Loomis, Rip
2003-Mar-03 19:25 UTC
Problems with OpenSSH compile/run on Solaris 8 (was: sshd does not start)
Joyce-->

> I did not install /www/gzip.org/zlib because I assumed that I
> probably have that, since I have gunzip....

gunzip being present doesn't usually mean that zlib is present, but you might actually have zlib. Look for a libz.a in /usr/local/lib (or appropriate other directory structure depending on where gunzip is on your system...)

> Openssh compiled but I kept receiving warnings that I do not
> have a random generator.

Separate issue. For Solaris 8/SPARC you really need to install patch 112438-01 which provides /dev/random, and ensure that your OpenSSL installation is using it. (That patch is labeled as security-relevant by Sun, but is still *not* included in the Sun recommended patch cluster as of last week--it should be installed on any Solaris 8 box that will ever use OpenSSL or OpenSSH.) Alternatively you could use PRNGd. Feel free to contact me offlist for more info on either.

> After the make install, I did a ps -ef|grep sshd, but sshd
> was not running.
>
> I typed ssh hostname
> and I received the error:
> ssh: connect to host...port 22: connection refused

No surprise; you already said that sshd wasn't running, so there was no daemon there to accept the connection.

> I tried to start sshd daemon manually:
> /usr/local/sbin/sshd
> I received the error:
> Privilege separation user sshd does not exist.
>
[[Additional diagnostics deleted]]

> Any help would be greatly appreciated.
> Is the problem that I do not have zlib installed?

Nope, you need to create the sshd privilege separation user just like the documentation says, or disable privilege separation. The good news is that neither the lack of zlib nor the lack of /dev/random apparently kept things from compiling--I'm a little surprised, and I'd still recommend that you go back and install zlib, install the Solaris /dev/random patch, and ensure OpenSSL is using the new /dev/random.

Since you're on a PAM-aware platform, and to my knowledge there are still issues with some of the PAM calls needing to be run with full root privileges, you might consider disabling privilege separation (in sshd_config, look for PrivilegeSeparation and ensure you have UsePrivilegeSeparation no on that line). Even without the privsep user, you should then be able to start sshd.

To make the debugging a little easier, I then recommend you start sshd with sshd -d (which will cause it to run in debugging mode tied to a terminal, instead of going into the background) and then switch to a different virtual terminal and run ssh -v hostname, so that both the daemon and client parts are running in the verbose/debugging mode.

Good luck and feel free to contact me offlist if you need more help--I'm in the local area.

-- 
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security | http://www.brainbench.com
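A preflight check for the two remedies Rip describes (create the sshd privilege separation user, or set UsePrivilegeSeparation no), added here as an example and not part of the original thread. The sshd_config and passwd files it reads are constructed samples; on a real host you would point it at /etc/ssh/sshd_config (or /usr/local/etc/sshd_config) and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original thread: predict whether sshd will
# abort with "Privilege separation user sshd does not exist". It gets past
# that check when UsePrivilegeSeparation is "no" in sshd_config, or when
# the privsep user has an entry in the passwd file.

# Print the effective UsePrivilegeSeparation value from an sshd_config.
# Keywords are case-insensitive, comments and blank lines are skipped,
# the first match wins, and the default when the keyword is absent is "yes".
privsep_setting() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Succeed when user $1 has an entry in passwd-format file $2.
privsep_user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1; exit } END { exit !found }' "$2"
}

# Succeed when sshd will not abort on the privsep user check.
# $1 = sshd_config path, $2 = passwd file path (normally /etc/passwd).
privsep_preflight() {
    [ "$(privsep_setting "$1")" = "no" ] && return 0
    privsep_user_exists sshd "$2"
}

# Constructed sample files standing in for the Solaris 8 box in the thread.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
CFG_DEFAULT="$TMPD/sshd_config.default"   # keyword commented out -> privsep on
CFG_OFF="$TMPD/sshd_config.off"           # privsep explicitly disabled
PASSWD_NOUSER="$TMPD/passwd.nouser"       # fresh install, no sshd user yet
PASSWD_USER="$TMPD/passwd.user"           # sshd user created per the docs
printf 'Port 22\n#UsePrivilegeSeparation yes\n' > "$CFG_DEFAULT"
printf 'Port 22\nuseprivilegeseparation No\n' > "$CFG_OFF"
printf 'root:x:0:1:Super-User:/:/sbin/sh\n' > "$PASSWD_NOUSER"
printf 'root:x:0:1:Super-User:/:/sbin/sh\nsshd:x:101:1:privsep:/var/empty:/bin/false\n' > "$PASSWD_USER"

for cfg in "$CFG_DEFAULT" "$CFG_OFF"; do
    for pw in "$PASSWD_NOUSER" "$PASSWD_USER"; do
        if privsep_preflight "$cfg" "$pw"; then
            echo "ok:   $(basename "$cfg") + $(basename "$pw")"
        else
            echo "FAIL: $(basename "$cfg") + $(basename "$pw") (create the sshd user or set UsePrivilegeSeparation no)"
        fi
    done
done
```

Only the default-config-plus-missing-user combination fails, which is exactly the state Joyce's box was in.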