
Installing the NCAC OpenSSH dist on IRIX

This guide covers installing the OpenSSH distribution I have compiled for IRIX on your SGI workstation. (This draft is terse and assumes an intermediate level of IRIX experience.)
There is a dependency on the ifl_eoe.sw.c++ subsystem. It is the most convenient place to get the zlib compression shared library, but it is not installed by default on systems. To check for the subsystem:
showprods -3s ifl_eoe.sw.c++
If the subsystem is installed, its name is returned; if nothing is returned, you need to install it before continuing.

Because of a bug in the zlib compression library distributed with all versions of IRIX before 6.5.16, the minimum IRIX version supported by my OpenSSH distribution is 6.5.16.

The latest version of my OpenSSH distribution is statically linked against openssl-0.9.6e and includes the prngd-0.9.26 "Pseudo Random Number Generator Daemon." Optionally, the keychain-1.9 script, which makes using ssh-agent much easier, can be installed. keychain also installs the procmail lockfile program for reliable file locking if several keychain instances are run at the same time.

As root, install the software distribution:

inst -f http://crash.ncac.gwu.edu/jason/dist/openssh.tardist

Optionally, to start the secure shell daemon, add these lines to /etc/init.d/network.local:

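if test -x /usr/sbin/prngd; then
    # Start the entropy daemon first; OpenSSH takes its randomness from /dev/egd-pool.
    /usr/sbin/prngd /dev/egd-pool
    # No RSA host key yet: wait, then generate one before starting sshd.
    if [ ! -f /etc/ssh/ssh_host_rsa_key ] ; then
        /sbin/sleep 90
        /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    fi
    /usr/sbin/sshd | logger -t sshd
fi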
and to stop the daemon:
if test -x /usr/sbin/prngd; then
    /usr/bin/kill `/sbin/cat /etc/ssh/sshd.pid`
    /usr/sbin/prngd --kill /dev/egd-pool
fi
Since OpenSSH was compiled to use entropy from a random number device, it is important to start prngd first. If there is no RSA host key, then one must be generated before starting the daemon.
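
The checks this guide depends on (the ifl_eoe.sw.c++ subsystem, IRIX 6.5.16 or later, and an RSA host key in place), gathered into one script as an added example that is not part of the distribution described here. It assumes `uname -R` prints the maintenance release as its last field (for example "6.5 6.5.16m") and additionally checks that the host key is not accessible to group or other; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the NCAC distribution). Function names are hypothetical.

# ver_ge CUR MIN: true if dotted version CUR >= MIN, compared field by field
# as numbers (so 6.5.9 < 6.5.16). Suffix letters such as "m" or "f" are dropped.
ver_ge() {
    cur=`echo "$1" | sed 's/[^0-9.]//g'`
    min=`echo "$2" | sed 's/[^0-9.]//g'`
    i=1
    while [ $i -le 3 ]; do
        c=`echo "$cur" | cut -d. -f$i`; m=`echo "$min" | cut -d. -f$i`
        if [ "${c:-0}" -gt "${m:-0}" ]; then return 0; fi
        if [ "${c:-0}" -lt "${m:-0}" ]; then return 1; fi
        i=`expr $i + 1`
    done
    return 0
}

# irix_release_ok "<uname -R output>". Assumption: the last field is the
# maintenance release, e.g. "6.5 6.5.16m"; a bare "6.5" counts as too old.
irix_release_ok() {
    rel=`echo "$1" | awk '{print $NF}'`
    ver_ge "$rel" 6.5.16
}

# subsystem_ok "<showprods -3s ifl_eoe.sw.c++ output>": empty means not installed.
subsystem_ok() {
    [ -n "$1" ]
}

# hostkey_ok PATH: the key exists and group/other have no access to it.
hostkey_ok() {
    [ -f "$1" ] || return 1
    perms=`ls -l "$1" | cut -c5-10`
    [ "$perms" = "------" ]
}

# preflight UNAME_R SHOWPRODS_OUT HOSTKEY: report each problem, return the count.
preflight() {
    fail=0
    irix_release_ok "$1" || { echo "IRIX is older than 6.5.16 (zlib bug)"; fail=`expr $fail + 1`; }
    subsystem_ok "$2" || { echo "ifl_eoe.sw.c++ is not installed"; fail=`expr $fail + 1`; }
    hostkey_ok "$3" || { echo "$3 is missing or accessible to group/other"; fail=`expr $fail + 1`; }
    return $fail
}

# Run for real only on the IRIX host; elsewhere the functions are just defined.
case "`uname -s`" in
IRIX*) preflight "`uname -R`" "`showprods -3s ifl_eoe.sw.c++`" /etc/ssh/ssh_host_rsa_key ;;
esac
```
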

Edit /etc/ssh/sshd_config to suit your needs. Here is a fairly paranoid configuration for IRIX.

I do not use rhosts-rsa authentication or hostbased authentication and so I do not have the ssh binary setuid root bit set. The distribution was compiled --without-rsh.

Keychain script
To use keychain when you create a new shell, add the following to your .login:

# Start ssh-agent when needed or ForwardAgent no, quiet when non interactive.
if ( $?SSH_AUTH_SOCK == 0 ) then
    if ( -x /usr/bin/keychain ) then
        /usr/bin/keychain $QUIET ~/.ssh/id_rsa
        source ~/.ssh-agent-csh-`uname -n`
    endif
endif
And to use that $QUIET feature, append
set QUIET=""
to the commands run in the ENVONLY check in your .cshrc.

Security comments

Additional
PGP DH vs. RSA FAQ

Other resources
OpenSSH
OpenSSL
Keychain