(See also related documents at http://web.singnet.com.sg/~garyttt/)
Purpose:
This document is one of the deliverables of the “Centralized LDAP Authentication Project”; the reader may also refer to its sister document titled “Installing and configuring OpenLDAP for Solaris9”.
This document describes the steps involved in installing and configuring an OpenSSH Server, which is also an OpenLDAP Client, with pam_ldap support on Solaris8/9. This is to be accessed by Windows/UNIX/Linux OpenSSH clients.
Another related document "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Solaris Native LDAP Client.
Useful URLs:
· SUN’s “System Administration Guide: Security Services - May 2002” (could be found at http://docs.sun.com)
· OpenSSH: http://www.openssh.org/
· OpenSSH LPK (LDAP Public Key) patch: http://www.opendarwin.org/en/projects/openssh-lpk
· OpenSSL: http://www.openssl.org/
· PAM: http://www.kernel.org/pub/linux/libs/pam/
· PAM_LDAP and NSS_LDAP: http://www.padl.com
· ZLIB: http://www.gzip.org/zlib/
· PRNGD: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
Example used:
· NSS_LDAP and PAM_LDAP library path: /usr/local/lib and /usr/local/lib/security respectively
· OpenSSL install directory = /usr/local/ssl
· OpenLDAP install directory = /usr/local
Note 1: OpenSSH requires a source of random numbers, so the SUN random number devices /dev/random and /dev/urandom must be available. On Solaris9 they are built in; on Solaris8, Patch 112438-01 followed by a reboot is required. Alternatively, you may use PRNGD and specify the configure option --with-prngd-socket=<socket file name of PRNGD>
Note 2: Do not use the Solaris version of the “gcc” compiler version 3.4.X, as there are reports that it gives rise to compilation and/or linking issues. Gcc 3.1.X, 3.2.X and 3.3.X are OK.
This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.
IMPORTANT NOTE 1: Skip this step if OpenSSL is already installed, possibly via the Solaris package file (SMCossl) downloaded from http://www.sunfreeware.com; its default prefix is /usr/local, the binaries will be in /usr/local/ssl/bin and the libraries in /usr/local/ssl/lib.
# cd /var/tmp
# tar xvf openssl-0.9.7e.tar
# cd openssl-0.9.7e
# ./config
# make clean
# make
# make install
# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7e DD MMM YYYY
Prior to doing anything, backup the SUN SSH Server original configuration files and host keys.
# mkdir -p /etc/ssh.orig
# cp /etc/ssh/* /etc/ssh.orig
Now configure OpenSSH with support for PAM and OpenSSL.
NOTE: Solaris SUN-SSH usually stores host keys in /etc/ssh
# cd /var/tmp
# tar xvf openssh-3.9p1.tar
# cd openssh-3.9p1
# env MAKE=/usr/ccs/bin/make LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib ./configure --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl
# make clean
# make
# make install
IMPORTANT NOTE 1: Using --sysconfdir=/etc/ssh preserves the original SUN-SSH /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as the host keys. However, as the original sshd_config file MAY NOT include the NEW settings, you MAY overwrite sshd_config with the sample from the OpenSSH distribution, referring to the original settings as needed.
IMPORTANT NOTE 2: “make install” will NOT overwrite the TWO original SSH v2 host keys already provided by SUN-SSH; it will ADD a THIRD, v1 host key.
Create /etc/init.d/openssh.server, and rename/adjust rc startup links
# mv /etc/rc3.d/S89sshd /etc/rc3.d/s89sshd
# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server
# ln -s /etc/init.d/openssh.server /etc/rc3.d/S99openssh.server
#! /bin/sh
# /etc/init.d/openssh.server: start/stop the OpenSSH sshd built above
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib
export LD_LIBRARY_PATH
PIDFILE=/var/run/sshd.pid
case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        # sshd writes its PID to /var/run/sshd.pid at start-up
        if [ -f "$PIDFILE" ]; then
                PID=`cat "$PIDFILE"`
                if [ -n "$PID" ]; then
                        /usr/bin/kill -9 $PID
                fi
        fi
        ;;
*)
        echo "usage: /etc/init.d/openssh.server {start|stop}"
        ;;
esac
Copy sample sshd_config and ssh_config from OpenSSH build directory.
# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh
# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh
Edit /etc/ssh/sshd_config: enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM, and verify that the path to sftp-server exists.
# vi /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/local/libexec/sftp-server
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes
# mkdir -p /var/empty; chmod 755 /var/empty
# groupadd -g 999 sshd
# useradd -u 999 -g 999 -c "sshd privilege separation" -d /var/empty -s /bin/false sshd
Optionally, if for any reason the host keys for sshd need to be re-created, you may run:
# /usr/local/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
# /usr/local/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
# /usr/local/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
Optionally, you may want to fine-tune the OpenSSH server to make it more secure, e.g. use only Protocol 2, disable the default PermitRootLogin, enable X11Forwarding, and so on. Below is an example:
# sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#X11Forwarding no/X11Forwarding yes/' \
-e 's/#PrintMotd yes/PrintMotd no/' \
/etc/ssh/sshd_config > /etc/ssh/sshd_config_new
# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config
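A check to run after the sed edits above, as an added example that is not part of the original document: it reads the effective value of each keyword the way sshd does (the first uncommented occurrence wins) and compares it with the hardening settings described above. The sample sshd_config it creates under /tmp is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original document: verify the effective
# sshd_config values after the sed edits above. sshd honours the FIRST
# uncommented occurrence of a keyword, so that is the value checked here.
# Usage: sshd_effective FILE KEYWORD  -> prints the effective value
#        sshd_check FILE              -> 0 when every expected setting holds

sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

sshd_check() {
    rc=0
    for pair in Protocol=2 PermitRootLogin=no UsePAM=yes \
                PasswordAuthentication=yes ChallengeResponseAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK   %-32s %s\n' "$key" "$got"
        else
            printf 'FAIL %-32s got "%s", want "%s"\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an sshd_config as left by the sed commands above
SAMPLE_CFG=$(mktemp /tmp/sshd_config.XXXXXX)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/local/libexec/sftp-server
EOF
sshd_check "$SAMPLE_CFG"
```

Run it against the real file with `sshd_check /etc/ssh/sshd_config`; a non-zero exit means at least one of the expected settings is not in effect.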
That’s all. Kill the existing SSH Server and start the OpenSSH Server:
# /etc/init.d/sshd stop; /etc/init.d/openssh.server start
This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.
Log in as root at the console of the LDAP Client (SSH Server)
# mv /etc/pam.conf /etc/pam.conf.orig
# cp /etc/pam.conf.orig /etc/pam.conf
Edit /etc/pam.conf.
Use the following /etc/pam.conf for the SUN Solaris Native LDAP client. It is actually the sample from the Solaris10 documentation, with pam_unix_cred.so.1 commented out.
# pam.conf.ldapv2_native_client
#
# http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
#
# IMPORTANT NOTES from Gary Tay
#
# 1) This is a /etc/pam.conf with password management support that works for:
#
# Solaris10 Native LDAP Client
# Solaris9 Native LDAP Client provided that:
# - latest kernel patch and Patch 112960 are applied
# - all the pam_unix_cred.so.1 lines are commented out
# Solaris8 Native LDAP Client provided that:
# - latest kernel patch and Patch 108993 are applied
# - all the pam_unix_cred.so.1 lines are commented out
#
# 2) If modules for "sshd" or any are not defined, default is "other"
# as seen by output of "grep other /etc/pam.conf"
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
#login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
#rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
#rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
#other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
# domainname example.com
# echo "example.com" >/etc/defaultdomain
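Before rebooting, the conditions listed in the notes of the pam.conf above can be checked mechanically. The following is an added example, not part of the original document: it confirms that no pam_unix_cred.so.1 entry is active, that every auth stack binding pam_unix_auth.so.1 also reaches pam_ldap.so.1 (otherwise LDAP-only users, for whom pam_unix_auth returns PAM_IGNORE under server_policy, cannot log in), and that the "other" account stack sshd falls back to reaches pam_ldap.so.1. The sample file it creates under /tmp is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original document: sanity-check a pam.conf
# before rebooting, against the conditions in the notes above for a Solaris
# 8/9 Native LDAP client: no active pam_unix_cred.so.1 entry, and pam_ldap.so.1
# reachable from every auth stack that binds pam_unix_auth.so.1 and from the
# "other" account stack that sshd falls back to.  Usage: pam_check FILE
# Print active (uncommented) entries as "service type flag module"
pam_active() {
    awk '!/^[ \t]*#/ && NF >= 4 { print $1, $2, $3, $4 }' "$1"
}

# Return 0 if FILE has an active entry for service/type/module (any flag)
pam_has() {
    pam_active "$1" | awk -v s="$2" -v t="$3" -v m="$4" \
        '$1 == s && $2 == t && $4 == m { f = 1 } END { exit !f }'
}

pam_check() {
    rc=0
    if pam_active "$1" | grep -q 'pam_unix_cred\.so\.1'; then
        echo "FAIL: active pam_unix_cred.so.1 entry (comment it out on Solaris 8/9)"
        rc=1
    fi
    # pam_unix_auth (server_policy) returns PAM_IGNORE for LDAP-only users, so pam_ldap must follow
    for svc in $(pam_active "$1" | awk '$2 == "auth" && $4 == "pam_unix_auth.so.1" { print $1 }' | sort -u); do
        if ! pam_has "$1" "$svc" auth pam_ldap.so.1; then
            echo "FAIL: '$svc auth' stack never reaches pam_ldap.so.1"; rc=1
        fi
    done
    if ! pam_has "$1" other account pam_ldap.so.1; then
        echo "FAIL: 'other account' stack never reaches pam_ldap.so.1"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: pam.conf passes the LDAP-client checks"
    return $rc
}

# Constructed sample mirroring the stacks above, pam_unix_cred commented out
GOOD_PAM=$(mktemp /tmp/pam.conf.XXXXXX)
cat > "$GOOD_PAM" <<'EOF'
login auth requisite pam_authtok_get.so.1
#login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
EOF
pam_check "$GOOD_PAM"
```

Run `pam_check /etc/pam.conf` on the client before `init 6`; fixing a FAIL here avoids a lockout that would otherwise need the single-user recovery described below.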
That is all. Reboot your LDAP Client to confirm that OpenSSH starts properly. If there is any boot issue, you may run "boot -s" after a STOP-A keyboard interrupt into OpenBootPROM mode to enter Single User mode and try to fix the issue; if the issue persists, you may restore the original /etc/pam.conf backed up as /etc/pam.conf.orig.
# sync;sync;sync
# init 6
or
# shutdown -y -g0 -i6
---End of Doc---