source: postlfs/security/openssh-systemd.xml@ 295ca00

systemd-13485
Last change on this file since 295ca00 was 295ca00, checked in by Douglas R. Reno <renodr@…>, 6 years ago

Update to Sudo-1.8.15 (merged from trunk r16594)
Update to stunnel-5.29 (merged from trunk r16797)
Update to ssh-askpass-4.1p2 (merged from trunk r16811)
Update to p11-kit-0.23.2 (merged from trunk r16716)
Update to OpenSSL-1.0.2e (merged from trunk r16708)
Update to OpenSSH-7.1p2 (merged from trunk r16811)
Update to NSS-3.21 (merged from trunk r16627)
Update to MIT Kerberos V5-1.14 (merged from trunk r16679)
Update to iptables-1.6.0 (merged from trunk r16742)
Update to GPGME-1.6.0 (merged from trunk r16360)
Update to GnuTLS-3.4.8 (merged from trunk r16797)

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@16833 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.3 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
11 <!ENTITY openssh-md5sum "4d8547670e2a220d5ef805ad9e47acf2">
12 <!ENTITY openssh-size "1.5 MB">
13 <!ENTITY openssh-buildsize "43 MB (51 MB with the test suite)">
14 <!ENTITY openssh-time "0.5 SBU (running the tests takes at least 10
15 minutes, irrespective of processor speed)">
16]>
17
18<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
19 <?dbhtml filename="openssh.html"?>
20
21 <sect1info>
22 <othername>$LastChangedBy$</othername>
23 <date>$Date$</date>
24 </sect1info>
25
26 <title>OpenSSH-&openssh-version;</title>
27
28 <indexterm zone="openssh">
29 <primary sortas="a-OpenSSH">OpenSSH</primary>
30 </indexterm>
31
32 <sect2 role="package">
33 <title>Introduction to OpenSSH</title>
34
35 <para>
36 The <application>OpenSSH</application> package contains
37 <command>ssh</command> clients and the <command>sshd</command> daemon. This
38 is useful for encrypting authentication and subsequent traffic over a
39 network. The <command>ssh</command> and <command>scp</command> commands are
40 secure implementions of <command>telnet</command> and <command>rcp</command>
41 respectively.
42 </para>
43
44 &lfs78_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&openssh-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&openssh-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &openssh-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &openssh-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &openssh-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &openssh-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="openssl"/> or
85 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>
86 </para>
87
88 <bridgehead renderas="sect4">Optional</bridgehead>
89 <para role="optional">
90 <xref linkend="linux-pam"/>,
91 <xref linkend="x-window-system"/>,
92 <xref linkend="mitkrb"/>,
93 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
94 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
95 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
96 </para>
97
98 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
99 <para role="optional">
100 <xref linkend="openjdk"/>,
101 <xref linkend="net-tools"/>, and
102 <xref linkend="sysstat"/>
103 </para>
104
105 <para condition="html" role="usernotes">
106 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
107 </para>
108 </sect2>
109
110 <sect2 role="installation">
111 <title>Installation of OpenSSH</title>
112
113 <para>
114 <application>OpenSSH</application> runs as two processes when connecting
115 to other computers. The first process is a privileged process and controls
116 the issuance of privileges as necessary. The second process communicates
117 with the network. Additional installation steps are necessary to set up
118 the proper environment, which are performed by issuing the following
119 commands as the <systemitem class="username">root</systemitem> user:
120 </para>
121
122<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
123chown -v root:sys /var/lib/sshd &amp;&amp;
124
125groupadd -g 50 sshd &amp;&amp;
126useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd</userinput></screen>
127
128 <para>
129 Install <application>OpenSSH</application> by running the following
130 commands:
131 </para>
132
133<screen><userinput>./configure --prefix=/usr \
134 --sysconfdir=/etc/ssh \
135 --with-md5-passwords \
136 --with-privsep-path=/var/lib/sshd &amp;&amp;
137make</userinput></screen>
138
139 <para>
140 The testsuite requires an installed copy of <command>scp</command> to
141 complete the multiplexing tests. To run the test suite, first copy the
142 <command>scp</command> program to
143 <filename class="directory">/usr/bin</filename>, making sure that you
144 back up any existing copy first.
145 </para>
146
147 <para>
148 To test the results, issue: <command>make tests</command>.
149 </para>
150
151<!-- commenting this, I get "all tests passed" [ ken ]
152 NB tests should be run as _user_ but the role in the comment is root
153
154 commenting [ bruce ]: There are a couple of tests that want root.
155 The log mentions that SUDO is not set. These skipped tests are
156 ignored and the end says 'all tests passed' even when not root
157
158 <para>
159 To run the test suite, issue the following commands:
160 </para>
161
162<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
163grep FATAL check.log</userinput></screen>
164
165 <para>
166 If the above command produces no 'FATAL' errors, then proceed with the
167 installation, as the <systemitem class="username">root</systemitem> user:
168 </para>-->
169 <para>
170 Now, as the <systemitem class="username">root</systemitem> user:
171 </para>
172
173<screen role="root"><userinput>make install &amp;&amp;
174install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
175install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &amp;&amp;
176install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
177install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-&openssh-version;</userinput></screen>
178 </sect2>
179
180 <sect2 role="commands">
181 <title>Command Explanations</title>
182
183 <para>
184 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
185 configuration files from being installed in
186 <filename class="directory">/usr/etc</filename>.
187 </para>
188
189 <para>
190 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
191 passwords.
192 </para>
193
194 <para>
195 <parameter>--with-pam</parameter>: This parameter enables
196 <application>Linux-PAM</application> support in the build.
197 </para>
198
199 <para>
200 <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
201 location for the <command>xauth</command> binary for X authentication.
202 Change the location if <command>xauth</command> will be installed to a
203 different path. This can also be controlled from
204 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
205 omit this switch if <application>Xorg</application> is already installed.
206 </para>
207
208 <para>
209 <parameter>--with-kerberos5=/usr</parameter>: This option is used to
210 include Kerberos 5 support in the build.
211 </para>
212
213 <para>
214 <parameter>--with-libedit</parameter>: This option enables line editing
215 and history features for <command>sftp</command>.
216 </para>
217
218 </sect2>
219
220 <sect2 role="configuration">
221 <title>Configuring OpenSSH</title>
222
223 <sect3 id="openssh-config">
224 <title>Config Files</title>
225
226 <para>
227 <filename>~/.ssh/*</filename>,
228 <filename>/etc/ssh/ssh_config</filename>, and
229 <filename>/etc/ssh/sshd_config</filename>
230 </para>
231
232 <indexterm zone="openssh openssh-config">
233 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
234 </indexterm>
235
236 <indexterm zone="openssh openssh-config">
237 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
238 </indexterm>
239
240 <indexterm zone="openssh openssh-config">
241 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
242 </indexterm>
243
244 <para>
245 There are no required changes to any of these files. However,
246 you may wish to view the
247 <filename class='directory'>/etc/ssh/</filename> files and make any
248 changes appropriate for the security of your system. One recommended
249 change is that you disable
250 <systemitem class='username'>root</systemitem> login via
251 <command>ssh</command>. Execute the following command as the
252 <systemitem class='username'>root</systemitem> user to disable
253 <systemitem class='username'>root</systemitem> login via
254 <command>ssh</command>:
255 </para>
256
257<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
258
259 <para>
260 If you want to be able to log in without typing in your password, first
261 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
262 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
263 ~/.ssh/authorized_keys on the remote computer that you want to log into.
264 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
265 computer and you'll also need to enter your password for the ssh-copy-id command
266 to succeed:
267 </para>
268
269<screen><userinput>ssh-keygen &amp;&amp;
270ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
271
272 <para>
273 Once you've got passwordless logins working it's actually more secure
274 than logging in with a password (as the private key is much longer than
275 most people's passwords). If you would like to now disable password
276 logins, as the <systemitem class="username">root</systemitem> user:
277 </para>
278
279
280<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
281echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
282
283 <para>
284 If you added <application>LinuxPAM</application> support and you want
285 ssh to use it then you will need to add a configuration file for
286 <application>sshd</application> and enable use of
287 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
288 passwords, if you've disabled password logins these commands are not
289 needed. If you want to use PAM issue the following commands as the
290 <systemitem class='username'>root</systemitem> user:
291 </para>
292
293<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
294chmod 644 /etc/pam.d/sshd &amp;&amp;
295echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
296
297 <para>
298 Additional configuration information can be found in the man
299 pages for <command>sshd</command>, <command>ssh</command> and
300 <command>ssh-agent</command>.
301 </para>
302 </sect3>
303
304 <sect3 id="openssh-init">
305 <title>Systemd Units</title>
306
307 <para>
308 To start the <command>sshd</command> daemon at boot,
309 install the systemd units from the <xref linkend="bootscripts"/>
310 package by running the following command as the
311 <systemitem class="username">root</systemitem> user:
312 </para>
313
314 <indexterm zone="openssh openssh-init">
315 <primary sortas="f-sshd">sshd</primary>
316 </indexterm>
317
318<screen role="root"><userinput>make install-sshd</userinput></screen>
319
320 <note>
321 <para>
322 This package comes with two types of units: A service file and a socket file.
323 The service file will start sshd daemon once at boot and it will keep running until the
324 system shuts down. The socket file will make systemd listen on sshd port (Default 22, needs
325 to be edited for anything else) and will start sshd daemon when something tries to connect
326 to that port and stop the daemon when the connection is terminated. This is
327 called socket activation.
328
329 By default, the first method is used - sshd daemon is started at boot and stopped at shutdown.
330 If the socket method is desired, you need to run as the
331 <systemitem class="username">root</systemitem> user:
332
333<screen role="root"><userinput>systemctl stop sshd &amp;&amp;
334systemctl disable sshd &amp;&amp;
335systemctl enable sshd.socket &amp;&amp;
336systemctl start sshd.socket</userinput></screen>
337 </para>
338 </note>
339
340 </sect3>
341 </sect2>
342
343 <sect2 role="content">
344 <title>Contents</title>
345
346 <segmentedlist>
347 <segtitle>Installed Programs</segtitle>
348 <segtitle>Installed Libraries</segtitle>
349 <segtitle>Installed Directories</segtitle>
350
351 <seglistitem>
352 <seg>
353 scp,
354 sftp,
355 slogin (symlink to ssh),
356 ssh,
357 ssh-add,
358 ssh-agent,
359 ssh-copy-id,
360 ssh-keygen,
361 ssh-keyscan,
362 and sshd
363 </seg>
364 <seg>
365 None
366 </seg>
367 <seg>
368 /etc/ssh,
369 /usr/share/doc/openssh-&openssh-version;, and
370 /var/lib/sshd
371 </seg>
372 </seglistitem>
373 </segmentedlist>
374
375 <variablelist>
376 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
377 <?dbfo list-presentation="list"?>
378 <?dbhtml list-presentation="table"?>
379
380 <varlistentry id="scp">
381 <term><command>scp</command></term>
382 <listitem>
383 <para>
384 is a file copy program that acts like <command>rcp</command> except
385 it uses an encrypted protocol.
386 </para>
387 <indexterm zone="openssh scp">
388 <primary sortas="b-scp">scp</primary>
389 </indexterm>
390 </listitem>
391 </varlistentry>
392
393 <varlistentry id="sftp">
394 <term><command>sftp</command></term>
395 <listitem>
396 <para>
397 is an FTP-like program that works over the SSH1 and SSH2 protocols.
398 </para>
399 <indexterm zone="openssh sftp">
400 <primary sortas="b-sftp">sftp</primary>
401 </indexterm>
402 </listitem>
403 </varlistentry>
404
405 <varlistentry id="slogin">
406 <term><command>slogin</command></term>
407 <listitem>
408 <para>
409 is a symlink to <command>ssh</command>.
410 </para>
411 <indexterm zone="openssh slogin">
412 <primary sortas="b-slogin">slogin</primary>
413 </indexterm>
414 </listitem>
415 </varlistentry>
416
417 <varlistentry id="ssh">
418 <term><command>ssh</command></term>
419 <listitem>
420 <para>
421 is an <command>rlogin</command>/<command>rsh</command>-like client
422 program except it uses an encrypted protocol.
423 </para>
424 <indexterm zone="openssh ssh">
425 <primary sortas="b-ssh">ssh</primary>
426 </indexterm>
427 </listitem>
428 </varlistentry>
429
430 <varlistentry id="sshd">
431 <term><command>sshd</command></term>
432 <listitem>
433 <para>
434 is a daemon that listens for <command>ssh</command> login requests.
435 </para>
436 <indexterm zone="openssh sshd">
437 <primary sortas="b-sshd">sshd</primary>
438 </indexterm>
439 </listitem>
440 </varlistentry>
441
442 <varlistentry id="ssh-add">
443 <term><command>ssh-add</command></term>
444 <listitem>
445 <para>
446 is a tool which adds keys to the <command>ssh-agent</command>.
447 </para>
448 <indexterm zone="openssh ssh-add">
449 <primary sortas="b-ssh-add">ssh-add</primary>
450 </indexterm>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry id="ssh-agent">
455 <term><command>ssh-agent</command></term>
456 <listitem>
457 <para>
458 is an authentication agent that can store private keys.
459 </para>
460 <indexterm zone="openssh ssh-agent">
461 <primary sortas="b-ssh-agent">ssh-agent</primary>
462 </indexterm>
463 </listitem>
464 </varlistentry>
465
466 <varlistentry id="ssh-copy-id">
467 <term><command>ssh-copy-id</command></term>
468 <listitem>
469 <para>
470 is a script that enables logins on remote machine using local keys.
471 </para>
472 <indexterm zone="openssh ssh-copy-id">
473 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
474 </indexterm>
475 </listitem>
476 </varlistentry>
477
478 <varlistentry id="ssh-keygen">
479 <term><command>ssh-keygen</command></term>
480 <listitem>
481 <para>
482 is a key generation tool.
483 </para>
484 <indexterm zone="openssh ssh-keygen">
485 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
486 </indexterm>
487 </listitem>
488 </varlistentry>
489
490 <varlistentry id="ssh-keyscan">
491 <term><command>ssh-keyscan</command></term>
492 <listitem>
493 <para>
494 is a utility for gathering public host keys from a number of hosts.
495 </para>
496 <indexterm zone="openssh ssh-keyscan">
497 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
498 </indexterm>
499 </listitem>
500 </varlistentry>
501
502 </variablelist>
503 </sect2>
504</sect1>
Note: See TracBrowser for help on using the repository browser.