source: postlfs/security/openssh.xml@ 63a26be

10.0 10.1 11.0 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind ken/refactor-virt lazarus perl-modules qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 63a26be was 63a26be, checked in by Douglas R. Reno <renodr@…>, 5 years ago

Tags!

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18306 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "b2db2a83caf66a208bb78d6d287cdaa3">
13 <!ENTITY openssh-size "1.4 MB">
14 <!ENTITY openssh-buildsize "47 MB (with tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 10+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs80_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
82
83 <bridgehead renderas="sect4">Required</bridgehead>
84 <para role="required">
85 <xref linkend="openssl"/> or
86 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para>
87
88 <bridgehead renderas="sect4">Optional</bridgehead>
89 <para role="optional">
90 <xref linkend="linux-pam"/>,
91 <xref linkend="x-window-system"/>,
92 <xref linkend="mitkrb"/>,
93 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
94 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
95 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
96 </para>
97
98 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
99 <para role="optional">
100 <xref linkend="openjdk"/>,
101 <xref linkend="net-tools"/>, and
102 <xref linkend="sysstat"/>
103 </para>
104
105 <para condition="html" role="usernotes">
106 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
107 </para>
108 </sect2>
109
110 <sect2 role="installation">
111 <title>Installation of OpenSSH</title>
112
113 <warning revision="systemd">
114 <para>
115 If reinstalling over an <application>SSH</application> connection to
116 enable <xref linkend="linux-pam"/> support, be certain to temporarily set
117 <option>PermitRootLogin</option> to <parameter>yes</parameter> in
118 <filename>/etc/ssh/sshd_config</filename> until you complete
119 reinstallation of <xref linkend="systemd"/>, or you may find that you are
120 unable to login to the system remotely.
121 </para>
122 </warning>
123
124 <para>
125 <application>OpenSSH</application> runs as two processes when connecting
126 to other computers. The first process is a privileged process and controls
127 the issuance of privileges as necessary. The second process communicates
128 with the network. Additional installation steps are necessary to set up
129 the proper environment, which are performed by issuing the following
130 commands as the <systemitem class="username">root</systemitem> user:
131 </para>
132
133<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
134chown -v root:sys /var/lib/sshd &amp;&amp;
135
136groupadd -g 50 sshd &amp;&amp;
137useradd -c 'sshd PrivSep' \
138 -d /var/lib/sshd \
139 -g sshd \
140 -s /bin/false \
141 -u 50 sshd</userinput></screen>
142
143 <para>
144 Install <application>OpenSSH</application> by running the following
145 commands:
146 </para>
147
148<screen><userinput>./configure --prefix=/usr \
149 --sysconfdir=/etc/ssh \
150 --with-md5-passwords \
151 --with-privsep-path=/var/lib/sshd &amp;&amp;
152make</userinput></screen>
153
154 <para>
155 The testsuite requires an installed copy of <command>scp</command> to
156 complete the multiplexing tests. To run the test suite, first copy the
157 <command>scp</command> program to
158 <filename class="directory">/usr/bin</filename>, making sure that you
159 backup any existing copy first.
160 </para>
161
162 <para>
163 To test the results, issue: <command>make tests</command>.
164 </para>
165
166<!-- commenting this, I get "all tests passed" [ ken ]
167 NB tests should be run as _user_ but the role in the comment is root
168
169 commenting [ bruce ]: There are a couple of tests that want root.
170 The log mentions that SUDO is not set. These skipped tests are
171 ignored and the end says 'all tests passed' even when not root
172
173 <para>
174 To run the test suite, issue the following commands:
175 </para>
176
177<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
178grep FATAL check.log</userinput></screen>
179
180 <para>
181 If the above command produces no 'FATAL' errors, then proceed with the
182 installation, as the <systemitem class="username">root</systemitem> user:
183 </para>-->
184 <para>
185 Now, as the <systemitem class="username">root</systemitem> user:
186 </para>
187
188<screen role="root"><userinput>make install &amp;&amp;
189install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
190
191install -v -m644 contrib/ssh-copy-id.1 \
192 /usr/share/man/man1 &amp;&amp;
193install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
194install -v -m644 INSTALL LICENCE OVERVIEW README* \
195 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
196 </sect2>
197
198 <sect2 role="commands">
199 <title>Command Explanations</title>
200
201 <para>
202 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
203 configuration files from being installed in
204 <filename class="directory">/usr/etc</filename>.
205 </para>
206
207 <para>
208 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
209 passwords.
210 </para>
211
212 <para>
213 <option>--with-pam</option>: This parameter enables
214 <application>Linux-PAM</application> support in the build.
215 </para>
216
217 <para>
218 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
219 location for the <command>xauth</command> binary for X authentication.
220 Change the location if <command>xauth</command> will be installed to a
221 different path. This can also be controlled from
222 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
223 omit this switch if <application>Xorg</application> is already installed.
224 </para>
225
226 <para>
227 <option>--with-kerberos5=/usr</option>: This option is used to
228 include Kerberos 5 support in the build.
229 </para>
230
231 <para>
232 <option>--with-libedit</option>: This option enables line editing
233 and history features for <command>sftp</command>.
234 </para>
235
236 </sect2>
237
238 <sect2 role="configuration">
239 <title>Configuring OpenSSH</title>
240
241 <sect3 id="openssh-config">
242 <title>Config Files</title>
243
244 <para>
245 <filename>~/.ssh/*</filename>,
246 <filename>/etc/ssh/ssh_config</filename>, and
247 <filename>/etc/ssh/sshd_config</filename>
248 </para>
249
250 <indexterm zone="openssh openssh-config">
251 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
252 </indexterm>
253
254 <indexterm zone="openssh openssh-config">
255 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
256 </indexterm>
257
258 <indexterm zone="openssh openssh-config">
259 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
260 </indexterm>
261
262 <para>
263 There are no required changes to any of these files. However,
264 you may wish to view the
265 <filename class='directory'>/etc/ssh/</filename> files and make any
266 changes appropriate for the security of your system. One recommended
267 change is that you disable
268 <systemitem class='username'>root</systemitem> login via
269 <command>ssh</command>. Execute the following command as the
270 <systemitem class='username'>root</systemitem> user to disable
271 <systemitem class='username'>root</systemitem> login via
272 <command>ssh</command>:
273 </para>
274
275<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
276
277 <para>
278 If you want to be able to log in without typing in your password, first
279 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
280 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
281 ~/.ssh/authorized_keys on the remote computer that you want to log into.
282 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
283 computer and you'll also need to enter your password for the ssh-copy-id command
284 to succeed:
285 </para>
286
287<screen><userinput>ssh-keygen &amp;&amp;
288ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
289
290 <para>
291 Once you've got passwordless logins working it's actually more secure
292 than logging in with a password (as the private key is much longer than
293 most people's passwords). If you would like to now disable password
294 logins, as the <systemitem class="username">root</systemitem> user:
295 </para>
296
297
298<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
299echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
300
301 <para>
302 If you added <application>Linux-PAM</application> support and you want
303 ssh to use it then you will need to add a configuration file for
304 <application>sshd</application> and enable use of
305 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
306 passwords, if you've disabled password logins these commands are not
307 needed. If you want to use PAM, issue the following commands as the
308 <systemitem class='username'>root</systemitem> user:
309 </para>
310
311<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
312chmod 644 /etc/pam.d/sshd &amp;&amp;
313echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
314
315 <para>
316 Additional configuration information can be found in the man
317 pages for <command>sshd</command>, <command>ssh</command> and
318 <command>ssh-agent</command>.
319 </para>
320 </sect3>
321
322 <sect3 id="openssh-init">
323 <title><phrase revision="sysv">Boot Script</phrase>
324 <phrase revision="systemd">Systemd Unit</phrase></title>
325
326 <para revision="sysv">
327 To start the SSH server at system boot, install the
328 <filename>/etc/rc.d/init.d/sshd</filename> init script included
329 in the <xref linkend="bootscripts"/> package.
330 </para>
331
332 <para revision="systemd">
333 To start the SSH server at system boot, install the
334 <filename>sshd.service</filename> unit included in the
335 <xref linkend="systemd-units"/> package.
