Context Navigation

openssh-systemd.xml@ 932240d

Visit:

7.6-blfs 7.6-systemd kde5-14269 kde5-14686 systemd-13485

Last change on this file since 932240d was 932240d, checked in by Krejzi <krejzi@…>, 10 years ago

More systemd integration.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@13502 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 18.7 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
11	<!ENTITY openssh-md5sum "3e9800e6bca1fbac0eea4d41baa7f239">
12	<!ENTITY openssh-size "1.3 MB">
13	<!ENTITY openssh-buildsize "32 MB (additional 2 MB if running the tests)">
14	<!ENTITY openssh-time "0.5 SBU (running the tests takes at least 10
15	minutes, irrespective of processor speed)">
16	]>
17
18	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
19	<?dbhtml filename="openssh.html"?>
20
21	<sect1info>
22	<othername>$LastChangedBy$</othername>
23	<date>$Date$</date>
24	</sect1info>
25
26	<title>OpenSSH-&openssh-version;</title>
27
28	<indexterm zone="openssh">
29	<primary sortas="a-OpenSSH">OpenSSH</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to OpenSSH</title>
34
35	<para>
36	The <application>OpenSSH</application> package contains
37	<command>ssh</command> clients and the <command>sshd</command> daemon. This
38	is useful for encrypting authentication and subsequent traffic over a
39	network. The <command>ssh</command> and <command>scp</command> commands are
40	secure implementions of <command>telnet</command> and <command>rcp</command>
41	respectively.
42	</para>
43
44	&lfs75_checked;
45
46	<bridgehead renderas="sect3">Package Information</bridgehead>
47	<itemizedlist spacing="compact">
48	<listitem>
49	<para>
50	Download (HTTP): <ulink url="&openssh-download-http;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download (FTP): <ulink url="&openssh-download-ftp;"/>
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download MD5 sum: &openssh-md5sum;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Download size: &openssh-size;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated disk space required: &openssh-buildsize;
71	</para>
72	</listitem>
73	<listitem>
74	<para>
75	Estimated build time: &openssh-time;
76	</para>
77	</listitem>
78	</itemizedlist>
79
80	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
81
82	<bridgehead renderas="sect4">Required</bridgehead>
83	<para role="required"><xref linkend="openssl"/></para>
84
85	<bridgehead renderas="sect4">Optional</bridgehead>
86	<para role="optional">
87	<xref linkend="linux-pam"/>,
88	<xref linkend="x-window-system"/>,
89	<xref linkend="mitkrb"/>,
90	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
91	<ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
92	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
93	</para>
94
95	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
96	<para role="optional">
97	<xref linkend="openjdk"/>,
98	<xref linkend="net-tools"/>, and
99	<xref linkend="sysstat"/>.
100	</para>
101
102	<para condition="html" role="usernotes">
103	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
104	</para>
105	</sect2>
106
107	<sect2 role="installation">
108	<title>Installation of OpenSSH</title>
109
110	<para>
111	<application>OpenSSH</application> runs as two processes when connecting
112	to other computers. The first process is a privileged process and controls
113	the issuance of privileges as necessary. The second process communicates
114	with the network. Additional installation steps are necessary to set up
115	the proper environment, which are performed by issuing the following
116	commands as the <systemitem class="username">root</systemitem> user:
117	</para>
118
119	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
120	chown -v root:sys /var/lib/sshd &&
121
122	groupadd -g 50 sshd &&
123	useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd</userinput></screen>
124
125	<para>
126	Install <application>OpenSSH</application> by running the following
127	commands:
128	</para>
129
130	<screen><userinput>./configure --prefix=/usr \
131	--sysconfdir=/etc/ssh \
132	--with-md5-passwords \
133	--with-privsep-path=/var/lib/sshd &&
134	make</userinput></screen>
135
136	<para>
137	The testsuite requires an installed copy of <command>scp</command> to
138	complete the multiplexing tests. To run the test suite, first copy the
139	<command>scp</command> program to
140	<filename class="directory">/usr/bin</filename>, making sure that you
141	back up any existing copy first.
