDIrand and will also create the /dev/random and /dev/urandom files on your system. Use pkginfo -l to see the details of the install:

        # pkginfo -l  ANDIrand
            PKGINST:  ANDIrand
               NAME:  random-0.7
           CATEGORY:  system
               ARCH:  sparc
            VERSION:  0.7
            VENDOR:   Andreas Maier
              DESC:   random number generator
            PSTAMP:   200111201124
          INSTDATE:   Nov 18 2002 14:28
           HOTLINE:   http://www.cosy.sbg.ac.at/~andi/
             EMAIL:   andi@cosy.sbg.ac.at
            STATUS:   completely installed
             FILES:        13  installed pathnames
                            8  shared pathnames
                            2  linked files
                            7  directories
                            2  executables
                           26  blocks used (approx)

PRNGD

PRNGD is a source-code compile, which creates a prngd executable to be run as a daemon on the UNIX system.

Point your web browser to http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Click on the prngd 0.9.27 link in the Download section to download the latest version of the prngd source code (0.9.27 as of this writing) into /usr/local.

Use gunzip and tar to extract the source code, as shown below:

        $ cd /usr/local
        $ gunzip ./prngd-0.9.27.tar.gz
        $ tar xvf ./prngd-0.9.27.tar
        $ cd ./prngd-0.9.27

This will create a source-code directory structure such as /usr/local/prngd-0.9.27.

Review the 00README file for compile and install instructions.

Use your favorite editor to edit the "Makefile" file and make the following two changes:

Scroll down to the section corresponding to your particular OS and uncomment the lines in that section.

Scroll down to the section beginning with "# Move default locations" and select a default location for storing the prngd-seed and prngd.conf files. (If you don't specify a new default location, the default is /usr/local/etc/prngd.)

Become root:

        $ su
        Password:  *********
        #

After saving changes to the Makefile, run make to compile the prngd source code:

        # make

Copy the prngd executable to /usr/local/sbin:

        # cp -p ./prngd /usr/local/sbin

Copy a default prngd.conf file. There are sample prngd.conf files for numerous OSes under the contrib subdirectory. The location of the prngd.conf file should be consistent with what you specified earlier when you edited the Makefile. In the following example, a sample Solaris prngd.conf file is copied to the default location of /usr/local/etc/prngd:

        # pwd
        /usr/local/prngd-0.9.27
        # cd contrib
        # ls
        AIX-3.2        IRIX-65        OSF1          SCO3          SunOS-4
        AIX-4.3        Linux-2        OSR5          Solaris-2.6   Tru64
        ATT-NCR        MacOSX-10      OpenUNIX-8    Solaris-7     Ultrix-4.5
        HPUX           NeXTStep-3.3   ReliantUNIX   Solaris-8     Unixware-7
        # cd Solaris-7
        # ls
        prngd.conf.solaris-7
        # cp ./prngd.conf.solaris-7 /usr/local/etc/prngd/prngd.conf

Note: The Solaris-8 directory simply has instructions to use the conf file from the Solaris-7 directory.

Use the following command to generate an initial "seed" for PRNGD:

        # cat /var/adm/messages /var/log/syslog > /usr/local/etc/prngd/prngd-seed

Start PRNGD:

        # /usr/local/sbin/prngd /var/run/egd-pool

Since PRNGD is a daemon, you'll want to create a startup script and place it in the appropriate OS startup directory so the system will automatically start PRNGD at boot. There are sample startup scripts for most OSes in the "contrib" subdirectory:

        # pwd
        /usr/local/prngd-0.9.27
        # cd contrib
        # ls
        AIX-3.2        IRIX-65        OSF1          SCO3          SunOS-4
        AIX-4.3        Linux-2        OSR5          Solaris-2.6   Tru64
        ATT-NCR        MacOSX-10      OpenUNIX-8    Solaris-7     Ultrix-4.5
        HPUX           NeXTStep-3.3   ReliantUNIX   Solaris-8     Unixware-7

Step 4. Download, compile and install OpenSSL

Point your web browser to http://www.openssl.org/source/

Download the latest version of the source code (0.9.7b as of this writing) into /usr/local.

Use gunzip and tar to extract the source code, as shown below:

        $ cd /usr/local
        $ gunzip ./openssl-0.9.7b.tar.gz
        $ tar xvf ./openssl-0.9.7b.tar
        $ cd openssl-0.9.7b

This will create the source-code directory structure, such as /usr/local/openssl-0.9.7b.

Review the README and INSTALL files.

Configure, make and compile, as shown below:

        $ ./config
        $ make              # go for coffee, this takes a while
        $ make test
        $ su
        Password: ********
        # make install

Step 5. Download, compile and install OpenSSH

Point your web browser to http://www.openSSH.com/portable.html

Download the latest version of the source code (3.6.1p2 as of this writing) into /usr/local.

Use gunzip and tar to extract the source code, as shown below:

        $ cd /usr/local
        $ gunzip ./openssh-3.6.1p2.tar.gz
        $ tar xvf ./openssh-3.6.1p2.tar

This will create a source-code directory structure such as /usr/local/openssh-3.6.1p2 (the portable release tarball and directory are named in lower case).

Review the README and INSTALL files.

Issue the following commands to configure, make and compile OpenSSH. The default options, such as where the binaries will be installed, can be changed when the configure script is run. The options can be displayed by running ./configure --help.

        $ cd /usr/local/openssh-3.6.1p2
        $ ./configure
        $ make
        $ su
        Password: ********

The OpenSSH software requires that we have an sshd UNIX account defined before it will start the "sshd" daemon. If we do not do this before we run make install, we will see the message "Privilege separation user sshd does not exist" at the end of the make install output.

Since we do not want anyone logging in directly to this account, we should make it a non-interactive account. The following command creates the sshd user with a user id of 1100 and an invalid shell that prevents anyone from logging in directly:

        # useradd -c "sshd owner" -d /var/empty \
        -u 1100 -s /bin/false sshd

If the home directory for this account, /var/empty, does not exist, it should be created as follows:

        # mkdir /var/empty
        # chmod 555 /var/empty

As an extra measure of securing this account, issue the following command to lock it:

        # passwd -l sshd

Once the "sshd" user is created, OpenSSH can be installed as shown below.

        # make install

At the end of the make install output, you should see messages similar to the following:

        Generating public/private rsa1 key pair.
        Your identification has been saved in /usr/local/etc/ssh_host_key.
        Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
        The key fingerprint is:
        71:9f:97:e7:23:53:1e:38:84:f2:91:ff:bc:6e:4a:59 root@client.example.com
        Generating public/private dsa key pair.
        Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
        Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
        The key fingerprint is:
        24:95:93:f2:9f:c8:68:37:08:32:f8:12:95:63:26:3a root@client.example.com
        Generating public/private rsa key pair.
        Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
        Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
        The key fingerprint is:
        45:a1:35:51:06:2d:0d:0f:1a:0c:a4:ab:41:05:cd:70 root@client.example.com
        /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config

Congratulations: you have successfully installed the OpenSSH software, both client-side and server-side. If the machine on which you installed will function as an OpenSSH client only (i.e., it will initiate connections to remote systems but not accept remote connections), then you are ready to test and verify that the installation is correct. If the machine will be an OpenSSH client and server (it will accept remote connections), or an OpenSSH server only, there are a few more steps to perform.

Step 6. Configure the sshd_config configuration file

Now that the OpenSSH software is installed, we need to make sure the server configuration is set up correctly. The configuration file for the SSH daemon is called sshd_config and is usually located in /etc/ssh; a source build with the default prefix, as in Step 5, places it in /usr/local/etc/sshd_config (the path shown at the end of the make install output). You can leave most of the settings alone, as the defaults should work for most installations. However, the following should be verified to make sure they are set correctly.

Note 

In the OpenSSH configuration files, the absence of an option means OpenSSH will use the default settings for that option as specified in the man page for sshd.

  • Protocol – The Protocol option sets which SSH protocol versions may be used. By default, SSHv1 and SSHv2 are both permitted. Protocol version 1 has a number of vulnerabilities and its use is discouraged. More information on protocol version 1's problems can be found at http://www.openSSH.com/security.html

    OpenSSH should be set to allow only SSHv2 connections. To do this, uncomment the "Protocol" line in sshd_config and place only a "2" after it, as shown below:

            Protocol 2

  • PermitRootLogin – specifies whether or not root is allowed to log in remotely to the server. By default, OpenSSH allows this. Allowing root to log in remotely is typically discouraged, since it gives an attacker one more avenue to target, and if root is compromised the entire system is compromised. To disable the ability to log in remotely as root, change "PermitRootLogin" as shown below:

            PermitRootLogin no

  • PubkeyAuthentication – specifies whether or not SSHv2 public key authentication is allowed. By default, this is set to "yes". If you plan on using public key authentication, verify that this option is still set to "yes". You can explicitly allow public key authentication by setting the option as shown below:

            PubkeyAuthentication yes

  • X11Forwarding – specifies whether or not the OpenSSH daemon will allow connecting clients to use X11 forwarding. By default, this is not allowed. If you wish to allow incoming clients to use the X11 forwarding feature of OpenSSH, set the X11Forwarding option as shown below:

            X11Forwarding yes

  • Banner – The Banner option specifies a text file whose contents are displayed whenever anyone connects to the server with an SSH client. This may be required for legal purposes. The Banner option can be set as shown below:

            Banner /etc/issue
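As an added example (not part of the original article), the following script audits an sshd_config for the settings discussed in this step. It reads the file the way sshd does: keywords are case-insensitive, "#" starts a comment, the first value given for a keyword wins, and an absent keyword takes the default named in the text. The sample config it writes is constructed for the demonstration, and the temporary path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config against
# the Step 6 settings the way sshd itself reads the file: keywords are
# case-insensitive, '#' starts a comment, and the FIRST value given for a
# keyword wins. Absent keywords take the defaults the article states
# (Protocol 2,1; PermitRootLogin yes; no Banner). Values are single tokens.

# Print the effective value of keyword $2 in file $1 (empty if absent).
sshd_config_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# $1 file, $2 keyword, $3 default when absent, $4 required value.
# Prints a finding and returns 1 when the effective value differs.
check_setting() {
    val=$(sshd_config_get "$1" "$2"); val=${val:-$3}
    [ "$val" = "$4" ] && return 0
    echo "WARN $2 is '$val' (should be '$4')"
    return 1
}

# Run the Step 6 checks on file $1; the return value is the number of findings.
audit_sshd_config() {
    issues=0
    check_setting "$1" Protocol        2,1 2  || issues=$((issues + 1))
    check_setting "$1" PermitRootLogin yes no || issues=$((issues + 1))
    if [ -z "$(sshd_config_get "$1" Banner)" ]; then
        echo "WARN Banner is not set"; issues=$((issues + 1))
    fi
    return "$issues"
}

# Constructed sample config (not from a real host): Protocol 2 is only
# commented out, PermitRootLogin is left at yes, and Banner is absent.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config, constructed for this demonstration
#Protocol 2
permitrootlogin yes
Protocol 2,1
PubkeyAuthentication yes
EOF
}

sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```

Point the audit at the real file (for this build, /usr/local/etc/sshd_config) to confirm that a commented-out "Protocol 2" line has not silently left SSHv1 enabled.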

Step 7. Configure auto-start of sshd daemon (for OpenSSH server)

The OpenSSH server daemon, sshd, must be started before OpenSSH clients will be allowed to connect.

You can simply launch the sshd daemon as root and place it in the background as follows:

        # /usr/local/sbin/sshd &  

You should also place this command in a startup script so that it launches each time the system is booted. For example, on Solaris 8 we could use an editor to insert and save the above command in the file /etc/init.d/sshd_start, then issue the following commands:

        # ln /etc/init.d/sshd_start /etc/rc3.d/S95sshd  

Now each time the system is booted, the sshd daemon will start automatically as user "sshd".
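As an added example (not part of the original article), here is a start/stop script of the kind described above, suitable for saving as /etc/init.d/sshd_start and linking from /etc/rc3.d/S95sshd. Instead of a bare "sshd &", it first runs the same "sshd -t -f sshd_config" syntax check that appeared at the end of the make install output, so a broken sshd_config is reported rather than leaving the host without remote access after a reboot. The binary and config paths are assumptions based on the article's default install prefix, and the pid file path assumes sshd's default PidFile.

```shell
#!/bin/sh
# Added example, not from the original article: start/stop wrapper for the
# sshd built in Step 5. Paths are assumptions from the article's default
# install prefix; the pid file is sshd's default PidFile location.
SSHD=${SSHD:-/usr/local/sbin/sshd}
CONF=${SSHD_CONFIG:-/usr/local/etc/sshd_config}
PIDFILE=${SSHD_PIDFILE:-/var/run/sshd.pid}

# "sshd -t" exits 0 only if the config parses and the host keys load.
sshd_config_ok() {
    "$SSHD" -t -f "$CONF" 2>&1
}

# Refuse to start on a bad config. sshd daemonises itself, so no "&" is needed.
sshd_start() {
    if [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "sshd already running (pid $(cat "$PIDFILE"))"; return 0
    fi
    if ! sshd_config_ok; then
        echo "sshd: $CONF rejected by $SSHD -t, not starting" >&2; return 1
    fi
    "$SSHD" -f "$CONF" && echo "sshd started"
}

# Stop via the pid file sshd writes; nothing to do if it is absent.
sshd_stop() {
    [ -r "$PIDFILE" ] || { echo "sshd not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-}" in
    start) sshd_start ;;
    stop)  sshd_stop ;;
    "")    ;;   # sourced or run without an argument: define functions only
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```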
