Installing OpenSSL and OpenSSH

This document describes how to install OpenSSH (Secure Shell) and OpenSSL (Secure Sockets Layer) on Linux. SSL is a general security library that provides encryption for Web services, VPNs, and other communication software. SSH is a secure replacement for telnet and ftp.

OpenSSL

Although the standard OpenSSL installation will work for some purposes, if you plan to install OpenSSH you need to install OpenSSL twice, once for the static libraries and once to get the shared ones. Otherwise, the OpenSSH configure script may complain about headers not matching the library or OpenSSL headers not being found. It's important to specify the paths when compiling OpenSSL to avoid these errors so you are certain where everything is being installed.

First, install libz, which can be downloaded from the OpenSSL site, if you don't already have it.

Second, install openssl:

./config --prefix=/usr/local --openssldir=/usr/local/ssl make make test make install (as root) ./config shared --prefix=/usr/local --openssldir=/usr/local/ssl make clean make make install (as root) cd /usr/local/ssl/lib cp * /usr/lib

To avoid getting the following error later when you compile OpenSSH:

configure: error: Your OpenSSL headers do not match your library

copy all the SSL include files everywhere:

cd /home/tjnelson/openssl/openssl-* cd include/openssl cp * /usr/include cp * /usr/local/ssl/include cp * /usr/local/ssl/include/openssl

and then add /usr/local/ssl/lib to /etc/ld.so.conf and type

lcdonfig

(as root). This is essential in avoiding "header not found" and "headers do not match your library" errors when you go trying to make OpenSSH.

If the error persists, check config.log to find out what OpenSSH thinks is happening. Sometimes, the actual error has nothing to do with the error message. Or try these commands:

cd /home/tjnelson/openssl/openssl-*/include/openssl cp * /usr/local/ssl/include cd /home/tjnelson/openssl/openssl-* cp lib* /usr/local/ssl/lib/ cp lib* /usr/lib/ ldconfig cd /home/tjnelson/openssl/openssl-*/include/openssl cp * /usr/include/ cp * /usr/local/ssl/include/ cp * /usr/local/ssl/include/openssl

Sometimes, however, libssl complains about something called "pod2man" and refuses to install:

No working pod2man found. Consider installing a new version. As a workaround, we'll use a bundled old copy of pod2man.pl. sh: util/pod2man.pl: No such file or directory

In that case, you must install it manually:

cp libssl.a /usr/local/ssl/lib/ cp *.a /usr/local/ssl/lib/ cp *.so* /usr/local/ssl/lib/ cd include/openssl mkdir /usr/include/openssl/ cp * /usr/include/openssl/ cp * /usr/local/ssl/include/openssl/

In many cases, if you upgrade OpenSSL you also have to rebuild OpenSSH, or you will get a message like:

Starting SSH daemon OpenSSL version mismatch. Built against 907002, you have 90703f startproc: exit status of /usr/sbin/sshd: 255

See below for the procedure.

OpenSSH

OpenSSH requires a working installation of SSL. If OpenSSL is not already installed, install it as described above before proceeding. For OpenSSH version 3.4 or above, it is necessary to create a new user named "sshd" and give a safe place to chroot to. Depending on your system, you may also need to install TCP Wrappers and zlib.

Preparation

1. Add 'sshd' user: If you haven't already done so, create the new user.

   mkdir /var/empty chown root:sys /var/empty chmod 700 /var/empty groupadd sshd useradd -g sshd -c 'sshd privsep' -d /var/empty \ -s /bin/false sshd

2. zlib: On some systems, it's necessary to upgrade zlib before OpenSSH will compile.

3. PAM (not recommended): Use of PAM is no longer recommended. If you want to use PAM, the PAM headers and the "--with-pam" configuration option are needed. DO NOT INSTALL PAM unless you are sure of what you're doing! Carelessly installing PAM could trash your system! Make sure your system really uses PAM before using this option. If you need PAM to install ssh, a safe precaution is to install the headers only, and copy the libraries and header files manually into the ssh directory.

   PAM_TTY_KLUDGE used to be required, but is no longer necessary, because it is now defined automatically in linux.

Install TCP Wrappers

If your system uses tcpd, and you don't have libwrap, install Wietse Venema's IPv4 tcp-wrappers . There are several versions of tcpd. Two are from porcupine.org, and one of these is for IPv6. Do not install the tcp-wrappers for IPv6 or tcpd from other locations. They will not work. (This step is only needed if you compile ssh with TCP Wrappers.)

Unfortunately, libwrap software is quite old and no longer compiles in Linux without modification. It also uses the old /etc/inetd.conf file, instead of /etc/xinetd.d. Normally, this would mean a lot of messy renaming of your internet daemons. But luckily, compiling sshd with libwrap avoids this problem, and sshd can use tcp-wrappers without all that mucking around with tcpd.

Solution: Edit Makefile and set the variable REAL_DAEMON_DIR to match the location of your existing tcpd.
Then edit the file percent_m.c and change

extern char *sys_errlist[];

to

extern __const char *__const sys_errlist[];

Edit the file scaffold.c and remove line 28 where it says

extern char *malloc();

make
make install
If "make install" doesn't work, do the following:
copy tcpd.h to /usr/local/include/
copy tcpd to /usr/sbin/
copy libwrap.a to /usr/local/lib/
make sure /usr/local/lib is in your /etc/ld.so.conf file
ldconfig

Patch OpenSSH to fix hang-on-exit bug (Optional)

Note: this problem seems to have finally been fixed, and it is no longer necessary to patch openssh. This information applies to earlier versions.
The ssh client in OpenSSH hangs if a command is started in background. For example, if you use nohup to start a batch file while you're logged in over ssh, the ssh client will hang when you logout, and must be killed manually. The solution involves editing two files in the OpenSSH source code before installing.

File 1: clientloop.c
In the file clientloop.c near line 1192, in the function client_input_channel_req after the line

success = 1;

add the line

quit_pending=1;

Here is a patch file:

--- clientloop.c.bak Sun Feb 16 14:58:30 2003 +++ clientloop.c Sun Feb 16 14:58:37 2003 @@ -1214,6 +1214,7 @@ } else if (strcmp(rtype, "exit-status") == 0) { success = 1; exit_status = packet_get_int(); +quit_pending=1; packet_check_eom(); } if (reply) {

File 2: session.c
The clientloop.c fix solves some cases of ssh hanging, and allows ssh to exit cleanly for nohup'ed processes. However, in most cases it's also necessary to modify session.c as described by Jani Jaakkola:

--- session.c.bak Sun Feb 16 21:22:20 2003 +++ session.c Sun Feb 16 21:27:44 2003 @@ -1705,6 +1705,21 @@ debug("session_exit_message: session %d channel %d pid %d", s->self, s->chanid, s->pid); + + /* Add hang-on-exit bug workaround */ + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) { + fd_set dummy_read, dummy_write; + FD_ZERO(&dummy_read); + FD_SET(s->ttyfd,&dummy_read); + FD_ZERO(&dummy_write); + channel_after_select(&dummy_read,&dummy_write); + verbose("hang-on-exit-workaround applied"); + chan_read_failed(c); + } + + if (WIFEXITED(status)) { channel_request_start(s->chanid, "exit-status", 0); packet_put_int(WEXITSTATUS(status));

Patch #2 - Add delay after unsuccessful login (Optional)

This patch adds a delay after unsuccessful login. This makes it inconvenient for attackers to send dictionary lists of common passwords, because it slows their dictionary attack down by a factor of 1000 or more. (Notice that it will not affect attackers who try only a single password per user).

File 1: auth2.c
In function input_userauth_request(), change:

debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);

to

debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); if(authctxt->failures > 2) sleep(10);

Patch #3 - Add delay before getting password (Optional)

This patch adds a delay before any login, making it inconvenient for attackers to send dictionary lists of common passwords. The idea was from this site.

