source: postlfs/security/openssh.xml@ a2c3ec79

Last change on this file since a2c3ec79 was a2c3ec79, checked in by Pierre Labastie <pieere@…>, 8 years ago

GCC 6 tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17334 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
11 <!ENTITY openssh-md5sum "13009a9156510d8f27e752659075cced">
12 <!ENTITY openssh-size "1.5 MB">
13 <!ENTITY openssh-buildsize "43 MB (51 MB, with tests)">
14 <!ENTITY openssh-time "0.4 SBU (running the tests takes 10+ minutes,
15 irrespective of processor speed)">
16 <!-- fo is not running the tests-->
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon. This
39 is useful for encrypting authentication and subsequent traffic over a
40 network. The <command>ssh</command> and <command>scp</command> commands are
41 encrypted replacements for <command>telnet</command> and <command>rcp</command>
42 respectively.
43 </para>
44
45 &lfs79_checked;&gcc6_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
82
83 <bridgehead renderas="sect4">Required</bridgehead>
84 <para role="required">
85 <xref linkend="openssl"/> or
86 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para>
87
88 <bridgehead renderas="sect4">Optional</bridgehead>
89 <para role="optional">
90 <xref linkend="linux-pam"/>,
91 <xref linkend="x-window-system"/>,
92 <xref linkend="mitkrb"/>,
93 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
94 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
95 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
96 </para>
97
98 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
99 <para role="optional">
100 <xref linkend="openjdk"/>,
101 <xref linkend="net-tools"/>, and
102 <xref linkend="sysstat"/>
103 </para>
104
105 <para condition="html" role="usernotes">
106 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
107 </para>
108 </sect2>
109
110 <sect2 role="installation">
111 <title>Installation of OpenSSH</title>
112
113 <para>
114 The <command>sshd</command> daemon uses privilege separation: a privileged
115 parent process performs authentication and grants privileges as needed, while
116 an unprivileged child process, running as the <systemitem class="username">sshd</systemitem>
117 user inside the empty <option>--with-privsep-path</option> directory, talks to
118 the network. Create that user and directory by issuing the following
119 commands as the <systemitem class="username">root</systemitem> user:
120 </para>
121
122<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
123chown -v root:sys /var/lib/sshd &amp;&amp;
124
125groupadd -g 50 sshd &amp;&amp;
126useradd -c 'sshd PrivSep' \
127 -d /var/lib/sshd \
128 -g sshd \
129 -s /bin/false \
130 -u 50 sshd</userinput></screen>
131
132 <para>
133 Install <application>OpenSSH</application> by running the following
134 commands:
135 </para>
136
137<screen><userinput>./configure --prefix=/usr \
138 --sysconfdir=/etc/ssh \
139 --with-md5-passwords \
140 --with-privsep-path=/var/lib/sshd &amp;&amp;
141make</userinput></screen>
142
143 <para>
144 The test suite requires an installed copy of <command>scp</command> to
145 complete the multiplexing tests. To run the test suite, first copy the
146 <command>scp</command> program to
147 <filename class="directory">/usr/bin</filename>, making sure that you
148 back up any existing copy first.
149 </para>
150
151 <para>
152 To test the results, issue: <command>make tests</command>.
153 </para>
154
155<!-- commenting this, I get "all tests passed" [ ken ]
156 NB tests should be run as _user_ but the role in the comment is root
157
158 commenting [ bruce ]: There are a couple of tests that want root.
159 The log mentions that SUDO is not set. These skipped tests are
160 ignored and the end says 'all tests passed' even when not root
161
162 <para>
163 To run the test suite, issue the following commands:
164 </para>
165
166<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
167grep FATAL check.log</userinput></screen>
168
169 <para>
170 If the above command produces no 'FATAL' errors, then proceed with the
171 installation, as the <systemitem class="username">root</systemitem> user:
172 </para>-->
173 <para>
174 Now, as the <systemitem class="username">root</systemitem> user:
175 </para>
176
177<screen role="root"><userinput>make install &amp;&amp;
178install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
179
180install -v -m644 contrib/ssh-copy-id.1 \
181 /usr/share/man/man1 &amp;&amp;
182install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
183install -v -m644 INSTALL LICENCE OVERVIEW README* \
184 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
185 </sect2>
186
187 <sect2 role="commands">
188 <title>Command Explanations</title>
189
190 <para>
191 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
192 configuration files from being installed in
193 <filename class="directory">/usr/etc</filename>.
194 </para>
195
196 <para>
197 <parameter>--with-md5-passwords</parameter>: This allows <command>sshd</command>
198 to verify MD5-hashed passwords from <filename>/etc/shadow</filename> when PAM is not used.
199 </para>
200
201 <para>
202 <parameter>--with-pam</parameter>: This parameter enables
203 <application>Linux-PAM</application> support in the build.
204 </para>
205
206 <para>
207 <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
208 location for the <command>xauth</command> binary for X authentication.
209 Change the location if <command>xauth</command> will be installed to a
210 different path. This can also be controlled from
211 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
212 omit this switch if <application>Xorg</application> is already installed.
213 </para>
214
215 <para>
216 <parameter>--with-kerberos5=/usr</parameter>: This option is used to
217 include Kerberos 5 support in the build.
218 </para>
219
220 <para>
221 <parameter>--with-libedit</parameter>: This option enables line editing
222 and history features for <command>sftp</command>.
223 </para>
224
225 </sect2>
226
227 <sect2 role="configuration">
228 <title>Configuring OpenSSH</title>
229
230 <sect3 id="openssh-config">
231 <title>Config Files</title>
232
233 <para>
234 <filename>~/.ssh/*</filename>,
235 <filename>/etc/ssh/ssh_config</filename>, and
236 <filename>/etc/ssh/sshd_config</filename>
237 </para>
238
239 <indexterm zone="openssh openssh-config">
240 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
241 </indexterm>
242
243 <indexterm zone="openssh openssh-config">
244 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
245 </indexterm>
246
247 <indexterm zone="openssh openssh-config">
248 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
249 </indexterm>
250
251 <para>
252 There are no required changes to any of these files. However,
253 you may wish to view the
254 <filename class='directory'>/etc/ssh/</filename> files and make any
255 changes appropriate for the security of your system. One recommended
256 change is that you disable
257 <systemitem class='username'>root</systemitem> login via
258 <command>ssh</command>. Note that <command>sshd</command> keeps the first
259 value it reads for each keyword, so an appended line only takes effect if
260 the keyword is not already set earlier in the file. Execute the following
261 command as the <systemitem class='username'>root</systemitem> user to disable <systemitem class='username'>root</systemitem> login via <command>ssh</command>:
262 </para>
263
264<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
265
266 <para>
267 If you want to be able to log in without typing in your password, first
268 create <filename>~/.ssh/id_rsa</filename> and <filename>~/.ssh/id_rsa.pub</filename> with
269 <command>ssh-keygen</command> and then copy <filename>~/.ssh/id_rsa.pub</filename> to
270 <filename>~/.ssh/authorized_keys</filename> on the remote computer that you want to log into.
271 Replace REMOTE_USERNAME and REMOTE_HOSTNAME with the username and hostname of the
272 remote computer; you will be prompted for that user's password so that
273 <command>ssh-copy-id</command> can install the key:
274 </para>
275
276<screen><userinput>ssh-keygen &amp;&amp;
277ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
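If the remote host still asks for a password after ssh-copy-id has run, the usual cause is file modes: with the default StrictModes yes, sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. The audit below is an added example, not BLFS book text or OpenSSH code. It takes the home directory as a parameter (an assumption made so it can be tried on a scratch directory) and relies on GNU stat.

```shell
#!/bin/sh
# Added example (not BLFS book or OpenSSH code). With StrictModes (the sshd
# default) a key in ~/.ssh/authorized_keys is silently ignored when the home
# directory, ~/.ssh or the file itself is writable by group or others, so the
# remote host keeps asking for a password. These helpers audit and repair the
# modes for a home directory given as a parameter (an assumption made so they
# can be tried on a scratch directory). They rely on GNU stat (Linux).

# Return 0 if the path has the group-write or other-write bit set, using the
# symbolic mode string: position 6 is group write, position 9 is other write.
is_group_or_world_writable() {
    case $(stat -c '%A' "$1") in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every path sshd would object to; return non-zero if any was found.
check_key_auth_perms() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if is_group_or_world_writable "$p"; then
            echo "writable by group/others, sshd StrictModes will ignore keys: $p"
            rc=1
        fi
    done
    return $rc
}

# Apply the modes that ssh-copy-id expects on the remote side.
fix_key_auth_perms() {
    home=$1
    mkdir -p "$home/.ssh"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    if [ -e "$home/.ssh/authorized_keys" ]; then
        chmod 600 "$home/.ssh/authorized_keys"
    fi
}

# Usage on the remote account:
#   check_key_auth_perms "$HOME" || fix_key_auth_perms "$HOME"
```

StrictModes also requires these paths to be owned by the user or by root; the helper checks modes only, so look at ownership too if a key is still refused. On the server, running sshd with -d on an alternate port shows exactly why a key was rejected.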
278
279 <para>
280 Once key-based logins work, they are more secure than password logins: the
281 private key carries far more entropy than a typical password, is never sent
282 to the server, and can itself be protected with a passphrase. If you would
283 like to now disable password logins, as the <systemitem class="username">root</systemitem> user:
284 </para>
285
286
287<screen role="root"><userinput>echo "PasswordAuthentication no" &gt;&gt; /etc/ssh/sshd_config &amp;&amp;
288echo "ChallengeResponseAuthentication no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
289
290 <para>
291 If you added <application>Linux-PAM</application> support and you want
292 <command>sshd</command> to use it, add a PAM configuration file for
293 <application>sshd</application> and enable PAM in <filename>sshd_config</filename>.
294 <command>sshd</command> uses PAM to check passwords and, with <literal>UsePAM yes</literal>,
295 also for account and session management; if you only use key-based logins
296 and need neither, these commands are not needed. To use PAM, issue the
297 following commands as the <systemitem class='username'>root</systemitem> user:
298 </para>
299
300<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
301chmod 644 /etc/pam.d/sshd &amp;&amp;
302echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
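All three sshd_config changes in this section (PermitRootLogin, PasswordAuthentication together with ChallengeResponseAuthentication, and UsePAM) are made by appending to the file, which sshd ignores when the keyword is already set earlier, since it keeps the first value it reads. The helper below is an added example, not BLFS book text or OpenSSH code: it replaces an active directive in place or appends it when absent, reports the value sshd would actually use, and bundles the hardening settings from this section. The configuration path is a parameter (an assumption made so it can be exercised on a scratch copy) and it relies on GNU sed.

```shell
#!/bin/sh
# Added example (not BLFS book or OpenSSH code): set sshd_config keywords
# idempotently. sshd honours the FIRST occurrence of a keyword, so appending
# with `echo ... >> sshd_config` is silently ignored when the keyword is
# already set earlier. This helper replaces every active (uncommented)
# directive in place, or appends one if none exists. Keywords are
# case-insensitive, as they are for sshd. Requires GNU sed (-i and the I flag).
# The config path is a parameter so the helper can be tried on a scratch copy.

set_sshd_option() {
    conf=$1; key=$2; value=$3
    if grep -Eiq "^[[:space:]]*${key}[[:space:]]" "$conf"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|I" "$conf"
    else
        # Make sure the file ends with a newline before appending.
        [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ] && echo >> "$conf"
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the effective value of a keyword: the first uncommented match, which is
# what sshd itself would use. Commented lines never match because "#" is glued
# to the keyword in field 1.
effective_sshd_option() {
    conf=$1; key=$2
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$conf"
}

# The hardening settings from this section. UsePAM is deliberately left out,
# since it only makes sense when sshd was built with --with-pam:
#   set_sshd_option /etc/ssh/sshd_config UsePAM yes
harden_sshd_config() {
    conf=$1
    set_sshd_option "$conf" PermitRootLogin no
    set_sshd_option "$conf" PasswordAuthentication no
    set_sshd_option "$conf" ChallengeResponseAuthentication no
}

# Demonstration on a constructed scratch file that already contains a
# conflicting PermitRootLogin directive, the case where appending would fail.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config (not a real system file)
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
EOF
    harden_sshd_config "$tmp"
    cat "$tmp"
    echo "effective PermitRootLogin: $(effective_sshd_option "$tmp" PermitRootLogin)"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sshd -t` after editing and before restarting the daemon; a syntax error in sshd_config stops sshd and can lock you out of a remote machine. The helper does not understand Match blocks: a directive after a Match line applies only to matching connections, and the in-place replacement would rewrite such a line too, so inspect the file by hand if you use them.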
303
304 <para>
305 Additional configuration information can be found in the man
306 pages for <command>sshd</command>, <command>ssh</command> and
307 <command>ssh-agent</command>.
308 </para>
309 </sect3>
310
311 <sect3 id="openssh-init">
312 <title>Boot Script</title>
313
314 <para>
315 To start the SSH server at system boot, install the
316 <filename>/etc/rc.d/init.d/sshd</filename> init script included
317 in the <xref linkend="bootscripts"/> package.
318 </para>
319
320 <indexterm zone="openssh openssh-init">
321 <primary sortas="f-sshd">sshd</primary>
322 </indexterm>
323
324<screen role="root"><userinput>make install-sshd</userinput></screen>
325 </sect3>
326 </sect2>
327
328 <sect2 role="content">
329 <title>Contents</title>
330
331 <segmentedlist>
332 <segtitle>Installed Programs</segtitle>
333 <segtitle>Installed Libraries</segtitle>
334 <segtitle>Installed Directories</segtitle>
335
336 <seglistitem>
337 <seg>
338 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
339 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
340 </seg>
341 <seg>
342 None
343 </seg>
344 <seg>
345 /etc/ssh,
346 /usr/share/doc/openssh-&openssh-version;, and
347 /var/lib/sshd
348 </seg>
349 </seglistitem>
350 </segmentedlist>
351
352 <variablelist>
353 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
354 <?dbfo list-presentation="list"?>
355 <?dbhtml list-presentation="table"?>
356
357 <varlistentry id="scp">
358 <term><command>scp</command></term>
359 <listitem>
360 <para>
361 is a file copy program that acts like <command>rcp</command> except
362 it uses an encrypted protocol.
363 </para>
364 <indexterm zone="openssh scp">
365 <primary sortas="b-scp">scp</primary>
366 </indexterm>
367 </listitem>
368 </varlistentry>
369
370 <varlistentry id="sftp">
371 <term><command>sftp</command></term>
372 <listitem>
373 <para>
374 is an FTP-like program that performs all operations over an encrypted SSH transport.
375 </para>
376 <indexterm zone="openssh sftp">
377 <primary sortas="b-sftp">sftp</primary>
378 </indexterm>
379 </listitem>
380 </varlistentry>
381
382 <varlistentry id="slogin">
383 <term><command>slogin</command></term>
384 <listitem>
385 <para>
386 is a symlink to <command>ssh</command>.
387 </para>
388 <indexterm zone="openssh slogin">
389 <primary sortas="b-slogin">slogin</primary>
390 </indexterm>
391 </listitem>
392 </varlistentry>
393
394 <varlistentry id="ssh">
395 <term><command>ssh</command></term>
396 <listitem>
397 <para>
398 is an <command>rlogin</command>/<command>rsh</command>-like client
399 program except it uses an encrypted protocol.
400 </para>
401 <indexterm zone="openssh ssh">
402 <primary sortas="b-ssh">ssh</primary>
403 </indexterm>
404 </listitem>
405 </varlistentry>
406
407 <varlistentry id="sshd">
408 <term><command>sshd</command></term>
409 <listitem>
410 <para>
411 is a daemon that listens for <command>ssh</command> login requests.
412 </para>
413 <indexterm zone="openssh sshd">
414 <primary sortas="b-sshd">sshd</primary>
415 </indexterm>
416 </listitem>
417 </varlistentry>
418
419 <varlistentry id="ssh-add">
420 <term><command>ssh-add</command></term>
421 <listitem>
422 <para>
423 is a tool which adds keys to the <command>ssh-agent</command>.
424 </para>
425 <indexterm zone="openssh ssh-add">
426 <primary sortas="b-ssh-add">ssh-add</primary>
427 </indexterm>
428 </listitem>
429 </varlistentry>
430
431 <varlistentry id="ssh-agent">
432 <term><command>ssh-agent</command></term>
433 <listitem>
434 <para>
435 is an authentication agent that can store private keys.
436 </para>
437 <indexterm zone="openssh ssh-agent">
438 <primary sortas="b-ssh-agent">ssh-agent</primary>
439 </indexterm>
440 </listitem>
441 </varlistentry>
442
443 <varlistentry id="ssh-copy-id">
444 <term><command>ssh-copy-id</command></term>
445 <listitem>
446 <para>
447 is a script that installs local public keys in a remote user's authorized_keys file to enable key-based logins.
448 </para>
449 <indexterm zone="openssh ssh-copy-id">
450 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
451 </indexterm>
452 </listitem>
453 </varlistentry>
454
455 <varlistentry id="ssh-keygen">
456 <term><command>ssh-keygen</command></term>
457 <listitem>
458 <para>
459 is a key generation tool.
460 </para>
461 <indexterm zone="openssh ssh-keygen">
462 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
463 </indexterm>
464 </listitem>
465 </varlistentry>
466
467 <varlistentry id="ssh-keyscan">
468 <term><command>ssh-keyscan</command></term>
469 <listitem>
470 <para>
471 is a utility for gathering public host keys from a number of hosts.
472 </para>
473 <indexterm zone="openssh ssh-keyscan">
474 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
475 </indexterm>
476 </listitem>
477 </varlistentry>
478
479 </variablelist>
480 </sect2>
481</sect1>