source: postlfs/security/openssh.xml@ 3077c39

10.0 10.1 11.0 9.0 9.1 ken/refactor-virt lazarus qt5new trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 3077c39 was 3077c39, checked in by Bruce Dubbs <bdubbs@…>, 2 years ago

Initial lfs90 tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21972 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 16.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "bf050f002fe510e1daecd39044e1122d">
13 <!ENTITY openssh-size "1.5 MB">
14 <!ENTITY openssh-buildsize "45 MB (add 12 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 17+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs90_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
82
83 <bridgehead renderas="sect4">Optional</bridgehead>
84 <para role="optional">
85 <xref linkend="gdb"/> (for tests),
86 <xref linkend="linux-pam"/>,
87 <xref linkend="x-window-system"/>,
88 <xref linkend="mitkrb"/>,
89 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
90 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
91 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
92 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
93 </para>
94
95 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
96 <para role="optional">
97 <xref role="runtime" linkend="openjdk"/>,
98 <xref role="runtime" linkend="net-tools"/>, and
99 <xref role="runtime" linkend="sysstat"/>
100 </para>
101
102 <para condition="html" role="usernotes">
103 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
104 </para>
105 </sect2>
106
107 <sect2 role="installation">
108 <title>Installation of OpenSSH</title>
109
110 <para>
111 <application>OpenSSH</application> runs as two processes when connecting
112 to other computers. The first process is a privileged process and controls
113 the issuance of privileges as necessary. The second process communicates
114 with the network. Additional installation steps are necessary to set up
115 the proper environment, which are performed by issuing the following
116 commands as the <systemitem class="username">root</systemitem> user:
117 </para>
118
119<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
120chown -v root:sys /var/lib/sshd &amp;&amp;
121
122groupadd -g 50 sshd &amp;&amp;
123useradd -c 'sshd PrivSep' \
124 -d /var/lib/sshd \
125 -g sshd \
126 -s /bin/false \
127 -u 50 sshd</userinput></screen>
128
129 <para>
130 Install <application>OpenSSH</application> by running the following
131 commands:
132 </para>
133
134<screen><userinput>./configure --prefix=/usr \
135 --sysconfdir=/etc/ssh \
136 --with-md5-passwords \
137 --with-privsep-path=/var/lib/sshd &amp;&amp;
138make</userinput></screen>
139
140 <para>
141 The testsuite requires an installed copy of <command>scp</command> to
142 complete the multiplexing tests. To run the test suite, first copy the
143 <command>scp</command> program to
144 <filename class="directory">/usr/bin</filename>, making sure that you
145 backup any existing copy first.
146 </para>
147
148 <para>
149 To test the results, issue: <command>make tests</command>.
150 </para>
151
152<!-- commenting this, I get "all tests passed" [ ken ]
153 NB tests should be run as _user_ but the role in the comment is root
154
155 commenting [ bruce ]: There are a couple of tests that want root.
156 The log mentions that SUDO is not set. These skipped tests are
157 ignored and the end says 'all tests passed' even when not root
158
159 <para>
160 To run the test suite, issue the following commands:
161 </para>
162
163<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
164grep FATAL check.log</userinput></screen>
165
166 <para>
167 If the above command produces no 'FATAL' errors, then proceed with the
168 installation, as the <systemitem class="username">root</systemitem> user:
169 </para>-->
170 <para>
171 Now, as the <systemitem class="username">root</systemitem> user:
172 </para>
173
174<screen role="root"><userinput>make install &amp;&amp;
175install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
176
177install -v -m644 contrib/ssh-copy-id.1 \
178 /usr/share/man/man1 &amp;&amp;
179install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
180install -v -m644 INSTALL LICENCE OVERVIEW README* \
181 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
182 </sect2>
183
184 <sect2 role="commands">
185 <title>Command Explanations</title>
186
187 <para>
188 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
189 configuration files from being installed in
190 <filename class="directory">/usr/etc</filename>.
191 </para>
192
193 <para>
194 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
195 passwords.
196 </para>
197
198 <para>
199 <option>--with-pam</option>: This parameter enables
200 <application>Linux-PAM</application> support in the build.
201 </para>
202
203 <para>
204 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
205 location for the <command>xauth</command> binary for X authentication.
206 Change the location if <command>xauth</command> will be installed to a
207 different path. This can also be controlled from
208 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
209 omit this switch if <application>Xorg</application> is already installed.
210 </para>
211
212 <para>
213 <option>--with-kerberos5=/usr</option>: This option is used to
214 include Kerberos 5 support in the build.
215 </para>
216
217 <para>
218 <option>--with-libedit</option>: This option enables line editing
219 and history features for <command>sftp</command>.
220 </para>
221
222 </sect2>
223
224 <sect2 role="configuration">
225 <title>Configuring OpenSSH</title>
226
227 <sect3 id="openssh-config">
228 <title>Config Files</title>
229
230 <para>
231 <filename>~/.ssh/*</filename>,
232 <filename>/etc/ssh/ssh_config</filename>, and
233 <filename>/etc/ssh/sshd_config</filename>
234 </para>
235
236 <indexterm zone="openssh openssh-config">
237 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
238 </indexterm>
239
240 <indexterm zone="openssh openssh-config">
241 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
242 </indexterm>
243
244 <indexterm zone="openssh openssh-config">
245 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
246 </indexterm>
247
248 <para>
249 There are no required changes to any of these files. However,
250 you may wish to view the
251 <filename class='directory'>/etc/ssh/</filename> files and make any
252 changes appropriate for the security of your system. One recommended
253 change is that you disable
254 <systemitem class='username'>root</systemitem> login via
255 <command>ssh</command>. Execute the following command as the
256 <systemitem class='username'>root</systemitem> user to disable
257 <systemitem class='username'>root</systemitem> login via
258 <command>ssh</command>:
259 </para>
260
261<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
262
263 <para>
264 If you want to be able to log in without typing in your password, first
265 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
266 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
267 ~/.ssh/authorized_keys on the remote computer that you want to log into.
268 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
269 computer and you'll also need to enter your password for the ssh-copy-id command
270 to succeed:
271 </para>
272
273<screen><userinput>ssh-keygen &amp;&amp;
274ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
275
276 <para>
277 Once you've got passwordless logins working it's actually more secure
278 than logging in with a password (as the private key is much longer than
279 most people's passwords). If you would like to now disable password
280 logins, as the <systemitem class="username">root</systemitem> user:
281 </para>
282
283
284<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
285echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
286
287 <para>
288 If you added <application>Linux-PAM</application> support and you want
289 ssh to use it then you will need to add a configuration file for
290 <application>sshd</application> and enable use of
291 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
292 passwords, if you've disabled password logins these commands are not
293 needed. If you want to use PAM, issue the following commands as the
294 <systemitem class='username'>root</systemitem> user:
295 </para>
296
297<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
298chmod 644 /etc/pam.d/sshd &amp;&amp;
299echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
300
301 <para>
302 Additional configuration information can be found in the man
303 pages for <command>sshd</command>, <command>ssh</command> and
304 <command>ssh-agent</command>.
305 </para>
306 </sect3>
307
308 <sect3 id="openssh-init">
309 <title><phrase revision="sysv">Boot Script</phrase>
310 <phrase revision="systemd">Systemd Unit</phrase></title>
311
312 <para revision="sysv">
313 To start the SSH server at system boot, install the
314 <filename>/etc/rc.d/init.d/sshd</filename> init script included
315 in the <xref linkend="bootscripts"/> package.
316 </para>
317
318 <para revision="systemd">
319 To start the SSH server at system boot, install the
320 <filename>sshd.service</filename> unit included in the
321 <xref linkend="systemd-units"/> package.
322 </para>
323
324 <indexterm zone="openssh openssh-init">
325 <primary sortas="f-sshd">sshd</primary>
326 </indexterm>
327
328<screen role="root"><userinput>make install-sshd</userinput></screen>
329 </sect3>
330 </sect2>
331
332 <sect2 role="content">
333 <title>Contents</title>
334
335 <segmentedlist>
336 <segtitle>Installed Programs</segtitle>
337 <segtitle>Installed Libraries</segtitle>
338 <segtitle>Installed Directories</segtitle>
339
340 <seglistitem>
341 <seg>
342 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
343 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
344 </seg>
345 <seg>
346 None
347 </seg>
348 <seg>
349 /etc/ssh,
350 /usr/share/doc/openssh-&openssh-version;, and
351 /var/lib/sshd
352 </seg>
353 </seglistitem>
354 </segmentedlist>
355
356 <variablelist>
357 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
358 <?dbfo list-presentation="list"?>
359 <?dbhtml list-presentation="table"?>
360
361 <varlistentry id="scp">
362 <term><command>scp</command></term>
363 <listitem>
364 <para>
365 is a file copy program that acts like <command>rcp</command> except
366 it uses an encrypted protocol.
367 </para>
368 <indexterm zone="openssh scp">
369 <primary sortas="b-scp">scp</primary>
370 </indexterm>
371 </listitem>
372 </varlistentry>
373
374 <varlistentry id="sftp">
375 <term><command>sftp</command></term>
376 <listitem>
377 <para>
378 is an FTP-like program that works over the SSH1 and SSH2 protocols.
379 </para>
380 <indexterm zone="openssh sftp">
381 <primary sortas="b-sftp">sftp</primary>
382 </indexterm>
383 </listitem>
384 </varlistentry>
385
386 <varlistentry id="slogin">
387 <term><command>slogin</command></term>
388 <listitem>
389 <para>
390 is a symlink to <command>ssh</command>.
391 </para>
392 <indexterm zone="openssh slogin">
393 <primary sortas="b-slogin">slogin</primary>
394 </indexterm>
395 </listitem>
396 </varlistentry>
397
398 <varlistentry id="ssh">
399 <term><command>ssh</command></term>
400 <listitem>
401 <para>
402 is an <command>rlogin</command>/<command>rsh</command>-like client
403 program except it uses an encrypted protocol.
404 </para>
405 <indexterm zone="openssh ssh">
406 <primary sortas="b-ssh">ssh</primary>
407 </indexterm>
408 </listitem>
409 </varlistentry>
410
411 <varlistentry id="sshd">
412 <term><command>sshd</command></term>
413 <listitem>
414 <para>
415 is a daemon that listens for <command>ssh</command> login requests.
416 </para>
417 <indexterm zone="openssh sshd">
418 <primary sortas="b-sshd">sshd</primary>
419 </indexterm>
420 </listitem>
421 </varlistentry>
422
423 <varlistentry id="ssh-add">
424 <term><command>ssh-add</command></term>
425 <listitem>
426 <para>
427 is a tool which adds keys to the <command>ssh-agent</command>.
428 </para>
429 <indexterm zone="openssh ssh-add">
430 <primary sortas="b-ssh-add">ssh-add</primary>
431 </indexterm>
432 </listitem>
433 </varlistentry>
434
435 <varlistentry id="ssh-agent">
436 <term><command>ssh-agent</command></term>
437 <listitem>
438 <para>
439 is an authentication agent that can store private keys.
440 </para>
441 <indexterm zone="openssh ssh-agent">
442 <primary sortas="b-ssh-agent">ssh-agent</primary>
443 </indexterm>
444 </listitem>
445 </varlistentry>
446
447 <varlistentry id="ssh-copy-id">
448 <term><command>ssh-copy-id</command></term>
449 <listitem>
450 <para>
451 is a script that enables logins on remote machine using local keys.
452 </para>
453 <indexterm zone="openssh ssh-copy-id">
454 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 <varlistentry id="ssh-keygen">
460 <term><command>ssh-keygen</command></term>
461 <listitem>
462 <para>
463 is a key generation tool.
464 </para>
465 <indexterm zone="openssh ssh-keygen">
466 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
467 </indexterm>
468 </listitem>
469 </varlistentry>
470
471 <varlistentry id="ssh-keyscan">
472 <term><command>ssh-keyscan</command></term>
473 <listitem>
474 <para>
475 is a utility for gathering public host keys from a number of hosts.
476 </para>
477 <indexterm zone="openssh ssh-keyscan">
478 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
479 </indexterm>
480 </listitem>
481 </varlistentry>
482
483 </variablelist>
484 </sect2>
485</sect1>
Note: See TracBrowser for help on using the repository browser.