source: postlfs/security/openssh.xml@ a934691

10.1 11.0 ken/refactor-virt lazarus qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since a934691 was a934691, checked in by Bruce Dubbs <bdubbs@…>, 14 months ago

Update to openssh-8.4p1.
Update to cairomm-1.14.0.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23770 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.3 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "8f897870404c088e4aa7d1c1c58b526b">
13 <!ENTITY openssh-size "1.7 MB">
14 <!ENTITY openssh-buildsize "48 MB (add 17 MB for tests)">
15 <!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16 running the tests takes 20+ minutes,
17 irrespective of processor speed)">
18]>
19
20<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21 <?dbhtml filename="openssh.html"?>
22
23 <sect1info>
24 <othername>$LastChangedBy$</othername>
25 <date>$Date$</date>
26 </sect1info>
27
28 <title>OpenSSH-&openssh-version;</title>
29
30 <indexterm zone="openssh">
31 <primary sortas="a-OpenSSH">OpenSSH</primary>
32 </indexterm>
33
34 <sect2 role="package">
35 <title>Introduction to OpenSSH</title>
36
37 <para>
38 The <application>OpenSSH</application> package contains
39 <command>ssh</command> clients and the <command>sshd</command> daemon.
40 This is useful for encrypting authentication and subsequent traffic over
41 a network. The <command>ssh</command> and <command>scp</command> commands
42 are secure implementations of <command>telnet</command> and
43 <command>rcp</command> respectively.
44 </para>
45
46 &lfs10_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&openssh-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&openssh-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &openssh-md5sum;
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &openssh-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &openssh-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &openssh-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81<!--
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <listitem>
85 <para>
86 Required patch:
87 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
88 </para>
89 </listitem>
90 </itemizedlist>
91-->
92 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
93
94 <bridgehead renderas="sect4">Optional</bridgehead>
95 <para role="optional">
96 <xref linkend="gdb"/> (for tests),
97 <xref linkend="linux-pam"/>,
98 <xref linkend="x-window-system"/>,
99 <xref linkend="mitkrb"/>,
100 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104 </para>
105
106 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107 <para role="optional">
108 <xref role="runtime" linkend="openjdk"/>,
109 <xref role="runtime" linkend="net-tools"/>, and
110 <xref role="runtime" linkend="sysstat"/>
111 </para>
112
113 <para condition="html" role="usernotes">
114 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115 </para>
116 </sect2>
117
118 <sect2 role="installation">
119 <title>Installation of OpenSSH</title>
120
121 <para>
122 <application>OpenSSH</application> runs as two processes when connecting
123 to other computers. The first process is a privileged process and controls
124 the issuance of privileges as necessary. The second process communicates
125 with the network. Additional installation steps are necessary to set up
126 the proper environment, which are performed by issuing the following
127 commands as the <systemitem class="username">root</systemitem> user:
128 </para>
129
130<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
131chown -v root:sys /var/lib/sshd &amp;&amp;
132
133groupadd -g 50 sshd &amp;&amp;
134useradd -c 'sshd PrivSep' \
135 -d /var/lib/sshd \
136 -g sshd \
137 -s /bin/false \
138 -u 50 sshd</userinput></screen>
139<!--
140 <para>
141 Apply a patch to allow OpenSSH to build and function with
142 <application>Glibc-2.31</application> and later:
143 </para>
144
145<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146-->
147 <para>
148 Install <application>OpenSSH</application> by running the following
149 commands:
150 </para>
151
152<screen><userinput>./configure --prefix=/usr \
153 --sysconfdir=/etc/ssh \
154 --with-md5-passwords \
155 --with-privsep-path=/var/lib/sshd &amp;&amp;
156make</userinput></screen>
157
158 <para>
159 The testsuite requires an installed copy of <command>scp</command> to
160 complete the multiplexing tests. To run the test suite, first copy the
161 <command>scp</command> program to
162 <filename class="directory">/usr/bin</filename>, making sure that you
163 backup any existing copy first.
164 </para>
165
166 <para>
167 To test the results, issue: <command>make -j1 tests</command>.
168 <!--One test, <filename>key options</filename>, fails when run in chroot.-->
169 </para>
170
171<!-- commenting this, I get "all tests passed" [ ken ]
172 NB tests should be run as _user_ but the role in the comment is root
173
174 commenting [ bruce ]: There are a couple of tests that want root.
175 The log mentions that SUDO is not set. These skipped tests are
176 ignored and the end says 'all tests passed' even when not root
177
178 <para>
179 To run the test suite, issue the following commands:
180 </para>
181
182<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
183grep FATAL check.log</userinput></screen>
184
185 <para>
186 If the above command produces no 'FATAL' errors, then proceed with the
187 installation, as the <systemitem class="username">root</systemitem> user:
188 </para>-->
189 <para>
190 Now, as the <systemitem class="username">root</systemitem> user:
191 </para>
192
193<screen role="root"><userinput>make install &amp;&amp;
194install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
195
196install -v -m644 contrib/ssh-copy-id.1 \
197 /usr/share/man/man1 &amp;&amp;
198install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
199install -v -m644 INSTALL LICENCE OVERVIEW README* \
200 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
201 </sect2>
202
203 <sect2 role="commands">
204 <title>Command Explanations</title>
205
206 <para>
207 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
208 configuration files from being installed in
209 <filename class="directory">/usr/etc</filename>.
210 </para>
211
212 <para>
213 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
214 passwords.
215 </para>
216
217 <para>
218 <option>--with-pam</option>: This parameter enables
219 <application>Linux-PAM</application> support in the build.
220 </para>
221
222 <para>
223 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
224 location for the <command>xauth</command> binary for X authentication.
225 Change the location if <command>xauth</command> will be installed to a
226 different path. This can also be controlled from
227 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
228 omit this switch if <application>Xorg</application> is already installed.
229 </para>
230
231 <para>
232 <option>--with-kerberos5=/usr</option>: This option is used to
233 include Kerberos 5 support in the build.
234 </para>
235
236 <para>
237 <option>--with-libedit</option>: This option enables line editing
238 and history features for <command>sftp</command>.
239 </para>
240
241 </sect2>
242
243 <sect2 role="configuration">
244 <title>Configuring OpenSSH</title>
245
246 <sect3 id="openssh-config">
247 <title>Config Files</title>
248
249 <para>
250 <filename>~/.ssh/*</filename>,
251 <filename>/etc/ssh/ssh_config</filename>, and
252 <filename>/etc/ssh/sshd_config</filename>
253 </para>
254
255 <indexterm zone="openssh openssh-config">
256 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
257 </indexterm>
258
259 <indexterm zone="openssh openssh-config">
260 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
261 </indexterm>
262
263 <indexterm zone="openssh openssh-config">
264 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
265 </indexterm>
266
267 <para>
268 There are no required changes to any of these files. However,
269 you may wish to view the
270 <filename class='directory'>/etc/ssh/</filename> files and make any
271 changes appropriate for the security of your system. One recommended
272 change is that you disable
273 <systemitem class='username'>root</systemitem> login via
274 <command>ssh</command>. Execute the following command as the
275 <systemitem class='username'>root</systemitem> user to disable
276 <systemitem class='username'>root</systemitem> login via
277 <command>ssh</command>:
278 </para>
279
280<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
281
282 <para>
283 If you want to be able to log in without typing in your password, first
284 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
285 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
286 ~/.ssh/authorized_keys on the remote computer that you want to log into.
287 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
288 computer and you'll also need to enter your password for the ssh-copy-id command
289 to succeed:
290 </para>
291
292<screen><userinput>ssh-keygen &amp;&amp;
293ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
294
295 <para>
296 Once you've got passwordless logins working it's actually more secure
297 than logging in with a password (as the private key is much longer than
298 most people's passwords). If you would like to now disable password
299 logins, as the <systemitem class="username">root</systemitem> user:
300 </para>
301
302
303<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
304echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
305
306 <para>
307 If you added <application>Linux-PAM</application> support and you want
308 ssh to use it then you will need to add a configuration file for
309 <application>sshd</application> and enable use of
310 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
311 passwords, if you've disabled password logins these commands are not
312 needed. If you want to use PAM, issue the following commands as the
313 <systemitem class='username'>root</systemitem> user:
314 </para>
315
316<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
317chmod 644 /etc/pam.d/sshd &amp;&amp;
318echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
319
320 <para>
321 Additional configuration information can be found in the man
322 pages for <command>sshd</command>, <command>ssh</command> and
323 <command>ssh-agent</command>.
