Context Navigation

source: postlfs/security/openssh.xml

Visit:

trunk

Last change on this file was da5da7ae, checked in by Thomas Trepl <thomas@…>, 7 weeks ago
Upgrade openssh-9.7p1, ssh-askpass-9.7p1
Property mode set to `100644`
File size: 19.3 KB

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp " ">
10	<!ENTITY openssh-md5sum "&openssh-md5sum;">
11	<!ENTITY openssh-size "1.7 MB">
12	<!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
13	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
14	running the tests takes about 20 minutes,
15	irrespective of processor speed)">
16	]>
17
18	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
19	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
20
21	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
22	<?dbhtml filename="openssh.html"?>
23
24	<title>OpenSSH-&openssh-version;</title>
25
26	<indexterm zone="openssh">
27	<primary sortas="a-OpenSSH">OpenSSH</primary>
28	</indexterm>
29
30	<sect2 role="package">
31	<title>Introduction to OpenSSH</title>
32
33	<para>
34	The <application>OpenSSH</application> package contains
35	<command>ssh</command> clients and the <command>sshd</command> daemon.
36	This is useful for encrypting authentication and subsequent traffic over
37	a network. The <command>ssh</command> and <command>scp</command> commands
38	are secure implementations of <command>telnet</command> and
39	<command>rcp</command> respectively.
40	</para>
41
42	&lfs121_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&openssh-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&openssh-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &openssh-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &openssh-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &openssh-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &openssh-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77	<!--
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<listitem>
81	<para>
82	Required patch:
83	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
84	</para>
85	</listitem>
86	</itemizedlist>
87	-->
88	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89
90	<bridgehead renderas="sect4">Optional</bridgehead>
91	<para role="optional">
92	<xref linkend="gdb"/> (for tests),
93	<xref linkend="linux-pam"/> (PAM configuration files from
94	<xref linkend="shadow"/> are used to create openssh ones),
95	<xref linkend="xorg7-app"/> (or
96	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
97	<xref linkend="mitkrb"/>,
98	<xref linkend="which"/> (for tests),
99	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
100	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
101	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103	</para>
104
105	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106	<para role="optional">
107	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
108	<xref role="runtime" linkend="net-tools"/>, and
109	<xref role="runtime" linkend="sysstat"/>
110	</para>
111
112	</sect2>
113
114	<sect2 role="installation">
115	<title>Installation of OpenSSH</title>
116
117	<para>
118	<application>OpenSSH</application> runs as two processes when connecting
119	to other computers. The first process is a privileged process and controls
120	the issuance of privileges as necessary. The second process communicates
121	with the network. Additional installation steps are necessary to set up
122	the proper environment, which are performed by issuing the following
123	commands as the <systemitem class="username">root</systemitem> user:
124	</para>
125
126	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
127
128	groupadd -g 50 sshd &&
129	useradd -c 'sshd PrivSep' \
130	-d /var/lib/sshd \
131	-g sshd \
132	-s /bin/false \
133	-u 50 sshd</userinput></screen>
134	<!--
135	<para>
136	Apply a patch to allow OpenSSH to build and function with
137	<application>Glibc-2.31</application> and later:
138	</para>
139
140	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
141	-->
142
143	<!-- Applied in 8.5p1
144	<para>
145	First, adapt <application>ssh-copy-id</application> to changes
146	in bash-5.1:
147	</para>
148
149	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
150
151	<para>
152	Next, fix an issue on platforms other than x86_64:
153	</para>
154	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
155	l1="#ifdef __NR_pselect6_time64"
156	l2=" SC_ALLOW(__NR_pselect6_time64),"
157	l3="#endif"
158	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
159	-i sandbox-seccomp-filter.c
160	fi</userinput></screen>
161	-->
162	<para>
163	Install <application>OpenSSH</application> by running the following
164	commands:
165	</para>
166
167	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
168	block leaves an eyesore. -->
169	<screen><userinput>./configure --prefix=/usr \
170	--sysconfdir=/etc/ssh \
171	--with-privsep-path=/var/lib/sshd \
172	--with-default-path=/usr/bin \
173	--with-superuser-path=/usr/sbin:/usr/bin \
174	--with-pid-dir=/run &&
175	make</userinput></screen>
176
177	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
178	<para>
179	The test suite requires an installed copy of <command>scp</command> to
180	complete the multiplexing tests. To run the test suite, first copy the
181	<command>scp</command> program to
182	<filename class="directory">/usr/bin</filename>, making sure that you
183	backup any existing copy first.
