Building the OpenSSH package is a relatively complex job. The following details how it can be done.
It should be noted that this example was prepared using
Actually building OpenSSH is simple; I just used the following:
% ./configure
% make
The above does assume that you want OpenSSH installed in its default location and that you have various supporting systems like OpenSSL installed in their default locations; i.e. under the /usr/local tree.
Once the actual software is ready we can start the work required to package it for installation. In doing this we will run build-pkg twice and make changes to the package in between runs.
To create the initial package we run the following:
% build-pkg make install-nokeys
After we answer a number of questions about the package, this builds a package and places it in the directory InstallPackage. We ignore this package; we only ran build-pkg so that the InstallPackage/build directory would be populated with the OpenSSH installation.
The first thing we do is prepare a number of package control scripts and files. These include the following which are placed in the InstallPackage directory.
- depend - place a dependency on other packages
- postinstall - Script run after package installation
- preremove - Script run before package removal
- postremove - Script run after package removal
depend - place a dependency on other packages
This is a simple file (see depend(4) for details) which lists any packages, patches, etc. that the package may depend on or conflict with. In this case it contains:
P OpenSSL SSL access libraries
P PRNGD Pseudo Random Number Generator Daemon
I SUNWsshu Sun supplied SSH daemon
I SUNWsshdu Sun supplied SSH daemon
The "P" refers to a package which is a pre-condition of installation; i.e. the packages OpenSSL and PRNGD have to exist for the package to be installed. By using this you also ensure that if someone tries to remove one of the packages this package depends on they will get a warning to that effect.
The "I" refers to a package which conflicts with the package; i.e. that package should not be installed for the successful addition of the package. In this case we have the package installation fail if the Sun provided SSH daemon is present on the system; this is the case if you are running Solaris 9.
A copy of this file is available here: depend.
postinstall - Script run after package installation
This script is run after package installation and will do the following tasks:
Re-build the manual page index (windex) for the /usr/local/man tree
Copy configuration files (ssh_config and sshd_config) into place. We alter the installation of ssh under the InstallPackage/build tree in a later step so that these files are installed by the package into /usr/local/etc as ssh_config.sample and sshd_config.sample.
If the script sees that copies of ssh_config and sshd_config are already in place then it will not copy over the new sample files. Instead it runs diff across them so that the sysadmin performing the installation can adjust their OpenSSH configuration as required.
If the host keys do not exist it creates them. In this case we generate three separate host keys:
- /usr/local/etc/ssh_host_key - RSA1
- /usr/local/etc/ssh_dsa_host_key - DSA
- /usr/local/etc/ssh_rsa_host_key - RSA
We then do work so that sshd can use its new privilege separation system. To this end the script does the following:
- If it does not exist, adds a group called sshd to the system
- If it does not exist, adds a user called sshd to the system with a primary group of sshd, a home directory of /var/empty and a shell of /bin/false
- Lock the password of the sshd user
Start up the sshd daemon by running:
/usr/local/startup/openssh start
A copy of this script is available here: postinstall.
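The configuration-preserving copy and the privilege separation account steps described above can be sketched as follows. This is an added example, not the postinstall script linked from this page; the function names and the DRY_RUN switch are assumptions of the sketch, and it assumes getent, groupadd, useradd and passwd are on the PATH.

```shell
#!/bin/sh
# Added illustration of two postinstall steps; not the page's own script.
# DRY_RUN=1 (an assumption of this sketch) prints the account commands
# instead of executing them, so the logic can be checked without root.

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Copy NAME.sample to NAME only when NAME is absent; otherwise leave the
# live file alone and show the differences for the sysadmin to merge.
place_config() {
    etc=$1
    name=$2
    if [ -f "$etc/$name" ]; then
        echo "$etc/$name exists; differences from $name.sample:"
        diff "$etc/$name" "$etc/$name.sample" || true
    else
        cp "$etc/$name.sample" "$etc/$name"
    fi
}

# Create the privilege separation group and user only if they are missing,
# then lock the account's password so it cannot be used to log in.
ensure_privsep_account() {
    acct=$1
    getent group "$acct" >/dev/null 2>&1 || run groupadd "$acct"
    getent passwd "$acct" >/dev/null 2>&1 ||
        run useradd -g "$acct" -d /var/empty -s /bin/false "$acct"
    run passwd -l "$acct"
}

# In a real postinstall (run as root by pkgadd) the calls would be:
#   for f in ssh_config sshd_config; do place_config /usr/local/etc "$f"; done
#   ensure_privsep_account sshd
```

Because the existence checks come first, running the script again during an upgrade neither overwrites an edited sshd_config nor fails on an sshd account that is already present.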
preremove - Script run before package removal
This script is run before a package is removed from the system via pkgrm. The only action this script performs is to stop the sshd if it is running by running:
/usr/local/startup/openssh stop
A copy of this script is available here: preremove.
postremove - Script run after package removal
This script is run after a package has been removed from the system via pkgrm. This script performs the following actions:
- Re-build the manual page index (windex) for the /usr/local/man tree
- Remove the sshd user
- Remove the sshd group
Note that this script does not remove the host keys for the machine or the configuration files held under /usr/local/etc. This is mainly due to the way I deal with upgrading software. First I pkgrm the old version and then pkgadd the new version. As a result I'll often want to leave the configuration files for the package in place.
A copy of this script is available here: postremove.
The following is work done within the InstallPackage/build tree which is where the OpenSSH installation has been placed. By manipulating the contents of this tree and running build-pkg again you can easily affect the contents of the package.
The following assumes that you are in the openssh-3.4p1 directory and that you have a suitable startup/shutdown script for Solaris called openssh.rc in this directory.
A copy of this script is available here: openssh.rc.
The work done is as follows:
Set a suitable umask
Rename the configuration files ssh_config and sshd_config so that the text .sample is appended to their names.
Ensure the /var/empty directory is owned by root:sys and has a mode of 0755
Create the /usr/local/startup directory and place the startup/shutdown script mentioned above into it
Create the required startup (/etc/rc3.d) and shutdown (/etc/rc0.d) directories and create links as required from there to the startup/shutdown script in /usr/local/startup
The code to do this is as follows. You will need to run the following commands as the root user. The command prompt (i.e. a #) which would normally be prepended to the below has been removed to aid in cut&paste operations.
umask 022
(cd InstallPackage/build/usr/local/etc ; mv sshd_config sshd_config.sample)
(cd InstallPackage/build/usr/local/etc ; mv ssh_config ssh_config.sample)
chown root:sys InstallPackage/build/var/empty
chmod 0755 InstallPackage/build/var/empty
mkdir InstallPackage/build/usr/local/startup
cp openssh.rc InstallPackage/build/usr/local/startup/openssh
chmod 755 InstallPackage/build/usr/local/startup/openssh
mkdir -p InstallPackage/build/etc/rc0.d
mkdir -p InstallPackage/build/etc/rc3.d
ln -s /usr/local/startup/openssh InstallPackage/build/etc/rc0.d/K01openssh
ln -s /usr/local/startup/openssh InstallPackage/build/etc/rc3.d/S20openssh
The final package is ready for creation; this can be done by running the following command:
build-pkg
And the OpenSSH package will be available in the directory InstallPackage.
| © Simes |