Installing and configuring OpenSSH with pam_ldap for Solaris9

 

(See also related documents at http://web.singnet.com.sg/~garyttt/)

 

Last Updated: 15-Mar-2006

 

Purpose:

 

This document is one of the deliverables of the “Centralized LDAP Authentication Project”; the reader may also refer to its sister document, “Installing and configuring OpenLDAP for Solaris9”.

 

This document describes the steps involved in installing and configuring an OpenSSH Server with pam_ldap support on Solaris8/9; the server is also an OpenLDAP client. It is to be accessed by Windows/UNIX/Linux OpenSSH clients.

 

Another related document, "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building an infrastructure for rapid deployment of the Solaris Native LDAP Client.

 

Useful URLs:

 

·       SUN’s “System Administration Guide: Security Services - May 2002” (can be found at http://docs.sun.com)

·       OpenSSH: http://www.openssh.org/

·       OpenSSH LPK (LDAP Public Key) patch: http://www.opendarwin.org/en/projects/openssh-lpk

·       OpenSSL: http://www.openssl.org/

·       PAM: http://www.kernel.org/pub/linux/libs/pam/

·       PAM_LDAP and NSS_LDAP: http://www.padl.com

·       ZLIB: http://www.gzip.org/zlib/

·       PRNGD: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

 

Example used:

 

·       NSS_LDAP and PAM_LDAP library path: /usr/local/lib and /usr/local/lib/security respectively

·       OpenSSL install directory = /usr/local/ssl

·       OpenLDAP install directory = /usr/local

 

Note 1: OpenSSH requires a source of random numbers, so SUN's random number devices /dev/random and /dev/urandom must be available. On Solaris9 they are built in; on Solaris8, Patch 112438-01 followed by a reboot is required. Alternatively, you may use PRNGD and pass the configure option --with-prngd-socket=<socket file name of PRNGD>.

 

Note 2: Do not use the Solaris build of the “gcc” compiler version 3.4.X, as it has been reported to cause compilation and/or linking problems. gcc 3.1.X, 3.2.X and 3.3.X are OK.

 

Step 1: Install nss_ldap 2.X.X and pam_ldap 1.X.X

 

 

This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.

 

Step 2: Install OpenSSL

 

IMPORTANT NOTE 1: Skip this step if OpenSSL is already installed, for example via the Solaris package (SMCossl) downloadable from http://www.sunfreeware.com; its default prefix is /usr/local, so the binaries are in /usr/local/ssl/bin and the libraries in /usr/local/ssl/lib.

 

# cd /var/tmp

# tar xvf openssl-0.9.7e.tar

# cd openssl-0.9.7e

# ./config

# make clean

# make

# make install

 

IMPORTANT NOTE 2: For Solaris9, run "./config" rather than "./config shared", i.e. do not generate shared library files (.so) for OpenSSL; the static library files (.a) will be linked STATICALLY into OpenSSH.

 

Verify the OpenSSL version

 

# /usr/local/ssl/bin/openssl version

OpenSSL 0.9.7e DD MMM YYYY

 

Step 3: Configure and install OpenSSH Server

 

Prior to doing anything, backup the SUN SSH Server original configuration files and host keys.

 

# mkdir -p /etc/ssh.orig

# cp /etc/ssh/* /etc/ssh.orig

 

Now configure OpenSSH with support for PAM and OpenSSL

 

NOTE: Solaris SUN-SSH usually stores host keys in /etc/ssh

 

# cd /var/tmp

# tar xvf openssh-3.9p1.tar

# cd openssh-3.9p1

# env MAKE=/usr/ccs/bin/make LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib ./configure --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl

 

Compile and install it.

 

# make clean

# make

# make install

 

IMPORTANT NOTE 1: --sysconfdir=/etc/ssh preserves the original SUN-SSH /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as the host keys. Because the original sshd_config MAY NOT include the NEW settings, you MAY overwrite it with the sample from the OpenSSH distribution, carrying over the original settings.

 

IMPORTANT NOTE 2: “make install” will NOT overwrite the TWO original SSH v2 host keys already provided by SUN-SSH; it will ADD a THIRD, v1, host key.

 

Step 4: Create start/stop scripts

 

Create /etc/init.d/openssh.server and rename/adjust the rc startup links.

 

# mv /etc/rc3.d/S89sshd /etc/rc3.d/s89sshd

# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server

# ln -s /etc/init.d/openssh.server /etc/rc3.d/S99openssh.server

 

Content of /etc/init.d/openssh.server

 

#! /bin/sh
# /etc/init.d/openssh.server - start/stop the OpenSSH daemon built in Step 3

# sshd is linked against the OpenSSL and OpenLDAP libraries under /usr/local
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib
export LD_LIBRARY_PATH

case $1 in
'start')
        /usr/local/sbin/sshd
        ;;
'stop')
        # sshd records the PID of the master daemon in /var/run/sshd.pid;
        # guard against the file being absent when sshd is not running
        PID=""
        if [ -f /var/run/sshd.pid ]
        then
                PID=`cat /var/run/sshd.pid`
        fi
        if [ -n "$PID" ]
        then
                # SIGTERM lets the master daemon exit cleanly and remove its pid file;
                # already established sessions are not affected
                /usr/bin/kill $PID
        fi
        ;;
*)
        echo "usage: /etc/init.d/openssh.server {start|stop}"
        ;;
esac

 

Copy sample sshd_config and ssh_config from OpenSSH build directory.

 

# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh

# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh

 

Edit /etc/ssh/sshd_config: enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM, and verify that the path to sftp-server exists.

 

# vi /etc/ssh/sshd_config

 

PasswordAuthentication yes

ChallengeResponseAuthentication yes

UsePAM yes

Subsystem       sftp    /usr/local/libexec/sftp-server

 

Note: in older versions (pre-3.6.1) of the OpenSSH Server, the parameter is the following instead of “UsePAM yes”:

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes

 

Create the privilege separation user id required by OpenSSH.

 

# mkdir -p /var/empty; chmod 755 /var/empty

# groupadd -g 999 sshd

# useradd -u 999 -g 999 -c "sshd privilege separation" -d /var/empty -s /bin/false sshd

 

Optionally, if for any reason the host keys for sshd need to be re-created, you may run:

 

/usr/local/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

/usr/local/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

/usr/local/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

 

Optionally, you may fine-tune the OpenSSH server to make it more secure, e.g. use only Protocol 2, disable the default PermitRootLogin, enable X11Forwarding, and so on. Below is an example:

 

# sed -e 's/#Protocol 2,1/Protocol 2/' \

   -e 's/#PermitRootLogin yes/PermitRootLogin no/' \

   -e 's/#X11Forwarding no/X11Forwarding yes/' \

   -e 's/#PrintMotd yes/PrintMotd no/' \

   /etc/ssh/sshd_config > /etc/ssh/sshd_config_new

# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config
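After editing the four settings above and applying the sed hardening, it is worth checking the result the way sshd itself reads the file: the FIRST uncommented occurrence of a keyword is the effective value and keyword names are case-insensitive, so a leftover default further down, or a commented "#Protocol 2,1" line that the sed expression did not match because the sample file spelled it differently, does not give you what you expect. The following audit script is an added example, not part of the original document or of OpenSSH; the two sample configuration files it writes under $TMPDIR are constructed for the demonstration, and the sftp-server path checked is the one used in this document.

```shell
#!/bin/sh
# Audit an sshd_config for the settings this document asks for, reading it the
# way sshd does: first uncommented occurrence wins, keyword names ignore case.
# Written for Bourne-compatible shells (backticks and expr, no bash-isms).

# sshd_opt FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_opt() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_opt FILE KEYWORD WANT -> 0 if the effective value equals WANT
check_opt() {
    val=`sshd_opt "$1" "$2"`
    if [ "$val" = "$3" ]; then
        echo "ok    $2 = $val"
        return 0
    fi
    echo "FAIL  $2 = ${val:-<unset>} (want $3)"
    return 1
}

# audit_sshd_config FILE -> exit status is the number of failed checks
audit_sshd_config() {
    fails=0
    check_opt "$1" PasswordAuthentication yes          || fails=`expr $fails + 1`
    check_opt "$1" ChallengeResponseAuthentication yes || fails=`expr $fails + 1`
    check_opt "$1" UsePAM yes                          || fails=`expr $fails + 1`
    check_opt "$1" Protocol 2                          || fails=`expr $fails + 1`
    check_opt "$1" PermitRootLogin no                  || fails=`expr $fails + 1`
    return $fails
}

# check_sftp_server FILE -> 0 if the configured sftp-server binary is executable
check_sftp_server() {
    path=`awk '$1 !~ /^#/ && tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"`
    [ -n "$path" ] && [ -x "$path" ]
}

# Constructed sample: sshd_config after the edits in this document. The
# lower-case keyword and the commented "#Protocol 2,1" line must not confuse us.
sample_hardened() {
    f=${TMPDIR:-/tmp}/sshd_config.hardened.$$
    cat > "$f" <<'EOF'
#Protocol 2,1
Protocol 2
PermitRootLogin no
passwordauthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem       sftp    /usr/local/libexec/sftp-server
EOF
    echo "$f"
}

# Constructed sample: the hardening was never applied (Protocol and
# PermitRootLogin are still comments), and a stray "UsePAM no" was appended
# after "UsePAM yes"; sshd keeps the first one.
sample_default() {
    f=${TMPDIR:-/tmp}/sshd_config.default.$$
    cat > "$f" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
UsePAM no
Subsystem       sftp    /usr/local/libexec/sftp-server
EOF
    echo "$f"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    audit_sshd_config "$1"
    if check_sftp_server "$1"; then
        echo "ok    sftp-server binary present"
    else
        echo "FAIL  sftp-server binary missing or not executable"
    fi
fi
```

Run it against /etc/ssh/sshd_config after the sed step; the exit status is the number of settings that are not as expected, so it can gate an automated deployment. On the second sample the script reports Protocol and PermitRootLogin as unset, because a commented line is not a setting, while UsePAM is still reported as yes.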

 

That’s all; stop the existing SUN-SSH server and start the OpenSSH server.

 

# /etc/init.d/sshd stop; /etc/init.d/openssh.server start

 

Step 5: Create ldap.conf for BOTH pam_ldap and OpenLDAP

 

This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.

 

Step 6: Prepare /usr/local/etc/openldap/cacert.pem

 

This step is no longer required, as I encourage you to use the Solaris9/8 Native LDAP Client.

 

Step 7: Backup and Create /etc/pam.conf

 

Log in as root at the console of the LDAP Client (SSH Server)

 

# mv /etc/pam.conf /etc/pam.conf.orig

# cp /etc/pam.conf.orig /etc/pam.conf

 

Edit /etc/pam.conf.

 

Use the following /etc/pam.conf for the SUN Solaris Native LDAP client. It is the sample from the Solaris10 documentation, with the pam_unix_cred.so.1 lines commented out.

 

# pam.conf.ldapv2_native_client
#
# http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
#
# IMPORTANT NOTES from Gary Tay
#
# 1) This is a /etc/pam.conf with password management support that works for:
#
# Solaris10 Native LDAP Client
# Solaris9 Native LDAP Client provided that:
# - latest kernel patch and Patch 112960 are applied
# - all the pam_unix_cred.so.1 lines are commented out
# Solaris8 Native LDAP Client provided that:
# - latest kernel patch and Patch 108993 are applied
# - all the pam_unix_cred.so.1 lines are commented out
#
# 2) If no modules are defined for "sshd" or any other service, the
# "other" stack applies, as seen in the output of "grep other /etc/pam.conf"
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
#login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient       pam_rhosts_auth.so.1
rlogin  auth requisite        pam_authtok_get.so.1
rlogin  auth required         pam_dhkeys.so.1
#rlogin  auth required         pam_unix_cred.so.1
rlogin  auth binding          pam_unix_auth.so.1 server_policy
rlogin  auth required         pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient       pam_rhosts_auth.so.1
#rsh     auth required         pam_unix_cred.so.1
rsh     auth binding          pam_unix_auth.so.1 server_policy
rsh     auth required         pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth binding          pam_unix_auth.so.1 server_policy
ppp     auth required         pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
#other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required      pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required      pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
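The pam.conf above relies on a small number of rules that are easy to break while editing by hand: in every auth stack that uses pam_unix_auth.so.1 (or pam_passwd_auth.so.1 for passwd), that module must be "binding" and be followed by "required pam_ldap.so.1", so that a local account succeeds immediately while everyone else is tried against LDAP; no pam_unix_cred.so.1 line may be active on Solaris 8/9; and an "other" auth and account stack must exist, because sshd is not listed explicitly and falls back to it. The linter below is an added example, not part of the original document or of Solaris; the two sample files it writes under $TMPDIR are constructed for the demonstration and are cut-down versions of the configuration above, one correct and one with three deliberate mistakes.

```shell
#!/bin/sh
# Lint a Solaris-style /etc/pam.conf (service type control module [options])
# against the rules this document depends on. Exit status = problems found.

pam_lint() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }                  # comments, blank, malformed lines
    {
        svc = $1; type = $2; ctl = $3; mod = $4
        sub(/.*\//, "", mod)                       # tolerate an absolute module path
        key = svc SUBSEP type                      # one stack per (service, type)
        n[key]++
        m[key, n[key]] = mod
        c[key, n[key]] = ctl
        if (mod == "pam_unix_cred.so.1") {         # must be commented out on Solaris 8/9
            printf "FAIL  %-7s %-8s active pam_unix_cred.so.1 line\n", svc, type
            bad++
        }
    }
    END {
        for (key in n) {
            split(key, p, SUBSEP); svc = p[1]; type = p[2]
            if (type != "auth") continue
            ux = 0; ld = 0
            for (i = 1; i <= n[key]; i++) {
                if (m[key, i] == "pam_unix_auth.so.1" || m[key, i] == "pam_passwd_auth.so.1") ux = i
                if (m[key, i] == "pam_ldap.so.1") ld = i
            }
            if (ux == 0) continue                  # stack does not use UNIX auth at all
            if (c[key, ux] != "binding") {
                printf "FAIL  %-7s auth     %s is %s, want binding\n", svc, m[key, ux], c[key, ux]
                bad++
            }
            if (ld == 0 || ld < ux || c[key, ld] != "required") {
                printf "FAIL  %-7s auth     pam_ldap.so.1 must follow as required\n", svc
                bad++
            }
        }
        oa = "other" SUBSEP "auth"; oc = "other" SUBSEP "account"
        if (!(oa in n)) { print "FAIL  no \"other auth\" fallback stack"; bad++ }
        if (!(oc in n)) { print "FAIL  no \"other account\" fallback stack"; bad++ }
        if (bad == 0) print "ok    pam.conf passes all checks"
        exit bad
    }' "$1"
}

# Constructed sample: the pattern used throughout this document
sample_good() {
    f=${TMPDIR:-/tmp}/pam.conf.good.$$
    cat > "$f" <<'EOF'
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
#login   auth required         pam_unix_cred.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
other   auth requisite        pam_authtok_get.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
other   session required      pam_unix_session.so.1
EOF
    echo "$f"
}

# Constructed sample with three mistakes: pam_unix_cred left active,
# pam_unix_auth "required" instead of "binding", and no pam_ldap in "other auth"
sample_bad() {
    f=${TMPDIR:-/tmp}/pam.conf.bad.$$
    cat > "$f" <<'EOF'
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
other   auth requisite        pam_authtok_get.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   account binding       pam_unix_account.so.1 server_policy
EOF
    echo "$f"
}

# Usage: sh pam_lint.sh /etc/pam.conf
if [ -n "$1" ]; then
    pam_lint "$1"
fi
```

Run it before the reboot in Step 8: a non-zero exit status means the file would leave some service either unable to reach LDAP or referencing a module Solaris 9 does not have, which is exactly the situation that forces the single-user recovery described below.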

 

Step 8: Define LDAP domain (For Solaris LDAP Client Only)

 

# domainname example.com

# echo "example.com" >/etc/defaultdomain

 

That is all; reboot your LDAP Client to confirm that OpenSSH starts properly. If there is any boot issue, you may issue STOP-A at the keyboard to drop into the OpenBootPROM prompt and run "boot -s" to enter Single User mode, then try to fix the issue; if it persists, restore the original /etc/pam.conf from the backup /etc/pam.conf.orig.

 

# sync;sync;sync

# init 6

or

# shutdown -y -g0 -i6

 

---End of Doc---