OpenSSH-&openssh-version;

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

Package Information

  Download (HTTP):
  Download (FTP):
  Download MD5 sum: &openssh-md5sum;
  Download size: &openssh-size;
  Estimated disk space required: &openssh-buildsize;
  Estimated build time: &openssh-time;

OpenSSH Dependencies

  Required:
  Optional: , , , , libedit (provides a command-line history feature to sftp), OpenSC and libsectok
  Optional Runtime (used only to gather entropy): , and .

User Notes:

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

  install -v -m700 -d /var/lib/sshd &&
  chown -v root:sys /var/lib/sshd &&
  groupadd -g 50 sshd &&
  useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
          -s /bin/false -u 50 sshd

OpenSSH is very sensitive to changes in the linked OpenSSL libraries. If you recompile OpenSSL, OpenSSH may fail to start up. An alternative is to link against the static OpenSSL library.
To link against the static library, execute the following command:

  sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure

Install OpenSSH by running the following commands:

  sed -i.bak '/K5LIBS=/s/ -ldes//' configure &&
  ./configure --prefix=/usr \
              --sysconfdir=/etc/ssh \
              --datadir=/usr/share/sshd \
              --with-md5-passwords \
              --with-privsep-path=/var/lib/sshd &&
  make

If you linked tcp_wrappers into the build using the parameter, ensure you add 127.0.0.1 to the sshd line in /etc/hosts.allow if you have a restrictive /etc/hosts.deny file, or the test suite will fail. Additionally, the test suite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first. Then issue the following commands:

  make tests 2>&1 | tee check.log
  grep FATAL check.log

If the above commands produce no 'FATAL' errors, then proceed with the installation, as the root user:

  make install &&
  install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
  install -v -m644 INSTALL LICENCE OVERVIEW README* \
          /usr/share/doc/openssh-&openssh-version;

Command Explanations

sed -i.bak '/K5LIBS=/s/ -ldes//' configure: This sed fixes a build crash if you used the option. The command is harmless in all other instances.

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--datadir=/usr/share/sshd: This switch puts the Ssh.bin file (used for SmartCard authentication) in /usr/share/sshd.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Sets the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.
--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

Configuring OpenSSH

Config Files

  ~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is to disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

  echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to replace REMOTE_HOSTNAME with the hostname of the remote computer, and you'll also need to enter your password for the ssh command to succeed:

  ssh-keygen &&
  public_key="$(cat ~/.ssh/id_rsa.pub)" &&
  ssh REMOTE_HOSTNAME "echo ${public_key} >> ~/.ssh/authorized_keys" &&
  unset public_key

Once you've got passwordless logins working, it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would now like to disable password logins, as the root user:

  echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
  echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config

If you added Linux-PAM support and you want ssh to use it, then you will need to add a configuration file for sshd and enable use of Linux-PAM. Note that ssh only uses PAM to check passwords; if you've disabled password logins, these commands are not needed.
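The `echo "Keyword value" >> /etc/ssh/sshd_config` appends used in this section are convenient but not idempotent: sshd takes the first uncommented value it finds for a keyword, so an append is silently ignored if the keyword is already set earlier in the file, and a line appended after a Match block only applies when that Match rule fires. The following added example (written for this page, not part of the BLFS book or of OpenSSH) sets a keyword in place, or inserts it before the first Match block, and reports the value sshd will actually use; the sample configuration it writes is constructed and the function names are this example's own.

```shell
# Added example, not from the BLFS page. sshd uses the FIRST uncommented value
# of a keyword, and lines after a "Match" line apply only when that rule fires,
# so `echo "Keyword value" >> sshd_config` is silently ignored if the keyword is
# already set above, and becomes conditional if a Match block precedes it.

# Set KEY to VALUE in CFG: rewrite the first global occurrence, else insert
# before the first Match block, else append.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"; tmp="${cfg}.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { lk = tolower(k); done = 0 }
        /^[ \t]*#/ { print; next }                                   # comments untouched
        !done && tolower($1) == lk { print k " " v; done = 1; next }
        !done && tolower($1) == "match" { print k " " v; done = 1 }  # stay global
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the value sshd will actually use for KEY in CFG (first global,
# uncommented occurrence); prints nothing if unset.
effective_sshd_option() {
    awk -v k="$2" '
        BEGIN { lk = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# Constructed sample (NOT a real system file): root login already enabled
# above, and a Match block at the end, so a plain append would misbehave.
write_sample_config() {
    printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
        'PermitRootLogin yes' '#PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication yes' > "$1"
}

# Apply the three settings this page recommends and report the effective
# values as "Keyword=value" lines.
harden_sample() {
    f="$1"; write_sample_config "$f"
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" ChallengeResponseAuthentication no
    for k in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        printf '%s=%s\n' "$k" "$(effective_sshd_option "$f" "$k")"
    done
}
```

harden_sample takes a scratch path to write the constructed sample to; when using set_sshd_option on a real system, run it against a copy of /etc/ssh/sshd_config and check the result with sshd -t before replacing the live file.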
If you want to use PAM, issue the following commands as the root user:

  sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
  chmod 644 /etc/pam.d/sshd &&
  echo "USEPAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the package:

  make install-sshd

Contents

Installed Programs: scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan and ssh-keysign.

Installed Directories: /etc/ssh, /var/lib/sshd, /usr/lib/openssh and /usr/share/doc/openssh-&openssh-version;.

Short Descriptions

scp is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp is an FTP-like program that works over the SSH1 and SSH2 protocols.

sftp-server is an SFTP server subsystem. This program is not normally called directly by the user.

slogin is a symlink to ssh.

ssh is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd is a daemon that listens for ssh login requests.

ssh-add is a tool which adds keys to the ssh-agent.

ssh-agent is an authentication agent that can store private keys.

ssh-keygen is a key generation tool.

ssh-keyscan is a utility for gathering public host keys from a number of hosts.

ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. This program is not normally called directly by the user.