1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp " ">
10 <!ENTITY openssh-md5sum "&openssh-md5sum;">
11 <!ENTITY openssh-size "1.7 MB">
12 <!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
13 <!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
14 running the tests takes about 20 minutes,
15 irrespective of processor speed)">
16]>
17
18 <!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
19 <!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
20
21<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
22 <?dbhtml filename="openssh.html"?>
23
24 <title>OpenSSH-&openssh-version;</title>
25
26 <indexterm zone="openssh">
27 <primary sortas="a-OpenSSH">OpenSSH</primary>
28 </indexterm>
29
30 <sect2 role="package">
31 <title>Introduction to OpenSSH</title>
32
<para>
The <application>OpenSSH</application> package contains
<command>ssh</command> clients and the <command>sshd</command> daemon.
It encrypts both the authentication exchange and all subsequent traffic
over a network. The <command>ssh</command> and <command>scp</command>
commands are encrypted replacements for <command>telnet</command>
(and <command>rlogin</command>/<command>rsh</command>) and
<command>rcp</command> respectively.
</para>
41
42 &lfs120_checked;
43
44 <bridgehead renderas="sect3">Package Information</bridgehead>
45 <itemizedlist spacing="compact">
46 <listitem>
47 <para>
48 Download (HTTP): <ulink url="&openssh-download-http;"/>
49 </para>
50 </listitem>
51 <listitem>
52 <para>
53 Download (FTP): <ulink url="&openssh-download-ftp;"/>
54 </para>
55 </listitem>
56 <listitem>
<para>
Download MD5 sum: &openssh-md5sum;
(an MD5 sum only detects accidental corruption; to verify that the
tarball is genuine, also check the upstream release signature, the
<filename>.asc</filename> file published alongside the tarball)
</para>
60 </listitem>
61 <listitem>
62 <para>
63 Download size: &openssh-size;
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 Estimated disk space required: &openssh-buildsize;
69 </para>
70 </listitem>
71 <listitem>
72 <para>
73 Estimated build time: &openssh-time;
74 </para>
75 </listitem>
76 </itemizedlist>
77<!--
78 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
79 <itemizedlist spacing="compact">
80 <listitem>
81 <para>
82 Required patch:
83 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
84 </para>
85 </listitem>
86 </itemizedlist>
87-->
88 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Optional</bridgehead>
91 <para role="optional">
92 <xref linkend="gdb"/> (for tests),
93 <xref linkend="linux-pam"/> (PAM configuration files from
94 <xref linkend="shadow"/> are used to create openssh ones),
95 <xref linkend="xorg7-app"/> (or
96 <xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
97 <xref linkend="mitkrb"/>,
98 <xref linkend="which"/> (for tests),
99 <ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
100 <ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
101 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103 </para>
104
105 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106 <para role="optional">
107 <!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
108 <xref role="runtime" linkend="net-tools"/>, and
109 <xref role="runtime" linkend="sysstat"/>
110 </para>
111
112 <para condition="html" role="usernotes">
113 Editor Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114 </para>
115 </sect2>
116
117 <sect2 role="installation">
118 <title>Installation of OpenSSH</title>
119
<para>
<application>sshd</application> uses privilege separation: a privileged
monitor process keeps <systemitem class="username">root</systemitem>
privileges and performs only the operations that require them, while an
unprivileged child process, running as the dedicated
<systemitem class="username">sshd</systemitem> user and confined to
<filename class="directory">/var/lib/sshd</filename>, handles the network
traffic from clients that have not yet authenticated. That directory must
be owned by <systemitem class="username">root</systemitem> and not
writable by anyone else, which is why it is created with mode 700 below.
Create the directory, group and user by issuing the following commands as
the <systemitem class="username">root</systemitem> user:
</para>
128
129<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &amp;&amp;
130
131groupadd -g 50 sshd &amp;&amp;
132useradd -c 'sshd PrivSep' \
133 -d /var/lib/sshd \
134 -g sshd \
135 -s /bin/false \
136 -u 50 sshd</userinput></screen>
137<!--
138 <para>
139 Apply a patch to allow OpenSSH to build and function with
140 <application>Glibc-2.31</application> and later:
141 </para>
142
143<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
144-->
145
146<!-- Applied in 8.5p1
147 <para>
148 First, adapt <application>ssh-copy-id</application> to changes
149 in bash-5.1:
150 </para>
151
152<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
153
154 <para>
155 Next, fix an issue on platforms other than x86_64:
156 </para>
157 <screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
158 l1="#ifdef __NR_pselect6_time64"
159 l2=" SC_ALLOW(__NR_pselect6_time64),"
160 l3="#endif"
161 sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
162 -i sandbox-seccomp-filter.c
163fi</userinput></screen>
164-->
165 <para>
166 Install <application>OpenSSH</application> by running the following
167 commands:
168 </para>
169
170<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
171 block leaves an eyesore. -->
172<screen><userinput>./configure --prefix=/usr \
173 --sysconfdir=/etc/ssh \
174 --with-privsep-path=/var/lib/sshd \
175 --with-default-path=/usr/bin \
176 --with-superuser-path=/usr/sbin:/usr/bin \
177 --with-pid-dir=/run &amp;&amp;
178make</userinput></screen>
179
180<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
181 <para>
182 The test suite requires an installed copy of <command>scp</command> to
183 complete the multiplexing tests. To run the test suite, first copy the
184 <command>scp</command> program to
185 <filename class="directory">/usr/bin</filename>, making sure that you
186 backup any existing copy first.
187 </para>
188-->
189<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
190 <para>
191 If you wish to run the tests, remove a test suite that is not valid on
192 Linux-based platforms:
193 </para>
194
195<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
196-->
197 <para>
198 To test the results, issue: <command>make -j1 tests</command>.
199 <!--One test, <filename>key options</filename>, fails when run in chroot.-->
200 </para>
201
202<!-- commenting this, I get "all tests passed" [ ken ]
203 NB tests should be run as _user_ but the role in the comment is root
204
205 commenting [ bruce ]: There are a couple of tests that want root.
206 The log mentions that SUDO is not set. These skipped tests are
207 ignored and the end says 'all tests passed' even when not root
208
209 <para>
210 To run the test suite, issue the following commands:
211 </para>
212
213<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
214grep FATAL check.log</userinput></screen>
215
216 <para>
217 If the above command produces no 'FATAL' errors, then proceed with the
218 installation, as the <systemitem class="username">root</systemitem> user:
219 </para>-->
220 <para>
221 Now, as the <systemitem class="username">root</systemitem> user:
222 </para>
223
224<screen role="root"><userinput>make install &amp;&amp;
225install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
226
227install -v -m644 contrib/ssh-copy-id.1 \
228 /usr/share/man/man1 &amp;&amp;
229install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
230install -v -m644 INSTALL LICENCE OVERVIEW README* \
231 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
232 </sect2>
233
234 <sect2 role="commands">
235 <title>Command Explanations</title>
236
237 <para>
238 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
239 configuration files from being installed in
240 <filename class="directory">/usr/etc</filename>.
241 </para>
242
243 <para>
244 <parameter>--with-default-path=/usr/bin</parameter> and
245 <parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
246 These set <envar>PATH</envar> consistent with LFS and BLFS
247 <application>Shadow</application> package.
248 </para>
249
250 <para>
251 <parameter>--with-pid-dir=/run</parameter>: This prevents
252 <application>OpenSSH</application> from referring to deprecated
253 <filename class="directory">/var/run</filename>.
254 </para>
255<!--
256 <para>
257 <parameter>- -without-zlib-version-check</parameter>: This prevents
258 <application>OpenSSH</application> from checking the version of
259 the system <application>Zlib</application>. We need to use this
260 switch or the version check would mistakenly report the latest
261 <application>Zlib</application> 1.13 <quote>too old</quote> and
262 reject it.
263 </para>
264-->
265 <para>
266 <option>--with-pam</option>: This parameter enables
267 <application>Linux-PAM</application> support in the build.
268 </para>
269
270 <para>
271 <option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
272 location for the <command>xauth</command> binary for X authentication.
273 The environment variable <envar>XORG_PREFIX</envar> should be set
274 following <xref linkend='xorg-env'/>. This can also be controlled from
275 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
276 omit this switch if <application>Xorg</application> is already installed.
277 </para>
278
279 <para>
280 <option>--with-kerberos5=/usr</option>: This option is used to
281 include Kerberos 5 support in the build.
282 </para>
283
284 <para>
285 <option>--with-libedit</option>: This option enables line editing
286 and history features for <command>sftp</command>.
287 </para>
288
289 </sect2>
290
291 <sect2 role="configuration">
292 <title>Configuring OpenSSH</title>
293
294 <sect3 id="openssh-config">
295 <title>Config Files</title>
296
297 <para>
298 <filename>~/.ssh/*</filename>,
299 <filename>/etc/ssh/ssh_config</filename>, and
300 <filename>/etc/ssh/sshd_config</filename>
301 </para>
302
303 <indexterm zone="openssh openssh-config">
304 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
305 </indexterm>
306
307 <indexterm zone="openssh openssh-config">
308 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
309 </indexterm>
310
311 <indexterm zone="openssh openssh-config">
312 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
313 </indexterm>
314
<para>
There are no required changes to any of these files. However,
you may wish to view the
<filename class='directory'>/etc/ssh/</filename> files and make any
changes appropriate for the security of your system. One recommended
change is to disable <systemitem class='username'>root</systemitem>
login via <command>ssh</command> entirely. The shipped default,
<literal>PermitRootLogin prohibit-password</literal>, already refuses
password logins for <systemitem class='username'>root</systemitem> but
still permits key-based ones; setting it to <literal>no</literal>
refuses both. Note that <command>sshd</command> uses the first value it
finds for each keyword, so a line appended to the end of
<filename>sshd_config</filename> only takes effect if nothing earlier in
the file (or in an included drop-in file) already sets that keyword;
confirm the effective setting afterwards with
<command>sshd -T | grep -i permitrootlogin</command>. Execute the
following command as the <systemitem class='username'>root</systemitem>
user to disable <systemitem class='username'>root</systemitem> login via
<command>ssh</command>:
</para>
327
328<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
329
<para>
If you want to be able to log in without typing in your password, first
create a key pair with <command>ssh-keygen</command>. Ed25519 keys are
recommended; the <command>ssh-copy-id</command> line below assumes the
pair is <filename>~/.ssh/id_ed25519</filename> and
<filename>~/.ssh/id_ed25519.pub</filename>, so pass
<option>-t ed25519</option> if your <command>ssh-keygen</command>
defaults to another key type. Protect the private key with a passphrase
when prompted, since anyone who obtains the unencrypted file can log in
as you. Then append the public key to
<filename>~/.ssh/authorized_keys</filename> on the remote computer that
you want to log into, which is what <command>ssh-copy-id</command> does.
Replace REMOTE_USERNAME and REMOTE_HOSTNAME with the username and hostname
of the remote computer; you will need to enter your password for the
<command>ssh-copy-id</command> command to succeed, and on the first
connection you should compare the host key fingerprint it shows against
one obtained from the remote computer through another channel:
</para>
339
<screen role='nodump'><userinput>ssh-keygen -t ed25519 &amp;&amp;
ssh-copy-id -i ~/.ssh/id_ed25519.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
342
<para>
Key-based login is more secure than password login: the private key is
never sent to the server, and it cannot be guessed by an online
brute-force attack the way a short password can. Before disabling
password logins, confirm from a separate session that key-based login
works, otherwise you can lock yourself out of a remote machine. To
disable password logins, as the
<systemitem class="username">root</systemitem> user:
</para>
349
350
351<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
352echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
353
<para>
If you added <application>Linux-PAM</application> support and you want
<command>sshd</command> to use it, you will need to add a PAM
configuration file for <application>sshd</application> and enable
<application>Linux-PAM</application> in <filename>sshd_config</filename>.
With <literal>UsePAM yes</literal>, <command>sshd</command> uses PAM to
check passwords for password and keyboard-interactive logins, and it
also runs the PAM <literal>account</literal> and
<literal>session</literal> stacks for every login, including key-based
ones, so PAM can still enforce locked or expired accounts and session
limits even when password logins are disabled. If you have disabled
password logins and do not want that account and session processing,
these commands are not needed. The commands below derive the
<command>sshd</command> PAM configuration from the one for
<command>login</command>; review the result, since rules written for
console logins are not necessarily appropriate for network logins. If
you want to use PAM, issue the following commands as the
<systemitem class='username'>root</systemitem> user:
</para>
363
364<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
365chmod 644 /etc/pam.d/sshd &amp;&amp;
366echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
367
368 <para>
369 Additional configuration information can be found in the man
370 pages for <command>sshd</command>, <command>ssh</command> and
371 <command>ssh-agent</command>.
372 </para>
373 </sect3>
374
375 <sect3 id="openssh-init">
376 <title><phrase revision="sysv">Boot Script</phrase>
377 <phrase revision="systemd">Systemd Unit</phrase></title>
378
379 <para revision="sysv">
380 To start the SSH server at system boot, install the
381 <filename>/etc/rc.d/init.d/sshd</filename> init script included
382 in the <xref linkend="bootscripts"/> package.
383 </para>
384
385 <para revision="systemd">
386 To start the SSH server at system boot, install the
387 <filename>sshd.service</filename> unit included in the
388 <xref linkend="systemd-units"/> package.
389 </para>
390
391 <indexterm zone="openssh openssh-init">
392 <primary sortas="f-sshd">sshd</primary>
393 </indexterm>
394
395<screen role="root"><userinput>make install-sshd</userinput></screen>
396 </sect3>
397 </sect2>
398
399 <sect2 role="content">
400 <title>Contents</title>
401
402 <segmentedlist>
403 <segtitle>Installed Programs</segtitle>
404 <segtitle>Installed Libraries</segtitle>
405 <segtitle>Installed Directories</segtitle>
406
407 <seglistitem>
408 <seg>
409 scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
410 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
411 </seg>
412 <seg>
413 None
414 </seg>
415 <seg>
416 /etc/ssh,
417 /usr/share/doc/openssh-&openssh-version;, and
418 /var/lib/sshd
419 </seg>
420 </seglistitem>
421 </segmentedlist>
422
423 <variablelist>
424 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
425 <?dbfo list-presentation="list"?>
426 <?dbhtml list-presentation="table"?>
427
428 <varlistentry id="scp">
429 <term><command>scp</command></term>
430 <listitem>
431 <para>
432 is a file copy program that acts like <command>rcp</command> except
433 it uses an encrypted protocol
434 </para>
435 <indexterm zone="openssh scp">
436 <primary sortas="b-scp">scp</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="sftp">
442 <term><command>sftp</command></term>
443 <listitem>
<para>
is an FTP-like program that runs over the SSH2 protocol (the legacy SSH1
protocol is no longer supported by <application>OpenSSH</application>)
</para>
447 <indexterm zone="openssh sftp">
448 <primary sortas="b-sftp">sftp</primary>
449 </indexterm>
450 </listitem>
451 </varlistentry>
452<!-- Not installed anymore as of 8.5p1
453 <varlistentry id="slogin">
454 <term><command>slogin</command></term>
455 <listitem>
456 <para>
457 is a symlink to <command>ssh</command>
458 </para>
459 <indexterm zone="openssh slogin">
460 <primary sortas="b-slogin">slogin</primary>
461 </indexterm>
462 </listitem>
463 </varlistentry>
464-->
465 <varlistentry id="ssh">
466 <term><command>ssh</command></term>
467 <listitem>
468 <para>
469 is an <command>rlogin</command>/<command>rsh</command>-like client
470 program except it uses an encrypted protocol
471 </para>
472 <indexterm zone="openssh ssh">
473 <primary sortas="b-ssh">ssh</primary>
474 </indexterm>
475 </listitem>
476 </varlistentry>
477
478 <varlistentry id="sshd">
479 <term><command>sshd</command></term>
480 <listitem>
481 <para>
482 is a daemon that listens for <command>ssh</command> login requests
483 </para>
484 <indexterm zone="openssh sshd">
485 <primary sortas="b-sshd">sshd</primary>
486 </indexterm>
487 </listitem>
488 </varlistentry>
489
490 <varlistentry id="ssh-add">
491 <term><command>ssh-add</command></term>
492 <listitem>
493 <para>
494 is a tool which adds keys to the <command>ssh-agent</command>
495 </para>
496 <indexterm zone="openssh ssh-add">
497 <primary sortas="b-ssh-add">ssh-add</primary>
498 </indexterm>
499 </listitem>
500 </varlistentry>
501
502 <varlistentry id="ssh-agent">
503 <term><command>ssh-agent</command></term>
504 <listitem>
505 <para>
506 is an authentication agent that can store private keys
507 </para>
508 <indexterm zone="openssh ssh-agent">
509 <primary sortas="b-ssh-agent">ssh-agent</primary>
510 </indexterm>
511 </listitem>
512 </varlistentry>
513
514 <varlistentry id="ssh-copy-id">
515 <term><command>ssh-copy-id</command></term>
516 <listitem>
517 <para>
518 is a script that enables logins on remote machines using local keys
519 </para>
520 <indexterm zone="openssh ssh-copy-id">
521 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
522 </indexterm>
523 </listitem>
524 </varlistentry>
525
526 <varlistentry id="ssh-keygen">
527 <term><command>ssh-keygen</command></term>
528 <listitem>
529 <para>
530 is a key generation tool
531 </para>
532 <indexterm zone="openssh ssh-keygen">
533 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
534 </indexterm>
535 </listitem>
536 </varlistentry>
537
538 <varlistentry id="ssh-keyscan">
539 <term><command>ssh-keyscan</command></term>
540 <listitem>
541 <para>
542 is a utility for gathering public host keys from a number of hosts
543 </para>
544 <indexterm zone="openssh ssh-keyscan">
545 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
546 </indexterm>
547 </listitem>
548 </varlistentry>
549
550 </variablelist>
551 </sect2>
552
553</sect1>