Problems with OpenSSH compile/run on Solaris 8 (was: sshd does not start)

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Tue Mar 4 06:25:18 EST 2003 

Joyce--

> I did not install /www/gzip.org/zlib because I assumed that I 
> probably have that, since I have gunzip....

gunzip being present doesn't usually mean that zlib is present,
but you might actually have zlib.  Look for a libz.a in
/usr/local/lib (or appropriate other directory structure
depending on where gunzip is on your system...)

> Openssh compiled but I kept receiving warnings that I do not 
> have a random generator.

Separate issue.  For Solaris 8/SPARC you really need to install
patch 112438-01 which provides /dev/random, and ensure that
your OpenSSL installation is using it.  (That patch is labeled
as security-relevant by Sun, but is still *not* included in the Sun
recommended patch cluster as of last week--it should be installed
on any Solaris 8 box that will ever use OpenSSL or OpenSSH.)
Alternatively you could use PRNGd.  Feel free to contact me offlist
for more info on either.

> After the make install,  I did a ps -ef|grep sshd, but sshd 
> was not running.
> 
> I typed ssh hostname
> and I received the error:
> ssh: connect to host...port 22: connection refused

No surprise; you already said that sshd wasn't running, so there
was no daemon there to accept the connection.

> I tried to start sshd daemon manually:
> /usr/local/sbin/sshd
> I received the error:
> Privilege separtaion user sshd does not exist.
> 
 [[Additional diagnostics deleted]]

> Any help would be greatly appreciated.
> Is the problem that I do not have zlib installed?

Nope, you need to create the sshd privilege separation user just
like the documentation says or disable privilege separation.  The
good news is that neither the lack of zlib nor the lack of
/dev/random apparently kept things from compiling--I'm a little
surprised and I'd still recommend that you go back and
install zlib, install the Solaris /dev/random patch, and
ensure OpenSSL is using the new /dev/random.

Since you're on a PAM-aware platform and to my knowledge there
are still issues with some of the PAM calls needing to be run
with full root privileges, you might consider disabling privilege
separation (in sshd_config, look for PrivilegeSeparation and
ensure you have
UsePrivilegeSeparation no
on that line).  Even without the privsep user, you should then
be able to start sshd.  To make the debugging a little easier,
I then recommend you start sshd with
  sshd -d
(which will cause it to run in debugging mode tied to a terminal,
instead of going into the background)
and then switch to a different virtual terminal and run
  ssh -v hostname
so that both the daemon and client parts are running in the
verbose/debugging mode.

Good luck and feel free to contact me offlist if you need more
help--I'm in the local area.

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security   |   http://www.brainbench.com

More information about the openssh-unix-dev mailing list