source: postlfs/security/openssh.xml@ af8b2d9

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http
           "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp
           "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum        "13009a9156510d8f27e752659075cced">
  <!ENTITY openssh-size          "1.5 MB">
  <!ENTITY openssh-buildsize     "43 MB (51 MB with the test suite)">
  <!ENTITY openssh-time          "0.4 SBU (running the tests takes at least 10
                                  minutes, irrespective of processor speed)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>
      The <application>OpenSSH</application> package contains
      <command>ssh</command> clients and the <command>sshd</command> daemon. This
      is useful for encrypting authentication and subsequent traffic over a
      network. The <command>ssh</command> and <command>scp</command> commands are
      secure implementions of <command>telnet</command> and <command>rcp</command>
      respectively.
    </para>

    &lfs79_checked;

    &gcc6_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&openssh-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&openssh-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &openssh-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &openssh-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &openssh-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &openssh-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="openssl"/> or
      <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="x-window-system"/>,
      <xref linkend="mitkrb"/>,
      <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
      <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
      <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
    </para>

    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
    <para role="optional">
      <xref linkend="openjdk"/>,
      <xref linkend="net-tools"/>, and
      <xref linkend="sysstat"/>
    </para>

    <para condition="html" role="usernotes">
        User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <warning>
    <para>
      If reinstalling over an <application>SSH</application> connection to
      enable <xref linkend="linux-pam"/> support, be certain to temporarily set
      <option>PermitRootLogin</option> to <parameter>yes</parameter> in
      <filename>/etc/ssh/sshd_config</filename> until you complete
      reinstallation of <xref linkend="systemd"/>, or you may find that you are
      unable to login to the system remotely.
    </para>
    </warning>

    <para>
      <application>OpenSSH</application> runs as two processes when connecting
      to other computers. The first process is a privileged process and controls
      the issuance of privileges as necessary. The second process communicates
      with the network. Additional installation steps are necessary to set up
      the proper environment, which are performed by issuing the following
      commands as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown   -v root:sys /var/lib/sshd &amp;&amp;

groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd</userinput></screen>

    <para>
      Install <application>OpenSSH</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>
      The testsuite requires an installed copy of <command>scp</command> to
      complete the multiplexing tests. To run the test suite, first copy the
      <command>scp</command> program to
      <filename class="directory">/usr/bin</filename>, making sure that you
      back up any existing copy first.
    </para>

    <para>
      To test the results, issue: <command>make tests</command>.
    </para>

<!-- commenting this, I get "all tests passed" [ ken ]
 NB tests should be run as _user_ but the role in the comment is root

 commenting [ bruce ]:  There are a couple of tests that want root.
 The log mentions that SUDO is not set.  These skipped tests are 
 ignored and the end says 'all tests passed' even when not root

    <para>
      To run the test suite, issue the following commands:
    </para>

<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
grep FATAL check.log</userinput></screen>

    <para>
      If the above command produces no 'FATAL' errors, then proceed with the
      installation, as the <systemitem class="username">root</systemitem> user:
    </para>-->
    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install                                  &amp;&amp;
install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version;           &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-&openssh-version;</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
      configuration files from being installed in
      <filename class="directory">/usr/etc</filename>.
    </para>

    <para>
      <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
      passwords.
    </para>

    <para>
      <parameter>--with-pam</parameter>: This parameter enables
      <application>Linux-PAM</application> support in the build.
    </para>

    <para>
      <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
      location for the <command>xauth</command> binary for X authentication.
      Change the location if <command>xauth</command> will be installed to a
      different path. This can also be controlled from
      <filename>sshd_config</filename> with the XAuthLocation keyword. You can
      omit this switch if <application>Xorg</application> is already installed.
    </para>

    <para>
      <parameter>--with-kerberos5=/usr</parameter>: This option is used to
      include Kerberos 5 support in the build.
    </para>

    <para>
      <parameter>--with-libedit</parameter>: This option enables line editing
      and history features for <command>sftp</command>.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para>
        <filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename>
        </para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>
        There are no required changes to any of these files. However,
        you may wish to view the
        <filename class='directory'>/etc/ssh/</filename> files and make any
        changes appropriate for the security of your system. One recommended
        change is that you disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>. Execute the following command as the
        <systemitem class='username'>root</systemitem> user to disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>:
      </para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you want to be able to log in without typing in your password, first
        create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
        <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
        ~/.ssh/authorized_keys on the remote computer that you want to log into.
        You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
        computer and you'll also need to enter your password for the ssh-copy-id command
        to succeed:
      </para>

<screen><userinput>ssh-keygen &amp;&amp;
ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>

      <para>
        Once you've got passwordless logins working it's actually more secure
        than logging in with a password (as the private key is much longer than
        most people's passwords). If you would like to now disable password
        logins, as the <systemitem class="username">root</systemitem> user:
      </para>


<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you added <application>Linux-PAM</application> support and you want
        ssh to use it then you will need to add a configuration file for
        <application>sshd</application> and enable use of
        <application>Linux-PAM</application>. Note that ssh only uses PAM to check
        passwords, if you've disabled password logins these commands are not
        needed. If you want to use PAM issue the following commands as the
        <systemitem class='username'>root</systemitem> user:
      </para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd &amp;&amp;
echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        Additional configuration information can be found in the man
        pages for <command>sshd</command>, <command>ssh</command>, and
        <command>ssh-agent</command>.
      </para>
    </sect3>

    <sect3  id="openssh-init">
      <title>Systemd Units</title>

      <para>
        To start the <command>sshd</command> daemon at boot,
        install the systemd units from the <xref linkend="bootscripts"/>
        package by running the following command as the
        <systemitem class="username">root</systemitem> user:
      </para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

      <note>
        <para>
          This package comes with two types of units: A service file and a socket file. 
          The service file will start sshd daemon once at boot and it will keep running until the 
          system shuts down. The socket file will make systemd listen on sshd port (Default port is 22, it needs 
          to be edited for anything else) and will start sshd daemon when something tries to connect 
          to that port and stop the daemon when the connection is terminated. This is 
          called socket activation.

          By default, the first method is used - sshd daemon is started at boot and stopped at shutdown. 
          If the socket method is desired, you need to run as the
          <systemitem class="username">root</systemitem> user:

<screen role="root"><userinput>systemctl stop sshd &amp;&amp; 
systemctl disable sshd &amp;&amp;
systemctl enable sshd.socket &amp;&amp;
systemctl start sshd.socket</userinput></screen>
        </para>
      </note>

    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          scp, 
          sftp, 
          slogin (symlink to ssh), 
          ssh, 
          ssh-add, 
          ssh-agent,
          ssh-copy-id, 
          ssh-keygen, 
          ssh-keyscan, 
          and sshd
        </seg>
        <seg>
          None
        </seg>
        <seg>
          /etc/ssh,
          /usr/share/doc/openssh-&openssh-version;, and
          /var/lib/sshd
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>
            is a file copy program that acts like <command>rcp</command> except
            it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>
            is an FTP-like program that works over the SSH1 and SSH2 protocols.
          </para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>
            is a symlink to <command>ssh</command>.
          </para>
          <indexterm zone="openssh slogin">
            <primary sortas="b-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>
            is an <command>rlogin</command>/<command>rsh</command>-like client
            program except it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>
            is a daemon that listens for <command>ssh</command> login requests.
          </para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>
            is a tool which adds keys to the <command>ssh-agent</command>.
          </para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>
            is an authentication agent that can store private keys.
          </para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-copy-id">
        <term><command>ssh-copy-id</command></term>
        <listitem>
          <para>
            is a script that enables logins on remote machine using local keys.
          </para>
          <indexterm zone="openssh ssh-copy-id">
            <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>
            is a key generation tool.
          </para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>
            is a utility for gathering public host keys from a number of hosts.
          </para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>
  </sect2>
</sect1>