source: postlfs/security/openssh.xml@ a541e080

11.0 11.1 lazarus qt5new trunk upgradedb xry111/intltool xry111/test-20220226
Last change on this file since a541e080 was a541e080, checked in by Pierre Labastie <pierre.labastie@…>, 9 months ago

Updates and a security fix

Fix a security issue in apr-1.7.0 (with a sed)
libgcrypt-1.9.4 (security fix)
libcap-2.53
openssh-8.7p1
thunderbird-91.0.3
qemu-6.1.0

  • Property mode set to 100644
File size: 18.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "f545230799f131aecca04da56e61990a">
13 <!ENTITY openssh-size "1.7 MB">
14 <!ENTITY openssh-buildsize "48 MB (add 18 MB for tests)">
15 <!ENTITY openssh-time "0.3 SBU (Using parallelism=4;
16 running the tests takes 20+ minutes,
17 irrespective of processor speed)">
18]>
19
20<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21 <?dbhtml filename="openssh.html"?>
22
23 <sect1info>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs110_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80<!--
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>
85 Required patch:
86 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
87 </para>
88 </listitem>
89 </itemizedlist>
90-->
91 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93 <bridgehead renderas="sect4">Optional</bridgehead>
94 <para role="optional">
95 <xref linkend="gdb"/> (for tests),
96 <xref linkend="linux-pam"/>,
97 <xref linkend="x-window-system"/>,
98 <xref linkend="mitkrb"/>,
99 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
100 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
101 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103 </para>
104
105 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106 <para role="optional">
107 <xref role="runtime" linkend="openjdk"/>,
108 <xref role="runtime" linkend="net-tools"/>, and
109 <xref role="runtime" linkend="sysstat"/>
110 </para>
111
112 <para condition="html" role="usernotes">
113 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114 </para>
115 </sect2>
116
117 <sect2 role="installation">
118 <title>Installation of OpenSSH</title>
119
120 <para>
121 <application>OpenSSH</application> runs as two processes when connecting
122 to other computers. The first process is a privileged process and controls
123 the issuance of privileges as necessary. The second process communicates
124 with the network. Additional installation steps are necessary to set up
125 the proper environment, which are performed by issuing the following
126 commands as the <systemitem class="username">root</systemitem> user:
127 </para>
128
129<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
130chown -v root:sys /var/lib/sshd &amp;&amp;
131
132groupadd -g 50 sshd &amp;&amp;
133useradd -c 'sshd PrivSep' \
134 -d /var/lib/sshd \
135 -g sshd \
136 -s /bin/false \
137 -u 50 sshd</userinput></screen>
138<!--
139 <para>
140 Apply a patch to allow OpenSSH to build and function with
141 <application>Glibc-2.31</application> and later:
142 </para>
143
144<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145-->
146
147<!-- Applied in 8.5p1
148 <para>
149 First, adapt <application>ssh-copy-id</application> to changes
150 in bash-5.1:
151 </para>
152
153<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155 <para>
156 Next, fix an issue on platforms other than x86_64:
157 </para>
158 <screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159 l1="#ifdef __NR_pselect6_time64"
160 l2=" SC_ALLOW(__NR_pselect6_time64),"
161 l3="#endif"
162 sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163 -i sandbox-seccomp-filter.c
164fi</userinput></screen>
165-->
166 <para>
167 Install <application>OpenSSH</application> by running the following
168 commands:
169 </para>
170
171<screen><userinput>./configure --prefix=/usr \
172 --sysconfdir=/etc/ssh \
173 --with-md5-passwords \
174 --with-privsep-path=/var/lib/sshd \
175 --with-default-path=/usr/bin \
176 --with-superuser-path=/usr/sbin:/usr/bin \
177 --with-pid-dir=/run
178make</userinput></screen>
179
180 <para>
181 The testsuite requires an installed copy of <command>scp</command> to
182 complete the multiplexing tests. To run the test suite, first copy the
183 <command>scp</command> program to
184 <filename class="directory">/usr/bin</filename>, making sure that you
185 backup any existing copy first.
186 </para>
187
188 <para>
189 To test the results, issue: <command>make -j1 tests</command>.
190 <!--One test, <filename>key options</filename>, fails when run in chroot.-->
191 </para>
192
193<!-- commenting this, I get "all tests passed" [ ken ]
194 NB tests should be run as _user_ but the role in the comment is root
195
196 commenting [ bruce ]: There are a couple of tests that want root.