336 </para>
337
338 <indexterm zone="openssh openssh-init">
339 <primary sortas="f-sshd">sshd</primary>
340 </indexterm>
341
342<screen role="root"><userinput>make install-sshd</userinput></screen>
343 </sect3>
344 </sect2>
345
346 <sect2 role="content">
347 <title>Contents</title>
348
349 <segmentedlist>
350 <segtitle>Installed Programs</segtitle>
351 <segtitle>Installed Libraries</segtitle>
352 <segtitle>Installed Directories</segtitle>
353
354 <seglistitem>
355 <seg>
356 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
357 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
358 </seg>
359 <seg>
360 None
361 </seg>
362 <seg>
363 /etc/ssh,
364 /usr/share/doc/openssh-&openssh-version;, and
365 /var/lib/sshd
366 </seg>
367 </seglistitem>
368 </segmentedlist>
369
370 <variablelist>
371 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
372 <?dbfo list-presentation="list"?>
373 <?dbhtml list-presentation="table"?>
374
375 <varlistentry id="scp">
376 <term><command>scp</command></term>
377 <listitem>
378 <para>
379 is a file copy program that acts like <command>rcp</command> except
380 it uses an encrypted protocol.
381 </para>
382 <indexterm zone="openssh scp">
383 <primary sortas="b-scp">scp</primary>
384 </indexterm>
385 </listitem>
386 </varlistentry>
387
388 <varlistentry id="sftp">
389 <term><command>sftp</command></term>
390 <listitem>
391 <para>
392 is an FTP-like program that works over the SSH1 and SSH2 protocols.
393 </para>
394 <indexterm zone="openssh sftp">
395 <primary sortas="b-sftp">sftp</primary>
396 </indexterm>
397 </listitem>
398 </varlistentry>
399
400 <varlistentry id="slogin">
401 <term><command>slogin</command></term>
402 <listitem>
403 <para>
404 is a symlink to <command>ssh</command>.
405 </para>
406 <indexterm zone="openssh slogin">
407 <primary sortas="b-slogin">slogin</primary>
408 </indexterm>
409 </listitem>
410 </varlistentry>
411
412 <varlistentry id="ssh">
413 <term><command>ssh</command></term>
414 <listitem>
415 <para>
416 is an <command>rlogin</command>/<command>rsh</command>-like client
417 program except it uses an encrypted protocol.
418 </para>
419 <indexterm zone="openssh ssh">
420 <primary sortas="b-ssh">ssh</primary>
421 </indexterm>
422 </listitem>
423 </varlistentry>
424
425 <varlistentry id="sshd">
426 <term><command>sshd</command></term>
427 <listitem>
428 <para>
429 is a daemon that listens for <command>ssh</command> login requests.
430 </para>
431 <indexterm zone="openssh sshd">
432 <primary sortas="b-sshd">sshd</primary>
433 </indexterm>
434 </listitem>
435 </varlistentry>
436
437 <varlistentry id="ssh-add">
438 <term><command>ssh-add</command></term>
439 <listitem>
440 <para>
441 is a tool which adds keys to the <command>ssh-agent</command>.
442 </para>
443 <indexterm zone="openssh ssh-add">
444 <primary sortas="b-ssh-add">ssh-add</primary>
445 </indexterm>
446 </listitem>
447 </varlistentry>
448
449 <varlistentry id="ssh-agent">
450 <term><command>ssh-agent</command></term>
451 <listitem>
452 <para>
453 is an authentication agent that can store private keys.
454 </para>
455 <indexterm zone="openssh ssh-agent">
456 <primary sortas="b-ssh-agent">ssh-agent</primary>
457 </indexterm>
458 </listitem>
459 </varlistentry>
460
461 <varlistentry id="ssh-copy-id">
462 <term><command>ssh-copy-id</command></term>
463 <listitem>
464 <para>
465 is a script that enables logins on remote machine using local keys.
466 </para>
467 <indexterm zone="openssh ssh-copy-id">
468 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
469 </indexterm>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry id="ssh-keygen">
474 <term><command>ssh-keygen</command></term>
475 <listitem>
476 <para>
477 is a key generation tool.
478 </para>
479 <indexterm zone="openssh ssh-keygen">
480 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
481 </indexterm>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry id="ssh-keyscan">
486 <term><command>ssh-keyscan</command></term>
487 <listitem>
488 <para>
489 is a utility for gathering public host keys from a number of hosts.
490 </para>
491 <indexterm zone="openssh ssh-keyscan">
492 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
493 </indexterm>
494 </listitem>
495 </varlistentry>
496
497 </variablelist>
498 </sect2>
499</sect1>
Note: See TracBrowser for help on using the repository browser.