SUMMARY: Sun Crypto cards and compiling SSH

Thanks to all who responded.  This is a tough one, and ultimately
unsatisfying, in that we don't really know if we are using the cards or if
SSL has reverted to internal entropy gathering.  We're actually going to
look into commercial SSH support.  It seems clear that we're not the only
ones who don't really understand this!  We're also going to experiment with
building OpenSSH using the SSL that shipped from Sun with the cards.
Anyway, here's what we did:

--Must use an "engine" version of OpenSSL 0.9.6. We used 0.9.6c

--During OpenSSH configuration, we used the option --with-libs=-ldl (ell,
dee, ell). This seemed to be necessary with the "engine" versions of OpenSSL
to prevent complaints about symbol reference errors between libcrypto.a and
/usr/lib/libdl.so.1

--We also found it useful to make sure libcrypto.a and libssl.a are in
/usr/local/lib and that openssl header files are in
/usr/local/include/openssl, even if they were originally installed in
alternate locations. (Setting PATH variables and appropriate compiler flags
didn't seem to do the trick.)

--We made sure to have the Sun-tailored TCP wrappers with IPV6 support in
place as /usr/local/lib/libwrap.a and /usr/local/include/tcpd.h

--The Sun-provided GNU "strip" and OpenSSH don't seem to play nice together
on Sun boxes. We'd seen this occasionally on Ultras running Solaris 7 as
well (though others with theoretically-identical configurations had built
fine). So in the "install-files" section of the Makefile, we took any
instances of the -s option to ginstall out of lines like this:

        $(INSTALL) -m $(SSH_MODE) ssh $(DESTDIR)$(bindir)/ssh
        $(INSTALL) -m 0755 scp $(DESTDIR)$(bindir)/scp

We are far from expert at tweaking installations and there may be much more
elegant ways to solve all these problems, but this functioned for us.

Eric

************************************
Eric P. Watson
Supervisor of System Administration
  Services
Harvard Law School 617-496-6518
************************************