197 The log mentions that SUDO is not set. These skipped tests are
198 ignored and the end says 'all tests passed' even when not root
199
200 <para>
201 To run the test suite, issue the following commands:
202 </para>
203
204<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
205grep FATAL check.log</userinput></screen>
206
207 <para>
208 If the above command produces no 'FATAL' errors, then proceed with the
209 installation, as the <systemitem class="username">root</systemitem> user:
210 </para>-->
211 <para>
212 Now, as the <systemitem class="username">root</systemitem> user:
213 </para>
214
215<screen role="root"><userinput>make install &amp;&amp;
216install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
217
218install -v -m644 contrib/ssh-copy-id.1 \
219 /usr/share/man/man1 &amp;&amp;
220install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
221install -v -m644 INSTALL LICENCE OVERVIEW README* \
222 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
223 </sect2>
224
225 <sect2 role="commands">
226 <title>Command Explanations</title>
227
228 <para>
229 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
230 configuration files from being installed in
231 <filename class="directory">/usr/etc</filename>.
232 </para>
233
234 <para>
235 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
236 passwords.
237 </para>
238
239 <para>
240 <parameter>--with-default-path=/usr/bin</parameter> and
241 <parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
242 These set <envar>PATH</envar> consistent with LFS and BLFS
243 <application>Shadow</application> package.
244 </para>
245
246 <para>
247 <parameter>--with-pid-dir=/run</parameter>: This prevents
248 <application>OpenSSH</application> from refering to deprecated
249 <filename class="directory">/var/run</filename>.
250 </para>
251
252 <para>
253 <option>--with-pam</option>: This parameter enables
254 <application>Linux-PAM</application> support in the build.
255 </para>
256
257 <para>
258 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
259 location for the <command>xauth</command> binary for X authentication.
260 Change the location if <command>xauth</command> will be installed to a
261 different path. This can also be controlled from
262 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
263 omit this switch if <application>Xorg</application> is already installed.
264 </para>
265
266 <para>
267 <option>--with-kerberos5=/usr</option>: This option is used to
268 include Kerberos 5 support in the build.
269 </para>
270
271 <para>
272 <option>--with-libedit</option>: This option enables line editing
273 and history features for <command>sftp</command>.
274 </para>
275
276 </sect2>
277
278 <sect2 role="configuration">
279 <title>Configuring OpenSSH</title>
280
281 <sect3 id="openssh-config">
282 <title>Config Files</title>
283
284 <para>
285 <filename>~/.ssh/*</filename>,
286 <filename>/etc/ssh/ssh_config</filename>, and
287 <filename>/etc/ssh/sshd_config</filename>
288 </para>
289
290 <indexterm zone="openssh openssh-config">
291 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
292 </indexterm>
293
294 <indexterm zone="openssh openssh-config">
295 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
296 </indexterm>
297
298 <indexterm zone="openssh openssh-config">
299 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
300 </indexterm>
301
302 <para>
303 There are no required changes to any of these files. However,
304 you may wish to view the
305 <filename class='directory'>/etc/ssh/</filename> files and make any
306 changes appropriate for the security of your system. One recommended
307 change is that you disable
308 <systemitem class='username'>root</systemitem> login via
309 <command>ssh</command>. Execute the following command as the
310 <systemitem class='username'>root</systemitem> user to disable
311 <systemitem class='username'>root</systemitem> login via
312 <command>ssh</command>:
313 </para>
314
315<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
316
317 <para>
318 If you want to be able to log in without typing in your password, first
319 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
320 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
321 ~/.ssh/authorized_keys on the remote computer that you want to log into.
322 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
323 computer and you'll also need to enter your password for the ssh-copy-id command
324 to succeed:
325 </para>
326
327<screen><userinput>ssh-keygen &amp;&amp;
328ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
329
330 <para>
331 Once you've got passwordless logins working it's actually more secure
332 than logging in with a password (as the private key is much longer than
333 most people's passwords). If you would like to now disable password
334 logins, as the <systemitem class="username">root</systemitem> user:
335 </para>
336
337
338<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
339echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
340
341 <para>
342 If you added <application>Linux-PAM</application> support and you want
343 ssh to use it then you will need to add a configuration file for
344 <application>sshd</application> and enable use of
345 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
346 passwords, if you've disabled password logins these commands are not
347 needed. If you want to use PAM, issue the following commands as the
348 <systemitem class='username'>root</systemitem> user:
349 </para>
350
351<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
352chmod 644 /etc/pam.d/sshd &amp;&amp;
353echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
354
355 <para>
356 Additional configuration information can be found in the man
357 pages for <command>sshd</command>, <command>ssh</command> and
358 <command>ssh-agent</command>.
359 </para>
360 </sect3>
361
362 <sect3 id="openssh-init">
363 <title><phrase revision="sysv">Boot Script</phrase>
364 <phrase revision="systemd">Systemd Unit</phrase></title>
365
366 <para revision="sysv">
367 To start the SSH server at system boot, install the
368 <filename>/etc/rc.d/init.d/sshd</filename> init script included
369 in the <xref linkend="bootscripts"/> package.
370 </para>
371
372 <para revision="systemd">
373 To start the SSH server at system boot, install the
374 <filename>sshd.service</filename> unit included in the
375 <xref linkend="systemd-units"/> package.
376 </para>
377
378 <indexterm zone="openssh openssh-init">
379 <primary sortas="f-sshd">sshd</primary>
380 </indexterm>
381
382<screen role="root"><userinput>make install-sshd</userinput></screen>
383 </sect3>
384 </sect2>
385
386 <sect2 role="content">
387 <title>Contents</title>
388
389 <segmentedlist>
390 <segtitle>Installed Programs</segtitle>
391 <segtitle>Installed Libraries</segtitle>
392 <segtitle>Installed Directories</segtitle>
393
394 <seglistitem>
395 <seg>
396 scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
397 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
398 </seg>
399 <seg>
400 None
401 </seg>
402 <seg>
403 /etc/ssh,
404 /usr/share/doc/openssh-&openssh-version;, and
405 /var/lib/sshd
406 </seg>
407 </seglistitem>
408 </segmentedlist>
409
410 <variablelist>
411 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
412 <?dbfo list-presentation="list"?>
413 <?dbhtml list-presentation="table"?>
414
415 <varlistentry id="scp">
416 <term><command>scp</command></term>
417 <listitem>
418 <para>
419 is a file copy program that acts like <command>rcp</command> except
420 it uses an encrypted protocol
421 </para>
422 <indexterm zone="openssh scp">
423 <primary sortas="b-scp">scp</primary>
424 </indexterm>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry id="sftp">
429 <term><command>sftp</command></term>
430 <listitem>
431 <para>
432 is an FTP-like program that works over the SSH1 and SSH2 protocols
433 </para>
434 <indexterm zone="openssh sftp">
435 <primary sortas="b-sftp">sftp</primary>
436 </indexterm>
437 </listitem>
438 </varlistentry>
439<!-- Not installed anymore as of 8.5p1
440 <varlistentry id="slogin">
441 <term><command>slogin</command></term>
442 <listitem>
443 <para>
444 is a symlink to <command>ssh</command>
445 </para>
446 <indexterm zone="openssh slogin">
447 <primary sortas="b-slogin">slogin</primary>
448 </indexterm>
449 </listitem>
450 </varlistentry>
451-->
452 <varlistentry id="ssh">
453 <term><command>ssh</command></term>
454 <listitem>
455 <para>
456 is an <command>rlogin</command>/<command>rsh</command>-like client
457 program except it uses an encrypted protocol
458 </para>
459 <indexterm zone="openssh ssh">
460 <primary sortas="b-ssh">ssh</primary>
461 </indexterm>
462 </listitem>
463 </varlistentry>
464
465 <varlistentry id="sshd">
466 <term><command>sshd</command></term>
467 <listitem>
468 <para>
469 is a daemon that listens for <command>ssh</command> login requests
470 </para>
471 <indexterm zone="openssh sshd">
472 <primary sortas="b-sshd">sshd</primary>
473 </indexterm>
474 </listitem>
475 </varlistentry>
476
477 <varlistentry id="ssh-add">
478 <term><command>ssh-add</command></term>
479 <listitem>
480 <para>
481 is a tool which adds keys to the <command>ssh-agent</command>
482 </para>
483 <indexterm zone="openssh ssh-add">
484 <primary sortas="b-ssh-add">ssh-add</primary>
485 </indexterm>
486 </listitem>
487 </varlistentry>
488
489 <varlistentry id="ssh-agent">
490 <term><command>ssh-agent</command></term>
491 <listitem>
492 <para>
493 is an authentication agent that can store private keys
494 </para>
495 <indexterm zone="openssh ssh-agent">
496 <primary sortas="b-ssh-agent">ssh-agent</primary>
497 </indexterm>
498 </listitem>
499 </varlistentry>
500
501 <varlistentry id="ssh-copy-id">
502 <term><command>ssh-copy-id</command></term>
503 <listitem>
504 <para>
505 is a script that enables logins on remote machines using local keys
506 </para>
507 <indexterm zone="openssh ssh-copy-id">
508 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
509 </indexterm>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry id="ssh-keygen">
514 <term><command>ssh-keygen</command></term>
515 <listitem>
516 <para>
517 is a key generation tool
518 </para>
519 <indexterm zone="openssh ssh-keygen">
520 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
521 </indexterm>
522 </listitem>
523 </varlistentry>
524
525 <varlistentry id="ssh-keyscan">
526 <term><command>ssh-keyscan</command></term>
527 <listitem>
528 <para>
529 is a utility for gathering public host keys from a number of hosts
530 </para>
531 <indexterm zone="openssh ssh-keyscan">
532 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
533 </indexterm>
534 </listitem>
535 </varlistentry>
536
537 </variablelist>
538 </sect2>
539
540</sect1>
Note: See TracBrowser for help on using the repository browser.