Context Navigation

source: postlfs/security/openssh.xml@ 0be837af

Visit:

12.2 lazarus trunk

Last change on this file since 0be837af was 9c48a24b, checked in by Bruce Dubbs <bdubbs@…>, 5 weeks ago
Inital tags for BLFS-12.2.
Property mode set to `100644`
File size: 19.6 KB

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp " ">
10	<!ENTITY openssh-md5sum "&openssh-md5sum;">
11	<!ENTITY openssh-size "1.8 MB">
12	<!ENTITY openssh-buildsize "44 MB (add 22 MB for tests)">
13	<!ENTITY openssh-time "0.3 SBU (Using parallelism=4;
14	running the tests takes about 20 minutes,
15	irrespective of processor speed)">
16	]>
17
18	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
19	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
20	<!-- make check: real 18m25.324s; 9.8p1 1 Jul 2024 -->
21
22	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
23	<?dbhtml filename="openssh.html"?>
24
25	<title>OpenSSH-&openssh-version;</title>
26
27	<indexterm zone="openssh">
28	<primary sortas="a-OpenSSH">OpenSSH</primary>
29	</indexterm>
30
31	<sect2 role="package">
32	<title>Introduction to OpenSSH</title>
33
34	<para>
35	The <application>OpenSSH</application> package contains
36	<command>ssh</command> clients and the <command>sshd</command> daemon.
37	This is useful for encrypting authentication and subsequent traffic over
38	a network. The <command>ssh</command> and <command>scp</command> commands
39	are secure implementations of <command>telnet</command> and
40	<command>rcp</command> respectively.
41	</para>
42
43	&lfs122_checked;
44
45	<bridgehead renderas="sect3">Package Information</bridgehead>
46	<itemizedlist spacing="compact">
47	<listitem>
48	<para>
49	Download (HTTP): <ulink url="&openssh-download-http;"/>
50	</para>
51	</listitem>
52	<listitem>
53	<para>
54	Download (FTP): <ulink url="&openssh-download-ftp;"/>
55	</para>
56	</listitem>
57	<listitem>
58	<para>
59	Download MD5 sum: &openssh-md5sum;
60	</para>
61	</listitem>
62	<listitem>
63	<para>
64	Download size: &openssh-size;
65	</para>
66	</listitem>
67	<listitem>
68	<para>
69	Estimated disk space required: &openssh-buildsize;
70	</para>
71	</listitem>
72	<listitem>
73	<para>
74	Estimated build time: &openssh-time;
75	</para>
76	</listitem>
77	</itemizedlist>
78	<!--
79	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
80	<itemizedlist spacing="compact">
81	<listitem>
82	<para>
83	Required patch:
84	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
85	</para>
86	</listitem>
87	</itemizedlist>
88	-->
89	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
90
91	<bridgehead renderas="sect4">Optional</bridgehead>
92	<para role="optional">
93	<xref linkend="gdb"/> (for tests),
94	<xref linkend="linux-pam"/> (PAM configuration files from
95	<xref linkend="shadow"/> are used to create openssh ones),
96	<xref linkend="xorg7-app"/> (or
97	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
98	<xref linkend="mitkrb"/>,
99	<xref linkend="which"/> (for tests),
100	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	</sect2>
114
115	<sect2 role="installation">
116	<title>Installation of OpenSSH</title>
117
118	<para>
119	<application>OpenSSH</application> runs as two processes when connecting
120	to other computers. The first process is a privileged process and controls
121	the issuance of privileges as necessary. The second process communicates
122	with the network. Additional installation steps are necessary to set up
123	the proper environment, which are performed by issuing the following
124	commands as the <systemitem class="username">root</systemitem> user:
125	</para>
126
127	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
128
129	groupadd -g 50 sshd &&
130	useradd -c 'sshd PrivSep' \
131	-d /var/lib/sshd \
132	-g sshd \
133	-s /bin/false \
134	-u 50 sshd</userinput></screen>
135	<!--
136	<para>
137	Apply a patch to allow OpenSSH to build and function with
138	<application>Glibc-2.31</application> and later:
139	</para>
140
141	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
142	-->
143
144	<!-- Applied in 8.5p1
145	<para>
146	First, adapt <application>ssh-copy-id</application> to changes
147	in bash-5.1:
148	</para>
149
150	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
151
152	<para>
153	Next, fix an issue on platforms other than x86_64:
154	</para>
155	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
156	l1="#ifdef __NR_pselect6_time64"
157	l2=" SC_ALLOW(__NR_pselect6_time64),"
158	l3="#endif"
159	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
160	-i sandbox-seccomp-filter.c
161	fi</userinput></screen>
162	-->
163	<para>
164	Install <application>OpenSSH</application> by running the following
165	commands:
166	</para>
167
168	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
169	block leaves an eyesore. -->
170	<screen><userinput>./configure --prefix=/usr \
171	--sysconfdir=/etc/ssh \
172	--with-privsep-path=/var/lib/sshd \
173	--with-default-path=/usr/bin \
174	--with-superuser-path=/usr/sbin:/usr/bin \
175	--with-pid-dir=/run &&
176	make</userinput></screen>
177
178	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
179	<para>
180	The test suite requires an installed copy of <command>scp</command> to
181	complete the multiplexing tests. To run the test suite, first copy the
182	<command>scp</command> program to
183	<filename class="directory">/usr/bin</filename>, making sure that you
184	backup any existing copy first.
185	</para>
186	-->
187	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
188	<para>
189	If you wish to run the tests, remove a test suite that is not valid on
190	Linux-based platforms:
191	</para>
192
193	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
194	-->
195	<para>
196	To test the results, issue: <command>make -j1 tests</command>.
197	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
198	</para>
199
200	<!-- commenting this, I get "all tests passed" [ ken ]
201	NB tests should be run as _user_ but the role in the comment is root
202
203	commenting [ bruce ]: There are a couple of tests that want root.
204	The log mentions that SUDO is not set. These skipped tests are
205	ignored and the end says 'all tests passed' even when not root
206
207	<para>
208	To run the test suite, issue the following commands:
209	</para>
210
211	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
212	grep FATAL check.log</userinput></screen>
213
214	<para>
215	If the above command produces no 'FATAL' errors, then proceed with the
216	installation, as the <systemitem class="username">root</systemitem> user:
217	</para>-->
218	<para>
219	Now, as the <systemitem class="username">root</systemitem> user:
220	</para>
221
222	<screen role="root"><userinput>make install &&
223	install -v -m755 contrib/ssh-copy-id /usr/bin &&
224
225	install -v -m644 contrib/ssh-copy-id.1 \
226	/usr/share/man/man1 &&
227	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
228	install -v -m644 INSTALL LICENCE OVERVIEW README* \
229	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
230	</sect2>
231
232	<sect2 role="commands">
233	<title>Command Explanations</title>
234
235	<para>
236	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
237	configuration files from being installed in
238	<filename class="directory">/usr/etc</filename>.
239	</para>
240
241	<para>
242	<parameter>--with-default-path=/usr/bin</parameter> and
243	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
244	These set <envar>PATH</envar> consistent with LFS and BLFS
245	<application>Shadow</application> package.
246	</para>
247
248	<para>
249	<parameter>--with-pid-dir=/run</parameter>: This prevents
250	<application>OpenSSH</application> from referring to deprecated
251	<filename class="directory">/var/run</filename>.
252	</para>
253	<!--
254	<para>
255	<parameter>- -without-zlib-version-check</parameter>: This prevents
256	<application>OpenSSH</application> from checking the version of
257	the system <application>Zlib</application>. We need to use this
258	switch or the version check would mistakenly report the latest
259	<application>Zlib</application> 1.13 <quote>too old</quote> and
260	reject it.
261	</para>
262	-->
263	<para>
264	<option>--with-pam</option>: This parameter enables
265	<application>Linux-PAM</application> support in the build.
266	</para>
267
268	<para>
269	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
270	location for the <command>xauth</command> binary for X authentication.
271	The environment variable <envar>XORG_PREFIX</envar> should be set
272	following <xref linkend='xorg-env'/>. This can also be controlled from
273	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
274	omit this switch if <application>Xorg</application> is already installed.
275	</para>
276
277	<para>
278	<option>--with-kerberos5=/usr</option>: This option is used to
279	include Kerberos 5 support in the build.
280	</para>
281
282	<para>
283	<option>--with-libedit</option>: This option enables line editing
284	and history features for <command>sftp</command>.
285	</para>
286
287	</sect2>
288
289	<sect2 role="configuration">
290	<title>Configuring OpenSSH</title>
291
292	<sect3 id="openssh-config">
293	<title>Config Files</title>
294
295	<para>
296	<filename>~/.ssh/*</filename>,
297	<filename>/etc/ssh/ssh_config</filename>, and
298	<filename>/etc/ssh/sshd_config</filename>
299	</para>
300
301	<indexterm zone="openssh openssh-config">
302	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
303	</indexterm>
304
305	<indexterm zone="openssh openssh-config">
306	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
307	</indexterm>
308
309	<indexterm zone="openssh openssh-config">
310	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
311	</indexterm>
312
313	<para>
314	There are no required changes to any of these files. However,
315	you may wish to view the
316	<filename class='directory'>/etc/ssh/</filename> files and make any
317	changes appropriate for the security of your system. One recommended
318	change is that you disable
319	<systemitem class='username'>root</systemitem> login via
320	<command>ssh</command>. Execute the following command as the
321	<systemitem class='username'>root</systemitem> user to disable
322	<systemitem class='username'>root</systemitem> login via
323	<command>ssh</command>:
324	</para>
325
326	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
327
328	<para>
329	If you want to be able to log in without typing in your password, first
330	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
331	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
332	~/.ssh/authorized_keys on the remote computer that you want to log into.
333	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
334	computer and you'll also need to enter your password for the ssh-copy-id command
335	to succeed:
336	</para>
337
338	<screen role='nodump'><userinput>ssh-keygen &&
339	ssh-copy-id -i ~/.ssh/id_ed25519.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
340
341	<para>
342	Once you've got passwordless logins working it's actually more secure
343	than logging in with a password (as the private key is much longer than
344	most people's passwords). If you would like to now disable password
345	logins, as the <systemitem class="username">root</systemitem> user:
346	</para>
347
348
349	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
350	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
351
352	<para>
353	If you added <application>Linux-PAM</application> support and you want
354	ssh to use it then you will need to add a configuration file for
355	<application>sshd</application> and enable use of
356	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
357	passwords, if you've disabled password logins these commands are not
358	needed. If you want to use PAM, issue the following commands as the
359	<systemitem class='username'>root</systemitem> user:
360	</para>
361
362	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
363	chmod 644 /etc/pam.d/sshd &&
364	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
365
366	<para>
367	Additional configuration information can be found in the man
368	pages for <command>sshd</command>, <command>ssh</command> and
369	<command>ssh-agent</command>.
370	</para>
371	</sect3>
372
373	<sect3 id="openssh-init">
374	<title><phrase revision="sysv">Boot Script</phrase>
375	<phrase revision="systemd">Systemd Unit</phrase></title>
376
377	<para revision="sysv">
378	To start the SSH server at system boot, install the
379	<filename>/etc/rc.d/init.d/sshd</filename> init script included
380	in the <xref linkend="bootscripts"/> package.
381	</para>
382
383	<para revision="systemd">
384	To start the SSH server at system boot, install the
385	<filename>sshd.service</filename> unit included in the
386	<xref linkend="systemd-units"/> package.
387	</para>
388
389	<note>
390	<para>
391	Changing the setting of <option>ListenAddress</option> in
392	<filename>/etc/sshd/sshd_config</filename> is unsupported with
393	the BLFS sshd <phrase revision='sysv'>bootscript</phrase><phrase
394	revision='systemd'>systemd unit</phrase>.
