source: postlfs/security/openssh.xml@ 17756081

10.0 10.1 11.0 11.1 11.2 8.4 9.0 9.1 bdubbs/svn elogind lazarus qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 17756081 was 17756081, checked in by Bruce Dubbs <bdubbs@…>, 4 years ago

Uppdate to openssh-7.9p1.
Uppdate to libdrm-2.4.96.
Uppdate to hdparm-9.57.
Uppdate to gegl-0.4.10.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20648 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.0 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "c6af50b7a474d04726a5aa747a5dce8f">
13 <!ENTITY openssh-size "1.5 MB">
14 <!ENTITY openssh-buildsize "39 MB (add 12 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 17+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs83_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80<!--
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>Required patch: <ulink url="&patch-root;/openssh-&openssh-version;-openssl-1.1.0-1.patch"/></para>
85 </listitem>
86 </itemizedlist>
87-->
88 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89<!--
90 <bridgehead renderas="sect4">Required</bridgehead>
91 <para role="required">
92 <xref linkend="openssl"/> or
93 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para>
94-->
95 <bridgehead renderas="sect4">Optional</bridgehead>
96 <para role="optional">
97 <xref linkend="linux-pam"/>,
98 <xref linkend="x-window-system"/>,
99 <xref linkend="mitkrb"/>,
100 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104 </para>
105
106 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107 <para role="optional">
108 <xref role="runtime" linkend="openjdk"/>,
109 <xref role="runtime" linkend="net-tools"/>, and
110 <xref role="runtime" linkend="sysstat"/>
111 </para>
112
113 <para condition="html" role="usernotes">
114 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115 </para>
116 </sect2>
117
118 <sect2 role="installation">
119 <title>Installation of OpenSSH</title>
120
121 <para>
122 <application>OpenSSH</application> runs as two processes when connecting
123 to other computers. The first process is a privileged process and controls
124 the issuance of privileges as necessary. The second process communicates
125 with the network. Additional installation steps are necessary to set up
126 the proper environment, which are performed by issuing the following
127 commands as the <systemitem class="username">root</systemitem> user:
128 </para>
129
130<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
131chown -v root:sys /var/lib/sshd &amp;&amp;
132
133groupadd -g 50 sshd &amp;&amp;
134useradd -c 'sshd PrivSep' \
135 -d /var/lib/sshd \
136 -g sshd \
137 -s /bin/false \
138 -u 50 sshd</userinput></screen>
139
140 <para>
141 Install <application>OpenSSH</application> by running the following
142 commands:
143 </para>
144
145<screen><userinput>./configure --prefix=/usr \
146 --sysconfdir=/etc/ssh \
147 --with-md5-passwords \
148 --with-privsep-path=/var/lib/sshd &amp;&amp;
149make</userinput></screen>
150
151 <para>
152 The testsuite requires an installed copy of <command>scp</command> to
153 complete the multiplexing tests. To run the test suite, first copy the
154 <command>scp</command> program to
155 <filename class="directory">/usr/bin</filename>, making sure that you
156 backup any existing copy first.
157 </para>
158
159 <para>
160 To test the results, issue: <command>make tests</command>.
161 </para>
162
163<!-- commenting this, I get "all tests passed" [ ken ]
164 NB tests should be run as _user_ but the role in the comment is root
165
166 commenting [ bruce ]: There are a couple of tests that want root.
167 The log mentions that SUDO is not set. These skipped tests are
168 ignored and the end says 'all tests passed' even when not root
169
170 <para>
171 To run the test suite, issue the following commands:
172 </para>
173
174<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
175grep FATAL check.log</userinput></screen>
176
177 <para>
178 If the above command produces no 'FATAL' errors, then proceed with the
179 installation, as the <systemitem class="username">root</systemitem> user:
180 </para>-->
181 <para>
182 Now, as the <systemitem class="username">root</systemitem> user:
183 </para>
184
185<screen role="root"><userinput>make install &amp;&amp;
186install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
187
188install -v -m644 contrib/ssh-copy-id.1 \
189 /usr/share/man/man1 &amp;&amp;
190install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
191install -v -m644 INSTALL LICENCE OVERVIEW README* \
192 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
193 </sect2>
194
195 <sect2 role="commands">
196 <title>Command Explanations</title>
197
198 <para>
199 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
200 configuration files from being installed in
201 <filename class="directory">/usr/etc</filename>.
202 </para>
203
204 <para>
205 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
206 passwords.
207 </para>
208
209 <para>
210 <option>--with-pam</option>: This parameter enables
211 <application>Linux-PAM</application> support in the build.
212 </para>
213
214 <para>
215 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
216 location for the <command>xauth</command> binary for X authentication.
217 Change the location if <command>xauth</command> will be installed to a
218 different path. This can also be controlled from
219 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
220 omit this switch if <application>Xorg</application> is already installed.
221 </para>
222
223 <para>
224 <option>--with-kerberos5=/usr</option>: This option is used to
225 include Kerberos 5 support in the build.
226 </para>
227
228 <para>
229 <option>--with-libedit</option>: This option enables line editing
230 and history features for <command>sftp</command>.
231 </para>
232
233 </sect2>
234
235 <sect2 role="configuration">
236 <title>Configuring OpenSSH</title>
237
238 <sect3 id="openssh-config">
239 <title>Config Files</title>
240
241 <para>
242 <filename>~/.ssh/*</filename>,
243 <filename>/etc/ssh/ssh_config</filename>, and
244 <filename>/etc/ssh/sshd_config</filename>
245 </para>
246
247 <indexterm zone="openssh openssh-config">
248 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
249 </indexterm>
250
251 <indexterm zone="openssh openssh-config">
252 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
253 </indexterm>
254
255 <indexterm zone="openssh openssh-config">
256 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
257 </indexterm>
258
259 <para>
260 There are no required changes to any of these files. However,
261 you may wish to view the
262 <filename class='directory'>/etc/ssh/</filename> files and make any
263 changes appropriate for the security of your system. One recommended
264 change is that you disable
265 <systemitem class='username'>root</systemitem> login via
266 <command>ssh</command>. Execute the following command as the
267 <systemitem class='username'>root</systemitem> user to disable
268 <systemitem class='username'>root</systemitem> login via
269 <command>ssh</command>:
270 </para>
271
272<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
273
274 <para>
275 If you want to be able to log in without typing in your password, first
276 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
277 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
278 ~/.ssh/authorized_keys on the remote computer that you want to log into.
279 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
280 computer and you'll also need to enter your password for the ssh-copy-id command
281 to succeed:
282 </para>
283
284<screen><userinput>ssh-keygen &amp;&amp;
285ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
286
287 <para>
288 Once you've got passwordless logins working it's actually more secure
289 than logging in with a password (as the private key is much longer than
290 most people's passwords). If you would like to now disable password
291 logins, as the <systemitem class="username">root</systemitem> user:
292 </para>
293
294
295<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
296echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
297
298 <para>
299 If you added <application>Linux-PAM</application> support and you want
300 ssh to use it then you will need to add a configuration file for
301 <application>sshd</application> and enable use of
302 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
303 passwords, if you've disabled password logins these commands are not
304 needed. If you want to use PAM, issue the following commands as the
305 <systemitem class='username'>root</systemitem> user:
306 </para>
307
308<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
309chmod 644 /etc/pam.d/sshd &amp;&amp;
310echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
311
312 <para>
313 Additional configuration information can be found in the man
314 pages for <command>sshd</command>, <command>ssh</command> and
315 <command>ssh-agent</command>.
316 </para>
317 </sect3>
318
319 <sect3 id="openssh-init">
320 <title><phrase revision="sysv">Boot Script</phrase>
321 <phrase revision="systemd">Systemd Unit</phrase></title>
322
323 <para revision="sysv">
324 To start the SSH server at system boot, install the
325 <filename>/etc/rc.d/init.d/sshd</filename> init script included
326 in the <xref linkend="bootscripts"/> package.
327 </para>
328
329 <para revision="systemd">
330 To start the SSH server at system boot, install the
331 <filename>sshd.service</filename> unit included in the
332 <xref linkend="systemd-units"/> package.
333 </para>
334
335 <indexterm zone="openssh openssh-init">
336 <primary sortas="f-sshd">sshd</primary>
337 </indexterm>
338
339<screen role="root"><userinput>make install-sshd</userinput></screen>
340 </sect3>
341 </sect2>
342
343 <sect2 role="content">
344 <title>Contents</title>
345
346 <segmentedlist>
347 <segtitle>Installed Programs</segtitle>
348 <segtitle>Installed Libraries</segtitle>
349 <segtitle>Installed Directories</segtitle>
350
351 <seglistitem>
352 <seg>
353 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
354 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
355 </seg>
356 <seg>
357 None
358 </seg>
359 <seg>
360 /etc/ssh,
361 /usr/share/doc/openssh-&openssh-version;, and
362 /var/lib/sshd
363 </seg>
364 </seglistitem>
365 </segmentedlist>
366
367 <variablelist>
368 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
369 <?dbfo list-presentation="list"?>
370 <?dbhtml list-presentation="table"?>
371
372 <varlistentry id="scp">
373 <term><command>scp</command></term>
374 <listitem>
375 <para>
376 is a file copy program that acts like <command>rcp</command> except
377 it uses an encrypted protocol.
378 </para>
379 <indexterm zone="openssh scp">
380 <primary sortas="b-scp">scp</primary>
381 </indexterm>
382 </listitem>
383 </varlistentry>
384
385 <varlistentry id="sftp">
386 <term><command>sftp</command></term>
387 <listitem>
388 <para>
389 is an FTP-like program that works over the SSH1 and SSH2 protocols.
390 </para>
391 <indexterm zone="openssh sftp">
392 <primary sortas="b-sftp">sftp</primary>
393 </indexterm>
394 </listitem>
395 </varlistentry>
396
397 <varlistentry id="slogin">
398 <term><command>slogin</command></term>
399 <listitem>
400 <para>
401 is a symlink to <command>ssh</command>.
402 </para>
403 <indexterm zone="openssh slogin">
404 <primary sortas="b-slogin">slogin</primary>
405 </indexterm>
406 </listitem>
407 </varlistentry>
408
409 <varlistentry id="ssh">
410 <term><command>ssh</command></term>
411 <listitem>
412 <para>
413 is an <command>rlogin</command>/<command>rsh</command>-like client
414 program except it uses an encrypted protocol.
415 </para>
416 <indexterm zone="openssh ssh">
417 <primary sortas="b-ssh">ssh</primary>
418 </indexterm>
419 </listitem>
420 </varlistentry>
421
422 <varlistentry id="sshd">
423 <term><command>sshd</command></term>
424 <listitem>
425 <para>
426 is a daemon that listens for <command>ssh</command> login requests.
427 </para>
428 <indexterm zone="openssh sshd">
429 <primary sortas="b-sshd">sshd</primary>
430 </indexterm>
431 </listitem>
432 </varlistentry>
433
434 <varlistentry id="ssh-add">
435 <term><command>ssh-add</command></term>
436 <listitem>
437 <para>
438 is a tool which adds keys to the <command>ssh-agent</command>.
439 </para>
440 <indexterm zone="openssh ssh-add">
441 <primary sortas="b-ssh-add">ssh-add</primary>
442 </indexterm>
443 </listitem>
444 </varlistentry>
445
446 <varlistentry id="ssh-agent">
447 <term><command>ssh-agent</command></term>
448 <listitem>
449 <para>
450 is an authentication agent that can store private keys.
451 </para>
452 <indexterm zone="openssh ssh-agent">
453 <primary sortas="b-ssh-agent">ssh-agent</primary>
454 </indexterm>
455 </listitem>
456 </varlistentry>
457
458 <varlistentry id="ssh-copy-id">
459 <term><command>ssh-copy-id</command></term>
460 <listitem>
461 <para>
462 is a script that enables logins on remote machine using local keys.
463 </para>
464 <indexterm zone="openssh ssh-copy-id">
465 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
466 </indexterm>
467 </listitem>
468 </varlistentry>
469
470 <varlistentry id="ssh-keygen">
471 <term><command>ssh-keygen</command></term>
472 <listitem>
473 <para>
474 is a key generation tool.
475 </para>
476 <indexterm zone="openssh ssh-keygen">
477 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
478 </indexterm>
479 </listitem>
480 </varlistentry>
481
482 <varlistentry id="ssh-keyscan">
483 <term><command>ssh-keyscan</command></term>
484 <listitem>
485 <para>
486 is a utility for gathering public host keys from a number of hosts.
487 </para>
488 <indexterm zone="openssh ssh-keyscan">
489 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
490 </indexterm>
491 </listitem>
492 </varlistentry>
493
494 </variablelist>
495 </sect2>
496</sect1>
Note: See TracBrowser for help on using the repository browser.