Context Navigation

openssh.xml@ 8a11fa5

Visit:

12.1 ken/TL2024 ken/tuningfonts lazarus plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18

Last change on this file since 8a11fa5 was 0391649, checked in by Pierre Labastie <pierre.labastie@…>, 10 months ago

Mention shadow in openssh dependencies

PAM config file from shadow is used to create the sshd one.

Property mode set to 100644

File size: 19.6 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "&openssh-md5sum;">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 20 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
21	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
22
23	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
24	<?dbhtml filename="openssh.html"?>
25
26	<title>OpenSSH-&openssh-version;</title>
27
28	<indexterm zone="openssh">
29	<primary sortas="a-OpenSSH">OpenSSH</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to OpenSSH</title>
34
35	<para>
36	The <application>OpenSSH</application> package contains
37	<command>ssh</command> clients and the <command>sshd</command> daemon.
38	This is useful for encrypting authentication and subsequent traffic over
39	a network. The <command>ssh</command> and <command>scp</command> commands
40	are secure implementations of <command>telnet</command> and
41	<command>rcp</command> respectively.
42	</para>
43
44	&lfs120_checked;
45
46	<bridgehead renderas="sect3">Package Information</bridgehead>
47	<itemizedlist spacing="compact">
48	<listitem>
49	<para>
50	Download (HTTP): <ulink url="&openssh-download-http;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download (FTP): <ulink url="&openssh-download-ftp;"/>
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download MD5 sum: &openssh-md5sum;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Download size: &openssh-size;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated disk space required: &openssh-buildsize;
71	</para>
72	</listitem>
73	<listitem>
74	<para>
75	Estimated build time: &openssh-time;
76	</para>
77	</listitem>
78	</itemizedlist>
79	<!--
80	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
81	<itemizedlist spacing="compact">
82	<listitem>
83	<para>
84	Required patch:
85	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
86	</para>
87	</listitem>
88	</itemizedlist>
89	-->
90	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
91
92	<bridgehead renderas="sect4">Optional</bridgehead>
93	<para role="optional">
94	<xref linkend="gdb"/> (for tests),
95	<xref linkend="linux-pam"/> (PAM configuration files from
96	<xref linkend="shadow"/> are used to create openssh ones),
97	<xref linkend="xorg7-app"/> (or
98	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
99	<xref linkend="mitkrb"/>,
100	<xref linkend="which"/> (for tests),
101	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
102	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
103	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
104	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
105	</para>
106
107	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
108	<para role="optional">
109	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
110	<xref role="runtime" linkend="net-tools"/>, and
111	<xref role="runtime" linkend="sysstat"/>
112	</para>
113
114	<para condition="html" role="usernotes">
115	Editor Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
116	</para>
117	</sect2>
118
119	<sect2 role="installation">
120	<title>Installation of OpenSSH</title>
121
122	<para>
123	<application>OpenSSH</application> runs as two processes when connecting
124	to other computers. The first process is a privileged process and controls
125	the issuance of privileges as necessary. The second process communicates
126	with the network. Additional installation steps are necessary to set up
127	the proper environment, which are performed by issuing the following
128	commands as the <systemitem class="username">root</systemitem> user:
129	</para>
130
131	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
132
133	groupadd -g 50 sshd &&
134	useradd -c 'sshd PrivSep' \
135	-d /var/lib/sshd \
136	-g sshd \
137	-s /bin/false \
138	-u 50 sshd</userinput></screen>
139	<!--
140	<para>
141	Apply a patch to allow OpenSSH to build and function with
142	<application>Glibc-2.31</application> and later:
143	</para>
144
145	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146	-->
147
148	<!-- Applied in 8.5p1
149	<para>
150	First, adapt <application>ssh-copy-id</application> to changes
151	in bash-5.1:
152	</para>
153
154	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
155
156	<para>
157	Next, fix an issue on platforms other than x86_64:
158	</para>
159	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
160	l1="#ifdef __NR_pselect6_time64"
161	l2=" SC_ALLOW(__NR_pselect6_time64),"
162	l3="#endif"
163	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
164	-i sandbox-seccomp-filter.c
165	fi</userinput></screen>
166	-->
167	<para>
168	Install <application>OpenSSH</application> by running the following
169	commands:
170	</para>
171
172	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
173	block leaves an eyesore. -->
174	<screen><userinput>./configure --prefix=/usr \
175	--sysconfdir=/etc/ssh \
176	--with-privsep-path=/var/lib/sshd \
177	--with-default-path=/usr/bin \
178	--with-superuser-path=/usr/sbin:/usr/bin \
179	--with-pid-dir=/run \
180	--without-zlib-version-check &&
181	make</userinput></screen>
182
183	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
184	<para>
185	The test suite requires an installed copy of <command>scp</command> to
186	complete the multiplexing tests. To run the test suite, first copy the
187	<command>scp</command> program to
188	<filename class="directory">/usr/bin</filename>, making sure that you
189	backup any existing copy first.
190	</para>
191	-->
192	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
193	<para>
194	If you wish to run the tests, remove a test suite that is not valid on
195	Linux-based platforms:
196	</para>
197
198	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
199	-->
200	<para>
201	To test the results, issue: <command>make -j1 tests</command>.
202	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
203	</para>
204
205	<!-- commenting this, I get "all tests passed" [ ken ]
206	NB tests should be run as _user_ but the role in the comment is root
207
208	commenting [ bruce ]: There are a couple of tests that want root.
209	The log mentions that SUDO is not set. These skipped tests are
210	ignored and the end says 'all tests passed' even when not root
211
212	<para>
213	To run the test suite, issue the following commands:
214	</para>
215
216	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
217	grep FATAL check.log</userinput></screen>
218
219	<para>
220	If the above command produces no 'FATAL' errors, then proceed with the
221	installation, as the <systemitem class="username">root</systemitem> user:
222	</para>-->
223	<para>
224	Now, as the <systemitem class="username">root</systemitem> user:
225	</para>
226
227	<screen role="root"><userinput>make install &&
228	install -v -m755 contrib/ssh-copy-id /usr/bin &&
229
230	install -v -m644 contrib/ssh-copy-id.1 \
231	/usr/share/man/man1 &&
232	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
233	install -v -m644 INSTALL LICENCE OVERVIEW README* \
234	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
235	</sect2>
236
237	<sect2 role="commands">
238	<title>Command Explanations</title>
239
240	<para>
241	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
242	configuration files from being installed in
243	<filename class="directory">/usr/etc</filename>.
244	</para>
245
246	<para>
247	<parameter>--with-default-path=/usr/bin</parameter> and
248	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
249	These set <envar>PATH</envar> consistent with LFS and BLFS
250	<application>Shadow</application> package.
251	</para>
252
253	<para>
254	<parameter>--with-pid-dir=/run</parameter>: This prevents
255	<application>OpenSSH</application> from referring to deprecated
256	<filename class="directory">/var/run</filename>.
257	</para>
258
259	<para>
260	<parameter>--without-zlib-version-check</parameter>: This prevents
261	<application>OpenSSH</application> from checking the version of
262	the system <application>Zlib</application>. We need to use this
263	switch or the version check would mistakenly report the latest
264	<application>Zlib</application> 1.13 <quote>too old</quote> and
265	reject it.
266	</para>
267
268	<para>
269	<option>--with-pam</option>: This parameter enables
270	<application>Linux-PAM</application> support in the build.
271	</para>
272
273	<para>
274	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
275	location for the <command>xauth</command> binary for X authentication.
276	The environment variable <envar>XORG_PREFIX</envar> should be set
277	following <xref linkend='xorg-env'/>. This can also be controlled from
278	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
279	omit this switch if <application>Xorg</application> is already installed.
280	</para>
281
282	<para>
283	<option>--with-kerberos5=/usr</option>: This option is used to
284	include Kerberos 5 support in the build.
285	</para>
286
287	<para>
288	<option>--with-libedit</option>: This option enables line editing
289	and history features for <command>sftp</command>.
290	</para>
291
292	</sect2>
293
294	<sect2 role="configuration">
295	<title>Configuring OpenSSH</title>
296
297	<sect3 id="openssh-config">
298	<title>Config Files</title>
299
300	<para>
301	<filename>~/.ssh/*</filename>,
302	<filename>/etc/ssh/ssh_config</filename>, and
303	<filename>/etc/ssh/sshd_config</filename>
304	</para>
305
306	<indexterm zone="openssh openssh-config">
307	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
308	</indexterm>
309
310	<indexterm zone="openssh openssh-config">
311	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
312	</indexterm>
313
314	<indexterm zone="openssh openssh-config">
315	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
316	</indexterm>
317
318	<para>
319	There are no required changes to any of these files. However,
320	you may wish to view the
321	<filename class='directory'>/etc/ssh/</filename> files and make any
322	changes appropriate for the security of your system. One recommended
323	change is that you disable
324	<systemitem class='username'>root</systemitem> login via
325	<command>ssh</command>. Execute the following command as the
326	<systemitem class='username'>root</systemitem> user to disable
327	<systemitem class='username'>root</systemitem> login via
328	<command>ssh</command>:
329	</para>
330
331	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
332
333	<para>
334	If you want to be able to log in without typing in your password, first
335	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
336	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
337	~/.ssh/authorized_keys on the remote computer that you want to log into.
338	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
339	computer and you'll also need to enter your password for the ssh-copy-id command
340	to succeed:
341	</para>
342
343	<screen><userinput>ssh-keygen &&
344	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
345
346	<para>
347	Once you've got passwordless logins working it's actually more secure
348	than logging in with a password (as the private key is much longer than
349	most people's passwords). If you would like to now disable password
350	logins, as the <systemitem class="username">root</systemitem> user:
351	</para>
352
353
354	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
355	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
356
357	<para>
358	If you added <application>Linux-PAM</application> support and you want
359	ssh to use it then you will need to add a configuration file for
360	<application>sshd</application> and enable use of
361	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
362	passwords, if you've disabled password logins these commands are not
363	needed. If you want to use PAM, issue the following commands as the
364	<systemitem class='username'>root</systemitem> user:
365	</para>
366
367	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
368	chmod 644 /etc/pam.d/sshd &&
369	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
370
371	<para>
372	Additional configuration information can be found in the man
373	pages for <command>sshd</command>, <command>ssh</command> and
374	<command>ssh-agent</command>.
375	</para>
376	</sect3>
377
378	<sect3 id="openssh-init">
379	<title><phrase revision="sysv">Boot Script</phrase>
380	<phrase revision="systemd">Systemd Unit</phrase></title>
381
382	<para revision="sysv">
383	To start the SSH server at system boot, install the
384	<filename>/etc/rc.d/init.d/sshd</filename> init script included
385	in the <xref linkend="bootscripts"/> package.
386	</para>
387
388	<para revision="systemd">
389	To start the SSH server at system boot, install the
390	<filename>sshd.service</filename> unit included in the
391	<xref linkend="systemd-units"/> package.
392	</para>
393
394	<indexterm zone="openssh openssh-init">
395	<primary sortas="f-sshd">sshd</primary>
396	</indexterm>
397
398	<screen role="root"><userinput>make install-sshd</userinput></screen>
399	</sect3>
400	</sect2>
401
402	<sect2 role="content">
403	<title>Contents</title>
404
405	<segmentedlist>
406	<segtitle>Installed Programs</segtitle>
407	<segtitle>Installed Libraries</segtitle>
408	<segtitle>Installed Directories</segtitle>
409
410	<seglistitem>
411	<seg>
412	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
413	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
414	</seg>
415	<seg>
416	None
417	</seg>
418	<seg>
419	/etc/ssh,
420	/usr/share/doc/openssh-&openssh-version;, and
421	/var/lib/sshd
422	</seg>
423	</seglistitem>
424	</segmentedlist>
425
426	<variablelist>
427	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
428	<?dbfo list-presentation="list"?>
429	<?dbhtml list-presentation="table"?>
430
431	<varlistentry id="scp">
432	<term><command>scp</command></term>
433	<listitem>
434	<para>
435	is a file copy program that acts like <command>rcp</command> except
436	it uses an encrypted protocol
437	</para>
438	<indexterm zone="openssh scp">
439	<primary sortas="b-scp">scp</primary>
440	</indexterm>
441	</listitem>
442	</varlistentry>
443
444	<varlistentry id="sftp">
445	<term><command>sftp</command></term>
446	<listitem>
447	<para>
448	is an FTP-like program that works over the SSH1 and SSH2 protocols
449	</para>
450	<indexterm zone="openssh sftp">
451	<primary sortas="b-sftp">sftp</primary>
452	</indexterm>
453	</listitem>
454	</varlistentry>
455	<!-- Not installed anymore as of 8.5p1
456	<varlistentry id="slogin">
457	<term><command>slogin</command></term>
458	<listitem>
459	<para>
460	is a symlink to <command>ssh</command>
461	</para>
462	<indexterm zone="openssh slogin">
463	<primary sortas="b-slogin">slogin</primary>
464	</indexterm>
465	</listitem>
466	</varlistentry>
467	-->
468	<varlistentry id="ssh">
469	<term><command>ssh</command></term>
470	<listitem>
471	<para>
472	is an <command>rlogin</command>/<command>rsh</command>-like client
473	program except it uses an encrypted protocol
474	</para>
475	<indexterm zone="openssh ssh">
476	<primary sortas="b-ssh">ssh</primary>
477	</indexterm>
478	</listitem>
479	</varlistentry>
480
481	<varlistentry id="sshd">
482	<term><command>sshd</command></term>
483	<listitem>
484	<para>
485	is a daemon that listens for <command>ssh</command> login requests
486	</para>
487	<indexterm zone="openssh sshd">
488	<primary sortas="b-sshd">sshd</primary>
489	</indexterm>
490	</listitem>
491	</varlistentry>
492
493	<varlistentry id="ssh-add">
494	<term><command>ssh-add</command></term>
495	<listitem>
496	<para>
497	is a tool which adds keys to the <command>ssh-agent</command>
498	</para>
499	<indexterm zone="openssh ssh-add">
500	<primary sortas="b-ssh-add">ssh-add</primary>
501	</indexterm>
502	</listitem>
503	</varlistentry>
504
505	<varlistentry id="ssh-agent">
506	<term><command>ssh-agent</command></term>
507	<listitem>
508	<para>
509	is an authentication agent that can store private keys
510	</para>
511	<indexterm zone="openssh ssh-agent">
512	<primary sortas="b-ssh-agent">ssh-agent</primary>
513	</indexterm>
514	</listitem>
515	</varlistentry>
516
517	<varlistentry id="ssh-copy-id">
518	<term><command>ssh-copy-id</command></term>
519	<listitem>
520	<para>
521	is a script that enables logins on remote machines using local keys
522	</para>
523	<indexterm zone="openssh ssh-copy-id">
524	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
525	</indexterm>
526	</listitem>
527	</varlistentry>
528
529	<varlistentry id="ssh-keygen">
530	<term><command>ssh-keygen</command></term>
531	<listitem>
532	<para>
533	is a key generation tool
534	</para>
535	<indexterm zone="openssh ssh-keygen">
536	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
537	</indexterm>
538	</listitem>
539	</varlistentry>
540
541	<varlistentry id="ssh-keyscan">
542	<term><command>ssh-keyscan</command></term>
543	<listitem>
544	<para>
545	is a utility for gathering public host keys from a number of hosts
546	</para>
547	<indexterm zone="openssh ssh-keyscan">
548	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
549	</indexterm>
550	</listitem>
551	</varlistentry>
552
553	</variablelist>
554	</sect2>
555
556	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh.xml@ 8a11fa5

Download in other formats: