Context Navigation

openssh.xml@ 7b66ed2

Visit:

11.0 11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 7b66ed2 was 79eec369, checked in by Thomas Trepl <thomas@…>, 3 years ago

Fix a seccomp issue in OpenSSH

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24325 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 17.9 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "8f897870404c088e4aa7d1c1c58b526b">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "48 MB (add 17 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes 20+ minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23	<sect1info>
24	<othername>$LastChangedBy$</othername>
25	<date>$Date$</date>
26	</sect1info>
27
28	<title>OpenSSH-&openssh-version;</title>
29
30	<indexterm zone="openssh">
31	<primary sortas="a-OpenSSH">OpenSSH</primary>
32	</indexterm>
33
34	<sect2 role="package">
35	<title>Introduction to OpenSSH</title>
36
37	<para>
38	The <application>OpenSSH</application> package contains
39	<command>ssh</command> clients and the <command>sshd</command> daemon.
40	This is useful for encrypting authentication and subsequent traffic over
41	a network. The <command>ssh</command> and <command>scp</command> commands
42	are secure implementations of <command>telnet</command> and
43	<command>rcp</command> respectively.
44	</para>
45
46	&lfs101_checked;
47
48	<bridgehead renderas="sect3">Package Information</bridgehead>
49	<itemizedlist spacing="compact">
50	<listitem>
51	<para>
52	Download (HTTP): <ulink url="&openssh-download-http;"/>
53	</para>
54	</listitem>
55	<listitem>
56	<para>
57	Download (FTP): <ulink url="&openssh-download-ftp;"/>
58	</para>
59	</listitem>
60	<listitem>
61	<para>
62	Download MD5 sum: &openssh-md5sum;
63	</para>
64	</listitem>
65	<listitem>
66	<para>
67	Download size: &openssh-size;
68	</para>
69	</listitem>
70	<listitem>
71	<para>
72	Estimated disk space required: &openssh-buildsize;
73	</para>
74	</listitem>
75	<listitem>
76	<para>
77	Estimated build time: &openssh-time;
78	</para>
79	</listitem>
80	</itemizedlist>
81	<!--
82	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
83	<itemizedlist spacing="compact">
84	<listitem>
85	<para>
86	Required patch:
87	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
88	</para>
89	</listitem>
90	</itemizedlist>
91	-->
92	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
93
94	<bridgehead renderas="sect4">Optional</bridgehead>
95	<para role="optional">
96	<xref linkend="gdb"/> (for tests),
97	<xref linkend="linux-pam"/>,
98	<xref linkend="x-window-system"/>,
99	<xref linkend="mitkrb"/>,
100	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<xref role="runtime" linkend="openjdk"/>,
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	<para condition="html" role="usernotes">
114	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115	</para>
116	</sect2>
117
118	<sect2 role="installation">
119	<title>Installation of OpenSSH</title>
120
121	<para>
122	<application>OpenSSH</application> runs as two processes when connecting
123	to other computers. The first process is a privileged process and controls
124	the issuance of privileges as necessary. The second process communicates
125	with the network. Additional installation steps are necessary to set up
126	the proper environment, which are performed by issuing the following
127	commands as the <systemitem class="username">root</systemitem> user:
128	</para>
129
130	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
131	chown -v root:sys /var/lib/sshd &&
132
133	groupadd -g 50 sshd &&
134	useradd -c 'sshd PrivSep' \
135	-d /var/lib/sshd \
136	-g sshd \
137	-s /bin/false \
138	-u 50 sshd</userinput></screen>
139	<!--
140	<para>
141	Apply a patch to allow OpenSSH to build and function with
142	<application>Glibc-2.31</application> and later:
143	</para>
144
145	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146	-->
147	<para>
148	First, adapt <application>ssh-copy-id</application> to changes
149	in bash-5.1:
150	</para>
151
152	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
153
154	<para>
155	Next, fix an issue on platforms other than x86_64:
156	</para>
157	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
158	l1="#ifdef __NR_pselect6_time64"
159	l2=" SC_ALLOW(__NR_pselect6_time64),"
160	l3="#endif"
161	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
162	-i sandbox-seccomp-filter.c
163	fi</userinput></screen>
164
165	<para>
166	Install <application>OpenSSH</application> by running the following
167	commands:
168	</para>
169
170	<screen><userinput>./configure --prefix=/usr \
171	--sysconfdir=/etc/ssh \
172	--with-md5-passwords \
173	--with-privsep-path=/var/lib/sshd &&
174	make</userinput></screen>
175
176	<para>
177	The testsuite requires an installed copy of <command>scp</command> to
178	complete the multiplexing tests. To run the test suite, first copy the
179	<command>scp</command> program to
180	<filename class="directory">/usr/bin</filename>, making sure that you
181	backup any existing copy first.
182	</para>
183
184	<para>
185	To test the results, issue: <command>make -j1 tests</command>.
186	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
187	</para>
188
189	<!-- commenting this, I get "all tests passed" [ ken ]
190	NB tests should be run as _user_ but the role in the comment is root
191
192	commenting [ bruce ]: There are a couple of tests that want root.
193	The log mentions that SUDO is not set. These skipped tests are
194	ignored and the end says 'all tests passed' even when not root
195
196	<para>
197	To run the test suite, issue the following commands:
198	</para>
199
200	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
201	grep FATAL check.log</userinput></screen>
202
203	<para>
204	If the above command produces no 'FATAL' errors, then proceed with the
205	installation, as the <systemitem class="username">root</systemitem> user:
206	</para>-->
207	<para>
208	Now, as the <systemitem class="username">root</systemitem> user:
209	</para>
210
211	<screen role="root"><userinput>make install &&
212	install -v -m755 contrib/ssh-copy-id /usr/bin &&
213
214	install -v -m644 contrib/ssh-copy-id.1 \
215	/usr/share/man/man1 &&
216	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
217	install -v -m644 INSTALL LICENCE OVERVIEW README* \
218	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
219	</sect2>
220
221	<sect2 role="commands">
222	<title>Command Explanations</title>
223
224	<para>
225	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
226	configuration files from being installed in
227	<filename class="directory">/usr/etc</filename>.
228	</para>
229
230	<para>
231	<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
232	passwords.
233	</para>
234
235	<para>
236	<option>--with-pam</option>: This parameter enables
237	<application>Linux-PAM</application> support in the build.
238	</para>
239
240	<para>
241	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
242	location for the <command>xauth</command> binary for X authentication.
243	Change the location if <command>xauth</command> will be installed to a
244	different path. This can also be controlled from
245	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
246	omit this switch if <application>Xorg</application> is already installed.
247	</para>
248
249	<para>
250	<option>--with-kerberos5=/usr</option>: This option is used to
251	include Kerberos 5 support in the build.
252	</para>
253
254	<para>
255	<option>--with-libedit</option>: This option enables line editing
256	and history features for <command>sftp</command>.
257	</para>
258
259	</sect2>
260
261	<sect2 role="configuration">
262	<title>Configuring OpenSSH</title>
263
264	<sect3 id="openssh-config">
265	<title>Config Files</title>
266
267	<para>
268	<filename>~/.ssh/*</filename>,
269	<filename>/etc/ssh/ssh_config</filename>, and
270	<filename>/etc/ssh/sshd_config</filename>
271	</para>
272
273	<indexterm zone="openssh openssh-config">
274	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
275	</indexterm>
276
277	<indexterm zone="openssh openssh-config">
278	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
279	</indexterm>
280
281	<indexterm zone="openssh openssh-config">
282	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
283	</indexterm>
284
285	<para>
286	There are no required changes to any of these files. However,
287	you may wish to view the
288	<filename class='directory'>/etc/ssh/</filename> files and make any
289	changes appropriate for the security of your system. One recommended
290	change is that you disable
291	<systemitem class='username'>root</systemitem> login via
292	<command>ssh</command>. Execute the following command as the
293	<systemitem class='username'>root</systemitem> user to disable
294	<systemitem class='username'>root</systemitem> login via
295	<command>ssh</command>:
296	</para>
297
298	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
299
300	<para>
301	If you want to be able to log in without typing in your password, first
302	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
303	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
304	~/.ssh/authorized_keys on the remote computer that you want to log into.
305	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
306	computer and you'll also need to enter your password for the ssh-copy-id command
307	to succeed:
308	</para>
309
310	<screen><userinput>ssh-keygen &&
311	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
312
313	<para>
314	Once you've got passwordless logins working it's actually more secure
315	than logging in with a password (as the private key is much longer than
316	most people's passwords). If you would like to now disable password
317	logins, as the <systemitem class="username">root</systemitem> user:
318	</para>
319
320
321	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
322	echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
323
324	<para>
325	If you added <application>Linux-PAM</application> support and you want
326	ssh to use it then you will need to add a configuration file for
327	<application>sshd</application> and enable use of
328	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
329	passwords, if you've disabled password logins these commands are not
330	needed. If you want to use PAM, issue the following commands as the
331	<systemitem class='username'>root</systemitem> user:
332	</para>
333
334	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
335	chmod 644 /etc/pam.d/sshd &&
336	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
337
338	<para>
339	Additional configuration information can be found in the man
340	pages for <command>sshd</command>, <command>ssh</command> and
341	<command>ssh-agent</command>.
342	</para>
343	</sect3>
344
345	<sect3 id="openssh-init">
346	<title><phrase revision="sysv">Boot Script</phrase>
347	<phrase revision="systemd">Systemd Unit</phrase></title>
348
349	<para revision="sysv">
350	To start the SSH server at system boot, install the
351	<filename>/etc/rc.d/init.d/sshd</filename> init script included
352	in the <xref linkend="bootscripts"/> package.
353	</para>
354
355	<para revision="systemd">
356	To start the SSH server at system boot, install the
357	<filename>sshd.service</filename> unit included in the
358	<xref linkend="systemd-units"/> package.
359	</para>
360
361	<indexterm zone="openssh openssh-init">
362	<primary sortas="f-sshd">sshd</primary>
363	</indexterm>
364
365	<screen role="root"><userinput>make install-sshd</userinput></screen>
366	</sect3>
367	</sect2>
368
369	<sect2 role="content">
370	<title>Contents</title>
371
372	<segmentedlist>
373	<segtitle>Installed Programs</segtitle>
374	<segtitle>Installed Libraries</segtitle>
375	<segtitle>Installed Directories</segtitle>
376
377	<seglistitem>
378	<seg>
379	scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
380	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
381	</seg>
382	<seg>
383	None
384	</seg>
385	<seg>
386	/etc/ssh,
387	/usr/share/doc/openssh-&openssh-version;, and
388	/var/lib/sshd
389	</seg>
390	</seglistitem>
391	</segmentedlist>
392
393	<variablelist>
394	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
395	<?dbfo list-presentation="list"?>
396	<?dbhtml list-presentation="table"?>
397
398	<varlistentry id="scp">
399	<term><command>scp</command></term>
400	<listitem>
401	<para>
402	is a file copy program that acts like <command>rcp</command> except
403	it uses an encrypted protocol
404	</para>
405	<indexterm zone="openssh scp">
406	<primary sortas="b-scp">scp</primary>
407	</indexterm>
408	</listitem>
409	</varlistentry>
410
411	<varlistentry id="sftp">
412	<term><command>sftp</command></term>
413	<listitem>
414	<para>
415	is an FTP-like program that works over the SSH1 and SSH2 protocols
416	</para>
417	<indexterm zone="openssh sftp">
418	<primary sortas="b-sftp">sftp</primary>
419	</indexterm>
420	</listitem>
421	</varlistentry>
422
423	<varlistentry id="slogin">
424	<term><command>slogin</command></term>
425	<listitem>
426	<para>
427	is a symlink to <command>ssh</command>
428	</para>
429	<indexterm zone="openssh slogin">
430	<primary sortas="b-slogin">slogin</primary>
431	</indexterm>
432	</listitem>
433	</varlistentry>
434
435	<varlistentry id="ssh">
436	<term><command>ssh</command></term>
437	<listitem>
438	<para>
439	is an <command>rlogin</command>/<command>rsh</command>-like client
440	program except it uses an encrypted protocol
441	</para>
442	<indexterm zone="openssh ssh">
443	<primary sortas="b-ssh">ssh</primary>
444	</indexterm>
445	</listitem>
446	</varlistentry>
447
448	<varlistentry id="sshd">
449	<term><command>sshd</command></term>
450	<listitem>
451	<para>
452	is a daemon that listens for <command>ssh</command> login requests
453	</para>
454	<indexterm zone="openssh sshd">
455	<primary sortas="b-sshd">sshd</primary>
456	</indexterm>
457	</listitem>
458	</varlistentry>
459
460	<varlistentry id="ssh-add">
461	<term><command>ssh-add</command></term>
462	<listitem>
463	<para>
464	is a tool which adds keys to the <command>ssh-agent</command>
465	</para>
466	<indexterm zone="openssh ssh-add">
467	<primary sortas="b-ssh-add">ssh-add</primary>
468	</indexterm>
469	</listitem>
470	</varlistentry>
471
472	<varlistentry id="ssh-agent">
473	<term><command>ssh-agent</command></term>
474	<listitem>
475	<para>
476	is an authentication agent that can store private keys
477	</para>
478	<indexterm zone="openssh ssh-agent">
479	<primary sortas="b-ssh-agent">ssh-agent</primary>
480	</indexterm>
481	</listitem>
482	</varlistentry>
483
484	<varlistentry id="ssh-copy-id">
485	<term><command>ssh-copy-id</command></term>
486	<listitem>
487	<para>
488	is a script that enables logins on remote machine using local keys
489	</para>
490	<indexterm zone="openssh ssh-copy-id">
491	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
492	</indexterm>
493	</listitem>
494	</varlistentry>
495
496	<varlistentry id="ssh-keygen">
497	<term><command>ssh-keygen</command></term>
498	<listitem>
499	<para>
500	is a key generation tool
501	</para>
502	<indexterm zone="openssh ssh-keygen">
503	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
504	</indexterm>
505	</listitem>
506	</varlistentry>
507
508	<varlistentry id="ssh-keyscan">
509	<term><command>ssh-keyscan</command></term>
510	<listitem>
511	<para>
512	is a utility for gathering public host keys from a number of hosts
513	</para>
514	<indexterm zone="openssh ssh-keyscan">
515	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
516	</indexterm>
517	</listitem>
518	</varlistentry>
519
520	</variablelist>
521	</sect2>
522
523	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh.xml@ 7b66ed2

Download in other formats: