source: postlfs/security/openssh.xml@ 57caa5f

10.0 10.1 11.0 11.1 7.10 7.6 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind krejzi/svn lazarus nosym perl-modules qt5new trunk upgradedb xry111/intltool xry111/test-20220226
Last change on this file since 57caa5f was 57caa5f, checked in by Fernando de Oliveira <fernando@…>, 8 years ago

openssh-6.6p1: small typo.
Update to LVM2.2.02.111.
Update to libpcap-1.6.2.
Update to libwnck 3.4.9.
Update to sysstat-11.1.1.
Update to pango-1.36.7.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@14201 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
11 <!ENTITY openssh-md5sum "3e9800e6bca1fbac0eea4d41baa7f239">
12 <!ENTITY openssh-size "1.3 MB">
13 <!ENTITY openssh-buildsize "32 MB (additional 2 MB if running the tests)">
14 <!ENTITY openssh-time "0.5 SBU (running the tests takes at least 10
15 minutes, irrespective of processor speed)">
16]>
17
18<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
19 <?dbhtml filename="openssh.html"?>
20
21 <sect1info>
22 <othername>$LastChangedBy$</othername>
23 <date>$Date$</date>
24 </sect1info>
25
26 <title>OpenSSH-&openssh-version;</title>
27
28 <indexterm zone="openssh">
29 <primary sortas="a-OpenSSH">OpenSSH</primary>
30 </indexterm>
31
32 <sect2 role="package">
33 <title>Introduction to OpenSSH</title>
34
35 <para>
36 The <application>OpenSSH</application> package contains
37 <command>ssh</command> clients and the <command>sshd</command> daemon. This
38 is useful for encrypting authentication and subsequent traffic over a
39 network. The <command>ssh</command> and <command>scp</command> commands are
40 secure implementions of <command>telnet</command> and <command>rcp</command>
41 respectively.
42 </para>
43
44 &lfs75_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&openssh-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&openssh-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &openssh-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &openssh-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &openssh-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &openssh-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required"><xref linkend="openssl"/></para>
84
85 <bridgehead renderas="sect4">Optional</bridgehead>
86 <para role="optional">
87 <xref linkend="linux-pam"/>,
88 <xref linkend="x-window-system"/>,
89 <xref linkend="mitkrb"/>,
90 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
91 <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
92 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
93 </para>
94
95 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
96 <para role="optional">
97 <xref linkend="openjdk"/>,
98 <xref linkend="net-tools"/>, and
99 <xref linkend="sysstat"/>
100 </para>
101
102 <para condition="html" role="usernotes">
103 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
104 </para>
105 </sect2>
106
107 <sect2 role="installation">
108 <title>Installation of OpenSSH</title>
109
110 <para>
111 <application>OpenSSH</application> runs as two processes when connecting
112 to other computers. The first process is a privileged process and controls
113 the issuance of privileges as necessary. The second process communicates
114 with the network. Additional installation steps are necessary to set up
115 the proper environment, which are performed by issuing the following
116 commands as the <systemitem class="username">root</systemitem> user:
117 </para>
118
119<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
120chown -v root:sys /var/lib/sshd &amp;&amp;
121
122groupadd -g 50 sshd &amp;&amp;
123useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd</userinput></screen>
124
125 <para>
126 Install <application>OpenSSH</application> by running the following
127 commands:
128 </para>
129
130<screen><userinput>./configure --prefix=/usr \
131 --sysconfdir=/etc/ssh \
132 --with-md5-passwords \
133 --with-privsep-path=/var/lib/sshd &amp;&amp;
134make</userinput></screen>
135
136 <para>
137 The testsuite requires an installed copy of <command>scp</command> to
138 complete the multiplexing tests. To run the test suite, first copy the
139 <command>scp</command> program to
140 <filename class="directory">/usr/bin</filename>, making sure that you
141 back up any existing copy first.
142 </para>
143
144 <para>
145 To test the results, issue: <command>make tests</command>.
146 </para>
147
148<!-- commenting this, I get "all tests passed" [ ken ]
149 NB tests should be run as _user_ but the role in the comment is root
150
151 commenting [ bruce ]: There are a couple of tests that want root.
152 The log mentions that SUDO is not set. These skipped tests are
153 ignored and the end says 'all tests passed' even when not root
154
155 <para>
156 To run the test suite, issue the following commands:
157 </para>
158
159<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
160grep FATAL check.log</userinput></screen>
161
162 <para>
163 If the above command produces no 'FATAL' errors, then proceed with the
164 installation, as the <systemitem class="username">root</systemitem> user:
165 </para>-->
166 <para>
167 Now, as the <systemitem class="username">root</systemitem> user:
168 </para>
169
170<screen role="root"><userinput>make install &amp;&amp;
171install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
172install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &amp;&amp;
173install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
174install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-&openssh-version;</userinput></screen>
175 </sect2>
176
177 <sect2 role="commands">
178 <title>Command Explanations</title>
179
180 <para>
181 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
182 configuration files from being installed in
183 <filename class="directory">/usr/etc</filename>.
184 </para>
185
186 <para>
187 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
188 passwords.
189 </para>
190
191 <para>
192 <parameter>--with-pam</parameter>: This parameter enables
193 <application>Linux-PAM</application> support in the build.
194 </para>
195
196 <para>
197 <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
198 location for the <command>xauth</command> binary for X authentication.
199 Change the location if <command>xauth</command> will be installed to a
200 different path. This can also be controlled from
201 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
202 omit this switch if <application>Xorg</application> is already installed.
203 </para>
204
205 <para>
206 <parameter>--with-kerberos5=/usr</parameter>: This option is used to
207 include Kerberos 5 support in the build.
208 </para>
209
210 <para>
211 <parameter>--with-libedit</parameter>: This option enables line editing
212 and history features for <command>sftp</command>.
213 </para>
214
215 </sect2>
216
217 <sect2 role="configuration">
218 <title>Configuring OpenSSH</title>
219
220 <sect3 id="openssh-config">
221 <title>Config Files</title>
222
223 <para>
224 <filename>~/.ssh/*</filename>,
225 <filename>/etc/ssh/ssh_config</filename>, and
226 <filename>/etc/ssh/sshd_config</filename>
227 </para>
228
229 <indexterm zone="openssh openssh-config">
230 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
231 </indexterm>
232
233 <indexterm zone="openssh openssh-config">
234 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
235 </indexterm>
236
237 <indexterm zone="openssh openssh-config">
238 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
239 </indexterm>
240
241 <para>
242 There are no required changes to any of these files. However,
243 you may wish to view the
244 <filename class='directory'>/etc/ssh/</filename> files and make any
245 changes appropriate for the security of your system. One recommended
246 change is that you disable
247 <systemitem class='username'>root</systemitem> login via
248 <command>ssh</command>. Execute the following command as the
249 <systemitem class='username'>root</systemitem> user to disable
250 <systemitem class='username'>root</systemitem> login via
251 <command>ssh</command>:
252 </para>
253
254<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
255
256 <para>
257 If you want to be able to log in without typing in your password, first
258 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
259 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
260 ~/.ssh/authorized_keys on the remote computer that you want to log into.
261 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
262 computer and you'll also need to enter your password for the ssh-copy-id command
263 to succeed:
264 </para>
265
266<screen><userinput>ssh-keygen &amp;&amp;
267ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
268
269 <para>
270 Once you've got passwordless logins working it's actually more secure
271 than logging in with a password (as the private key is much longer than
272 most people's passwords). If you would like to now disable password
273 logins, as the <systemitem class="username">root</systemitem> user:
274 </para>
275
276
277<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
278echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
279
280 <para>
281 If you added <application>LinuxPAM</application> support and you want
282 ssh to use it then you will need to add a configuration file for
283 <application>sshd</application> and enable use of
284 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
285 passwords, if you've disabled password logins these commands are not
286 needed. If you want to use PAM issue the following commands as the
287 <systemitem class='username'>root</systemitem> user:
288 </para>
289
290<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
291chmod 644 /etc/pam.d/sshd &amp;&amp;
292echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
293
294 <para>
295 Additional configuration information can be found in the man
296 pages for <command>sshd</command>, <command>ssh</command> and
297 <command>ssh-agent</command>.
298 </para>
299 </sect3>
300
301 <sect3 id="openssh-init">
302 <title>Boot Script</title>
303
304 <para>
305 To start the SSH server at system boot, install the
306 <filename>/etc/rc.d/init.d/sshd</filename> init script included
307 in the <xref linkend="bootscripts"/> package.
308 </para>
309
310 <indexterm zone="openssh openssh-init">
311 <primary sortas="f-sshd">sshd</primary>
312 </indexterm>
313
314<screen role="root"><userinput>make install-sshd</userinput></screen>
315 </sect3>
316 </sect2>
317
318 <sect2 role="content">
319 <title>Contents</title>
320
321 <segmentedlist>
322 <segtitle>Installed Programs</segtitle>
323 <segtitle>Installed Libraries</segtitle>
324 <segtitle>Installed Directories</segtitle>
325
326 <seglistitem>
327 <seg>
328 scp, sftp, sftp-server, slogin (symlink to ssh), ssh, sshd, ssh-add,
329 ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, ssh-keysign,
330 and ssh-pkcs11-helper
331 </seg>
332 <seg>
333 None
334 </seg>
335 <seg>
336 /etc/ssh,
337 /usr/libexec/openssh,
338 /usr/share/doc/openssh-&openssh-version;, and
339 /var/lib/sshd
340 </seg>
341 </seglistitem>
342 </segmentedlist>
343
344 <variablelist>
345 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
346 <?dbfo list-presentation="list"?>
347 <?dbhtml list-presentation="table"?>
348
349 <varlistentry id="scp">
350 <term><command>scp</command></term>
351 <listitem>
352 <para>
353 is a file copy program that acts like <command>rcp</command> except
354 it uses an encrypted protocol.
355 </para>
356 <indexterm zone="openssh scp">
357 <primary sortas="b-scp">scp</primary>
358 </indexterm>
359 </listitem>
360 </varlistentry>
361
362 <varlistentry id="sftp">
363 <term><command>sftp</command></term>
364 <listitem>
365 <para>
366 is an FTP-like program that works over the SSH1 and SSH2 protocols.
367 </para>
368 <indexterm zone="openssh sftp">
369 <primary sortas="b-sftp">sftp</primary>
370 </indexterm>
371 </listitem>
372 </varlistentry>
373
374 <varlistentry id="sftp-server">
375 <term><command>sftp-server</command></term>
376 <listitem>
377 <para>
378 is an SFTP server subsystem. This program is not normally called
379 directly by the user.
380 </para>
381 <indexterm zone="openssh sftp-server">
382 <primary sortas="b-sftp-server">sftp-server</primary>
383 </indexterm>
384 </listitem>
385 </varlistentry>
386
387 <varlistentry id="slogin">
388 <term><command>slogin</command></term>
389 <listitem>
390 <para>
391 is a symlink to <command>ssh</command>.
392 </para>
393 <indexterm zone="openssh slogin">
394 <primary sortas="b-slogin">slogin</primary>
395 </indexterm>
396 </listitem>
397 </varlistentry>
398
399 <varlistentry id="ssh">
400 <term><command>ssh</command></term>
401 <listitem>
402 <para>
403 is an <command>rlogin</command>/<command>rsh</command>-like client
404 program except it uses an encrypted protocol.
405 </para>
406 <indexterm zone="openssh ssh">
407 <primary sortas="b-ssh">ssh</primary>
408 </indexterm>
409 </listitem>
410 </varlistentry>
411
412 <varlistentry id="sshd">
413 <term><command>sshd</command></term>
414 <listitem>
415 <para>
416 is a daemon that listens for <command>ssh</command> login requests.
417 </para>
418 <indexterm zone="openssh sshd">
419 <primary sortas="b-sshd">sshd</primary>
420 </indexterm>
421 </listitem>
422 </varlistentry>
423
424 <varlistentry id="ssh-add">
425 <term><command>ssh-add</command></term>
426 <listitem>
427 <para>
428 is a tool which adds keys to the <command>ssh-agent</command>.
429 </para>
430 <indexterm zone="openssh ssh-add">
431 <primary sortas="b-ssh-add">ssh-add</primary>
432 </indexterm>
433 </listitem>
434 </varlistentry>
435
436 <varlistentry id="ssh-agent">
437 <term><command>ssh-agent</command></term>
438 <listitem>
439 <para>
440 is an authentication agent that can store private keys.
441 </para>
442 <indexterm zone="openssh ssh-agent">
443 <primary sortas="b-ssh-agent">ssh-agent</primary>
444 </indexterm>
445 </listitem>
446 </varlistentry>
447
448 <varlistentry id="ssh-copy-id">
449 <term><command>ssh-copy-id</command></term>
450 <listitem>
451 <para>
452 is a script that enables logins on remote machine using local keys.
453 </para>
454 <indexterm zone="openssh ssh-copy-id">
455 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
456 </indexterm>
457 </listitem>
458 </varlistentry>
459
460 <varlistentry id="ssh-keygen">
461 <term><command>ssh-keygen</command></term>
462 <listitem>
463 <para>
464 is a key generation tool.
465 </para>
466 <indexterm zone="openssh ssh-keygen">
467 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="ssh-keyscan">
473 <term><command>ssh-keyscan</command></term>
474 <listitem>
475 <para>
476 is a utility for gathering public host keys from a number of hosts.
477 </para>
478 <indexterm zone="openssh ssh-keyscan">
479 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
480 </indexterm>
481 </listitem>
482 </varlistentry>
483
484 <varlistentry id="ssh-keysign">
485 <term><command>ssh-keysign</command></term>
486 <listitem>
487 <para>
488 is used by <command>ssh</command> to access the local host keys and
489 generate the digital signature required during hostbased
490 authentication with SSH protocol version 2. This program is not
491 normally called directly by the user.
492 </para>
493 <indexterm zone="openssh ssh-keysign">
494 <primary sortas="b-ssh-keysign">ssh-keysign</primary>
495 </indexterm>
496 </listitem>
497 </varlistentry>
498
499 <varlistentry id="ssh-pkcs11-helper">
500 <term><command>ssh-pkcs11-helper</command></term>
501 <listitem>
502 <para>
503 is a <command>ssh-agent</command> helper program for PKCS#11 support.
504 </para>
505 <indexterm zone="openssh ssh-pkcs11-helper">
506 <primary sortas="b-ssh-pkcs11-helper">ssh-pkcs11-helper</primary>
507 </indexterm>
508 </listitem>
509 </varlistentry>
510
511 </variablelist>
512 </sect2>
513</sect1>
Note: See TracBrowser for help on using the repository browser.