184	</para>
185	-->
186	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
187	<para>
188	If you wish to run the tests, remove a test suite that is not valid on
189	Linux-based platforms:
190	</para>
191
192	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
193	-->
194	<para>
195	To test the results, issue: <command>make -j1 tests</command>.
196	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
197	</para>
198
199	<!-- commenting this, I get "all tests passed" [ ken ]
200	NB tests should be run as _user_ but the role in the comment is root
201
202	commenting [ bruce ]: There are a couple of tests that want root.
203	The log mentions that SUDO is not set. These skipped tests are
204	ignored and the end says 'all tests passed' even when not root
205
206	<para>
207	To run the test suite, issue the following commands:
208	</para>
209
210	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
211	grep FATAL check.log</userinput></screen>
212
213	<para>
214	If the above command produces no 'FATAL' errors, then proceed with the
215	installation, as the <systemitem class="username">root</systemitem> user:
216	</para>-->
217	<para>
218	Now, as the <systemitem class="username">root</systemitem> user:
219	</para>
220
221	<screen role="root"><userinput>make install &&
222	install -v -m755 contrib/ssh-copy-id /usr/bin &&
223
224	install -v -m644 contrib/ssh-copy-id.1 \
225	/usr/share/man/man1 &&
226	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
227	install -v -m644 INSTALL LICENCE OVERVIEW README* \
228	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
229	</sect2>
230
231	<sect2 role="commands">
232	<title>Command Explanations</title>
233
234	<para>
235	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
236	configuration files from being installed in
237	<filename class="directory">/usr/etc</filename>.
238	</para>
239
240	<para>
241	<parameter>--with-default-path=/usr/bin</parameter> and
242	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
243	These set <envar>PATH</envar> consistent with LFS and BLFS
244	<application>Shadow</application> package.
245	</para>
246
247	<para>
248	<parameter>--with-pid-dir=/run</parameter>: This prevents
249	<application>OpenSSH</application> from referring to deprecated
250	<filename class="directory">/var/run</filename>.
251	</para>
252	<!--
253	<para>
254	<parameter>- -without-zlib-version-check</parameter>: This prevents
255	<application>OpenSSH</application> from checking the version of
256	the system <application>Zlib</application>. We need to use this
257	switch or the version check would mistakenly report the latest
258	<application>Zlib</application> 1.13 <quote>too old</quote> and
259	reject it.
260	</para>
261	-->
262	<para>
263	<option>--with-pam</option>: This parameter enables
264	<application>Linux-PAM</application> support in the build.
265	</para>
266
267	<para>
268	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
269	location for the <command>xauth</command> binary for X authentication.
270	The environment variable <envar>XORG_PREFIX</envar> should be set
271	following <xref linkend='xorg-env'/>. This can also be controlled from
272	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
273	omit this switch if <application>Xorg</application> is already installed.
274	</para>
275
276	<para>
277	<option>--with-kerberos5=/usr</option>: This option is used to
278	include Kerberos 5 support in the build.
279	</para>
280
281	<para>
282	<option>--with-libedit</option>: This option enables line editing
283	and history features for <command>sftp</command>.
