Context Navigation

source: postlfs/security/openssh.xml@ 0f76bd9

Visit:

12.0 12.1 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18

Last change on this file since 0f76bd9 was ed345e7, checked in by Douglas R. Reno <renodr@…>, 10 months ago
Tags
Property mode set to `100644`
File size: 19.2 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "&openssh-md5sum;">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 20 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
21	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
22
23	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
24	<?dbhtml filename="openssh.html"?>
25
26	<title>OpenSSH-&openssh-version;</title>
27
28	<indexterm zone="openssh">
29	<primary sortas="a-OpenSSH">OpenSSH</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to OpenSSH</title>
34
35	<para>
36	The <application>OpenSSH</application> package contains
37	<command>ssh</command> clients and the <command>sshd</command> daemon.
38	This is useful for encrypting authentication and subsequent traffic over
39	a network. The <command>ssh</command> and <command>scp</command> commands
40	are secure implementations of <command>telnet</command> and
41	<command>rcp</command> respectively.
42	</para>
43
44	&lfs120_checked;
45
46	<bridgehead renderas="sect3">Package Information</bridgehead>
47	<itemizedlist spacing="compact">
48	<listitem>
49	<para>
50	Download (HTTP): <ulink url="&openssh-download-http;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download (FTP): <ulink url="&openssh-download-ftp;"/>
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download MD5 sum: &openssh-md5sum;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Download size: &openssh-size;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated disk space required: &openssh-buildsize;
71	</para>
72	</listitem>
73	<listitem>
74	<para>
75	Estimated build time: &openssh-time;
76	</para>
77	</listitem>
78	</itemizedlist>
79	<!--
80	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
81	<itemizedlist spacing="compact">
82	<listitem>
83	<para>
84	Required patch:
85	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
86	</para>
87	</listitem>
88	</itemizedlist>
89	-->
90	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
91
92	<bridgehead renderas="sect4">Optional</bridgehead>
93	<para role="optional">
94	<xref linkend="gdb"/> (for tests),
95	<xref linkend="linux-pam"/>,
96	<xref linkend="xorg7-app"/> (or
97	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
98	<xref linkend="mitkrb"/>,
99	<xref linkend="which"/> (for tests),
100	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	<para condition="html" role="usernotes">
114	Editor Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115	</para>
116	</sect2>
117
118	<sect2 role="installation">
119	<title>Installation of OpenSSH</title>
120
121	<para>
122	<application>OpenSSH</application> runs as two processes when connecting
123	to other computers. The first process is a privileged process and controls
124	the issuance of privileges as necessary. The second process communicates
125	with the network. Additional installation steps are necessary to set up
126	the proper environment, which are performed by issuing the following
127	commands as the <systemitem class="username">root</systemitem> user:
128	</para>
129
130	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
131
132	groupadd -g 50 sshd &&
133	useradd -c 'sshd PrivSep' \
134	-d /var/lib/sshd \
135	-g sshd \
136	-s /bin/false \
137	-u 50 sshd</userinput></screen>
138	<!--
139	<para>
140	Apply a patch to allow OpenSSH to build and function with
141	<application>Glibc-2.31</application> and later:
142	</para>
143
144	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145	-->
146
147	<!-- Applied in 8.5p1
148	<para>
149	First, adapt <application>ssh-copy-id</application> to changes
150	in bash-5.1:
151	</para>
152
153	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155	<para>
156	Next, fix an issue on platforms other than x86_64:
157	</para>
158	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159	l1="#ifdef __NR_pselect6_time64"
160	l2=" SC_ALLOW(__NR_pselect6_time64),"
161	l3="#endif"
162	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163	-i sandbox-seccomp-filter.c
164	fi</userinput></screen>
165	-->
166	<para>
167	Install <application>OpenSSH</application> by running the following
168	commands:
169	</para>
170
171	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
172	block leaves an eyesore. -->
173	<screen><userinput>./configure --prefix=/usr \
174	--sysconfdir=/etc/ssh \
175	--with-privsep-path=/var/lib/sshd \
176	--with-default-path=/usr/bin \
177	--with-superuser-path=/usr/sbin:/usr/bin \
178	--with-pid-dir=/run &&
179	make</userinput></screen>
180
181	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
182	<para>
183	The test suite requires an installed copy of <command>scp</command> to
184	complete the multiplexing tests. To run the test suite, first copy the
185	<command>scp</command> program to
186	<filename class="directory">/usr/bin</filename>, making sure that you
187	backup any existing copy first.
188	</para>
189	-->
190	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
191	<para>
192	If you wish to run the tests, remove a test suite that is not valid on
193	Linux-based platforms:
194	</para>
195
196	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
197	-->
198	<para>
199	To test the results, issue: <command>make -j1 tests</command>.
200	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
201	</para>
202
203	<!-- commenting this, I get "all tests passed" [ ken ]
204	NB tests should be run as _user_ but the role in the comment is root
205
206	commenting [ bruce ]: There are a couple of tests that want root.
207	The log mentions that SUDO is not set. These skipped tests are
208	ignored and the end says 'all tests passed' even when not root
209
210	<para>
211	To run the test suite, issue the following commands:
212	</para>
213
214	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
215	grep FATAL check.log</userinput></screen>
216
217	<para>
218	If the above command produces no 'FATAL' errors, then proceed with the
219	installation, as the <systemitem class="username">root</systemitem> user:
220	</para>-->
221	<para>
222	Now, as the <systemitem class="username">root</systemitem> user:
223	</para>
224
225	<screen role="root"><userinput>make install &&
226	install -v -m755 contrib/ssh-copy-id /usr/bin &&
227
228	install -v -m644 contrib/ssh-copy-id.1 \
229	/usr/share/man/man1 &&
230	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
231	install -v -m644 INSTALL LICENCE OVERVIEW README* \
232	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
233	</sect2>
234
235	<sect2 role="commands">
236	<title>Command Explanations</title>
237
238	<para>
239	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
240	configuration files from being installed in
241	<filename class="directory">/usr/etc</filename>.
242	</para>
243
244	<!--
245	<para>
246	<parameter>-\-with-md5-passwords</parameter>: This enables the use of MD5
247	passwords.
248	</para>
249	-->
250
251	<para>
252	<parameter>--with-default-path=/usr/bin</parameter> and
253	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
254	These set <envar>PATH</envar> consistent with LFS and BLFS
255	<application>Shadow</application> package.
256	</para>
257
258	<para>
259	<parameter>--with-pid-dir=/run</parameter>: This prevents
260	<application>OpenSSH</application> from referring to deprecated
261	<filename class="directory">/var/run</filename>.
262	</para>
263
264	<para>
265	<option>--with-pam</option>: This parameter enables
266	<application>Linux-PAM</application> support in the build.
267	</para>
268
269	<para>
270	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
271	location for the <command>xauth</command> binary for X authentication.
272	The environment variable <envar>XORG_PREFIX</envar> should be set
273	following <xref linkend='xorg-env'/>. This can also be controlled from
274	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
275	omit this switch if <application>Xorg</application> is already installed.
276	</para>
277
278	<para>
279	<option>--with-kerberos5=/usr</option>: This option is used to
280	include Kerberos 5 support in the build.
281	</para>
282
283	<para>
284	<option>--with-libedit</option>: This option enables line editing
285	and history features for <command>sftp</command>.
286	</para>
287
288	</sect2>
289
290	<sect2 role="configuration">
291	<title>Configuring OpenSSH</title>
292
293	<sect3 id="openssh-config">
294	<title>Config Files</title>
295
296	<para>
297	<filename>~/.ssh/*</filename>,
298	<filename>/etc/ssh/ssh_config</filename>, and
299	<filename>/etc/ssh/sshd_config</filename>
300	</para>
301
302	<indexterm zone="openssh openssh-config">
303	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
304	</indexterm>
305
306	<indexterm zone="openssh openssh-config">
307	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
308	</indexterm>
309
310	<indexterm zone="openssh openssh-config">
311	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
312	</indexterm>
313
314	<para>
315	There are no required changes to any of these files. However,
316	you may wish to view the
317	<filename class='directory'>/etc/ssh/</filename> files and make any
318	changes appropriate for the security of your system. One recommended
319	change is that you disable
320	<systemitem class='username'>root</systemitem> login via
321	<command>ssh</command>. Execute the following command as the
322	<systemitem class='username'>root</systemitem> user to disable
323	<systemitem class='username'>root</systemitem> login via
324	<command>ssh</command>:
325	</para>
326
327	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
328
329	<para>
330	If you want to be able to log in without typing in your password, first
331	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
332	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
333	~/.ssh/authorized_keys on the remote computer that you want to log into.
334	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
335	computer and you'll also need to enter your password for the ssh-copy-id command
336	to succeed:
337	</para>
338
339	<screen><userinput>ssh-keygen &&
340	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
341
342	<para>
343	Once you've got passwordless logins working it's actually more secure
344	than logging in with a password (as the private key is much longer than
345	most people's passwords). If you would like to now disable password
346	logins, as the <systemitem class="username">root</systemitem> user:
347	</para>
348
349
350	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
351	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
352
353	<para>
354	If you added <application>Linux-PAM</application> support and you want
355	ssh to use it then you will need to add a configuration file for
356	<application>sshd</application> and enable use of
357	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
358	passwords, if you've disabled password logins these commands are not
359	needed. If you want to use PAM, issue the following commands as the
360	<systemitem class='username'>root</systemitem> user:
361	</para>
362
363	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
364	chmod 644 /etc/pam.d/sshd &&
365	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
366
367	<para>
368	Additional configuration information can be found in the man
369	pages for <command>sshd</command>, <command>ssh</command> and
370	<command>ssh-agent</command>.
371	</para>
372	</sect3>
373
374	<sect3 id="openssh-init">
375	<title><phrase revision="sysv">Boot Script</phrase>
376	<phrase revision="systemd">Systemd Unit</phrase></title>
377
378	<para revision="sysv">
379	To start the SSH server at system boot, install the
380	<filename>/etc/rc.d/init.d/sshd</filename> init script included
381	in the <xref linkend="bootscripts"/> package.
382	</para>
383
384	<para revision="systemd">
385	To start the SSH server at system boot, install the
386	<filename>sshd.service</filename> unit included in the
387	<xref linkend="systemd-units"/> package.
388	</para>
389
390	<indexterm zone="openssh openssh-init">
391	<primary sortas="f-sshd">sshd</primary>
392	</indexterm>
393
394	<screen role="root"><userinput>make install-sshd</userinput></screen>
395	</sect3>
396	</sect2>
397
398	<sect2 role="content">
399	<title>Contents</title>
400
401	<segmentedlist>
402	<segtitle>Installed Programs</segtitle>
403	<segtitle>Installed Libraries</segtitle>
404	<segtitle>Installed Directories</segtitle>
405
406	<seglistitem>
407	<seg>
408	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
409	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
410	</seg>
411	<seg>
412	None
413	</seg>
414	<seg>
415	/etc/ssh,
416	/usr/share/doc/openssh-&openssh-version;, and
417	/var/lib/sshd
418	</seg>
419	</seglistitem>
420	</segmentedlist>
421
422	<variablelist>
423	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
424	<?dbfo list-presentation="list"?>
425	<?dbhtml list-presentation="table"?>
426
427	<varlistentry id="scp">
428	<term><command>scp</command></term>
429	<listitem>
430	<para>
431	is a file copy program that acts like <command>rcp</command> except
432	it uses an encrypted protocol
433	</para>
434	<indexterm zone="openssh scp">
435	<primary sortas="b-scp">scp</primary>
436	</indexterm>
437	</listitem>
438	</varlistentry>
439
440	<varlistentry id="sftp">
441	<term><command>sftp</command></term>
442	<listitem>
443	<para>
444	is an FTP-like program that works over the SSH1 and SSH2 protocols
445	</para>
446	<indexterm zone="openssh sftp">
447	<primary sortas="b-sftp">sftp</primary>
448	</indexterm>
449	</listitem>
450	</varlistentry>
451	<!-- Not installed anymore as of 8.5p1
452	<varlistentry id="slogin">
453	<term><command>slogin</command></term>
454	<listitem>
455	<para>
456	is a symlink to <command>ssh</command>
457	</para>
458	<indexterm zone="openssh slogin">
459	<primary sortas="b-slogin">slogin</primary>
460	</indexterm>
461	</listitem>
462	</varlistentry>
463	-->
464	<varlistentry id="ssh">
465	<term><command>ssh</command></term>
466	<listitem>
467	<para>
468	is an <command>rlogin</command>/<command>rsh</command>-like client
469	program except it uses an encrypted protocol
470	</para>
471	<indexterm zone="openssh ssh">
472	<primary sortas="b-ssh">ssh</primary>
473	</indexterm>
474	</listitem>
475	</varlistentry>
476
477	<varlistentry id="sshd">
478	<term><command>sshd</command></term>
479	<listitem>
480	<para>
481	is a daemon that listens for <command>ssh</command> login requests
482	</para>
483	<indexterm zone="openssh sshd">
484	<primary sortas="b-sshd">sshd</primary>
485	</indexterm>
486	</listitem>
487	</varlistentry>
488
489	<varlistentry id="ssh-add">
490	<term><command>ssh-add</command></term>
491	<listitem>
492	<para>
493	is a tool which adds keys to the <command>ssh-agent</command>
494	</para>
495	<indexterm zone="openssh ssh-add">
496	<primary sortas="b-ssh-add">ssh-add</primary>
497	</indexterm>
498	</listitem>
499	</varlistentry>
500
501	<varlistentry id="ssh-agent">
502	<term><command>ssh-agent</command></term>
503	<listitem>
504	<para>
505	is an authentication agent that can store private keys
506	</para>
507	<indexterm zone="openssh ssh-agent">
508	<primary sortas="b-ssh-agent">ssh-agent</primary>
509	</indexterm>
510	</listitem>
511	</varlistentry>
512
513	<varlistentry id="ssh-copy-id">
514	<term><command>ssh-copy-id</command></term>
515	<listitem>
516	<para>
517	is a script that enables logins on remote machines using local keys
518	</para>
519	<indexterm zone="openssh ssh-copy-id">
520	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
521	</indexterm>
522	</listitem>
523	</varlistentry>
524
525	<varlistentry id="ssh-keygen">
526	<term><command>ssh-keygen</command></term>
527	<listitem>
528	<para>
529	is a key generation tool
530	</para>
531	<indexterm zone="openssh ssh-keygen">
532	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
533	</indexterm>
534	</listitem>
535	</varlistentry>
536
537	<varlistentry id="ssh-keyscan">
538	<term><command>ssh-keyscan</command></term>
539	<listitem>
540	<para>
541	is a utility for gathering public host keys from a number of hosts
542	</para>
543	<indexterm zone="openssh ssh-keyscan">
544	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
545	</indexterm>
546	</listitem>
547	</varlistentry>
548
549	</variablelist>
550	</sect2>
551
552	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: