Context Navigation

source: postlfs/security/openssh.xml@ 8ebc8b4

Visit:

12.1 12.2 gimp3 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/for-12.3 xry111/llvm18 xry111/spidermonkey128

Last change on this file since 8ebc8b4 was ecab0590, checked in by Xi Ruoyao <xry111@…>, 13 months ago
openssh: Work around FTBFS with zlib-1.13
Property mode set to `100644`
File size: 19.5 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "&openssh-md5sum;">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 20 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
21	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
22
23	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
24	<?dbhtml filename="openssh.html"?>
25
26	<title>OpenSSH-&openssh-version;</title>
27
28	<indexterm zone="openssh">
29	<primary sortas="a-OpenSSH">OpenSSH</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to OpenSSH</title>
34
35	<para>
36	The <application>OpenSSH</application> package contains
37	<command>ssh</command> clients and the <command>sshd</command> daemon.
38	This is useful for encrypting authentication and subsequent traffic over
39	a network. The <command>ssh</command> and <command>scp</command> commands
40	are secure implementations of <command>telnet</command> and
41	<command>rcp</command> respectively.
42	</para>
43
44	&lfs120_checked;
45
46	<bridgehead renderas="sect3">Package Information</bridgehead>
47	<itemizedlist spacing="compact">
48	<listitem>
49	<para>
50	Download (HTTP): <ulink url="&openssh-download-http;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download (FTP): <ulink url="&openssh-download-ftp;"/>
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download MD5 sum: &openssh-md5sum;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Download size: &openssh-size;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated disk space required: &openssh-buildsize;
71	</para>
72	</listitem>
73	<listitem>
74	<para>
75	Estimated build time: &openssh-time;
76	</para>
77	</listitem>
78	</itemizedlist>
79	<!--
80	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
81	<itemizedlist spacing="compact">
82	<listitem>
83	<para>
84	Required patch:
85	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
86	</para>
87	</listitem>
88	</itemizedlist>
89	-->
90	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
91
92	<bridgehead renderas="sect4">Optional</bridgehead>
93	<para role="optional">
94	<xref linkend="gdb"/> (for tests),
95	<xref linkend="linux-pam"/>,
96	<xref linkend="xorg7-app"/> (or
97	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
98	<xref linkend="mitkrb"/>,
99	<xref linkend="which"/> (for tests),
100	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	<para condition="html" role="usernotes">
114	Editor Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115	</para>
116	</sect2>
117
118	<sect2 role="installation">
119	<title>Installation of OpenSSH</title>
120
121	<para>
122	<application>OpenSSH</application> runs as two processes when connecting
123	to other computers. The first process is a privileged process and controls
124	the issuance of privileges as necessary. The second process communicates
125	with the network. Additional installation steps are necessary to set up
126	the proper environment, which are performed by issuing the following
127	commands as the <systemitem class="username">root</systemitem> user:
128	</para>
129
130	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
131
132	groupadd -g 50 sshd &&
133	useradd -c 'sshd PrivSep' \
134	-d /var/lib/sshd \
135	-g sshd \
136	-s /bin/false \
137	-u 50 sshd</userinput></screen>
138	<!--
139	<para>
140	Apply a patch to allow OpenSSH to build and function with
141	<application>Glibc-2.31</application> and later:
142	</para>
143
144	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145	-->
146
147	<!-- Applied in 8.5p1
148	<para>
149	First, adapt <application>ssh-copy-id</application> to changes
150	in bash-5.1:
151	</para>
152
153	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155	<para>
156	Next, fix an issue on platforms other than x86_64:
157	</para>
158	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159	l1="#ifdef __NR_pselect6_time64"
160	l2=" SC_ALLOW(__NR_pselect6_time64),"
161	l3="#endif"
162	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163	-i sandbox-seccomp-filter.c
164	fi</userinput></screen>
165	-->
166	<para>
167	Install <application>OpenSSH</application> by running the following
168	commands:
169	</para>
170
171	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
172	block leaves an eyesore. -->
173	<screen><userinput>./configure --prefix=/usr \
174	--sysconfdir=/etc/ssh \
175	--with-privsep-path=/var/lib/sshd \
176	--with-default-path=/usr/bin \
177	--with-superuser-path=/usr/sbin:/usr/bin \
178	--with-pid-dir=/run \
179	--without-zlib-version-check &&
180	make</userinput></screen>
181
182	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
183	<para>
184	The test suite requires an installed copy of <command>scp</command> to
185	complete the multiplexing tests. To run the test suite, first copy the
186	<command>scp</command> program to
187	<filename class="directory">/usr/bin</filename>, making sure that you
188	backup any existing copy first.
189	</para>
190	-->
191	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
192	<para>
193	If you wish to run the tests, remove a test suite that is not valid on
194	Linux-based platforms:
195	</para>
196
197	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
198	-->
199	<para>
200	To test the results, issue: <command>make -j1 tests</command>.
201	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
202	</para>
203
204	<!-- commenting this, I get "all tests passed" [ ken ]
205	NB tests should be run as _user_ but the role in the comment is root
206
207	commenting [ bruce ]: There are a couple of tests that want root.
208	The log mentions that SUDO is not set. These skipped tests are
209	ignored and the end says 'all tests passed' even when not root
210
211	<para>
212	To run the test suite, issue the following commands:
213	</para>
214
215	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
216	grep FATAL check.log</userinput></screen>
217
218	<para>
219	If the above command produces no 'FATAL' errors, then proceed with the
220	installation, as the <systemitem class="username">root</systemitem> user:
221	</para>-->
222	<para>
223	Now, as the <systemitem class="username">root</systemitem> user:
224	</para>
225
226	<screen role="root"><userinput>make install &&
227	install -v -m755 contrib/ssh-copy-id /usr/bin &&
228
229	install -v -m644 contrib/ssh-copy-id.1 \
230	/usr/share/man/man1 &&
231	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
232	install -v -m644 INSTALL LICENCE OVERVIEW README* \
233	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
234	</sect2>
235
236	<sect2 role="commands">
237	<title>Command Explanations</title>
238
239	<para>
240	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
241	configuration files from being installed in
242	<filename class="directory">/usr/etc</filename>.
243	</para>
244
245	<para>
246	<parameter>--with-default-path=/usr/bin</parameter> and
247	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
248	These set <envar>PATH</envar> consistent with LFS and BLFS
249	<application>Shadow</application> package.
250	</para>
251
252	<para>
253	<parameter>--with-pid-dir=/run</parameter>: This prevents
254	<application>OpenSSH</application> from referring to deprecated
255	<filename class="directory">/var/run</filename>.
256	</para>
257
258	<para>
259	<parameter>--without-zlib-version-check</parameter>: This prevents
260	<application>OpenSSH</application> from checking the version of
261	the system <application>Zlib</application>. We need to use this
262	switch or the version check would mistakenly report the latest
263	<application>Zlib</application> 1.13 <quote>too old</quote> and
264	reject it.
265	</para>
266
267	<para>
268	<option>--with-pam</option>: This parameter enables
269	<application>Linux-PAM</application> support in the build.
270	</para>
271
272	<para>
273	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
274	location for the <command>xauth</command> binary for X authentication.
275	The environment variable <envar>XORG_PREFIX</envar> should be set
276	following <xref linkend='xorg-env'/>. This can also be controlled from
277	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
278	omit this switch if <application>Xorg</application> is already installed.
279	</para>
280
281	<para>
282	<option>--with-kerberos5=/usr</option>: This option is used to
283	include Kerberos 5 support in the build.
284	</para>
285
286	<para>
287	<option>--with-libedit</option>: This option enables line editing
288	and history features for <command>sftp</command>.
289	</para>
290
291	</sect2>
292
293	<sect2 role="configuration">
294	<title>Configuring OpenSSH</title>
295
296	<sect3 id="openssh-config">
297	<title>Config Files</title>
298
299	<para>
300	<filename>~/.ssh/*</filename>,
301	<filename>/etc/ssh/ssh_config</filename>, and
302	<filename>/etc/ssh/sshd_config</filename>
303	</para>
304
305	<indexterm zone="openssh openssh-config">
306	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
307	</indexterm>
308
309	<indexterm zone="openssh openssh-config">
310	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
311	</indexterm>
312
313	<indexterm zone="openssh openssh-config">
314	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
315	</indexterm>
316
317	<para>
318	There are no required changes to any of these files. However,
319	you may wish to view the
320	<filename class='directory'>/etc/ssh/</filename> files and make any
321	changes appropriate for the security of your system. One recommended
322	change is that you disable
323	<systemitem class='username'>root</systemitem> login via
324	<command>ssh</command>. Execute the following command as the
325	<systemitem class='username'>root</systemitem> user to disable
326	<systemitem class='username'>root</systemitem> login via
327	<command>ssh</command>:
328	</para>
329
330	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
331
332	<para>
333	If you want to be able to log in without typing in your password, first
334	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
335	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
336	~/.ssh/authorized_keys on the remote computer that you want to log into.
337	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
338	computer and you'll also need to enter your password for the ssh-copy-id command
339	to succeed:
340	</para>
341
342	<screen><userinput>ssh-keygen &&
343	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
344
345	<para>
346	Once you've got passwordless logins working it's actually more secure
347	than logging in with a password (as the private key is much longer than
348	most people's passwords). If you would like to now disable password
349	logins, as the <systemitem class="username">root</systemitem> user:
350	</para>
351
352
353	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
354	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
355
356	<para>
357	If you added <application>Linux-PAM</application> support and you want
358	ssh to use it then you will need to add a configuration file for
359	<application>sshd</application> and enable use of
360	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
361	passwords, if you've disabled password logins these commands are not
362	needed. If you want to use PAM, issue the following commands as the
363	<systemitem class='username'>root</systemitem> user:
364	</para>
365
366	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
367	chmod 644 /etc/pam.d/sshd &&
368	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
369
370	<para>
371	Additional configuration information can be found in the man
372	pages for <command>sshd</command>, <command>ssh</command> and
373	<command>ssh-agent</command>.
374	</para>
375	</sect3>
376
377	<sect3 id="openssh-init">
378	<title><phrase revision="sysv">Boot Script</phrase>
379	<phrase revision="systemd">Systemd Unit</phrase></title>
380
381	<para revision="sysv">
382	To start the SSH server at system boot, install the
383	<filename>/etc/rc.d/init.d/sshd</filename> init script included
384	in the <xref linkend="bootscripts"/> package.
385	</para>
386
387	<para revision="systemd">
388	To start the SSH server at system boot, install the
389	<filename>sshd.service</filename> unit included in the
390	<xref linkend="systemd-units"/> package.
391	</para>
392
393	<indexterm zone="openssh openssh-init">
394	<primary sortas="f-sshd">sshd</primary>
395	</indexterm>
396
397	<screen role="root"><userinput>make install-sshd</userinput></screen>
398	</sect3>
399	</sect2>
400
401	<sect2 role="content">
402	<title>Contents</title>
403
404	<segmentedlist>
405	<segtitle>Installed Programs</segtitle>
406	<segtitle>Installed Libraries</segtitle>
407	<segtitle>Installed Directories</segtitle>
408
409	<seglistitem>
410	<seg>
411	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
412	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
413	</seg>
414	<seg>
415	None
416	</seg>
417	<seg>
418	/etc/ssh,
419	/usr/share/doc/openssh-&openssh-version;, and
420	/var/lib/sshd
421	</seg>
422	</seglistitem>
423	</segmentedlist>
424
425	<variablelist>
426	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
427	<?dbfo list-presentation="list"?>
428	<?dbhtml list-presentation="table"?>
429
430	<varlistentry id="scp">
431	<term><command>scp</command></term>
432	<listitem>
433	<para>
434	is a file copy program that acts like <command>rcp</command> except
435	it uses an encrypted protocol
436	</para>
437	<indexterm zone="openssh scp">
438	<primary sortas="b-scp">scp</primary>
439	</indexterm>
440	</listitem>
441	</varlistentry>
442
443	<varlistentry id="sftp">
444	<term><command>sftp</command></term>
445	<listitem>
446	<para>
447	is an FTP-like program that works over the SSH1 and SSH2 protocols
448	</para>
449	<indexterm zone="openssh sftp">
450	<primary sortas="b-sftp">sftp</primary>
451	</indexterm>
452	</listitem>
453	</varlistentry>
454	<!-- Not installed anymore as of 8.5p1
455	<varlistentry id="slogin">
456	<term><command>slogin</command></term>
457	<listitem>
458	<para>
459	is a symlink to <command>ssh</command>
460	</para>
461	<indexterm zone="openssh slogin">
462	<primary sortas="b-slogin">slogin</primary>
463	</indexterm>
464	</listitem>
465	</varlistentry>
466	-->
467	<varlistentry id="ssh">
468	<term><command>ssh</command></term>
469	<listitem>
470	<para>
471	is an <command>rlogin</command>/<command>rsh</command>-like client
472	program except it uses an encrypted protocol
473	</para>
474	<indexterm zone="openssh ssh">
475	<primary sortas="b-ssh">ssh</primary>
476	</indexterm>
477	</listitem>
478	</varlistentry>
479
480	<varlistentry id="sshd">
481	<term><command>sshd</command></term>
482	<listitem>
483	<para>
484	is a daemon that listens for <command>ssh</command> login requests
485	</para>
486	<indexterm zone="openssh sshd">
487	<primary sortas="b-sshd">sshd</primary>
488	</indexterm>
489	</listitem>
490	</varlistentry>
491
492	<varlistentry id="ssh-add">
493	<term><command>ssh-add</command></term>
494	<listitem>
495	<para>
496	is a tool which adds keys to the <command>ssh-agent</command>
497	</para>
498	<indexterm zone="openssh ssh-add">
499	<primary sortas="b-ssh-add">ssh-add</primary>
500	</indexterm>
501	</listitem>
502	</varlistentry>
503
504	<varlistentry id="ssh-agent">
505	<term><command>ssh-agent</command></term>
506	<listitem>
507	<para>
508	is an authentication agent that can store private keys
509	</para>
510	<indexterm zone="openssh ssh-agent">
511	<primary sortas="b-ssh-agent">ssh-agent</primary>
512	</indexterm>
513	</listitem>
514	</varlistentry>
515
516	<varlistentry id="ssh-copy-id">
517	<term><command>ssh-copy-id</command></term>
518	<listitem>
519	<para>
520	is a script that enables logins on remote machines using local keys
521	</para>
522	<indexterm zone="openssh ssh-copy-id">
523	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
524	</indexterm>
525	</listitem>
526	</varlistentry>
527
528	<varlistentry id="ssh-keygen">
529	<term><command>ssh-keygen</command></term>
530	<listitem>
531	<para>
532	is a key generation tool
533	</para>
534	<indexterm zone="openssh ssh-keygen">
535	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
536	</indexterm>
537	</listitem>
538	</varlistentry>
539
540	<varlistentry id="ssh-keyscan">
541	<term><command>ssh-keyscan</command></term>
542	<listitem>
543	<para>
544	is a utility for gathering public host keys from a number of hosts
545	</para>
546	<indexterm zone="openssh ssh-keyscan">
547	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
548	</indexterm>
549	</listitem>
550	</varlistentry>
551
552	</variablelist>
553	</sect2>
554
555	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: