source: postlfs/security/openssh.xml@ 7fdeb26

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp  "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum        "afe17eee7e98d3b8550cc349834a85d0">
  <!ENTITY openssh-size          "1.1 MB">
  <!ENTITY openssh-buildsize     "44 MB">
  <!ENTITY openssh-time          "3.5 SBU (including the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <para>The <application>OpenSSH</application> package contains
  <command>ssh</command> clients and the <command>sshd</command> daemon.
  This is useful for encrypting authentication and subsequent traffic
  over a network. The <command>ssh</command> and <command>scp</command>
  commands are secure implementions of <command>telnet</command> and 
  <command>rcp</command> respectively.</para>

  &lfs70_checked;

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/>,
    <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
    (provides a command-line history feature to <command>sftp</command>),
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
    <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
    <xref linkend="net-tools"/>, and
    <xref linkend="sysstat"/>.</para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><application>OpenSSH</application> runs as two processes when
    connecting to other computers. The first process is a privileged process
    and controls the issuance of privileges as necessary. The second process
    communicates with the network. Additional installation steps are necessary
    to set up the proper environment, which are performed by issuing the
    following commands as the <systemitem class="username">root</systemitem>
    user:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

    <para><application>OpenSSH</application> is very sensitive to changes in
    the linked <application>OpenSSL</application> libraries. If you recompile
    <application>OpenSSL</application>, <application>OpenSSH</application> may
    fail to start up. An alternative is to link against the static
    <application>OpenSSL</application> library. To link against the static
    library, execute the following command:</para>

<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>

    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>sed -i.bak '/K5LIBS=/s/ -ldes//' configure &amp;&amp;
./configure --prefix=/usr \
            --sysconfdir=/etc/ssh \
            --datadir=/usr/share/sshd \
            --libexecdir=/usr/lib/openssh \
            --with-md5-passwords \
            --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. Additionally, the testsuite requires an installed
    copy of <command>scp</command> to complete the multiplexing tests.  To
    run the test suite, first copy the scp program to
    <filename class="directory">/usr/bin</filename>, making sure that you
    back up any existing copy first.</para>

    <para>To run the test suite, issue the following commands:</para>

<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
grep FATAL check.log</userinput></screen>

    <para>If the above command produces no 'FATAL' errors, then proceed
    with the installation, as the
    <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i.bak '/K5LIBS=/s/ -ldes//' configure</command>:
    This command fixes a build crash if you used the
    <option>--with-kerberos5</option> parameter and you built the
    <application>Heimdal</application> package in accordance with the BLFS
    instructions. The command is harmless in all other instances.</para>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
    puts the Ssh.bin file (used for SmartCard authentication) in
    <filename class="directory">/usr/share/sshd</filename>.</para>

    <para><parameter>--with-md5-passwords</parameter>: This is required
    with the default configuration of Shadow password suite in LFS.</para>

    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/lib/openssh</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

    <para><parameter>--with-pam</parameter>: This parameter enables
    <application>Linux-PAM</application> support in the build.</para>

    <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
    default location for the <command>xauth</command> binary for X
    authentication. Change the location if <command>xauth</command> will
    be installed to a different path. This can also be controlled from
    <filename>sshd_config</filename> with the XAuthLocation keyword.
    You can omit this switch if <application>Xorg</application> is already
    installed.
    </para>

    <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
    include Heimdal support in the build.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <para>If you are only going to use the <command>ssh</command> or
    <command>scp</command> clients, no configuration or boot scripts are
    required.</para>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is that you disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>If you added <application>LinuxPAM</application> support, then you
      will need to add a configuration file for
      <application>sshd</application> and enable use of
      <application>LinuxPAM</application>.  Issue the following commands as the
      <systemitem class='username'>root</systemitem> user:</para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd &amp;&amp;
echo "USEPAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3  id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
        <seg>None</seg>
        <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
        /usr/share/doc/openssh-&openssh-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>is a file copy program that acts like <command>rcp</command>
          except it uses an encrypted protocol.</para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>is a key generation tool.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>