284	</para>
285
286	</sect2>
287
288	<sect2 role="configuration">
289	<title>Configuring OpenSSH</title>
290
291	<sect3 id="openssh-config">
292	<title>Config Files</title>
293
294	<para>
295	<filename>~/.ssh/*</filename>,
296	<filename>/etc/ssh/ssh_config</filename>, and
297	<filename>/etc/ssh/sshd_config</filename>
298	</para>
299
300	<indexterm zone="openssh openssh-config">
301	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
302	</indexterm>
303
304	<indexterm zone="openssh openssh-config">
305	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
306	</indexterm>
307
308	<indexterm zone="openssh openssh-config">
309	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
310	</indexterm>
311
312	<para>
313	There are no required changes to any of these files. However,
314	you may wish to view the
315	<filename class='directory'>/etc/ssh/</filename> files and make any
316	changes appropriate for the security of your system. One recommended
317	change is that you disable
318	<systemitem class='username'>root</systemitem> login via
319	<command>ssh</command>. Execute the following command as the
320	<systemitem class='username'>root</systemitem> user to disable
321	<systemitem class='username'>root</systemitem> login via
322	<command>ssh</command>:
323	</para>
324
325	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
326
327	<para>
328	If you want to be able to log in without typing in your password, first
329	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
330	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
331	~/.ssh/authorized_keys on the remote computer that you want to log into.
332	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
333	computer and you'll also need to enter your password for the ssh-copy-id command
334	to succeed:
335	</para>
336
337	<screen role='nodump'><userinput>ssh-keygen &&
338	ssh-copy-id -i ~/.ssh/id_ed25519.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
339
340	<para>
341	Once you've got passwordless logins working it's actually more secure
342	than logging in with a password (as the private key is much longer than
343	most people's passwords). If you would like to now disable password
344	logins, as the <systemitem class="username">root</systemitem> user:
345	</para>
346
347
348	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
349	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
350
351	<para>
352	If you added <application>Linux-PAM</application> support and you want
353	ssh to use it then you will need to add a configuration file for
354	<application>sshd</application> and enable use of
355	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
356	passwords, if you've disabled password logins these commands are not
357	needed. If you want to use PAM, issue the following commands as the
358	<systemitem class='username'>root</systemitem> user:
359	</para>
360
361	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
362	chmod 644 /etc/pam.d/sshd &&
363	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
364
365	<para>
366	Additional configuration information can be found in the man
367	pages for <command>sshd</command>, <command>ssh</command> and
368	<command>ssh-agent</command>.
369	</para>
370	</sect3>
371
372	<sect3 id="openssh-init">
373	<title><phrase revision="sysv">Boot Script</phrase>
374	<phrase revision="systemd">Systemd Unit</phrase></title>
375
376	<para revision="sysv">
377	To start the SSH server at system boot, install the
378	<filename>/etc/rc.d/init.d/sshd</filename> init script included
379	in the <xref linkend="bootscripts"/> package.
380	</para>
381
382	<para revision="systemd">
383	To start the SSH server at system boot, install the
384	<filename>sshd.service</filename> unit included in the
385	<xref linkend="systemd-units"/> package.
386	</para>
387
388	<indexterm zone="openssh openssh-init">
389	<primary sortas="f-sshd">sshd</primary>
390	</indexterm>
391
392	<screen role="root"><userinput>make install-sshd</userinput></screen>
393	</sect3>
394	</sect2>
395
396	<sect2 role="content">
397	<title>Contents</title>
398
399	<segmentedlist>
400	<segtitle>Installed Programs</segtitle>
401	<segtitle>Installed Libraries</segtitle>
402	<segtitle>Installed Directories</segtitle>
403
404	<seglistitem>
405	<seg>
406	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
407	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
408	</seg>
409	<seg>
410	None
411	</seg>
412	<seg>
413	/etc/ssh,
414	/usr/share/doc/openssh-&openssh-version;, and
415	/var/lib/sshd
416	</seg>
417	</seglistitem>
418	</segmentedlist>
419
420	<variablelist>
421	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
422	<?dbfo list-presentation="list"?>
423	<?dbhtml list-presentation="table"?>
424
425	<varlistentry id="scp">
426	<term><command>scp</command></term>
427	<listitem>
428	<para>
429	is a file copy program that acts like <command>rcp</command> except
430	it uses an encrypted protocol
431	</para>
432	<indexterm zone="openssh scp">
433	<primary sortas="b-scp">scp</primary>
434	</indexterm>
435	</listitem>
436	</varlistentry>
437
438	<varlistentry id="sftp">
439	<term><command>sftp</command></term>
440	<listitem>
441	<para>
442	is an FTP-like program that works over the SSH1 and SSH2 protocols
443	</para>
444	<indexterm zone="openssh sftp">
445	<primary sortas="b-sftp">sftp</primary>
446	</indexterm>
447	</listitem>
448	</varlistentry>
449	<!-- Not installed anymore as of 8.5p1
450	<varlistentry id="slogin">
451	<term><command>slogin</command></term>
452	<listitem>
453	<para>
454	is a symlink to <command>ssh</command>
455	</para>
456	<indexterm zone="openssh slogin">
457	<primary sortas="b-slogin">slogin</primary>
458	</indexterm>
459	</listitem>
460	</varlistentry>
461	-->
462	<varlistentry id="ssh">
463	<term><command>ssh</command></term>
464	<listitem>
465	<para>
466	is an <command>rlogin</command>/<command>rsh</command>-like client
467	program except it uses an encrypted protocol
468	</para>
469	<indexterm zone="openssh ssh">
470	<primary sortas="b-ssh">ssh</primary>
471	</indexterm>
472	</listitem>
473	</varlistentry>
474
475	<varlistentry id="sshd">
476	<term><command>sshd</command></term>
477	<listitem>
478	<para>
479	is a daemon that listens for <command>ssh</command> login requests
480	</para>
481	<indexterm zone="openssh sshd">
482	<primary sortas="b-sshd">sshd</primary>
483	</indexterm>
484	</listitem>
485	</varlistentry>
486
487	<varlistentry id="ssh-add">
488	<term><command>ssh-add</command></term>
489	<listitem>
490	<para>
491	is a tool which adds keys to the <command>ssh-agent</command>
492	</para>
493	<indexterm zone="openssh ssh-add">
494	<primary sortas="b-ssh-add">ssh-add</primary>
495	</indexterm>
496	</listitem>
497	</varlistentry>
498
499	<varlistentry id="ssh-agent">
500	<term><command>ssh-agent</command></term>
501	<listitem>
502	<para>
503	is an authentication agent that can store private keys
504	</para>
505	<indexterm zone="openssh ssh-agent">
506	<primary sortas="b-ssh-agent">ssh-agent</primary>
507	</indexterm>
508	</listitem>
509	</varlistentry>
510
511	<varlistentry id="ssh-copy-id">
512	<term><command>ssh-copy-id</command></term>
513	<listitem>
514	<para>
515	is a script that enables logins on remote machines using local keys
516	</para>
517	<indexterm zone="openssh ssh-copy-id">
518	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
519	</indexterm>
520	</listitem>
521	</varlistentry>
522
523	<varlistentry id="ssh-keygen">
524	<term><command>ssh-keygen</command></term>
525	<listitem>
526	<para>
527	is a key generation tool
528	</para>
529	<indexterm zone="openssh ssh-keygen">
530	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
531	</indexterm>
532	</listitem>
533	</varlistentry>
534
535	<varlistentry id="ssh-keyscan">
536	<term><command>ssh-keyscan</command></term>
537	<listitem>
538	<para>
539	is a utility for gathering public host keys from a number of hosts
540	</para>
541	<indexterm zone="openssh ssh-keyscan">
542	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
543	</indexterm>
544	</listitem>
545	</varlistentry>
546
547	</variablelist>
548	</sect2>
549
550	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: