Thanks to all who responded. This is a tough one, and ultimately unsatisfying, in that we don't really know if we are using the cards or if SSL has reverted to internal entropy gathering. We're actually going to look into commercial SSH support. It seems clear that we're not the only ones who don't really understand this! We're also going to experiment with building OpenSSH using the SSL that shipped from Sun with the cards.

Anyway, here's what we did:

--Must use an "engine" version of OpenSSL 0.9.6. We used 0.9.6c

--During OpenSSH configuration, we used the option --with-libs=-ldl (ell, dee, ell). This seemed to be necessary with the "engine" versions of OpenSSL to prevent complaints about symbol reference errors between libcrypto.a and /usr/lib/libdl.so.1

--We also found it useful to make sure libcrypto.a and libssl.a are in /usr/local/lib and that openssl header files are in /usr/local/include/openssl, even if they were originally installed in alternate locations. (Setting PATH variables and appropriate compiler flags didn't seem to do the trick.)

--We made sure to have the Sun-tailored TCP wrappers with IPV6 support in place as /usr/local/lib/libwrap.a and /usr/local/include/tcpd.h

--The Sun-provided GNU "strip" and OpenSSH don't seem to play nice together on Sun boxes. We'd seen this occasionally on Ultras running Solaris 7 as well (though others with theoretically-identical configurations had built fine). So in the "install-files" section of the Makefile, we took any instances of the -s option to ginstall out of lines like this:

    $(INSTALL) -m $(SSH_MODE) ssh $(DESTDIR)$(bindir)/ssh
    $(INSTALL) -m 0755 scp $(DESTDIR)$(bindir)/scp

We are far from expert at tweaking installations and there may be much more elegant ways to solve all these problems, but this functioned for us.

Eric

************************************
Eric P. Watson
Supervisor of System Administration Services
Harvard Law School
617-496-6518
************************************

Received on Mon Jun 24 16:41:46 2002
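The Makefile edit described in the last step of the post, as an added example that is not part of the original message: it removes -s from $(INSTALL) lines in the install-files target only, leaving other targets alone. The function names and the sample Makefile are constructed for illustration, and it assumes -s appears as a standalone word on the command line.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads a Makefile on stdin and writes it to stdout with the strip flag
# (-s) removed from $(INSTALL) lines inside the install-files target.
remove_install_strip() {
    awk '
        # A line starting with a target name and a colon opens a new target.
        /^[A-Za-z0-9_.-]+[ \t]*:/ {
            in_target = ($0 ~ /^install-files[ \t]*:/)
        }
        # Recipe lines start with a tab; only touch $(INSTALL) commands.
        in_target && /^\t/ && /\$\(INSTALL\)/ {
            gsub(/[ \t]+-s[ \t]+/, " ")
        }
        { print }
    '
}

# Constructed sample input (hypothetical, shaped like the lines in the post).
sample_makefile() {
    printf 'install: install-files\n'
    printf 'install-files:\n'
    printf '\t$(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh\n'
    printf '\t$(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp\n'
    printf '\t$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/ssh.1\n'
    printf 'other-target:\n'
    printf '\t$(INSTALL) -m 0755 -s tool $(DESTDIR)$(bindir)/tool\n'
}

# Show the edited Makefile; the other-target line keeps its -s.
sample_makefile | remove_install_strip
```

Run it against a copy of the generated Makefile and diff the result before replacing the original.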