source: postlfs/security/openssh.xml@ 3806235

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 12.2 9.1 gimp3 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/for-12.3 xry111/intltool xry111/llvm18 xry111/soup3 xry111/spidermonkey128 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 3806235 was 3806235, checked in by Douglas R. Reno <renodr@…>, 5 years ago

Add openssh glibc patch

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22658 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "513694343631a99841e815306806edf0">
13 <!ENTITY openssh-size "1.5 MB">
14 <!ENTITY openssh-buildsize "45 MB (add 12 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 17+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs90_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>
85 Required patch:
86 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.30_fix-1.patch"/>
87 </para>
88 </listitem>
89 </itemizedlist>
90
91 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93 <bridgehead renderas="sect4">Optional</bridgehead>
94 <para role="optional">
95 <xref linkend="gdb"/> (for tests),
96 <xref linkend="linux-pam"/>,
97 <xref linkend="x-window-system"/>,
98 <xref linkend="mitkrb"/>,
99 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
100 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
101 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103 </para>
104
105 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106 <para role="optional">
107 <xref role="runtime" linkend="openjdk"/>,
108 <xref role="runtime" linkend="net-tools"/>, and
109 <xref role="runtime" linkend="sysstat"/>
110 </para>
111
112 <para condition="html" role="usernotes">
113 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114 </para>
115 </sect2>
116
117 <sect2 role="installation">
118 <title>Installation of OpenSSH</title>
119
120 <para>
121 <application>OpenSSH</application> runs as two processes when connecting
122 to other computers. The first process is a privileged process and controls
123 the issuance of privileges as necessary. The second process communicates
124 with the network. Additional installation steps are necessary to set up
125 the proper environment, which are performed by issuing the following
126 commands as the <systemitem class="username">root</systemitem> user:
127 </para>
128
129<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
130chown -v root:sys /var/lib/sshd &amp;&amp;
131
132groupadd -g 50 sshd &amp;&amp;
133useradd -c 'sshd PrivSep' \
134 -d /var/lib/sshd \
135 -g sshd \
136 -s /bin/false \
137 -u 50 sshd</userinput></screen>
138
139 <para>
140 Apply a patch to allow OpenSSH to build and function with
141 <application>Glibc-2.30</application> and later:
142 </para>
143
144<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.30_fix-1.patch</userinput></screen>
145
146 <para>
147 Install <application>OpenSSH</application> by running the following
148 commands:
149 </para>
150
151<screen><userinput>./configure --prefix=/usr \
152 --sysconfdir=/etc/ssh \
153 --with-md5-passwords \
154 --with-privsep-path=/var/lib/sshd &amp;&amp;
155make</userinput></screen>
156
157 <para>
158 The testsuite requires an installed copy of <command>scp</command> to
159 complete the multiplexing tests. To run the test suite, first copy the
160 <command>scp</command> program to
161 <filename class="directory">/usr/bin</filename>, making sure that you
162 backup any existing copy first.
163 </para>
164
165 <para>
166 To test the results, issue: <command>make tests</command>.
167 </para>
168
169<!-- commenting this, I get "all tests passed" [ ken ]
170 NB tests should be run as _user_ but the role in the comment is root
171
172 commenting [ bruce ]: There are a couple of tests that want root.
173 The log mentions that SUDO is not set. These skipped tests are
174 ignored and the end says 'all tests passed' even when not root
175
176 <para>
177 To run the test suite, issue the following commands:
178 </para>
179
180<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
181grep FATAL check.log</userinput></screen>
182
183 <para>
184 If the above command produces no 'FATAL' errors, then proceed with the
185 installation, as the <systemitem class="username">root</systemitem> user:
186 </para>-->
187 <para>
188 Now, as the <systemitem class="username">root</systemitem> user:
189 </para>
190
191<screen role="root"><userinput>make install &amp;&amp;
192install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
193
194install -v -m644 contrib/ssh-copy-id.1 \
195 /usr/share/man/man1 &amp;&amp;
196install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
197install -v -m644 INSTALL LICENCE OVERVIEW README* \
198 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
199 </sect2>
200
201 <sect2 role="commands">
202 <title>Command Explanations</title>
203
204 <para>
205 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
206 configuration files from being installed in
207 <filename class="directory">/usr/etc</filename>.
208 </para>
209
210 <para>
211 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
212 passwords.
213 </para>
214
215 <para>
216 <option>--with-pam</option>: This parameter enables
217 <application>Linux-PAM</application> support in the build.
218 </para>
219
220 <para>
221 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
222 location for the <command>xauth</command> binary for X authentication.
223 Change the location if <command>xauth</command> will be installed to a
224 different path. This can also be controlled from
225 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
226 omit this switch if <application>Xorg</application> is already installed.
227 </para>
228
229 <para>
230 <option>--with-kerberos5=/usr</option>: This option is used to
231 include Kerberos 5 support in the build.
232 </para>
233
234 <para>
235 <option>--with-libedit</option>: This option enables line editing
236 and history features for <command>sftp</command>.
237 </para>
238
239 </sect2>
240
241 <sect2 role="configuration">
242 <title>Configuring OpenSSH</title>
243
244 <sect3 id="openssh-config">
245 <title>Config Files</title>
246
247 <para>
248 <filename>~/.ssh/*</filename>,
249 <filename>/etc/ssh/ssh_config</filename>, and
250 <filename>/etc/ssh/sshd_config</filename>
251 </para>
252
253 <indexterm zone="openssh openssh-config">
254 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
255 </indexterm>
256
257 <indexterm zone="openssh openssh-config">
258 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
259 </indexterm>
260
261 <indexterm zone="openssh openssh-config">
262 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
263 </indexterm>
264
265 <para>
266 There are no required changes to any of these files. However,
267 you may wish to view the
268 <filename class='directory'>/etc/ssh/</filename> files and make any
269 changes appropriate for the security of your system. One recommended
270 change is that you disable
271 <systemitem class='username'>root</systemitem> login via
272 <command>ssh</command>. Execute the following command as the
273 <systemitem class='username'>root</systemitem> user to disable
274 <systemitem class='username'>root</systemitem> login via
275 <command>ssh</command>:
276 </para>
277
278<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
279
280 <para>
281 If you want to be able to log in without typing in your password, first
282 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
283 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
284 ~/.ssh/authorized_keys on the remote computer that you want to log into.
285 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
286 computer and you'll also need to enter your password for the ssh-copy-id command
287 to succeed:
288 </para>
289
290<screen><userinput>ssh-keygen &amp;&amp;
291ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
292
293 <para>
294 Once you've got passwordless logins working it's actually more secure
295 than logging in with a password (as the private key is much longer than
296 most people's passwords). If you would like to now disable password
297 logins, as the <systemitem class="username">root</systemitem> user:
298 </para>
299
300
301<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
302echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
303
304 <para>
305 If you added <application>Linux-PAM</application> support and you want
306 ssh to use it then you will need to add a configuration file for
307 <application>sshd</application> and enable use of
308 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
309 passwords, if you've disabled password logins these commands are not
310 needed. If you want to use PAM, issue the following commands as the
311 <systemitem class='username'>root</systemitem> user:
312 </para>
313
314<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
315chmod 644 /etc/pam.d/sshd &amp;&amp;
316echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
317
318 <para>
319 Additional configuration information can be found in the man
320 pages for <command>sshd</command>, <command>ssh</command> and
321 <command>ssh-agent</command>.
322 </para>
323 </sect3>
324
325 <sect3 id="openssh-init">
326 <title><phrase revision="sysv">Boot Script</phrase>
327 <phrase revision="systemd">Systemd Unit</phrase></title>
328
329 <para revision="sysv">
330 To start the SSH server at system boot, install the
331 <filename>/etc/rc.d/init.d/sshd</filename> init script included
332 in the <xref linkend="bootscripts"/> package.
333 </para>
334
335 <para revision="systemd">
336 To start the SSH server at system boot, install the
337 <filename>sshd.service</filename> unit included in the
338 <xref linkend="systemd-units"/> package.
339 </para>
340
341 <indexterm zone="openssh openssh-init">
342 <primary sortas="f-sshd">sshd</primary>
343 </indexterm>
344
345<screen role="root"><userinput>make install-sshd</userinput></screen>
346 </sect3>
347 </sect2>
348
349 <sect2 role="content">
350 <title>Contents</title>
351
352 <segmentedlist>
353 <segtitle>Installed Programs</segtitle>
354 <segtitle>Installed Libraries</segtitle>
355 <segtitle>Installed Directories</segtitle>
356
357 <seglistitem>
358 <seg>
359 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
360 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
361 </seg>
362 <seg>
363 None
364 </seg>
365 <seg>
366 /etc/ssh,
367 /usr/share/doc/openssh-&openssh-version;, and
368 /var/lib/sshd
369 </seg>
370 </seglistitem>
371 </segmentedlist>
372
373 <variablelist>
374 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
375 <?dbfo list-presentation="list"?>
376 <?dbhtml list-presentation="table"?>
377
378 <varlistentry id="scp">
379 <term><command>scp</command></term>
380 <listitem>
381 <para>
382 is a file copy program that acts like <command>rcp</command> except
383 it uses an encrypted protocol.
384 </para>
385 <indexterm zone="openssh scp">
386 <primary sortas="b-scp">scp</primary>
387 </indexterm>
388 </listitem>
389 </varlistentry>
390
391 <varlistentry id="sftp">
392 <term><command>sftp</command></term>
393 <listitem>
394 <para>
395 is an FTP-like program that works over the SSH1 and SSH2 protocols.
396 </para>
397 <indexterm zone="openssh sftp">
398 <primary sortas="b-sftp">sftp</primary>
399 </indexterm>
400 </listitem>
401 </varlistentry>
402
403 <varlistentry id="slogin">
404 <term><command>slogin</command></term>
405 <listitem>
406 <para>
407 is a symlink to <command>ssh</command>.
408 </para>
409 <indexterm zone="openssh slogin">
410 <primary sortas="b-slogin">slogin</primary>
411 </indexterm>
412 </listitem>
413 </varlistentry>
414
415 <varlistentry id="ssh">
416 <term><command>ssh</command></term>
417 <listitem>
418 <para>
419 is an <command>rlogin</command>/<command>rsh</command>-like client
420 program except it uses an encrypted protocol.
421 </para>
422 <indexterm zone="openssh ssh">
423 <primary sortas="b-ssh">ssh</primary>
424 </indexterm>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry id="sshd">
429 <term><command>sshd</command></term>
430 <listitem>
431 <para>
432 is a daemon that listens for <command>ssh</command> login requests.
433 </para>
434 <indexterm zone="openssh sshd">
435 <primary sortas="b-sshd">sshd</primary>
436 </indexterm>
437 </listitem>
438 </varlistentry>
439
440 <varlistentry id="ssh-add">
441 <term><command>ssh-add</command></term>
442 <listitem>
443 <para>
444 is a tool which adds keys to the <command>ssh-agent</command>.
445 </para>
446 <indexterm zone="openssh ssh-add">
447 <primary sortas="b-ssh-add">ssh-add</primary>
448 </indexterm>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry id="ssh-agent">
453 <term><command>ssh-agent</command></term>
454 <listitem>
455 <para>
456 is an authentication agent that can store private keys.
457 </para>
458 <indexterm zone="openssh ssh-agent">
459 <primary sortas="b-ssh-agent">ssh-agent</primary>
460 </indexterm>
461 </listitem>
462 </varlistentry>
463
464 <varlistentry id="ssh-copy-id">
465 <term><command>ssh-copy-id</command></term>
466 <listitem>
467 <para>
468 is a script that enables logins on remote machine using local keys.
469 </para>
470 <indexterm zone="openssh ssh-copy-id">
471 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
472 </indexterm>
473 </listitem>
474 </varlistentry>
475
476 <varlistentry id="ssh-keygen">
477 <term><command>ssh-keygen</command></term>
478 <listitem>
479 <para>
480 is a key generation tool.
481 </para>
482 <indexterm zone="openssh ssh-keygen">
483 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
484 </indexterm>
485 </listitem>
486 </varlistentry>
487
488 <varlistentry id="ssh-keyscan">
489 <term><command>ssh-keyscan</command></term>
490 <listitem>
491 <para>
492 is a utility for gathering public host keys from a number of hosts.
493 </para>
494 <indexterm zone="openssh ssh-keyscan">
495 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
496 </indexterm>
497 </listitem>
498 </varlistentry>
499
500 </variablelist>
501 </sect2>
502</sect1>
Note: See TracBrowser for help on using the repository browser.