In file auth-passwd.c, add a sleep() function near the beginning of the auth_passwd() function, right after the declarations, like so:

int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; int result, ok = authctxt->valid; #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) static int expire_checked = 0; #endif /* Password authentication delay */ sleep(4);

Compile and install OpenSSH

In the OpenSSH directory, type

./configure --prefix=/usr

or

./configure --prefix=/usr --with-tcp-wrappers

then

make su make install

Restart sshd, samba, and apache; otherwise these and possibly other applications may crash silently.

cd /etc/rc.d ./apache restart ./sshd restart ./smb restart

Note: sshd sometimes tries to restart before the port is closed, giving "failed" message. In this case, use the commands:

./sshd stop ./sshd start

Edit sshd_config and ssh_config as needed. Be sure to edit the correct sshd_config. This file could be in /etc, /usr/etc/, /etc/ssh, and in a variety of other places. If you're using PAM, edit /etc/pam.d/sshd as well.

Problems

1. If 'configure' can't find ssl, change the configure command to:

   ./configure --prefix=/usr --with-ssl-dir=\ /usr/local/ssl --with-tcp-wrappers

2. Sometimes compilation of openssh bombs out with the following error messages:

   sshd.c:1660: error: storage size of req isn't known sshd.c:1663: warning: implicit declaration of function fromhost sshd.c:1660: warning: unused variable req

3. Another frequent problem is that configure bombs out with the message:

   configure: error: Your OpenSSL headers do not match your library

   The easiest solution is to go to your openssl directory and type:

   make install cd include/openssl cp * /usr/include/openssl/ cp * /usr/local/ssl/include/openssl/

   Compile openssh, using the following command line, and substitute the appropriate path after --with-ssl-dir :

   ./configure --prefix=/usr --with-tcp-wrappers \ --with-ssl-dir=/usr/local/ssl make make install

4. If it says:

   Connecting to carbon... OpenSSL version mismatch. Built against 90603f, you have 90607f Couldn't read packet: Connection reset by peer

   Get rid of your old libcrypto libraries in /usr/lib and rerun ldconfig:

   cd /usr/local/ssl/lib cp * /usr/lib/ ldconfig

   Then rebuild and reinstall openssh (make clean; make; make install), and restart sshd.
5. Sometimes ssh has the following connection problem:
   On client

   Request for subsystem 'sftp' failed on channel 0 Couldn't read packet: Connection reset by peer

   On server

   sshd[7079]: Accepted password for tjnelson from 63.127.146.196 port 32777 ssh2 sshd[7079]: subsystem request for sftp sshd[7079]: error: subsystem: cannot stat /usr/local/libexec/sftp-server: No such file or directory sshd[7079]: subsystem request for sftp failed, subsystem not found

   To solve this problem, do the following:
   Edit /etc/ssh/sshd_config and add:

   Subsystem sftp /usr/local/libexec/sftp-server Protocol 2

   Create /usr/libexec and make a link to sftp-server. For some reason sshd sometimes looks there instead of the path specified in its configuration file.

   mkdir /usr/libexec cd /usr/libexec ln -s /usr/lib/ssh/sftp-server sftp-server

   Stop and start sshd (don't restart, because the port takes a while to close).

   cd /etc/rc.d ./sshd stop ./sshd restart

6. If it says:

   checking for socklen_t equivalent... configure: error: Cannot find a type to use in place of socklen_t

   this means your computer is totally screwed, and you should take it out back and shoot it.
7. If it says:

   sshd re-exec requires execution with an absolute path

   The startup script needs to be modified to include the full path of sshd.
8. If it says:

   Permission denied (publickey,keyboard-interactive).

   This can happen after an upgrade when you change from PAM to password authentication. Edit /etc/ssh/sshd_conf and change PasswordAuthentication to yes.

Warning about sftp:
The sftp program doesn't check whether the file is transferred correctly. If it is not possible to create the file at the remote destination, sftp may silently fail to transfer the file.

---

Back