Context Navigation

source: postlfs/security/openssh.xml@ 81a0948

Visit:

11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18 xry111/soup3 xry111/xf86-video-removal

Last change on this file since 81a0948 was 81a0948, checked in by Bruce Dubbs <bdubbs@…>, 2 years ago
Update to openssh-9.0p1. Includes ssh-askpass.
Property mode set to `100644`
File size: 19.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "5ed8252a0ee379c0f7c9e0d25d32424d">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "44 MB (add 21 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 28 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23	<sect1info>
24	<date>$Date$</date>
25	</sect1info>
26
27	<title>OpenSSH-&openssh-version;</title>
28
29	<indexterm zone="openssh">
30	<primary sortas="a-OpenSSH">OpenSSH</primary>
31	</indexterm>
32
33	<sect2 role="package">
34	<title>Introduction to OpenSSH</title>
35
36	<para>
37	The <application>OpenSSH</application> package contains
38	<command>ssh</command> clients and the <command>sshd</command> daemon.
39	This is useful for encrypting authentication and subsequent traffic over
40	a network. The <command>ssh</command> and <command>scp</command> commands
41	are secure implementations of <command>telnet</command> and
42	<command>rcp</command> respectively.
43	</para>
44
45	&lfs111_checked;
46
47	<bridgehead renderas="sect3">Package Information</bridgehead>
48	<itemizedlist spacing="compact">
49	<listitem>
50	<para>
51	Download (HTTP): <ulink url="&openssh-download-http;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download (FTP): <ulink url="&openssh-download-ftp;"/>
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download MD5 sum: &openssh-md5sum;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Download size: &openssh-size;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated disk space required: &openssh-buildsize;
72	</para>
73	</listitem>
74	<listitem>
75	<para>
76	Estimated build time: &openssh-time;
77	</para>
78	</listitem>
79	</itemizedlist>
80	<!--
81	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
82	<itemizedlist spacing="compact">
83	<listitem>
84	<para>
85	Required patch:
86	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
87	</para>
88	</listitem>
89	</itemizedlist>
90	-->
91	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93	<bridgehead renderas="sect4">Optional</bridgehead>
94	<para role="optional">
95	<xref linkend="gdb"/> (for tests),
96	<xref linkend="linux-pam"/>,
97	<xref linkend="x-window-system"/>,
98	<xref linkend="mitkrb"/>,
99	<xref linkend="which"/> (for tests),
100	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	<para condition="html" role="usernotes">
114	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115	</para>
116	</sect2>
117
118	<sect2 role="installation">
119	<title>Installation of OpenSSH</title>
120
121	<para>
122	<application>OpenSSH</application> runs as two processes when connecting
123	to other computers. The first process is a privileged process and controls
124	the issuance of privileges as necessary. The second process communicates
125	with the network. Additional installation steps are necessary to set up
126	the proper environment, which are performed by issuing the following
127	commands as the <systemitem class="username">root</systemitem> user:
128	</para>
129
130	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
131	chown -v root:sys /var/lib/sshd &&
132
133	groupadd -g 50 sshd &&
134	useradd -c 'sshd PrivSep' \
135	-d /var/lib/sshd \
136	-g sshd \
137	-s /bin/false \
138	-u 50 sshd</userinput></screen>
139	<!--
140	<para>
141	Apply a patch to allow OpenSSH to build and function with
142	<application>Glibc-2.31</application> and later:
143	</para>
144
145	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146	-->
147
148	<!-- Applied in 8.5p1
149	<para>
150	First, adapt <application>ssh-copy-id</application> to changes
151	in bash-5.1:
152	</para>
153
154	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
155
156	<para>
157	Next, fix an issue on platforms other than x86_64:
158	</para>
159	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
160	l1="#ifdef __NR_pselect6_time64"
161	l2=" SC_ALLOW(__NR_pselect6_time64),"
162	l3="#endif"
163	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
164	-i sandbox-seccomp-filter.c
165	fi</userinput></screen>
166	-->
167	<para>
168	Install <application>OpenSSH</application> by running the following
169	commands:
170	</para>
171
172	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
173	block leaves an eyesore. -->
174	<screen><userinput>./configure --prefix=/usr \
175	--sysconfdir=/etc/ssh \
176	--with-privsep-path=/var/lib/sshd \
177	--with-default-path=/usr/bin \
178	--with-superuser-path=/usr/sbin:/usr/bin \
179	--with-pid-dir=/run &&
180	make</userinput></screen>
181
182	<para>
183	The testsuite requires an installed copy of <command>scp</command> to
184	complete the multiplexing tests. To run the test suite, first copy the
185	<command>scp</command> program to
186	<filename class="directory">/usr/bin</filename>, making sure that you
187	backup any existing copy first.
188	</para>
189	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
190	<para>
191	If you wish to run the tests, remove a test suite that is not valid on
192	Linux-based platforms:
193	</para>
194
195	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
196	-->
197	<para>
198	To test the results, issue: <command>make -j1 tests</command>.
199	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
200	</para>
201
202	<!-- commenting this, I get "all tests passed" [ ken ]
203	NB tests should be run as _user_ but the role in the comment is root
204
205	commenting [ bruce ]: There are a couple of tests that want root.
206	The log mentions that SUDO is not set. These skipped tests are
207	ignored and the end says 'all tests passed' even when not root
208
209	<para>
210	To run the test suite, issue the following commands:
211	</para>
212
213	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
214	grep FATAL check.log</userinput></screen>
215
216	<para>
217	If the above command produces no 'FATAL' errors, then proceed with the
218	installation, as the <systemitem class="username">root</systemitem> user:
219	</para>-->
220	<para>
221	Now, as the <systemitem class="username">root</systemitem> user:
222	</para>
223
224	<screen role="root"><userinput>make install &&
225	install -v -m755 contrib/ssh-copy-id /usr/bin &&
226
227	install -v -m644 contrib/ssh-copy-id.1 \
228	/usr/share/man/man1 &&
229	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
230	install -v -m644 INSTALL LICENCE OVERVIEW README* \
231	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
232	</sect2>
233
234	<sect2 role="commands">
235	<title>Command Explanations</title>
236
237	<para>
238	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
239	configuration files from being installed in
240	<filename class="directory">/usr/etc</filename>.
241	</para>
242
243	<!--
244	<para>
245	<parameter>-\-with-md5-passwords</parameter>: This enables the use of MD5
246	passwords.
247	</para>
248	-->
249
250	<para>
251	<parameter>--with-default-path=/usr/bin</parameter> and
252	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
253	These set <envar>PATH</envar> consistent with LFS and BLFS
254	<application>Shadow</application> package.
255	</para>
256
257	<para>
258	<parameter>--with-pid-dir=/run</parameter>: This prevents
259	<application>OpenSSH</application> from referring to deprecated
260	<filename class="directory">/var/run</filename>.
261	</para>
262
263	<para>
264	<option>--with-pam</option>: This parameter enables
265	<application>Linux-PAM</application> support in the build.
266	</para>
267
268	<para>
269	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
270	location for the <command>xauth</command> binary for X authentication.
271	Change the location if <command>xauth</command> will be installed to a
272	different path. This can also be controlled from
273	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
274	omit this switch if <application>Xorg</application> is already installed.
275	</para>
276
277	<para>
278	<option>--with-kerberos5=/usr</option>: This option is used to
279	include Kerberos 5 support in the build.
280	</para>
281
282	<para>
283	<option>--with-libedit</option>: This option enables line editing
284	and history features for <command>sftp</command>.
285	</para>
286
287	</sect2>
288
289	<sect2 role="configuration">
290	<title>Configuring OpenSSH</title>
291
292	<sect3 id="openssh-config">
293	<title>Config Files</title>
294
295	<para>
296	<filename>~/.ssh/*</filename>,
297	<filename>/etc/ssh/ssh_config</filename>, and
298	<filename>/etc/ssh/sshd_config</filename>
299	</para>
300
301	<indexterm zone="openssh openssh-config">
302	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
303	</indexterm>
304
305	<indexterm zone="openssh openssh-config">
306	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
307	</indexterm>
308
309	<indexterm zone="openssh openssh-config">
310	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
311	</indexterm>
312
313	<para>
314	There are no required changes to any of these files. However,
315	you may wish to view the
316	<filename class='directory'>/etc/ssh/</filename> files and make any
317	changes appropriate for the security of your system. One recommended
318	change is that you disable
319	<systemitem class='username'>root</systemitem> login via
320	<command>ssh</command>. Execute the following command as the
321	<systemitem class='username'>root</systemitem> user to disable
322	<systemitem class='username'>root</systemitem> login via
323	<command>ssh</command>:
324	</para>
325
326	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
327
328	<para>
329	If you want to be able to log in without typing in your password, first
330	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
331	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
332	~/.ssh/authorized_keys on the remote computer that you want to log into.
333	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
334	computer and you'll also need to enter your password for the ssh-copy-id command
335	to succeed:
336	</para>
337
338	<screen><userinput>ssh-keygen &&
339	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
340
341	<para>
342	Once you've got passwordless logins working it's actually more secure
343	than logging in with a password (as the private key is much longer than
344	most people's passwords). If you would like to now disable password
345	logins, as the <systemitem class="username">root</systemitem> user:
346	</para>
347
348
349	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
350	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
351
352	<para>
353	If you added <application>Linux-PAM</application> support and you want
354	ssh to use it then you will need to add a configuration file for
355	<application>sshd</application> and enable use of
356	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
357	passwords, if you've disabled password logins these commands are not
358	needed. If you want to use PAM, issue the following commands as the
359	<systemitem class='username'>root</systemitem> user:
360	</para>
361
362	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
363	chmod 644 /etc/pam.d/sshd &&
364	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
365
366	<para>
367	Additional configuration information can be found in the man
368	pages for <command>sshd</command>, <command>ssh</command> and
369	<command>ssh-agent</command>.
370	</para>
371	</sect3>
372
373	<sect3 id="openssh-init">
374	<title><phrase revision="sysv">Boot Script</phrase>
375	<phrase revision="systemd">Systemd Unit</phrase></title>
376
377	<para revision="sysv">
378	To start the SSH server at system boot, install the
379	<filename>/etc/rc.d/init.d/sshd</filename> init script included
380	in the <xref linkend="bootscripts"/> package.
381	</para>
382
383	<para revision="systemd">
384	To start the SSH server at system boot, install the
385	<filename>sshd.service</filename> unit included in the
386	<xref linkend="systemd-units"/> package.
387	</para>
388
389	<indexterm zone="openssh openssh-init">
390	<primary sortas="f-sshd">sshd</primary>
391	</indexterm>
392
393	<screen role="root"><userinput>make install-sshd</userinput></screen>
394	</sect3>
395	</sect2>
396
397	<sect2 role="content">
398	<title>Contents</title>
399
400	<segmentedlist>
401	<segtitle>Installed Programs</segtitle>
402	<segtitle>Installed Libraries</segtitle>
403	<segtitle>Installed Directories</segtitle>
404
405	<seglistitem>
406	<seg>
407	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
408	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
409	</seg>
410	<seg>
411	None
412	</seg>
413	<seg>
414	/etc/ssh,
415	/usr/share/doc/openssh-&openssh-version;, and
416	/var/lib/sshd
417	</seg>
418	</seglistitem>
419	</segmentedlist>
420
421	<variablelist>
422	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
423	<?dbfo list-presentation="list"?>
424	<?dbhtml list-presentation="table"?>
425
426	<varlistentry id="scp">
427	<term><command>scp</command></term>
428	<listitem>
429	<para>
430	is a file copy program that acts like <command>rcp</command> except
431	it uses an encrypted protocol
432	</para>
433	<indexterm zone="openssh scp">
434	<primary sortas="b-scp">scp</primary>
435	</indexterm>
436	</listitem>
437	</varlistentry>
438
439	<varlistentry id="sftp">
440	<term><command>sftp</command></term>
441	<listitem>
442	<para>
443	is an FTP-like program that works over the SSH1 and SSH2 protocols
444	</para>
445	<indexterm zone="openssh sftp">
446	<primary sortas="b-sftp">sftp</primary>
447	</indexterm>
448	</listitem>
449	</varlistentry>
450	<!-- Not installed anymore as of 8.5p1
451	<varlistentry id="slogin">
452	<term><command>slogin</command></term>
453	<listitem>
454	<para>
455	is a symlink to <command>ssh</command>
456	</para>
457	<indexterm zone="openssh slogin">
458	<primary sortas="b-slogin">slogin</primary>
459	</indexterm>
460	</listitem>
461	</varlistentry>
462	-->
463	<varlistentry id="ssh">
464	<term><command>ssh</command></term>
465	<listitem>
466	<para>
467	is an <command>rlogin</command>/<command>rsh</command>-like client
468	program except it uses an encrypted protocol
469	</para>
470	<indexterm zone="openssh ssh">
471	<primary sortas="b-ssh">ssh</primary>
472	</indexterm>
473	</listitem>
474	</varlistentry>
475
476	<varlistentry id="sshd">
477	<term><command>sshd</command></term>
478	<listitem>
479	<para>
480	is a daemon that listens for <command>ssh</command> login requests
481	</para>
482	<indexterm zone="openssh sshd">
483	<primary sortas="b-sshd">sshd</primary>
484	</indexterm>
485	</listitem>
486	</varlistentry>
487
488	<varlistentry id="ssh-add">
489	<term><command>ssh-add</command></term>
490	<listitem>
491	<para>
492	is a tool which adds keys to the <command>ssh-agent</command>
493	</para>
494	<indexterm zone="openssh ssh-add">
495	<primary sortas="b-ssh-add">ssh-add</primary>
496	</indexterm>
497	</listitem>
498	</varlistentry>
499
500	<varlistentry id="ssh-agent">
501	<term><command>ssh-agent</command></term>
502	<listitem>
503	<para>
504	is an authentication agent that can store private keys
505	</para>
506	<indexterm zone="openssh ssh-agent">
507	<primary sortas="b-ssh-agent">ssh-agent</primary>
508	</indexterm>
509	</listitem>
510	</varlistentry>
511
512	<varlistentry id="ssh-copy-id">
513	<term><command>ssh-copy-id</command></term>
514	<listitem>
515	<para>
516	is a script that enables logins on remote machines using local keys
517	</para>
518	<indexterm zone="openssh ssh-copy-id">
519	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
520	</indexterm>
521	</listitem>
522	</varlistentry>
523
524	<varlistentry id="ssh-keygen">
525	<term><command>ssh-keygen</command></term>
526	<listitem>
527	<para>
528	is a key generation tool
529	</para>
530	<indexterm zone="openssh ssh-keygen">
531	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
532	</indexterm>
533	</listitem>
534	</varlistentry>
535
536	<varlistentry id="ssh-keyscan">
537	<term><command>ssh-keyscan</command></term>
538	<listitem>
539	<para>
540	is a utility for gathering public host keys from a number of hosts
541	</para>
542	<indexterm zone="openssh ssh-keyscan">
543	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
544	</indexterm>
545	</listitem>
546	</varlistentry>
547
548	</variablelist>
549	</sect2>
550
551	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: