[Peeweelinux] HowTo: OpenSSH on PWL
Troy Engel
Wed, 19 Feb 2003 14:29:38 -0800
As I rebuilt everything for the newly released OpenSSL-0.9.7a, I noticed
a slight error -- the OpenSSH build line is missing a "/usr" for the
zlib/ssl-dir params. It *should* read as follows:
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --with-zlib=/var/tmp/ssh-root/usr --with-ssl-dir=/var/tmp/ssh-root/usr \
    --without-shadow --with-pid-dir=/var/run --with-ipv4-default \
    --build=i386-pc-linux-gnu --without-privsep-user --without-privsep-path
Also found an easier way to create the filelist for pwlconfig -- first,
create the tarball then just run "tar -tf openssh-3.5p1.tar >
openssh-3.5p1.list" and you're done.
hth,
-te
Troy Engel wrote:
> This is a bit tricky, so if it doesn't work quite right (or I missed a
> step in this document, etc), just try it again. Errors and omissions,
> just send a note.
>
> Required:
> - Red Hat 6.2 box with root priv (will be explained)
> - zlib 1.1.4
> - openssl-0.9.7
> - openssh-3.5p1
>
> I ran into a smattering of problems, mainly during linking, when trying
> to build this all on a RH 7.2 box with the 6.2 compat libs installed. To
> save a lot of heartache, it was easier to use one of my 6.2 boxes -
> they have the same glibc and stuff PWL does.
>
>
> Set up stuff
> ============
> /var/tmp/ is your working directory. Make a directory /var/tmp/ssh-root
> (for installs), /var/tmp/src/ and /var/tmp/build/. Download all tarballs
> to /var/tmp/src/.
>
>
> Build zlib
> ==========
> Untar zlib to /var/tmp/build/, then build as follows:
>
> ./configure --prefix=/usr --shared
> make
> make install prefix=/var/tmp/ssh-root/usr
>
>
> Build openssl
> =============
> Untar openssl to /var/tmp/build/, then build as follows:
> /usr/bin/perl ./Configure --prefix=/usr -no-krb5 linux-elf shared \
>     zlib-dynamic
>
> make
> make INSTALL_PREFIX=/var/tmp/ssh-root install
>
>
> Edit LD path
> ============
> The openssl configure script (and maybe build, but didn't check) has an
> issue with trying to use the openssl libs you just built, if they're not
> in the LD scene. Add the following line to /etc/ld.so.conf:
>
> /var/tmp/ssh-root/usr/lib
>
> ...and run /sbin/ldconfig. We'll remove this when done.
>
>
> Build openssh
> =============
> Untar openssl to /var/tmp/build/, then build as follows:
>
> ./configure --prefix=/usr --sysconfdir=/etc/ssh \
>     --with-zlib=/var/tmp/ssh-root --with-ssl-dir=/var/tmp/ssh-root \
>     --without-shadow --with-pid-dir=/var/run --with-ipv4-default \
>     --build=i386-pc-linux-gnu --without-privsep-user --without-privsep-path
>
> make
> make install DESTDIR=/var/tmp/ssh-root
>
>
> Create sshd keys
> ================
> Run the following commands to create the host keypairs (you could do
> this on bootup, but I prefer to prepackage them). Change the comment
> used in the -C option to your desired comment.
>
> cd /var/tmp/ssh-root/usr/bin
> ./ssh-keygen -t rsa1 -f /var/tmp/ssh-root/etc/ssh/ssh_host_key -N "" \
>     -C "mycomment"
> ./ssh-keygen -t rsa -f /var/tmp/ssh-root/etc/ssh/ssh_host_rsa_key -N "" \
>     -C "mycomment"
> ./ssh-keygen -t dsa -f /var/tmp/ssh-root/etc/ssh/ssh_host_dsa_key -N "" \
>     -C "mycomment"
>
>
> Configure sshd_config
> =====================
> Edit /var/tmp/ssh-root/etc/ssh/sshd_config and change params as desired
> -- you must change at least "UsePrivilegeSeparation no", as we're not
> using it here. (I change "X11Forwarding yes")
>
>
> Add startup script
> ==================
> Create a startup script in /var/tmp/ssh-root/etc/rcS.d/ (make dir rcS.d)
> - the exact name will vary depending on your needs. My PWL has been
> customized, so the script for me works named as "60sshd" (I have a
> 10network and 50inetd which fire off first). Make sure the file is mode
> 0755. Here is my script:
>
> #!/bin/sh
>
> # /etc/rcS.d/60sshd
> #
> # Init file for OpenSSH server daemon
>
> [ -f /var/lock/subsys/network ] || exit 0
>
> echo "Starting sshd...."
> /usr/sbin/sshd &
> touch /var/lock/subsys/sshd
>
> exit 0
>
>
> Clean out things
> ================
> Prune down useless stuff (man pages, include files, etc) from your
> /var/tmp/ssh-root/ tree. I wanted to leave the user programs there (we
> have enough space on the CF disk), but I got rid of a lot of things. My
> list is attached at the end of this doc.
>
>
> Create PWL "list" file and tarball
> ==================================
> Change to /var/tmp/ssh-root, then run these commands:
>
> find . | sed -e "s|^./||g ; /^.$/d" > openssh-3.5p1.list
> tar -cf openssh-3.5p1.tar usr/ etc/
>
> ...and now edit "openssh-3.5p1.list" -- you need to add a terminating
> slash to all directory names (usr/, etc/, etc) for PWL to work right later.
>
>
> Add to PWL
> ==========
> Add these two files (openssh-3.5p1.list, openssh-3.5p1.tar) to one of
> the packages/ locations on your PWL build machine
> (packages/Network_Daemons/ seems like a good spot). Run ./pwlconfig and
> select the new openssl files as normal, extract the filesystem, and so
> forth -- it's all normal from here on out.
>
>
> You can now remove the /var/tmp/ssh-root/usr/lib/ from /etc/ld.so.conf
> and rerun /sbin/ldconfig on your build machine. I should note that I run
> kernel 2.4.18 on our systems (see my other HowTo for new kernels), but
> since it builds cleanly on a stock RH62 machine, I don't think there's
> going to be any issues here. (my custom kernel includes unixpty support,
> et al).
>
>
> My openssh-3.5p1.list file
> ==========================
> usr/
> usr/bin/
> usr/bin/scp
> usr/bin/sftp
> usr/bin/slogin
> usr/bin/ssh
> usr/bin/ssh-keygen
> usr/lib/
> usr/lib/libz.so.1.1.4
> usr/lib/libz.so
> usr/lib/libz.so.1
> usr/lib/libcrypto.so
> usr/lib/libcrypto.so.0
> usr/lib/libcrypto.so.0.9.7
> usr/lib/libssl.so
> usr/lib/libssl.so.0
> usr/lib/libssl.so.0.9.7
> usr/libexec/
> usr/libexec/sftp-server
> usr/sbin/
> usr/sbin/sshd
> usr/ssl/
> usr/ssl/certs/
> usr/ssl/private/
> usr/ssl/openssl.cnf
> etc/
> etc/ssh/
> etc/ssh/ssh_config
> etc/ssh/sshd_config
> etc/ssh/moduli
> etc/ssh/ssh_host_key
> etc/ssh/ssh_host_key.pub
> etc/ssh/ssh_host_rsa_key
> etc/ssh/ssh_host_rsa_key.pub
> etc/ssh/ssh_host_dsa_key
> etc/ssh/ssh_host_dsa_key.pub
> etc/rcS.d/
> etc/rcS.d/60sshd
--
Troy Engel, Systems Engineer
Not suitable for children.
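The follow-up's shorter recipe for the PWL list file (derive it from the tarball with "tar -tf" instead of hand-adding trailing slashes after "find") and the quoted HowTo's staging steps can be combined into a small check script run against the staging root before the files are handed to pwlconfig. The script below is an added example, not part of either message and not PWL's or pwlconfig's own tooling; it builds a constructed stand-in for /var/tmp/ssh-root in a temporary directory (the file contents are placeholders, not real keys), so it runs offline. The function names, the sample tree and the 0600/0400 key-mode rule are assumptions of this example; "UsePrivilegeSeparation no" and the 60sshd script name come from the HowTo.

```sh
#!/bin/sh
# Added example (not from the original HowTo or from PWL): produce the
# PWL list file the way the follow-up suggests and sanity-check the staged
# tree before adding it to pwlconfig. The real staging root in the HowTo is
# /var/tmp/ssh-root; this script works on whatever root it is given.

# Build a small constructed stand-in for the staging root (assumption:
# placeholder contents, no real keys or binaries).
make_sample_root() {
    root=$1
    mkdir -p "$root/usr/sbin" "$root/etc/ssh" "$root/etc/rcS.d"
    : > "$root/usr/sbin/sshd"
    printf 'UsePrivilegeSeparation no\nX11Forwarding yes\n' > "$root/etc/ssh/sshd_config"
    printf 'constructed-private-key-placeholder\n' > "$root/etc/ssh/ssh_host_rsa_key"
    printf 'constructed-public-key-placeholder\n' > "$root/etc/ssh/ssh_host_rsa_key.pub"
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/rcS.d/60sshd"
    chmod 0755 "$root/etc/rcS.d/60sshd"
    chmod 0600 "$root/etc/ssh/ssh_host_rsa_key"
}

# Package usr/ and etc/ and derive the list from the tarball itself.
# tar -tf prints directory members with a trailing slash, which is the
# form pwlconfig needs, so the list needs no hand editing afterwards.
make_list() {
    root=$1; name=$2
    ( cd "$root" && tar -cf "$name.tar" usr/ etc/ && tar -tf "$name.tar" > "$name.list" )
}

# Count list entries that name a directory but lack the trailing slash.
# Prints 0 when every directory entry is in the form pwlconfig expects.
dirs_without_slash() {
    root=$1; list=$2
    n=0
    while IFS= read -r entry; do
        case $entry in */) continue ;; esac
        if [ -d "$root/$entry" ]; then n=$((n + 1)); fi
    done < "$list"
    echo "$n"
}

# Refuse a tree whose sshd_config still enables privilege separation
# (the HowTo builds with --without-privsep-user, so it must be "no"),
# whose private host keys are readable by group or others, or whose
# init script is not executable.
check_staged_tree() {
    root=$1
    grep -q '^UsePrivilegeSeparation[[:space:]]*no' "$root/etc/ssh/sshd_config" || return 1
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -f "$key" ] || continue
        # POSIX find: any group/other read bit set on a private key is a failure
        if [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
            return 1
        fi
    done
    [ -x "$root/etc/rcS.d/60sshd" ] || return 1
    return 0
}

# Stand-alone demo on a throwaway directory.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
make_list "$demo_root" openssh-3.5p1
echo "directories missing a trailing slash: $(dirs_without_slash "$demo_root" "$demo_root/openssh-3.5p1.list")"
if check_staged_tree "$demo_root"; then echo "staged tree OK"; else echo "staged tree FAILED checks"; fi
rm -rf "$demo_root"
```

Against the real staging root you would call make_list /var/tmp/ssh-root openssh-3.5p1 and then check_staged_tree /var/tmp/ssh-root; a non-zero return from the check means the tree should not be copied into packages/ yet.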