Context Navigation

openssh.xml@ 9556a94

Visit:

11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 9556a94 was 9556a94, checked in by Douglas R. Reno <renodr@…>, 2 years ago

Package updates:

Update to libinput-1.19.1
Update to openssh-8.8p1 (alongside ssh-askpass-8.8p1)
Update to cifs-utils-6.14
Update to NetworkManager-1.32.12

Property mode set to 100644

File size: 18.8 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "8ce5f390958baeeab635aafd0ef41453">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "48 MB (add 34 MB for tests)">
15	<!ENTITY openssh-time "0.3 SBU (Using parallelism=4;
16	running the tests takes 20+ minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23	<sect1info>
24	<date>$Date$</date>
25	</sect1info>
26
27	<title>OpenSSH-&openssh-version;</title>
28
29	<indexterm zone="openssh">
30	<primary sortas="a-OpenSSH">OpenSSH</primary>
31	</indexterm>
32
33	<sect2 role="package">
34	<title>Introduction to OpenSSH</title>
35
36	<para>
37	The <application>OpenSSH</application> package contains
38	<command>ssh</command> clients and the <command>sshd</command> daemon.
39	This is useful for encrypting authentication and subsequent traffic over
40	a network. The <command>ssh</command> and <command>scp</command> commands
41	are secure implementations of <command>telnet</command> and
42	<command>rcp</command> respectively.
43	</para>
44
45	&lfs110a_checked;
46
47	<bridgehead renderas="sect3">Package Information</bridgehead>
48	<itemizedlist spacing="compact">
49	<listitem>
50	<para>
51	Download (HTTP): <ulink url="&openssh-download-http;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download (FTP): <ulink url="&openssh-download-ftp;"/>
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download MD5 sum: &openssh-md5sum;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Download size: &openssh-size;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated disk space required: &openssh-buildsize;
72	</para>
73	</listitem>
74	<listitem>
75	<para>
76	Estimated build time: &openssh-time;
77	</para>
78	</listitem>
79	</itemizedlist>
80	<!--
81	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
82	<itemizedlist spacing="compact">
83	<listitem>
84	<para>
85	Required patch:
86	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
87	</para>
88	</listitem>
89	</itemizedlist>
90	-->
91	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93	<bridgehead renderas="sect4">Optional</bridgehead>
94	<para role="optional">
95	<xref linkend="gdb"/> (for tests),
96	<xref linkend="linux-pam"/>,
97	<xref linkend="x-window-system"/>,
98	<xref linkend="mitkrb"/>,
99	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
100	<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
101	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103	</para>
104
105	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106	<para role="optional">
107	<xref role="runtime" linkend="openjdk"/>,
108	<xref role="runtime" linkend="net-tools"/>, and
109	<xref role="runtime" linkend="sysstat"/>
110	</para>
111
112	<para condition="html" role="usernotes">
113	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114	</para>
115	</sect2>
116
117	<sect2 role="installation">
118	<title>Installation of OpenSSH</title>
119
120	<para>
121	<application>OpenSSH</application> runs as two processes when connecting
122	to other computers. The first process is a privileged process and controls
123	the issuance of privileges as necessary. The second process communicates
124	with the network. Additional installation steps are necessary to set up
125	the proper environment, which are performed by issuing the following
126	commands as the <systemitem class="username">root</systemitem> user:
127	</para>
128
129	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
130	chown -v root:sys /var/lib/sshd &&
131
132	groupadd -g 50 sshd &&
133	useradd -c 'sshd PrivSep' \
134	-d /var/lib/sshd \
135	-g sshd \
136	-s /bin/false \
137	-u 50 sshd</userinput></screen>
138	<!--
139	<para>
140	Apply a patch to allow OpenSSH to build and function with
141	<application>Glibc-2.31</application> and later:
142	</para>
143
144	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145	-->
146
147	<!-- Applied in 8.5p1
148	<para>
149	First, adapt <application>ssh-copy-id</application> to changes
150	in bash-5.1:
151	</para>
152
153	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155	<para>
156	Next, fix an issue on platforms other than x86_64:
157	</para>
158	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159	l1="#ifdef __NR_pselect6_time64"
160	l2=" SC_ALLOW(__NR_pselect6_time64),"
161	l3="#endif"
162	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163	-i sandbox-seccomp-filter.c
164	fi</userinput></screen>
165	-->
166	<para>
167	Install <application>OpenSSH</application> by running the following
168	commands:
169	</para>
170
171	<screen><userinput>./configure --prefix=/usr \
172	--sysconfdir=/etc/ssh \
173	--with-md5-passwords \
174	--with-privsep-path=/var/lib/sshd \
175	--with-default-path=/usr/bin \
176	--with-superuser-path=/usr/sbin:/usr/bin \
177	--with-pid-dir=/run
178	make</userinput></screen>
179
180	<para>
181	The testsuite requires an installed copy of <command>scp</command> to
182	complete the multiplexing tests. To run the test suite, first copy the
183	<command>scp</command> program to
184	<filename class="directory">/usr/bin</filename>, making sure that you
185	backup any existing copy first.
186	</para>
187
188	<para>
189	If you wish to run the tests, remove a test suite that is not valid on
190	Linux-based platforms:
191	</para>
192
193	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
194
195	<para>
196	To test the results, issue: <command>make -j1 tests</command>.
197	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
198	</para>
199
200	<!-- commenting this, I get "all tests passed" [ ken ]
201	NB tests should be run as _user_ but the role in the comment is root
202
203	commenting [ bruce ]: There are a couple of tests that want root.
204	The log mentions that SUDO is not set. These skipped tests are
205	ignored and the end says 'all tests passed' even when not root
206
207	<para>
208	To run the test suite, issue the following commands:
209	</para>
210
211	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
212	grep FATAL check.log</userinput></screen>
213
214	<para>
215	If the above command produces no 'FATAL' errors, then proceed with the
216	installation, as the <systemitem class="username">root</systemitem> user:
217	</para>-->
218	<para>
219	Now, as the <systemitem class="username">root</systemitem> user:
220	</para>
221
222	<screen role="root"><userinput>make install &&
223	install -v -m755 contrib/ssh-copy-id /usr/bin &&
224
225	install -v -m644 contrib/ssh-copy-id.1 \
226	/usr/share/man/man1 &&
227	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
228	install -v -m644 INSTALL LICENCE OVERVIEW README* \
229	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
230	</sect2>
231
232	<sect2 role="commands">
233	<title>Command Explanations</title>
234
235	<para>
236	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
237	configuration files from being installed in
238	<filename class="directory">/usr/etc</filename>.
239	</para>
240
241	<para>
242	<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
243	passwords.
244	</para>
245
246	<para>
247	<parameter>--with-default-path=/usr/bin</parameter> and
248	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
249	These set <envar>PATH</envar> consistent with LFS and BLFS
250	<application>Shadow</application> package.
251	</para>
252
253	<para>
254	<parameter>--with-pid-dir=/run</parameter>: This prevents
255	<application>OpenSSH</application> from refering to deprecated
256	<filename class="directory">/var/run</filename>.
257	</para>
258
259	<para>
260	<option>--with-pam</option>: This parameter enables
261	<application>Linux-PAM</application> support in the build.
262	</para>
263
264	<para>
265	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
266	location for the <command>xauth</command> binary for X authentication.
267	Change the location if <command>xauth</command> will be installed to a
268	different path. This can also be controlled from
269	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
270	omit this switch if <application>Xorg</application> is already installed.
271	</para>
272
273	<para>
274	<option>--with-kerberos5=/usr</option>: This option is used to
275	include Kerberos 5 support in the build.
276	</para>
277
278	<para>
279	<option>--with-libedit</option>: This option enables line editing
280	and history features for <command>sftp</command>.
281	</para>
282
283	</sect2>
284
285	<sect2 role="configuration">
286	<title>Configuring OpenSSH</title>
287
288	<sect3 id="openssh-config">
289	<title>Config Files</title>
290
291	<para>
292	<filename>~/.ssh/*</filename>,
293	<filename>/etc/ssh/ssh_config</filename>, and
294	<filename>/etc/ssh/sshd_config</filename>
295	</para>
296
297	<indexterm zone="openssh openssh-config">
298	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
299	</indexterm>
300
301	<indexterm zone="openssh openssh-config">
302	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
303	</indexterm>
304
305	<indexterm zone="openssh openssh-config">
306	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
307	</indexterm>
308
309	<para>
310	There are no required changes to any of these files. However,
311	you may wish to view the
312	<filename class='directory'>/etc/ssh/</filename> files and make any
313	changes appropriate for the security of your system. One recommended
314	change is that you disable
315	<systemitem class='username'>root</systemitem> login via
316	<command>ssh</command>. Execute the following command as the
317	<systemitem class='username'>root</systemitem> user to disable
318	<systemitem class='username'>root</systemitem> login via
319	<command>ssh</command>:
320	</para>
321
322	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
323
324	<para>
325	If you want to be able to log in without typing in your password, first
326	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
327	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
328	~/.ssh/authorized_keys on the remote computer that you want to log into.
329	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
330	computer and you'll also need to enter your password for the ssh-copy-id command
331	to succeed:
332	</para>
333
334	<screen><userinput>ssh-keygen &&
335	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
336
337	<para>
338	Once you've got passwordless logins working it's actually more secure
339	than logging in with a password (as the private key is much longer than
340	most people's passwords). If you would like to now disable password
341	logins, as the <systemitem class="username">root</systemitem> user:
342	</para>
343
344
345	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
346	echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
347
348	<para>
349	If you added <application>Linux-PAM</application> support and you want
350	ssh to use it then you will need to add a configuration file for
351	<application>sshd</application> and enable use of
352	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
353	passwords, if you've disabled password logins these commands are not
354	needed. If you want to use PAM, issue the following commands as the
355	<systemitem class='username'>root</systemitem> user:
356	</para>
357
358	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
359	chmod 644 /etc/pam.d/sshd &&
360	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
361
362	<para>
363	Additional configuration information can be found in the man
364	pages for <command>sshd</command>, <command>ssh</command> and
365	<command>ssh-agent</command>.
366	</para>
367	</sect3>
368
369	<sect3 id="openssh-init">
370	<title><phrase revision="sysv">Boot Script</phrase>
371	<phrase revision="systemd">Systemd Unit</phrase></title>
372
373	<para revision="sysv">
374	To start the SSH server at system boot, install the
375	<filename>/etc/rc.d/init.d/sshd</filename> init script included
376	in the <xref linkend="bootscripts"/> package.
377	</para>
378
379	<para revision="systemd">
380	To start the SSH server at system boot, install the
381	<filename>sshd.service</filename> unit included in the
382	<xref linkend="systemd-units"/> package.
383	</para>
384
385	<indexterm zone="openssh openssh-init">
386	<primary sortas="f-sshd">sshd</primary>
387	</indexterm>
388
389	<screen role="root"><userinput>make install-sshd</userinput></screen>
390	</sect3>
391	</sect2>
392
393	<sect2 role="content">
394	<title>Contents</title>
395
396	<segmentedlist>
397	<segtitle>Installed Programs</segtitle>
398	<segtitle>Installed Libraries</segtitle>
399	<segtitle>Installed Directories</segtitle>
400
401	<seglistitem>
402	<seg>
403	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
404	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
405	</seg>
406	<seg>
407	None
408	</seg>
409	<seg>
410	/etc/ssh,
411	/usr/share/doc/openssh-&openssh-version;, and
412	/var/lib/sshd
413	</seg>
414	</seglistitem>
415	</segmentedlist>
416
417	<variablelist>
418	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
419	<?dbfo list-presentation="list"?>
420	<?dbhtml list-presentation="table"?>
421
422	<varlistentry id="scp">
423	<term><command>scp</command></term>
424	<listitem>
425	<para>
426	is a file copy program that acts like <command>rcp</command> except
427	it uses an encrypted protocol
428	</para>
429	<indexterm zone="openssh scp">
430	<primary sortas="b-scp">scp</primary>
431	</indexterm>
432	</listitem>
433	</varlistentry>
434
435	<varlistentry id="sftp">
436	<term><command>sftp</command></term>
437	<listitem>
438	<para>
439	is an FTP-like program that works over the SSH1 and SSH2 protocols
440	</para>
441	<indexterm zone="openssh sftp">
442	<primary sortas="b-sftp">sftp</primary>
443	</indexterm>
444	</listitem>
445	</varlistentry>
446	<!-- Not installed anymore as of 8.5p1
447	<varlistentry id="slogin">
448	<term><command>slogin</command></term>
449	<listitem>
450	<para>
451	is a symlink to <command>ssh</command>
452	</para>
453	<indexterm zone="openssh slogin">
454	<primary sortas="b-slogin">slogin</primary>
455	</indexterm>
456	</listitem>
457	</varlistentry>
458	-->
459	<varlistentry id="ssh">
460	<term><command>ssh</command></term>
461	<listitem>
462	<para>
463	is an <command>rlogin</command>/<command>rsh</command>-like client
464	program except it uses an encrypted protocol
465	</para>
466	<indexterm zone="openssh ssh">
467	<primary sortas="b-ssh">ssh</primary>
468	</indexterm>
469	</listitem>
470	</varlistentry>
471
472	<varlistentry id="sshd">
473	<term><command>sshd</command></term>
474	<listitem>
475	<para>
476	is a daemon that listens for <command>ssh</command> login requests
477	</para>
478	<indexterm zone="openssh sshd">
479	<primary sortas="b-sshd">sshd</primary>
480	</indexterm>
481	</listitem>
482	</varlistentry>
483
484	<varlistentry id="ssh-add">
485	<term><command>ssh-add</command></term>
486	<listitem>
487	<para>
488	is a tool which adds keys to the <command>ssh-agent</command>
489	</para>
490	<indexterm zone="openssh ssh-add">
491	<primary sortas="b-ssh-add">ssh-add</primary>
492	</indexterm>
493	</listitem>
494	</varlistentry>
495
496	<varlistentry id="ssh-agent">
497	<term><command>ssh-agent</command></term>
498	<listitem>
499	<para>
500	is an authentication agent that can store private keys
501	</para>
502	<indexterm zone="openssh ssh-agent">
503	<primary sortas="b-ssh-agent">ssh-agent</primary>
504	</indexterm>
505	</listitem>
506	</varlistentry>
507
508	<varlistentry id="ssh-copy-id">
509	<term><command>ssh-copy-id</command></term>
510	<listitem>
511	<para>
512	is a script that enables logins on remote machines using local keys
513	</para>
514	<indexterm zone="openssh ssh-copy-id">
515	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
516	</indexterm>
517	</listitem>
518	</varlistentry>
519
520	<varlistentry id="ssh-keygen">
521	<term><command>ssh-keygen</command></term>
522	<listitem>
523	<para>
524	is a key generation tool
525	</para>
526	<indexterm zone="openssh ssh-keygen">
527	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
528	</indexterm>
529	</listitem>
530	</varlistentry>
531
532	<varlistentry id="ssh-keyscan">
533	<term><command>ssh-keyscan</command></term>
534	<listitem>
535	<para>
536	is a utility for gathering public host keys from a number of hosts
537	</para>
538	<indexterm zone="openssh ssh-keyscan">
539	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
540	</indexterm>
541	</listitem>
542	</varlistentry>
543
544	</variablelist>
545	</sect2>
546
547	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh.xml@ 9556a94

Download in other formats: