source: postlfs/security/openssh.xml@ 075cb1e

Last change on this file since 075cb1e was 075cb1e, checked in by Bruce Dubbs <bdubbs@…>, 15 months ago

Update to openssh and ssh-askpass 9.2p1.

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "&openssh-md5sum;">
13 <!ENTITY openssh-size "1.8 MB">
14 <!ENTITY openssh-buildsize "44 MB (add 22 MB for tests)">
15 <!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16 running the tests takes about 20 minutes,
17 irrespective of processor speed)">
18]>
19
20 <!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
21
22<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
23 <?dbhtml filename="openssh.html"?>
24
25 <title>OpenSSH-&openssh-version;</title>
26
27 <indexterm zone="openssh">
28 <primary sortas="a-OpenSSH">OpenSSH</primary>
29 </indexterm>
30
31 <sect2 role="package">
32 <title>Introduction to OpenSSH</title>
33
34 <para>
35 The <application>OpenSSH</application> package contains
36 <command>ssh</command> clients and the <command>sshd</command> daemon.
37 This is useful for encrypting authentication and subsequent traffic over
38 a network. The <command>ssh</command> and <command>scp</command> commands
39 are secure replacements for <command>telnet</command> and
40 <command>rcp</command> respectively.
41 </para>
42
43 &lfs112_checked;
44
45 <bridgehead renderas="sect3">Package Information</bridgehead>
46 <itemizedlist spacing="compact">
47 <listitem>
48 <para>
49 Download (HTTP): <ulink url="&openssh-download-http;"/>
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download (FTP): <ulink url="&openssh-download-ftp;"/>
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Download MD5 sum: &openssh-md5sum;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Download size: &openssh-size;
65 </para>
66 </listitem>
67 <listitem>
68 <para>
69 Estimated disk space required: &openssh-buildsize;
70 </para>
71 </listitem>
72 <listitem>
73 <para>
74 Estimated build time: &openssh-time;
75 </para>
76 </listitem>
77 </itemizedlist>
78<!--
79 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
80 <itemizedlist spacing="compact">
81 <listitem>
82 <para>
83 Required patch:
84 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
85 </para>
86 </listitem>
87 </itemizedlist>
88-->
89 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
90
91 <bridgehead renderas="sect4">Optional</bridgehead>
92 <para role="optional">
93 <xref linkend="gdb"/> (for tests),
94 <xref linkend="linux-pam"/>,
95 <xref linkend="x-window-system"/>,
96 <xref linkend="mitkrb"/>,
97 <xref linkend="which"/> (for tests),
98 <ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
99 <ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
100 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
101 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
102 </para>
103
104 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
105 <para role="optional">
106 <!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
107 <xref role="runtime" linkend="net-tools"/>, and
108 <xref role="runtime" linkend="sysstat"/>
109 </para>
110
111 <para condition="html" role="usernotes">
112 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
113 </para>
114 </sect2>
115
116 <sect2 role="installation">
117 <title>Installation of OpenSSH</title>
118
119 <para>
120 <application>OpenSSH</application> runs as two processes when connecting
121 to other computers. The first process is a privileged process that controls
122 the issuance of privileges as necessary. The second, unprivileged process
123 communicates with the network. Additional installation steps are necessary
124 to set up the proper environment, namely the dedicated <systemitem class="username">sshd</systemitem>
125 user and its privilege-separation directory; these are created by issuing the following
126 commands as the <systemitem class="username">root</systemitem> user:
126 </para>
127
128<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
129chown -v root:sys /var/lib/sshd &amp;&amp;
130
131groupadd -g 50 sshd &amp;&amp;
132useradd -c 'sshd PrivSep' \
133 -d /var/lib/sshd \
134 -g sshd \
135 -s /bin/false \
136 -u 50 sshd</userinput></screen>
137<!--
138 <para>
139 Apply a patch to allow OpenSSH to build and function with
140 <application>Glibc-2.31</application> and later:
141 </para>
142
143<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
144-->
145
146<!-- Applied in 8.5p1
147 <para>
148 First, adapt <application>ssh-copy-id</application> to changes
149 in bash-5.1:
150 </para>
151
152<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
153
154 <para>
155 Next, fix an issue on platforms other than x86_64:
156 </para>
157 <screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
158 l1="#ifdef __NR_pselect6_time64"
159 l2=" SC_ALLOW(__NR_pselect6_time64),"
160 l3="#endif"
161 sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
162 -i sandbox-seccomp-filter.c
163fi</userinput></screen>
164-->
165 <para>
166 Install <application>OpenSSH</application> by running the following
167 commands:
168 </para>
169
170<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
171 block leaves an eyesore. -->
172<screen><userinput>./configure --prefix=/usr \
173 --sysconfdir=/etc/ssh \
174 --with-privsep-path=/var/lib/sshd \
175 --with-default-path=/usr/bin \
176 --with-superuser-path=/usr/sbin:/usr/bin \
177 --with-pid-dir=/run &amp;&amp;
178make</userinput></screen>
179
180 <para>
181 The test suite requires an installed copy of <command>scp</command> to
182 complete the multiplexing tests. To run the test suite, first copy the
183 <command>scp</command> program to
184 <filename class="directory">/usr/bin</filename>, making sure that you
185 back up any existing copy first.