142	</para>
143
144	<para>
145	To test the results, issue: <command>make tests</command>.
146	</para>
147
148	<!-- commenting this, I get "all tests passed" [ ken ]
149	NB tests should be run as _user_ but the role in the comment is root
150
151	commenting [ bruce ]: There are a couple of tests that want root.
152	The log mentions that SUDO is not set. These skipped tests are
153	ignored and the end says 'all tests passed' even when not root
154
155	<para>
156	To run the test suite, issue the following commands:
157	</para>
158
159	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
160	grep FATAL check.log</userinput></screen>
161
162	<para>
163	If the above command produces no 'FATAL' errors, then proceed with the
164	installation, as the <systemitem class="username">root</systemitem> user:
165	</para>-->
166	<para>
167	Now, as the <systemitem class="username">root</systemitem> user:
168	</para>
169
170	<screen role="root"><userinput>make install &&
171	install -v -m755 contrib/ssh-copy-id /usr/bin &&
172	install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
173	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
174	install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-&openssh-version;</userinput></screen>
175	</sect2>
176
177	<sect2 role="commands">
178	<title>Command Explanations</title>
179
180	<para>
181	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
182	configuration files from being installed in
183	<filename class="directory">/usr/etc</filename>.
184	</para>
185
186	<para>
187	<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
188	passwords.
189	</para>
190
191	<para>
192	<parameter>--with-pam</parameter>: This parameter enables
193	<application>Linux-PAM</application> support in the build.
194	</para>
195
196	<para>
197	<parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
198	location for the <command>xauth</command> binary for X authentication.
199	Change the location if <command>xauth</command> will be installed to a
200	different path. This can also be controlled from
201	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
202	omit this switch if <application>Xorg</application> is already installed.
203	</para>
204
205	<para>
206	<parameter>--with-kerberos5=/usr</parameter>: This option is used to
207	include Kerberos 5 support in the build.
208	</para>
209
210	<para>
211	<parameter>--with-libedit</parameter>: This option enables line editing
212	and history features for <command>sftp</command>.
213	</para>
214
215	</sect2>
216
217	<sect2 role="configuration">
218	<title>Configuring OpenSSH</title>
219
220	<sect3 id="openssh-config">
221	<title>Config Files</title>
222
223	<para>
224	<filename>~/.ssh/*</filename>,
225	<filename>/etc/ssh/ssh_config</filename>, and
226	<filename>/etc/ssh/sshd_config</filename>
227	</para>
228
229	<indexterm zone="openssh openssh-config">
230	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
231	</indexterm>
232
233	<indexterm zone="openssh openssh-config">
234	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
235	</indexterm>
236
237	<indexterm zone="openssh openssh-config">
238	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
239	</indexterm>
240
241	<para>
242	There are no required changes to any of these files. However,
243	you may wish to view the
244	<filename class='directory'>/etc/ssh/</filename> files and make any
245	changes appropriate for the security of your system. One recommended
246	change is that you disable
247	<systemitem class='username'>root</systemitem> login via
248	<command>ssh</command>. Execute the following command as the
249	<systemitem class='username'>root</systemitem> user to disable
250	<systemitem class='username'>root</systemitem> login via
251	<command>ssh</command>:
252	</para>
253
254	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
255
256	<para>
257	If you want to be able to log in without typing in your password, first
258	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
259	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
260	~/.ssh/authorized_keys on the remote computer that you want to log into.
261	You'll need to change REMOTE_HOSTNAME for the hostname of the remote
262	computer and you'll also need to enter you password for the ssh command
263	to succeed:
264	</para>
265
266	<screen><userinput>ssh-keygen &&
267	public_key="$(cat ~/.ssh/id_rsa.pub)" &&
268	ssh REMOTE_HOSTNAME "echo ${public_key} >> ~/.ssh/authorized_keys" &&
269	unset public_key</userinput></screen>
270
271	<para>
272	Once you've got passwordless logins working it's actually more secure
273	than logging in with a password (as the private key is much longer than
274	most people's passwords). If you would like to now disable password
275	logins, as the <systemitem class="username">root</systemitem> user:
276	</para>
277
278
279	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
280	echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
281
282	<para>
283	If you added <application>LinuxPAM</application> support and you want
284	ssh to use it then you will need to add a configuration file for
285	<application>sshd</application> and enable use of
286	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
287	passwords, if you've disabled password logins these commands are not
288	needed. If you want to use PAM issue the following commands as the
289	<systemitem class='username'>root</systemitem> user:
290	</para>
291
292	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
293	chmod 644 /etc/pam.d/sshd &&
294	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
295
296	<para>
297	Additional configuration information can be found in the man
298	pages for <command>sshd</command>, <command>ssh</command> and
299	<command>ssh-agent</command>.
300	</para>
301	</sect3>
302
303	<sect3 id="openssh-init">
304	<title>Systemd Units</title>
305
306	<para>
307	To start the <command>sshd</command> daemon at boot,
308	install the systemd units from the <xref linkend="bootscripts"/>
309	package by running the following command as the
310	<systemitem class="username">root</systemitem> user:
311	</para>
312
313	<indexterm zone="openssh openssh-init">
314	<primary sortas="f-sshd">sshd</primary>
315	</indexterm>
316
317	<screen role="root"><userinput>make install-sshd</userinput></screen>
318
319	<note>
320	<para>
321	Note that this package comes with two types of units: A service file and a socket file.
322	The service file will start sshd daemon once at boot and it will keep running until the
323	system shuts down. The socket file will make systemd listen to sshd port (Default 22, needs
324	to be edited for anything else) and will start sshd daemon when something tries to connect
325	to that port and stop the daemon when the connection is terminated. This is
326	called socket activation.
327
328	By default, the first method is used - sshd daemon is started at boot and stopped at shutdown.
329	If the socket method is desired, you need to run as the
330	<systemitem class="username">root</systemitem> user:
331
332	<screen role="root"><userinput>systemctl stop sshd &&
333	systemctl disable sshd &&
334	systemctl enable sshd.socket &&
335	systemctl start sshd.socket</userinput></screen>
336	</para>
337	</note>
338
339	</sect3>
340	</sect2>
341
342	<sect2 role="content">
343	<title>Contents</title>
344
345	<segmentedlist>
346	<segtitle>Installed Programs</segtitle>
347	<segtitle>Installed Libraries</segtitle>
348	<segtitle>Installed Directories</segtitle>
349
350	<seglistitem>
351	<seg>
352	scp, sftp, sftp-server, slogin (symlink to ssh), ssh, sshd, ssh-add,
353	ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, ssh-keysign,
354	and ssh-pkcs11-helper
355	</seg>
356	<seg>
357	None
358	</seg>
359	<seg>
360	/etc/ssh,
361	/usr/libexec/openssh,
362	/usr/share/doc/openssh-&openssh-version;, and
363	/var/lib/sshd
364	</seg>
365	</seglistitem>
366	</segmentedlist>
367
368	<variablelist>
369	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
370	<?dbfo list-presentation="list"?>
371	<?dbhtml list-presentation="table"?>
372
373	<varlistentry id="scp">
374	<term><command>scp</command></term>
375	<listitem>
376	<para>
377	is a file copy program that acts like <command>rcp</command> except
378	it uses an encrypted protocol.
379	</para>
380	<indexterm zone="openssh scp">
381	<primary sortas="b-scp">scp</primary>
382	</indexterm>
383	</listitem>
384	</varlistentry>
385
386	<varlistentry id="sftp">
387	<term><command>sftp</command></term>
388	<listitem>
389	<para>
390	is an FTP-like program that works over the SSH1 and SSH2 protocols.
391	</para>
392	<indexterm zone="openssh sftp">
393	<primary sortas="b-sftp">sftp</primary>
394	</indexterm>
395	</listitem>
396	</varlistentry>
397
398	<varlistentry id="sftp-server">
399	<term><command>sftp-server</command></term>
400	<listitem>
401	<para>
402	is an SFTP server subsystem. This program is not normally called
403	directly by the user.
404	</para>
405	<indexterm zone="openssh sftp-server">
406	<primary sortas="b-sftp-server">sftp-server</primary>
407	</indexterm>
408	</listitem>
409	</varlistentry>
410
411	<varlistentry id="slogin">
412	<term><command>slogin</command></term>
413	<listitem>
414	<para>
415	is a symlink to <command>ssh</command>.
416	</para>
417	<indexterm zone="openssh slogin">
418	<primary sortas="b-slogin">slogin</primary>
419	</indexterm>
420	</listitem>
421	</varlistentry>
422
423	<varlistentry id="ssh">
424	<term><command>ssh</command></term>
425	<listitem>
426	<para>
427	is an <command>rlogin</command>/<command>rsh</command>-like client
428	program except it uses an encrypted protocol.
429	</para>
430	<indexterm zone="openssh ssh">
431	<primary sortas="b-ssh">ssh</primary>
432	</indexterm>
433	</listitem>
434	</varlistentry>
435
436	<varlistentry id="sshd">
437	<term><command>sshd</command></term>
438	<listitem>
439	<para>
440	is a daemon that listens for <command>ssh</command> login requests.
441	</para>
442	<indexterm zone="openssh sshd">
443	<primary sortas="b-sshd">sshd</primary>
444	</indexterm>
445	</listitem>
446	</varlistentry>
447
448	<varlistentry id="ssh-add">
449	<term><command>ssh-add</command></term>
450	<listitem>
451	<para>
452	is a tool which adds keys to the <command>ssh-agent</command>.
453	</para>
454	<indexterm zone="openssh ssh-add">
455	<primary sortas="b-ssh-add">ssh-add</primary>
456	</indexterm>
457	</listitem>
458	</varlistentry>
459
460	<varlistentry id="ssh-agent">
461	<term><command>ssh-agent</command></term>
462	<listitem>
463	<para>
464	is an authentication agent that can store private keys.
465	</para>
466	<indexterm zone="openssh ssh-agent">
467	<primary sortas="b-ssh-agent">ssh-agent</primary>
468	</indexterm>
469	</listitem>
470	</varlistentry>
471
472	<varlistentry id="ssh-copy-id">
473	<term><command>ssh-copy-id</command></term>
474	<listitem>
475	<para>
476	is a script that enables logins on remote machine using local keys.
477	</para>
478	<indexterm zone="openssh ssh-copy-id">
479	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
480	</indexterm>
481	</listitem>
482	</varlistentry>
483
484	<varlistentry id="ssh-keygen">
485	<term><command>ssh-keygen</command></term>
486	<listitem>
487	<para>
488	is a key generation tool.
489	</para>
490	<indexterm zone="openssh ssh-keygen">
491	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
492	</indexterm>
493	</listitem>
494	</varlistentry>
495
496	<varlistentry id="ssh-keyscan">
497	<term><command>ssh-keyscan</command></term>
498	<listitem>
499	<para>
500	is a utility for gathering public host keys from a number of hosts.
501	</para>
502	<indexterm zone="openssh ssh-keyscan">
503	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
504	</indexterm>
505	</listitem>
506	</varlistentry>
507
508	<varlistentry id="ssh-keysign">
509	<term><command>ssh-keysign</command></term>
510	<listitem>
511	<para>
512	is used by <command>ssh</command> to access the local host keys and
513	generate the digital signature required during hostbased
514	authentication with SSH protocol version 2. This program is not
515	normally called directly by the user.
516	</para>
517	<indexterm zone="openssh ssh-keysign">
518	<primary sortas="b-ssh-keysign">ssh-keysign</primary>
519	</indexterm>
520	</listitem>
521	</varlistentry>
522
523	<varlistentry id="ssh-pkcs11-helper">
524	<term><command>ssh-pkcs11-helper</command></term>
525	<listitem>
526	<para>
527	is a <command>ssh-agent</command> helper program for PKCS#11 support.
528	</para>
529	<indexterm zone="openssh ssh-pkcs11-helper">
530	<primary sortas="b-ssh-pkcs11-helper">ssh-pkcs11-helper</primary>
531	</indexterm>
532	</listitem>
533	</varlistentry>
534
535	</variablelist>
536	</sect2>
537	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh-systemd.xml@ 932240d

Download in other formats: