source: postlfs/security/openssh.xml@ 5c22cb01

systemd-13485
Last change on this file since 5c22cb01 was 5c22cb01, checked in by Douglas R. Reno <renodr@…>, 6 years ago

Updated lsof URL. Merged from trunk r17090
Updated PIN-Entry dependencies. Merged from trunk r17090
Updated Valgrind dependencies. Merged from trunk r17090
Added note about OpenSSL's Test Suite not supporting parallel make jobs. Merged from trunk r17090.
Restored autoconf to libva-intel-driver. Merged from trunk r17090
Updated to Sudo-1.8.16. Merged from trunk r17127
Changed the configure script in the GCC-5.3.0 page to use the new configure switch for the libstdc++ ABI.
Updated to OpenSSH-7.2p2. Merged from trunk r17106.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@17199 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
11 <!ENTITY openssh-md5sum "13009a9156510d8f27e752659075cced">
12 <!ENTITY openssh-size "1.5 MB">
13 <!ENTITY openssh-buildsize "43 MB (51 MB with the test suite)">
14 <!ENTITY openssh-time "0.4 SBU (running the tests takes at least 10
15 minutes, irrespective of processor speed)">
16]>
17
18<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
19 <?dbhtml filename="openssh.html"?>
20
21 <sect1info>
22 <othername>$LastChangedBy$</othername>
23 <date>$Date$</date>
24 </sect1info>
25
26 <title>OpenSSH-&openssh-version;</title>
27
28 <indexterm zone="openssh">
29 <primary sortas="a-OpenSSH">OpenSSH</primary>
30 </indexterm>
31
32 <sect2 role="package">
33 <title>Introduction to OpenSSH</title>
34
35 <para>
36 The <application>OpenSSH</application> package contains
37 <command>ssh</command> clients and the <command>sshd</command> daemon. This
38 is useful for encrypting authentication and subsequent traffic over a
39 network. The <command>ssh</command> and <command>scp</command> commands are
40 secure implementions of <command>telnet</command> and <command>rcp</command>
41 respectively.
42 </para>
43
44 &lfs79_checked;
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>
50 Download (HTTP): <ulink url="&openssh-download-http;"/>
51 </para>
52 </listitem>
53 <listitem>
54 <para>
55 Download (FTP): <ulink url="&openssh-download-ftp;"/>
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Download MD5 sum: &openssh-md5sum;
61 </para>
62 </listitem>
63 <listitem>
64 <para>
65 Download size: &openssh-size;
66 </para>
67 </listitem>
68 <listitem>
69 <para>
70 Estimated disk space required: &openssh-buildsize;
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 Estimated build time: &openssh-time;
76 </para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required</bridgehead>
83 <para role="required">
84 <xref linkend="openssl"/> or
85 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>
86 </para>
87
88 <bridgehead renderas="sect4">Optional</bridgehead>
89 <para role="optional">
90 <xref linkend="linux-pam"/>,
91 <xref linkend="x-window-system"/>,
92 <xref linkend="mitkrb"/>,
93 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
94 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
95 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
96 </para>
97
98 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
99 <para role="optional">
100 <xref linkend="openjdk"/>,
101 <xref linkend="net-tools"/>, and
102 <xref linkend="sysstat"/>
103 </para>
104
105 <para condition="html" role="usernotes">
106 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
107 </para>
108 </sect2>
109
110 <sect2 role="installation">
111 <title>Installation of OpenSSH</title>
112
113 <warning>
114 <para>
115 If reinstalling over an <application>SSH</application> connection to
116 enable <xref linkend="linux-pam"/> support, be certain to temporarily set
117 <option>PermitRootLogin</option> to <parameter>yes</parameter> in
118 <filename>/etc/ssh/sshd_config</filename> until you complete
119 reinstallation of <xref linkend="systemd"/>, or you may find that you are
120 unable to login to the system remotely.
121 </para>
122 </warning>
123
124 <para>
125 <application>OpenSSH</application> runs as two processes when connecting
126 to other computers. The first process is a privileged process and controls
127 the issuance of privileges as necessary. The second process communicates
128 with the network. Additional installation steps are necessary to set up
129 the proper environment, which are performed by issuing the following
130 commands as the <systemitem class="username">root</systemitem> user:
131 </para>
132
133<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
134chown -v root:sys /var/lib/sshd &amp;&amp;
135
136groupadd -g 50 sshd &amp;&amp;
137useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd</userinput></screen>
138
139 <para>
140 Install <application>OpenSSH</application> by running the following
141 commands:
142 </para>
143
144<screen><userinput>./configure --prefix=/usr \
145 --sysconfdir=/etc/ssh \
146 --with-md5-passwords \
147 --with-privsep-path=/var/lib/sshd &amp;&amp;
148make</userinput></screen>
149
150 <para>
151 The testsuite requires an installed copy of <command>scp</command> to
152 complete the multiplexing tests. To run the test suite, first copy the
153 <command>scp</command> program to
154 <filename class="directory">/usr/bin</filename>, making sure that you
155 back up any existing copy first.
156 </para>
157
158 <para>
159 To test the results, issue: <command>make tests</command>.
160 </para>
161
162<!-- commenting this, I get "all tests passed" [ ken ]
163 NB tests should be run as _user_ but the role in the comment is root
164
165 commenting [ bruce ]: There are a couple of tests that want root.
166 The log mentions that SUDO is not set. These skipped tests are
167 ignored and the end says 'all tests passed' even when not root
168
169 <para>
170 To run the test suite, issue the following commands:
171 </para>
172
173<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
174grep FATAL check.log</userinput></screen>
175
176 <para>
177 If the above command produces no 'FATAL' errors, then proceed with the
178 installation, as the <systemitem class="username">root</systemitem> user:
179 </para>-->
180 <para>
181 Now, as the <systemitem class="username">root</systemitem> user:
182 </para>
183
184<screen role="root"><userinput>make install &amp;&amp;
185install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
186install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &amp;&amp;
187install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
188install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-&openssh-version;</userinput></screen>
189 </sect2>
190
191 <sect2 role="commands">
192 <title>Command Explanations</title>
193
194 <para>
195 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
196 configuration files from being installed in
197 <filename class="directory">/usr/etc</filename>.
198 </para>
199
200 <para>
201 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
202 passwords.
203 </para>
204
205 <para>
206 <parameter>--with-pam</parameter>: This parameter enables
207 <application>Linux-PAM</application> support in the build.
208 </para>
209
210 <para>
211 <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
212 location for the <command>xauth</command> binary for X authentication.
213 Change the location if <command>xauth</command> will be installed to a
214 different path. This can also be controlled from
215 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
216 omit this switch if <application>Xorg</application> is already installed.
217 </para>
218
219 <para>
220 <parameter>--with-kerberos5=/usr</parameter>: This option is used to
221 include Kerberos 5 support in the build.
222 </para>
223
224 <para>
225 <parameter>--with-libedit</parameter>: This option enables line editing
226 and history features for <command>sftp</command>.
227 </para>
228
229 </sect2>
230
231 <sect2 role="configuration">
232 <title>Configuring OpenSSH</title>
233
234 <sect3 id="openssh-config">
235 <title>Config Files</title>
236
237 <para>
238 <filename>~/.ssh/*</filename>,
239 <filename>/etc/ssh/ssh_config</filename>, and
240 <filename>/etc/ssh/sshd_config</filename>
241 </para>
242
243 <indexterm zone="openssh openssh-config">
244 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
245 </indexterm>
246
247 <indexterm zone="openssh openssh-config">
248 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
249 </indexterm>
250
251 <indexterm zone="openssh openssh-config">
252 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
253 </indexterm>
254
255 <para>
256 There are no required changes to any of these files. However,
257 you may wish to view the
258 <filename class='directory'>/etc/ssh/</filename> files and make any
259 changes appropriate for the security of your system. One recommended
260 change is that you disable
261 <systemitem class='username'>root</systemitem> login via
262 <command>ssh</command>. Execute the following command as the
263 <systemitem class='username'>root</systemitem> user to disable
264 <systemitem class='username'>root</systemitem> login via
265 <command>ssh</command>:
266 </para>
267
268<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
269
270 <para>
271 If you want to be able to log in without typing in your password, first
272 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
273 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
274 ~/.ssh/authorized_keys on the remote computer that you want to log into.
275 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
276 computer and you'll also need to enter your password for the ssh-copy-id command
277 to succeed:
278 </para>
279
280<screen><userinput>ssh-keygen &amp;&amp;
281ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
282
283 <para>
284 Once you've got passwordless logins working it's actually more secure
285 than logging in with a password (as the private key is much longer than
286 most people's passwords). If you would like to now disable password
287 logins, as the <systemitem class="username">root</systemitem> user:
288 </para>
289
290
291<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
292echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
293
294 <para>
295 If you added <application>Linux-PAM</application> support and you want
296 ssh to use it then you will need to add a configuration file for
297 <application>sshd</application> and enable use of
298 <application>Linux-PAM</application>. Note that ssh only uses PAM to check
299 passwords, if you've disabled password logins these commands are not
300 needed. If you want to use PAM issue the following commands as the
301 <systemitem class='username'>root</systemitem> user:
302 </para>
303
304<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
305chmod 644 /etc/pam.d/sshd &amp;&amp;
306echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
307
308 <para>
309 Additional configuration information can be found in the man
310 pages for <command>sshd</command>, <command>ssh</command>, and
311 <command>ssh-agent</command>.
312 </para>
313 </sect3>
314
315 <sect3 id="openssh-init">
316 <title>Systemd Units</title>
317
318 <para>
319 To start the <command>sshd</command> daemon at boot,
320 install the systemd units from the <xref linkend="bootscripts"/>
321 package by running the following command as the
322 <systemitem class="username">root</systemitem> user:
323 </para>
324
325 <indexterm zone="openssh openssh-init">
326 <primary sortas="f-sshd">sshd</primary>
327 </indexterm>
328
329<screen role="root"><userinput>make install-sshd</userinput></screen>
330
331 <note>
332 <para>
333 This package comes with two types of units: A service file and a socket file.
334 The service file will start sshd daemon once at boot and it will keep running until the
335 system shuts down. The socket file will make systemd listen on sshd port (Default port is 22, it needs
336 to be edited for anything else) and will start sshd daemon when something tries to connect
337 to that port and stop the daemon when the connection is terminated. This is
338 called socket activation.
339
340 By default, the first method is used - sshd daemon is started at boot and stopped at shutdown.
341 If the socket method is desired, you need to run as the
342 <systemitem class="username">root</systemitem> user:
343
344<screen role="root"><userinput>systemctl stop sshd &amp;&amp;
345systemctl disable sshd &amp;&amp;
346systemctl enable sshd.socket &amp;&amp;
347systemctl start sshd.socket</userinput></screen>
348 </para>
349 </note>
350
351 </sect3>
352 </sect2>
353
354 <sect2 role="content">
355 <title>Contents</title>
356
357 <segmentedlist>
358 <segtitle>Installed Programs</segtitle>
359 <segtitle>Installed Libraries</segtitle>
360 <segtitle>Installed Directories</segtitle>
361
362 <seglistitem>
363 <seg>
364 scp,
365 sftp,
366 slogin (symlink to ssh),
367 ssh,
368 ssh-add,
369 ssh-agent,
370 ssh-copy-id,
371 ssh-keygen,
372 ssh-keyscan,
373 and sshd
374 </seg>
375 <seg>
376 None
377 </seg>
378 <seg>
379 /etc/ssh,
380 /usr/share/doc/openssh-&openssh-version;, and
381 /var/lib/sshd
382 </seg>
383 </seglistitem>
384 </segmentedlist>
385
386 <variablelist>
387 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
388 <?dbfo list-presentation="list"?>
389 <?dbhtml list-presentation="table"?>
390
391 <varlistentry id="scp">
392 <term><command>scp</command></term>
393 <listitem>
394 <para>
395 is a file copy program that acts like <command>rcp</command> except
396 it uses an encrypted protocol.
397 </para>
398 <indexterm zone="openssh scp">
399 <primary sortas="b-scp">scp</primary>
400 </indexterm>
401 </listitem>
402 </varlistentry>
403
404 <varlistentry id="sftp">
405 <term><command>sftp</command></term>
406 <listitem>
407 <para>
408 is an FTP-like program that works over the SSH1 and SSH2 protocols.
409 </para>
410 <indexterm zone="openssh sftp">
411 <primary sortas="b-sftp">sftp</primary>
412 </indexterm>
413 </listitem>
414 </varlistentry>
415
416 <varlistentry id="slogin">
417 <term><command>slogin</command></term>
418 <listitem>
419 <para>
420 is a symlink to <command>ssh</command>.
421 </para>
422 <indexterm zone="openssh slogin">
423 <primary sortas="b-slogin">slogin</primary>
424 </indexterm>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry id="ssh">
429 <term><command>ssh</command></term>
430 <listitem>
431 <para>
432 is an <command>rlogin</command>/<command>rsh</command>-like client
433 program except it uses an encrypted protocol.
434 </para>
435 <indexterm zone="openssh ssh">
436 <primary sortas="b-ssh">ssh</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="sshd">
442 <term><command>sshd</command></term>
443 <listitem>
444 <para>
445 is a daemon that listens for <command>ssh</command> login requests.
446 </para>
447 <indexterm zone="openssh sshd">
448 <primary sortas="b-sshd">sshd</primary>
449 </indexterm>
450 </listitem>
451 </varlistentry>
452
453 <varlistentry id="ssh-add">
454 <term><command>ssh-add</command></term>
455 <listitem>
456 <para>
457 is a tool which adds keys to the <command>ssh-agent</command>.
458 </para>
459 <indexterm zone="openssh ssh-add">
460 <primary sortas="b-ssh-add">ssh-add</primary>
461 </indexterm>
462 </listitem>
463 </varlistentry>
464
465 <varlistentry id="ssh-agent">
466 <term><command>ssh-agent</command></term>
467 <listitem>
468 <para>
469 is an authentication agent that can store private keys.
470 </para>
471 <indexterm zone="openssh ssh-agent">
472 <primary sortas="b-ssh-agent">ssh-agent</primary>
473 </indexterm>
474 </listitem>
475 </varlistentry>
476
477 <varlistentry id="ssh-copy-id">
478 <term><command>ssh-copy-id</command></term>
479 <listitem>
480 <para>
481 is a script that enables logins on remote machine using local keys.
482 </para>
483 <indexterm zone="openssh ssh-copy-id">
484 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
485 </indexterm>
486 </listitem>
487 </varlistentry>
488
489 <varlistentry id="ssh-keygen">
490 <term><command>ssh-keygen</command></term>
491 <listitem>
492 <para>
493 is a key generation tool.
494 </para>
495 <indexterm zone="openssh ssh-keygen">
496 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
497 </indexterm>
498 </listitem>
499 </varlistentry>
500
501 <varlistentry id="ssh-keyscan">
502 <term><command>ssh-keyscan</command></term>
503 <listitem>
504 <para>
505 is a utility for gathering public host keys from a number of hosts.
506 </para>
507 <indexterm zone="openssh ssh-keyscan">
508 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
509 </indexterm>
510 </listitem>
511 </varlistentry>
512
513 </variablelist>
514 </sect2>
515</sect1>
Note: See TracBrowser for help on using the repository browser.