Where possible, I'm currently using:

mkencap -bv package.ep
sudo mkencap -bvI package.ep

See here for recent .ep files. The following information is just slightly more than historical.

Prereqs

Linux: must have /etc/pam.d/sshd installed:

#%PAM-1.0
auth       required     /lib/security/pam_unix.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix.so shadow nullok use_authtok
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_limits.so

Build steps

Actually, most things are currently using v3.7.1p2, and their build information is in /usr/local/encap/openssh-3.7.1p2/openssh-3.7.1p2.ep.

Linux

./configure --prefix=/usr/local/encap/openssh-3.6.1p2 \
    --with-privsep-path=/usr/local/var/empty --with-pam \
    --with-privsep-user=nobody

Followed the same general tricks as the file servers, except I also linked to the standard config files. Look in the README file in the old encap.

Solaris

./configure --prefix=/usr/local/encap/openssh-3.5p1 \
    --with-pam --with-privsep-path=/Common/shared/ssh/privsep \
    --with-prngd-socket=/dev/entropy --with-mantype=man

File servers (more stand-alone)

./configure --prefix=/usr/local/encap/openssh-3.5p1s \
    --with-privsep-path=/usr/local/var/empty \
    --with-privsep-user=nobody \
    --with-pam --with-prngd-socket=/dev/entropy --with-mantype=man

IRIX

./configure --prefix=/usr/local/encap/openssh-3.5p1 \
    --with-prngd-socket=/dev/entropy

AIX

./configure --prefix=/usr/local/encap/openssh-3.5p1 \
    --with-privsep-path=/Common/shared/ssh/privsep \
    --with-prngd-socket=/dev/entropy

For post-install (as root)

cd /usr/local/encap/openssh-3.5p1s
chmod a+s bin/ssh
mkdir var var/empty
cd etc; rm *key*
for i in _dsa_key _rsa_key _key
do
  ln -s /etc/ssh_host$i .
  ln -s /etc/ssh_host$i.pub .
done
# [make a preinstall script to make /etc/ssh*]
cd ../..; gtar -czf /tmp/openssh_server.tgz openssh-3.5p1s

Then copy this to the file servers. You probably want to remove it from the regular trees if possible.
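
The post-install layout above can be checked before the tarball is copied out. The following is an added example, not part of the original notes: check_privsep_dir and check_host_keys are hypothetical helper names, and the rules they apply (privilege-separation directory empty, root-owned and not group- or world-writable; private host keys with no group/other access) are what sshd expects rather than something these notes state.

```shell
#!/bin/sh
# Added example (not from the original notes). Helper names are hypothetical.

# check_privsep_dir DIR [UID]: DIR must exist, be empty, be owned by UID
# (default 0 = root) and not be group- or world-writable.
check_privsep_dir() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "not empty: $dir" >&2; return 1; }
    mode=$(ls -ldn "$dir" | awk '{print $1}')   # e.g. drwxr-xr-x
    uid=$(ls -ldn "$dir" | awk '{print $3}')    # numeric owner
    [ "$uid" = "$want_uid" ] || { echo "uid $uid owns $dir" >&2; return 1; }
    case $mode in
        d????w*|d???????w*) echo "group/world-writable: $dir" >&2; return 1 ;;
    esac
    return 0
}

# check_host_keys ETCDIR: each ssh_host*_key link created by the loop above
# must resolve to a real file, and the private key it points at must grant
# nothing to group or other (mode string -???------).
check_host_keys() {
    rc=0
    for i in _dsa_key _rsa_key _key; do
        key=$1/ssh_host$i
        # -f follows symlinks, so a dangling link fails here
        if [ ! -f "$key" ] || [ ! -f "$key.pub" ]; then
            echo "dangling or missing: $key(.pub)" >&2; rc=1; continue
        fi
        mode=$(ls -lLn "$key" | awk '{print $1}')   # -L: mode of the target
        case $mode in
            -???------*) ;;
            *) echo "private key too permissive: $key ($mode)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (as root), with the paths from the steps above:
#   check_privsep_dir /usr/local/encap/openssh-3.5p1s/var/empty &&
#   check_host_keys   /usr/local/encap/openssh-3.5p1s/etc
```
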

More Post-Install Steps

VERSION=3.5p1

cd /usr/local/encap/openssh-$VERSION/etc
for i in ssh_config sshd_config
do
  mv $i $i.bak
  ln -s /Common/shared/ssh/$i .
done
ln -s /Common/shared/ssh/ssh_known_hosts* .

Notes

  • The /Common/shared/ssh bit wasn't all that good. I like the /usr/local/var/empty method much more; it keeps things more self-contained.