395	</para>
396	</note>
397
398	<indexterm zone="openssh openssh-init">
399	<primary sortas="f-sshd">sshd</primary>
400	</indexterm>
401
402	<screen role="root"><userinput>make install-sshd</userinput></screen>
403	</sect3>
404	</sect2>
405
406	<sect2 role="content">
407	<title>Contents</title>
408
409	<segmentedlist>
410	<segtitle>Installed Programs</segtitle>
411	<segtitle>Installed Libraries</segtitle>
412	<segtitle>Installed Directories</segtitle>
413
414	<seglistitem>
415	<seg>
416	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
417	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
418	</seg>
419	<seg>
420	None
421	</seg>
422	<seg>
423	/etc/ssh,
424	/usr/share/doc/openssh-&openssh-version;, and
425	/var/lib/sshd
426	</seg>
427	</seglistitem>
428	</segmentedlist>
429
430	<variablelist>
431	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
432	<?dbfo list-presentation="list"?>
433	<?dbhtml list-presentation="table"?>
434
435	<varlistentry id="scp">
436	<term><command>scp</command></term>
437	<listitem>
438	<para>
439	is a file copy program that acts like <command>rcp</command> except
440	it uses an encrypted protocol
441	</para>
442	<indexterm zone="openssh scp">
443	<primary sortas="b-scp">scp</primary>
444	</indexterm>
445	</listitem>
446	</varlistentry>
447
448	<varlistentry id="sftp">
449	<term><command>sftp</command></term>
450	<listitem>
451	<para>
452	is an FTP-like program that works over the SSH1 and SSH2 protocols
453	</para>
454	<indexterm zone="openssh sftp">
455	<primary sortas="b-sftp">sftp</primary>
456	</indexterm>
457	</listitem>
458	</varlistentry>
459	<!-- Not installed anymore as of 8.5p1
460	<varlistentry id="slogin">
461	<term><command>slogin</command></term>
462	<listitem>
463	<para>
464	is a symlink to <command>ssh</command>
465	</para>
466	<indexterm zone="openssh slogin">
467	<primary sortas="b-slogin">slogin</primary>
468	</indexterm>
469	</listitem>
470	</varlistentry>
471	-->
472	<varlistentry id="ssh">
473	<term><command>ssh</command></term>
474	<listitem>
475	<para>
476	is an <command>rlogin</command>/<command>rsh</command>-like client
477	program except it uses an encrypted protocol
478	</para>
479	<indexterm zone="openssh ssh">
480	<primary sortas="b-ssh">ssh</primary>
481	</indexterm>
482	</listitem>
483	</varlistentry>
484
485	<varlistentry id="sshd">
486	<term><command>sshd</command></term>
487	<listitem>
488	<para>
489	is a daemon that listens for <command>ssh</command> login requests
490	</para>
491	<indexterm zone="openssh sshd">
492	<primary sortas="b-sshd">sshd</primary>
493	</indexterm>
494	</listitem>
495	</varlistentry>
496
497	<varlistentry id="ssh-add">
498	<term><command>ssh-add</command></term>
499	<listitem>
500	<para>
501	is a tool which adds keys to the <command>ssh-agent</command>
502	</para>
503	<indexterm zone="openssh ssh-add">
504	<primary sortas="b-ssh-add">ssh-add</primary>
505	</indexterm>
506	</listitem>
507	</varlistentry>
508
509	<varlistentry id="ssh-agent">
510	<term><command>ssh-agent</command></term>
511	<listitem>
512	<para>
513	is an authentication agent that can store private keys
514	</para>
515	<indexterm zone="openssh ssh-agent">
516	<primary sortas="b-ssh-agent">ssh-agent</primary>
517	</indexterm>
518	</listitem>
519	</varlistentry>
520
521	<varlistentry id="ssh-copy-id">
522	<term><command>ssh-copy-id</command></term>
523	<listitem>
524	<para>
525	is a script that enables logins on remote machines using local keys
526	</para>
527	<indexterm zone="openssh ssh-copy-id">
528	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
529	</indexterm>
530	</listitem>
531	</varlistentry>
532
533	<varlistentry id="ssh-keygen">
534	<term><command>ssh-keygen</command></term>
535	<listitem>
536	<para>
537	is a key generation tool
538	</para>
539	<indexterm zone="openssh ssh-keygen">
540	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
541	</indexterm>
542	</listitem>
543	</varlistentry>
544
545	<varlistentry id="ssh-keyscan">
546	<term><command>ssh-keyscan</command></term>
547	<listitem>
548	<para>
549	is a utility for gathering public host keys from a number of hosts
550	</para>
551	<indexterm zone="openssh ssh-keyscan">
552	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
553	</indexterm>
554	</listitem>
555	</varlistentry>
556
557	</variablelist>
558	</sect2>
559
560	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: