source: postlfs/security/openssh.xml@ 479274d

10.0 10.1 11.0 9.1 ken/refactor-virt lazarus qt5new trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 479274d was 479274d, checked in by Bruce Dubbs <bdubbs@…>, 2 years ago

Update to openssh-8.2p1

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22693 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "3076e6413e8dbe56d33848c1054ac091">
13 <!ENTITY openssh-size "1.6 MB">
14 <!ENTITY openssh-buildsize "43 MB (add 17 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (Using parallelism=4;
16 running the tests takes 17+ minutes,
17 irrespective of processor speed)">
18]>
19
20<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21 <?dbhtml filename="openssh.html"?>
22
23 <sect1info>
24 <othername>$LastChangedBy$</othername>
25 <date>$Date$</date>
26 </sect1info>
27
28 <title>OpenSSH-&openssh-version;</title>
29
30 <indexterm zone="openssh">
31 <primary sortas="a-OpenSSH">OpenSSH</primary>
32 </indexterm>
33
34 <sect2 role="package">
35 <title>Introduction to OpenSSH</title>
36
37 <para>
38 The <application>OpenSSH</application> package contains
39 <command>ssh</command> clients and the <command>sshd</command> daemon.
40 This is useful for encrypting authentication and subsequent traffic over
41 a network. The <command>ssh</command> and <command>scp</command> commands
42 are secure implementations of <command>telnet</command> and
43 <command>rcp</command> respectively.
44 </para>
45
46 &lfs91_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&openssh-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&openssh-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &openssh-md5sum;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &openssh-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &openssh-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &openssh-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81<!--
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <listitem>
85 <para>
86 Required patch:
87 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
88 </para>
89 </listitem>
90 </itemizedlist>
91-->
92 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
93
94 <bridgehead renderas="sect4">Optional</bridgehead>
95 <para role="optional">
96 <xref linkend="gdb"/> (for tests),
97 <xref linkend="linux-pam"/>,
98 <xref linkend="x-window-system"/>,
99 <xref linkend="mitkrb"/>,
100 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104 </para>
105
106 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107 <para role="optional">
108 <xref role="runtime" linkend="openjdk"/>,
109 <xref role="runtime" linkend="net-tools"/>, and
110 <xref role="runtime" linkend="sysstat"/>
111 </para>
112
113 <para condition="html" role="usernotes">
114 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115 </para>
116 </sect2>
117
118 <sect2 role="installation">
119 <title>Installation of OpenSSH</title>
120
121 <para>
122 <application>OpenSSH</application> runs as two processes when connecting
123 to other computers. The first process is a privileged process and controls
124 the issuance of privileges as necessary. The second process communicates
125 with the network. Additional installation steps are necessary to set up
126 the proper environment, which are performed by issuing the following
127 commands as the <systemitem class="username">root</systemitem> user:
128 </para>
129
130<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
131chown -v root:sys /var/lib/sshd &amp;&amp;
132
133groupadd -g 50 sshd &amp;&amp;
134useradd -c 'sshd PrivSep' \
135 -d /var/lib/sshd \
136 -g sshd \
137 -s /bin/false \
138 -u 50 sshd</userinput></screen>
139<!--
140 <para>
141 Apply a patch to allow OpenSSH to build and function with
142 <application>Glibc-2.31</application> and later:
143 </para>
144
145<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146-->
147 <para>
148 Install <application>OpenSSH</application> by running the following
149 commands:
150 </para>
151
152<screen><userinput>./configure --prefix=/usr \
153 --sysconfdir=/etc/ssh \
154 --with-md5-passwords \
155 --with-privsep-path=/var/lib/sshd &amp;&amp;
156make</userinput></screen>
157
158 <para>
159 The testsuite requires an installed copy of <command>scp</command> to
160 complete the multiplexing tests. To run the test suite, first copy the
161 <command>scp</command> program to
162 <filename class="directory">/usr/bin</filename>, making sure that you
163 backup any existing copy first.
164 </para>
165
166 <para>
167 To test the results, issue: <command>make tests</command>.
168 </para>
169
170<!-- commenting this, I get "all tests passed" [ ken ]
171 NB tests should be run as _user_ but the role in the comment is root
172
173 commenting [ bruce ]: There are a couple of tests that want root.
174 The log mentions that SUDO is not set. These skipped tests are
175 ignored and the end says 'all tests passed' even when not root
176
177 <para>
178 To run the test suite, issue the following commands:
179 </para>
180
181<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
182grep FATAL check.log</userinput></screen>
183
184 <para>
185 If the above command produces no 'FATAL' errors, then proceed with the
186 installation, as the <systemitem class="username">root</systemitem> user:
187 </para>-->
188 <para>
189 Now, as the <systemitem class="username">root</systemitem> user:
190 </para>
191
192<screen role="root"><userinput>make install &amp;&amp;
193install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
194
195install -v -m644 contrib/ssh-copy-id.1 \
196 /usr/share/man/man1 &amp;&amp;
197install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
198install -v -m644 INSTALL LICENCE OVERVIEW README* \
199 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
200 </sect2>
201
202 <sect2 role="commands">
203 <title>Command Explanations</title>
204
205 <para>
206 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
207 configuration files from being installed in
208 <filename class="directory">/usr/etc</filename>.
209 </para>
210
211 <para>
212 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
213 passwords.
214 </para>
215
216 <para>
217 <option>--with-pam</option>: This parameter enables
218 <application>Linux-PAM</application> support in the build.
219 </para>
220
221 <para>
222 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
223 location for the <command>xauth</command> binary for X authentication.
224 Change the location if <command>xauth</command> will be installed to a
225 different path. This can also be controlled from
226 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
227 omit this switch if <application>Xorg</application> is already installed.
228 </para>
229
230 <para>
231 <option>--with-kerberos5=/usr</option>: This option is used to
232 include Kerberos 5 support in the build.
233 </para>
234
235 <para>
236 <option>--with-libedit</option>: This option enables line editing
237 and history features for <command>sftp</command>.
238 </para>
239
240 </sect2>
241
242 <sect2 role="configuration">
243 <title>Configuring OpenSSH</title>
244
245 <sect3 id="openssh-config">
246 <title>Config Files</title>
247
248 <para>
249 <filename>~/.ssh/*</filename>,
250 <filename>/etc/ssh/ssh_config</filename>, and
251 <filename>/etc/ssh/sshd_config</filename>
252 </para>
253
254 <indexterm zone="openssh openssh-config">
255 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
256 </indexterm>
257
258 <indexterm zone="openssh openssh-config">
259 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
260 </indexterm>
261
262 <indexterm zone="openssh openssh-config">
263 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
264 </indexterm>
265
266 <para>
267 There are no required changes to any of these files. However,
268 you may wish to view the
269 <filename class='directory'>/etc/ssh/</filename> files and make any
270 changes appropriate for the security of your system. One recommended
271 change is that you disable
272 <systemitem class='username'>root</systemitem> login via
273 <command>ssh</command>. Execute the following command as the
274 <systemitem class='username'>root</systemitem> user to disable
275 <systemitem class='username'>root</systemitem> login via
276 <command>ssh</command>:
277 </para>
278
279<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
280
281 <para>
282 If you want to be able to log in without typing in your password, first
283 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
284 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
285 ~/.ssh/authorized_keys on the remote computer that you want to log into.
286 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
287 computer and you'll also need to enter your password for the ssh-copy-id command
288 to succeed:
289 </para>
290
291<screen><userinput>ssh-keygen &amp;&amp;
292ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
293
294 <para>
295 Once you've got passwordless logins working it's actually more secure
296 than logging in with a password (as the private key is much longer than
297 most people's passwords). If you would like to now disable password
298 logins, as the <systemitem class="username">root</systemitem> user:
299 </para>
300
301
302<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
303echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
304
305 <para>
306 If you added <application>Linux-PAM</application> support and you want
307 ssh to use it then you will need to add a configuration file for
308 <application>sshd</application> and enable use of
309 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
310 passwords, if you've disabled password logins these commands are not
311 needed. If you want to use PAM, issue the following commands as the
312 <systemitem class='username'>root</systemitem> user:
313 </para>
314
315<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
316chmod 644 /etc/pam.d/sshd &amp;&amp;
317echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
318
319 <para>
320 Additional configuration information can be found in the man
321 pages for <command>sshd</command>, <command>ssh</command> and
322 <command>ssh-agent</command>.
323 </para>
324 </sect3>
325
326 <sect3 id="openssh-init">
327 <title><phrase revision="sysv">Boot Script</phrase>
328 <phrase revision="systemd">Systemd Unit</phrase></title>
329
330 <para revision="sysv">
331 To start the SSH server at system boot, install the
332 <filename>/etc/rc.d/init.d/sshd</filename> init script included
333 in the <xref linkend="bootscripts"/> package.
334 </para>
335
336 <para revision="systemd">
337 To start the SSH server at system boot, install the
338 <filename>sshd.service</filename> unit included in the
339 <xref linkend="systemd-units"/> package.
340 </para>
341
342 <indexterm zone="openssh openssh-init">
343 <primary sortas="f-sshd">sshd</primary>
344 </indexterm>
345
346<screen role="root"><userinput>make install-sshd</userinput></screen>
347 </sect3>
348 </sect2>
349
350 <sect2 role="content">
351 <title>Contents</title>
352
353 <segmentedlist>
354 <segtitle>Installed Programs</segtitle>
355 <segtitle>Installed Libraries</segtitle>
356 <segtitle>Installed Directories</segtitle>
357
358 <seglistitem>
359 <seg>
360 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
361 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
362 </seg>
363 <seg>
364 None
365 </seg>
366 <seg>
367 /etc/ssh,
368 /usr/share/doc/openssh-&openssh-version;, and
369 /var/lib/sshd
370 </seg>
371 </seglistitem>
372 </segmentedlist>
373
374 <variablelist>
375 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
376 <?dbfo list-presentation="list"?>
377 <?dbhtml list-presentation="table"?>
378
379 <varlistentry id="scp">
380 <term><command>scp</command></term>
381 <listitem>
382 <para>
383 is a file copy program that acts like <command>rcp</command> except
384 it uses an encrypted protocol.
385 </para>
386 <indexterm zone="openssh scp">
387 <primary sortas="b-scp">scp</primary>
388 </indexterm>
389 </listitem>
390 </varlistentry>
391
392 <varlistentry id="sftp">
393 <term><command>sftp</command></term>
394 <listitem>
395 <para>
396 is an FTP-like program that works over the SSH1 and SSH2 protocols.
397 </para>
398 <indexterm zone="openssh sftp">
399 <primary sortas="b-sftp">sftp</primary>
400 </indexterm>
401 </listitem>
402 </varlistentry>
403
404 <varlistentry id="slogin">
405 <term><command>slogin</command></term>
406 <listitem>
407 <para>
408 is a symlink to <command>ssh</command>.
409 </para>
410 <indexterm zone="openssh slogin">
411 <primary sortas="b-slogin">slogin</primary>
412 </indexterm>
413 </listitem>
414 </varlistentry>
415
416 <varlistentry id="ssh">
417 <term><command>ssh</command></term>
418 <listitem>
419 <para>
420 is an <command>rlogin</command>/<command>rsh</command>-like client
421 program except it uses an encrypted protocol.
422 </para>
423 <indexterm zone="openssh ssh">
424 <primary sortas="b-ssh">ssh</primary>
425 </indexterm>
426 </listitem>
427 </varlistentry>
428
429 <varlistentry id="sshd">
430 <term><command>sshd</command></term>
431 <listitem>
432 <para>
433 is a daemon that listens for <command>ssh</command> login requests.
434 </para>
435 <indexterm zone="openssh sshd">
436 <primary sortas="b-sshd">sshd</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="ssh-add">
442 <term><command>ssh-add</command></term>
443 <listitem>
444 <para>
445 is a tool which adds keys to the <command>ssh-agent</command>.
446 </para>
447 <indexterm zone="openssh ssh-add">
448 <primary sortas="b-ssh-add">ssh-add</primary>
449 </indexterm>
450 </listitem>
451 </varlistentry>
452
453 <varlistentry id="ssh-agent">
454 <term><command>ssh-agent</command></term>
455 <listitem>
456 <para>
457 is an authentication agent that can store private keys.
458 </para>
459 <indexterm zone="openssh ssh-agent">
460 <primary sortas="b-ssh-agent">ssh-agent</primary>
461 </indexterm>
462 </listitem>
463 </varlistentry>
464
465 <varlistentry id="ssh-copy-id">
466 <term><command>ssh-copy-id</command></term>
467 <listitem>
468 <para>
469 is a script that enables logins on remote machine using local keys.
470 </para>
471 <indexterm zone="openssh ssh-copy-id">
472 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
473 </indexterm>
474 </listitem>
475 </varlistentry>
476
477 <varlistentry id="ssh-keygen">
478 <term><command>ssh-keygen</command></term>
479 <listitem>
480 <para>
481 is a key generation tool.
482 </para>
483 <indexterm zone="openssh ssh-keygen">
484 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
485 </indexterm>
486 </listitem>
487 </varlistentry>
488
489 <varlistentry id="ssh-keyscan">
490 <term><command>ssh-keyscan</command></term>
491 <listitem>
492 <para>
493 is a utility for gathering public host keys from a number of hosts.
494 </para>
495 <indexterm zone="openssh ssh-keyscan">
496 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
497 </indexterm>
498 </listitem>
499 </varlistentry>
500
501 </variablelist>
502 </sect2>
503</sect1>
Note: See TracBrowser for help on using the repository browser.