186 </para>
187<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
188 <para>
189 If you wish to run the tests, remove a test suite that is not valid on
190 Linux-based platforms:
191 </para>
192
193<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
194-->
195 <para>
196 To test the results, issue: <command>make -j1 tests</command>.
197 <!--One test, <filename>key options</filename>, fails when run in chroot.-->
198 </para>
199
200<!-- commenting this, I get "all tests passed" [ ken ]
201 NB tests should be run as _user_ but the role in the comment is root
202
203 commenting [ bruce ]: There are a couple of tests that want root.
204 The log mentions that SUDO is not set. These skipped tests are
205 ignored and the end says 'all tests passed' even when not root
206
207 <para>
208 To run the test suite, issue the following commands:
209 </para>
210
211<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
212grep FATAL check.log</userinput></screen>
213
214 <para>
215 If the above command produces no 'FATAL' errors, then proceed with the
216 installation, as the <systemitem class="username">root</systemitem> user:
217 </para>-->
218 <para>
219 Now, as the <systemitem class="username">root</systemitem> user:
220 </para>
221
222<screen role="root"><userinput>make install &amp;&amp;
223install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
224
225install -v -m644 contrib/ssh-copy-id.1 \
226 /usr/share/man/man1 &amp;&amp;
227install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
228install -v -m644 INSTALL LICENCE OVERVIEW README* \
229 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
230 </sect2>
231
232 <sect2 role="commands">
233 <title>Command Explanations</title>
234
235 <para>
236 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
237 configuration files from being installed in
238 <filename class="directory">/usr/etc</filename>.
239 </para>
240
241 <!--
242 <para>
243 <parameter>-\-with-md5-passwords</parameter>: This enables the use of MD5
244 passwords.
245 </para>
246 -->
247
248 <para>
249 <parameter>--with-default-path=/usr/bin</parameter> and
250 <parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
251 These set <envar>PATH</envar> consistently with the LFS and BLFS
252 <application>Shadow</application> package.
253 </para>
254
255 <para>
256 <parameter>--with-pid-dir=/run</parameter>: This prevents
257 <application>OpenSSH</application> from referring to deprecated
258 <filename class="directory">/var/run</filename>.
259 </para>
260
261 <para>
262 <option>--with-pam</option>: This parameter enables
263 <application>Linux-PAM</application> support in the build.
264 </para>
265
266 <para>
267 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
268 location for the <command>xauth</command> binary for X authentication.
269 Change the location if <command>xauth</command> will be installed to a
270 different path. This can also be controlled from
271 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
272 omit this switch if <application>Xorg</application> is already installed.
273 </para>
274
275 <para>
276 <option>--with-kerberos5=/usr</option>: This option is used to
277 include Kerberos 5 support in the build.
278 </para>
279
280 <para>
281 <option>--with-libedit</option>: This option enables line editing
282 and history features for <command>sftp</command>.
283 </para>
284
285 </sect2>
286
287 <sect2 role="configuration">
288 <title>Configuring OpenSSH</title>
289
290 <sect3 id="openssh-config">
291 <title>Config Files</title>
292
293 <para>
294 <filename>~/.ssh/*</filename>,
295 <filename>/etc/ssh/ssh_config</filename>, and
296 <filename>/etc/ssh/sshd_config</filename>
297 </para>
298
299 <indexterm zone="openssh openssh-config">
300 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
301 </indexterm>
302
303 <indexterm zone="openssh openssh-config">
304 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
305 </indexterm>
306
307 <indexterm zone="openssh openssh-config">
308 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
309 </indexterm>
310
311 <para>
312 There are no required changes to any of these files. However,
313 you may wish to view the
314 <filename class='directory'>/etc/ssh/</filename> files and make any
315 changes appropriate for the security of your system. One recommended
316 change is to disable direct
317 <systemitem class='username'>root</systemitem> login via
318 <command>ssh</command>. Note that <command>sshd</command> uses the first
319 value it finds for each keyword, so if <filename>sshd_config</filename> already
320 contains a PermitRootLogin line, edit that line instead of appending to the file. Otherwise, execute the following command as the
321 <systemitem class='username'>root</systemitem> user to disable <systemitem class='username'>root</systemitem> login via <command>ssh</command>:
322 </para>
323
324<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
325
326 <para>
327 If you want to be able to log in without typing your password, first
328 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
329 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
330 ~/.ssh/authorized_keys on the remote computer that you want to log into.
331 Replace REMOTE_USERNAME and REMOTE_HOSTNAME with the username and hostname of the remote
332 computer; you will also need to enter your password for the ssh-copy-id command
333 to succeed:
334 </para>
335
336<screen><userinput>ssh-keygen &amp;&amp;
337ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
338
339 <para>
340 Once you have key-based (passwordless) logins working, they are more secure
341 than logging in with a password (as the private key is much longer than
342 most people's passwords). Before disabling password logins, confirm from a separate session that the key-based login works, or you may lock yourself out of the remote system. To disable
343 password logins, as the <systemitem class="username">root</systemitem> user:
344 </para>
345
346
347<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
348echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
349
350 <para>
351 If you added <application>Linux-PAM</application> support and you want
352 <command>sshd</command> to use it, you will need to add a configuration file for
353 <application>sshd</application> and enable the use of
354 <application>Linux-PAM</application>. Note that <command>sshd</command> only uses PAM to check
355 passwords, so if you have disabled password logins these commands are not
356 needed. If you want to use PAM, issue the following commands as the
357 <systemitem class='username'>root</systemitem> user:
358 </para>
359
360<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
361chmod 644 /etc/pam.d/sshd &amp;&amp;
362echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
363
364 <para>
365 Additional configuration information can be found in the man
366 pages for <command>sshd</command>, <command>ssh</command> and
367 <command>ssh-agent</command>.
368 </para>
369 </sect3>
370
371 <sect3 id="openssh-init">
372 <title><phrase revision="sysv">Boot Script</phrase>
373 <phrase revision="systemd">Systemd Unit</phrase></title>
374
375 <para revision="sysv">
376 To start the SSH server at system boot, install the
377 <filename>/etc/rc.d/init.d/sshd</filename> init script included
378 in the <xref linkend="bootscripts"/> package.
379 </para>
380
381 <para revision="systemd">
382 To start the SSH server at system boot, install the
383 <filename>sshd.service</filename> unit included in the
384 <xref linkend="systemd-units"/> package.
385 </para>
386
387 <indexterm zone="openssh openssh-init">
388 <primary sortas="f-sshd">sshd</primary>
389 </indexterm>
390
391<screen role="root"><userinput>make install-sshd</userinput></screen>
392 </sect3>
393 </sect2>
394
395 <sect2 role="content">
396 <title>Contents</title>
397
398 <segmentedlist>
399 <segtitle>Installed Programs</segtitle>
400 <segtitle>Installed Libraries</segtitle>
401 <segtitle>Installed Directories</segtitle>
402
403 <seglistitem>
404 <seg>
405 scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
406 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
407 </seg>
408 <seg>
409 None
410 </seg>
411 <seg>
412 /etc/ssh,
413 /usr/share/doc/openssh-&openssh-version;, and
414 /var/lib/sshd
415 </seg>
416 </seglistitem>
417 </segmentedlist>
418
419 <variablelist>
420 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
421 <?dbfo list-presentation="list"?>
422 <?dbhtml list-presentation="table"?>
423
424 <varlistentry id="scp">
425 <term><command>scp</command></term>
426 <listitem>
427 <para>
428 is a file copy program that acts like <command>rcp</command> except
429 it uses an encrypted protocol
430 </para>
431 <indexterm zone="openssh scp">
432 <primary sortas="b-scp">scp</primary>
433 </indexterm>
434 </listitem>
435 </varlistentry>
436
437 <varlistentry id="sftp">
438 <term><command>sftp</command></term>
439 <listitem>
440 <para>
441 is an FTP-like program that works over the SSH1 and SSH2 protocols
442 </para>
443 <indexterm zone="openssh sftp">
444 <primary sortas="b-sftp">sftp</primary>
445 </indexterm>
446 </listitem>
447 </varlistentry>
448<!-- Not installed anymore as of 8.5p1
449 <varlistentry id="slogin">
450 <term><command>slogin</command></term>
451 <listitem>
452 <para>
453 is a symlink to <command>ssh</command>
454 </para>
455 <indexterm zone="openssh slogin">
456 <primary sortas="b-slogin">slogin</primary>
457 </indexterm>
458 </listitem>
459 </varlistentry>
460-->
461 <varlistentry id="ssh">
462 <term><command>ssh</command></term>
463 <listitem>
464 <para>
465 is an <command>rlogin</command>/<command>rsh</command>-like client
466 program except it uses an encrypted protocol
467 </para>
468 <indexterm zone="openssh ssh">
469 <primary sortas="b-ssh">ssh</primary>
470 </indexterm>
471 </listitem>
472 </varlistentry>
473
474 <varlistentry id="sshd">
475 <term><command>sshd</command></term>
476 <listitem>
477 <para>
478 is a daemon that listens for <command>ssh</command> login requests
479 </para>
480 <indexterm zone="openssh sshd">
481 <primary sortas="b-sshd">sshd</primary>
482 </indexterm>
483 </listitem>
484 </varlistentry>
485
486 <varlistentry id="ssh-add">
487 <term><command>ssh-add</command></term>
488 <listitem>
489 <para>
490 is a tool which adds keys to the <command>ssh-agent</command>
491 </para>
492 <indexterm zone="openssh ssh-add">
493 <primary sortas="b-ssh-add">ssh-add</primary>
494 </indexterm>
495 </listitem>
496 </varlistentry>
497
498 <varlistentry id="ssh-agent">
499 <term><command>ssh-agent</command></term>
500 <listitem>
501 <para>
502 is an authentication agent that can store private keys
503 </para>
504 <indexterm zone="openssh ssh-agent">
505 <primary sortas="b-ssh-agent">ssh-agent</primary>
506 </indexterm>
507 </listitem>
508 </varlistentry>
509
510 <varlistentry id="ssh-copy-id">
511 <term><command>ssh-copy-id</command></term>
512 <listitem>
513 <para>
514 is a script that enables logins on remote machines using local keys
515 </para>
516 <indexterm zone="openssh ssh-copy-id">
517 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
518 </indexterm>
519 </listitem>
520 </varlistentry>
521
522 <varlistentry id="ssh-keygen">
523 <term><command>ssh-keygen</command></term>
524 <listitem>
525 <para>
526 is a key generation tool
527 </para>
528 <indexterm zone="openssh ssh-keygen">
529 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
530 </indexterm>
531 </listitem>
532 </varlistentry>
533
534 <varlistentry id="ssh-keyscan">
535 <term><command>ssh-keyscan</command></term>
536 <listitem>
537 <para>
538 is a utility for gathering public host keys from a number of hosts
539 </para>
540 <indexterm zone="openssh ssh-keyscan">
541 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
542 </indexterm>
543 </listitem>
544 </varlistentry>
545
546 </variablelist>
547 </sect2>
548
549</sect1>