Installing and configuring OpenSSH with pam_ldap for Solaris9


(See also related documents at


Last Updated: 15-Mar-2006




This document is one of the deliverables of the “Centralized LDAP Authentication Project”; the reader may also refer to its sister document titled “Installing and configuring OpenLDAP for Solaris9


This document describes the steps involved in installing and configuring an OpenSSH Server, which is also an OpenLDAP Client, with pam_ldap support on Solaris8/9. The server is to be accessed by Windows/UNIX/Linux OpenSSH clients.


Another related document, "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building an infrastructure environment for rapid deployment of the Solaris Native LDAP Client.


Useful URLs:


·       SUN’s “System Administration Guide: Security Services - May 2002” (could be found at

·       OpenSSH:

·       OpenSSH LPK (LDAP Public Key) patch:

·       OpenSSL:

·       PAM:

·       PAM_LDAP and NSS_LDAP:

·       ZLIB:

·       PRNGD:


Example used:


·       NSS_LDAP and PAM_LDAP library path: /usr/local/lib and /usr/local/lib/security respectively

·       OpenSSL install directory = /usr/local/ssl

·       OpenLDAP install directory = /usr/local


Note 1: OpenSSH requires a source of random numbers, so SUN's random number generation devices /dev/random and /dev/urandom must be available. On Solaris9 they are built in; on Solaris8, Patch 112438-01 followed by a reboot is required. Alternatively, you may use PRNGD and specify the option --with-prngd-socket=<socket file name of PRNGD>


Note 2: Do not use the Solaris version of the “gcc” compiler version 3.4.X, as there are reports that it gives rise to compilation and/or linking issues. Gcc 3.1.X, 3.2.X and 3.3.X are OK.


Step 1: Install nss_ldap 2.X.X and pam_ldap 1.X.X



This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.


Step 2: Install OpenSSL


IMPORTANT NOTE 1: Skip this step if OpenSSL is already installed, possibly via the Solaris package file (SMCossl) downloaded from . The default prefix is /usr/local; the binaries will be in /usr/local/ssl/bin and the libraries in /usr/local/ssl/lib.


# cd /var/tmp

# tar xvf openssl-0.9.7e.tar

# cd openssl-0.9.7e

# ./config

# make clean

# make

# make install


IMPORTANT NOTE: For Solaris9, run just "./config" instead of "./config shared", i.e. do not generate shared library files (.so) for OpenSSL; we will link the static library files (.a) STATICALLY into OpenSSH.


Verify the OpenSSL version


# /usr/local/ssl/bin/openssl version

OpenSSL 0.9.7e DD MMM YYYY


Step 3: Configure and install OpenSSH Server


Prior to doing anything, back up the SUN SSH Server's original configuration files and host keys.


# mkdir -p /etc/ssh.orig

# cp /etc/ssh/* /etc/ssh.orig


Now configure OpenSSH with support for PAM and OpenSSL


NOTE: Solaris SUN-SSH usually stores host keys in /etc/ssh


# cd /var/tmp

# tar xvf openssh-3.9p1.tar

# cd openssh-3.9p1

# env MAKE=/usr/ccs/bin/make LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib ./configure --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl


Compile and install it.


# make clean

# make

# make install


IMPORTANT NOTE 1: having --sysconfdir=/etc/ssh will preserve SUN-SSH's original /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as the host keys, but as the original sshd_config file MAY NOT include the NEW settings, you MAY overwrite sshd_config with the sample from the OpenSSH distribution, referring back to the original settings.


IMPORTANT NOTE 2: “make install” will NOT overwrite the TWO original SSH v2 host keys already provided by SUN-SSH; it will ADD a THIRD, v1 host key.


Step 4: Create start/stop scripts


Create /etc/init.d/openssh.server, and rename/adjust the rc startup links


# mv /etc/rc3.d/S89sshd /etc/rc3.d/s89sshd

# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server

# ln -s /etc/init.d/openssh.server  /etc/rc3.d/S99openssh.server


Content of /etc/init.d/openssh.server


#! /bin/sh


case $1 in





        PID=`cat /var/run/`

        if [ -n "$PID" ]


                /usr/bin/kill -9 $PID




        echo "usage: /etc/init.d/sshd {start|stop}"




Copy sample sshd_config and ssh_config from OpenSSH build directory.


# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh

# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh


Edit /etc/ssh/sshd_config: enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM, and verify that the path for sftp-server exists


# vi /etc/ssh/sshd_config


PasswordAuthentication yes

ChallengeResponseAuthentication yes

UsePAM yes

Subsystem       sftp    /usr/local/libexec/sftp-server


Note: in older versions (pre-3.6.1) of the OpenSSH Server, instead of “UsePAM yes”, the parameter is:

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes


Create the privilege separation user id as per the OpenSSH requirement.


# mkdir -p /var/empty; chmod 755 /var/empty

# groupadd -g 999 sshd

# useradd -u 999 -g 999 -c "sshd privilege separation" -d /var/empty -s /bin/false sshd


Optionally, if for any reason there is a need to re-create the host keys for sshd, you may run:


/usr/local/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

/usr/local/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

/usr/local/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""


Optionally, you may want to fine-tune the OpenSSH server to make it more secure, i.e. use only Protocol 2, disable the default PermitRootLogin, enable X11Forwarding, and so on. Below is an example:


# sed -e 's/#Protocol 2,1/Protocol 2/' \

   -e 's/#PermitRootLogin yes/PermitRootLogin no/' \

   -e 's/#X11Forwarding no/X11Forwarding yes/' \

   -e 's/#PrintMotd yes/PrintMotd no/' \

   /etc/ssh/sshd_config > /etc/ssh/sshd_config_new

# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config
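Before restarting, it is worth confirming that the edits actually took effect. The following sh script is an added check, not part of this guide: it audits an sshd_config for the directives set in Steps 3 and 4, assuming sshd's rule that the first uncommented occurrence of a directive wins; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the guide: checks an sshd_config for the
# directives this document sets. Assumes sshd's rule that the first
# uncommented occurrence of a directive is the one that takes effect.

# Print the effective value of DIRECTIVE ($2) in FILE ($1); the keyword
# match is case-insensitive, as in sshd. Prints nothing if it is unset.
sshd_get() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# Print one line per mismatch against the settings from Steps 3 and 4;
# the exit status is the number of mismatches (0 means the file complies).
check_sshd_config() {
    f=$1; fails=0
    for pair in PasswordAuthentication=yes ChallengeResponseAuthentication=yes \
                UsePAM=yes Protocol=2 PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-unset}'"
            fails=$((fails + 1))
        fi
    done
    # The sftp subsystem must name an executable that really exists on disk.
    sftp=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }' "$f")
    if [ ! -x "$sftp" ]; then
        echo "Subsystem sftp: '${sftp:-unset}' is missing or not executable"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: the stock file after this guide's edits, except that
# the sftp-server path is /bin/sh so the existence check passes offline.
write_sample_config() {
    cat > "$1" <<'EOF'
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem       sftp    /bin/sh
EOF
}
```

Run it as `check_sshd_config /etc/ssh/sshd_config` on the real file; a non-zero exit status lists what still needs fixing.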


That’s all; kill the existing SSH Server and start the OpenSSH Server


# /etc/init.d/sshd stop; /etc/init.d/openssh.server start


Step 5: Create ldap.conf for BOTH pam_ldap and OpenLDAP


This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.


Step 6: Prepare /usr/local/etc/openldap/cacert.pem


This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.


Step 7: Backup and Create /etc/pam.conf


Log in as root at the console of the LDAP Client (SSH Server).


# mv /etc/pam.conf /etc/pam.conf.orig

# cp /etc/pam.conf.orig /etc/pam.conf


Edit /etc/pam.conf.


Use the following /etc/pam.conf for the SUN Solaris Native LDAP client. This is actually the sample from the Solaris10 documentation, with commented out.


# pam.conf.ldapv2_native_client






# 1) This is a /etc/pam.conf with password management support that works for:


# Solaris10 Native LDAP Client

# Solaris9 Native LDAP Client provided that:

# - latest kernel patch and Patch 112960 are applied

# - all the lines are commented out

# Solaris8 Native LDAP Client provided that:

# - latest kernel patch and Patch 108993 are applied

# - all the lines are commented out


# 2) If modules for "sshd" or any are not defined, default is "other"

# as seen by output of "grep other /etc/pam.conf"


# Authentication management


# login service (explicit because of pam_dial_auth)


login   auth requisite

login   auth required

#login   auth required

login   auth required

login   auth binding server_policy

login   auth required


# rlogin service (explicit because of pam_rhost_auth)


rlogin  auth sufficient

rlogin  auth requisite

rlogin  auth required

#rlogin  auth required

rlogin  auth binding server_policy

rlogin  auth required


# rsh service (explicit because of pam_rhost_auth,

# and pam_unix_auth for meaningful pam_setcred)


rsh     auth sufficient

#rsh     auth required

rsh     auth binding server_policy

rsh     auth required


# PPP service (explicit because of pam_dial_auth)


ppp     auth requisite

ppp     auth required

ppp     auth required

ppp     auth binding server_policy

ppp     auth required


# Default definitions for Authentication management

# Used when service name is not explicitly mentioned for authentication


other   auth requisite

other   auth required

#other   auth required

other   auth binding server_policy

other   auth required


# passwd command (explicit because of a different authentication module)


passwd  auth binding server_policy

passwd  auth required


# cron service (explicit because of non-usage of


cron    account required


# Default definition for Account management

# Used when service name is not explicitly mentioned for account management


other   account requisite

other   account binding server_policy

other   account required


# Default definition for Session management

# Used when service name is not explicitly mentioned for session management


other   session required


# Default definition for  Password management

# Used when service name is not explicitly mentioned for password management


other   password required

other   password requisite

other   password requisite

other   password required server_policy


# Support for Kerberos V5 authentication and example configurations can

# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
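Note 2) above is the point that matters for OpenSSH: there is no explicit "sshd" service in this file, so sshd is governed by the "other" stacks. The sh helper below is an added example, not part of this guide or of Solaris; it resolves which pam.conf stack a given service and type will actually use, falling back to "other" the way PAM does, so you can see exactly what sshd gets. The sample pam.conf it writes is constructed, and the module names in it are assumed for illustration.

```shell
#!/bin/sh
# Added helper, not part of the guide: resolve which /etc/pam.conf stack a
# service such as sshd will actually use. Solaris pam.conf format assumed:
#   service  type  control  module  [options]
# with "#" comments; a service with no explicit entries for a type falls
# back to the "other" entries, as note 2) in the file header describes.

# Print the effective entries (control and module columns) for
# SERVICE ($2) / TYPE ($3) from FILE ($1), falling back to "other".
# Exit 1 if neither the service nor "other" defines that type.
pam_stack() {
    file=$1; svc=$2; type=$3
    out=$(awk -v s="$svc" -v t="$type" '
        $1 !~ /^#/ && $1 == s && $2 == t { print $3, $4 }' "$file")
    if [ -z "$out" ] && [ "$svc" != other ]; then
        out=$(awk -v t="$type" '
            $1 !~ /^#/ && $1 == "other" && $2 == t { print $3, $4 }' "$file")
    fi
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Exit 0 if MODULE ($4) appears in the effective SERVICE/TYPE stack.
pam_stack_uses() {
    pam_stack "$1" "$2" "$3" |
        awk -v m="$4" '$2 == m { found = 1 } END { exit !found }'
}

# Constructed sample pam.conf: login has its own auth stack (with its
# pam_ldap line commented out), sshd has none and so inherits "other".
write_sample_pamconf() {
    cat > "$1" <<'EOF'
# login service
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_unix_auth.so.1
#login   auth required   pam_ldap.so.1
# defaults for everything else, including sshd
other   auth requisite  pam_authtok_get.so.1
other   auth binding    pam_unix_auth.so.1 server_policy
other   auth required   pam_ldap.so.1
other   account required pam_unix_account.so.1
EOF
}
```

Running `pam_stack /etc/pam.conf sshd auth` on the real file shows the stack sshd will be authenticated by; if the pam_ldap line you expect is commented out, it will not be listed.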



Step 8: Define LDAP domain (For Solaris LDAP Client Only)


# domainname

# echo "" >/etc/defaultdomain


That is all; reboot your LDAP Client to confirm that OpenSSH gets started properly. If there is any boot issue, you may run "boot -s" after a STOP-A keyboard interrupt into OpenBootPROM mode to go into Single User mode and try to fix the issue; if the issue persists, you may restore the original /etc/pam.conf backed up as /etc/pam.conf.orig.


# sync;sync;sync

# init 6


# shutdown -y -g0 -i6


---End of Doc---