324 </para>
325 </sect3>
326
327 <sect3 id="openssh-init">
328 <title><phrase revision="sysv">Boot Script</phrase>
329 <phrase revision="systemd">Systemd Unit</phrase></title>
330
331 <para revision="sysv">
332 To start the SSH server at system boot, install the
333 <filename>/etc/rc.d/init.d/sshd</filename> init script included
334 in the <xref linkend="bootscripts"/> package.
335 </para>
336
337 <para revision="systemd">
338 To start the SSH server at system boot, install the
339 <filename>sshd.service</filename> unit included in the
340 <xref linkend="systemd-units"/> package.
341 </para>
342
343 <indexterm zone="openssh openssh-init">
344 <primary sortas="f-sshd">sshd</primary>
345 </indexterm>
346
347<screen role="root"><userinput>make install-sshd</userinput></screen>
348 </sect3>
349 </sect2>
350
351 <sect2 role="content">
352 <title>Contents</title>
353
354 <segmentedlist>
355 <segtitle>Installed Programs</segtitle>
356 <segtitle>Installed Libraries</segtitle>
357 <segtitle>Installed Directories</segtitle>
358
359 <seglistitem>
360 <seg>
361 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
362 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
363 </seg>
364 <seg>
365 None
366 </seg>
367 <seg>
368 /etc/ssh,
369 /usr/share/doc/openssh-&openssh-version;, and
370 /var/lib/sshd
371 </seg>
372 </seglistitem>
373 </segmentedlist>
374
375 <variablelist>
376 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
377 <?dbfo list-presentation="list"?>
378 <?dbhtml list-presentation="table"?>
379
380 <varlistentry id="scp">
381 <term><command>scp</command></term>
382 <listitem>
383 <para>
384 is a file copy program that acts like <command>rcp</command> except
385 it uses an encrypted protocol.
386 </para>
387 <indexterm zone="openssh scp">
388 <primary sortas="b-scp">scp</primary>
389 </indexterm>
390 </listitem>
391 </varlistentry>
392
393 <varlistentry id="sftp">
394 <term><command>sftp</command></term>
395 <listitem>
396 <para>
397 is an FTP-like program that works over the SSH1 and SSH2 protocols.
398 </para>
399 <indexterm zone="openssh sftp">
400 <primary sortas="b-sftp">sftp</primary>
401 </indexterm>
402 </listitem>
403 </varlistentry>
404
405 <varlistentry id="slogin">
406 <term><command>slogin</command></term>
407 <listitem>
408 <para>
409 is a symlink to <command>ssh</command>.
410 </para>
411 <indexterm zone="openssh slogin">
412 <primary sortas="b-slogin">slogin</primary>
413 </indexterm>
414 </listitem>
415 </varlistentry>
416
417 <varlistentry id="ssh">
418 <term><command>ssh</command></term>
419 <listitem>
420 <para>
421 is an <command>rlogin</command>/<command>rsh</command>-like client
422 program except it uses an encrypted protocol.
423 </para>
424 <indexterm zone="openssh ssh">
425 <primary sortas="b-ssh">ssh</primary>
426 </indexterm>
427 </listitem>
428 </varlistentry>
429
430 <varlistentry id="sshd">
431 <term><command>sshd</command></term>
432 <listitem>
433 <para>
434 is a daemon that listens for <command>ssh</command> login requests.
435 </para>
436 <indexterm zone="openssh sshd">
437 <primary sortas="b-sshd">sshd</primary>
438 </indexterm>
439 </listitem>
440 </varlistentry>
441
442 <varlistentry id="ssh-add">
443 <term><command>ssh-add</command></term>
444 <listitem>
445 <para>
446 is a tool which adds keys to the <command>ssh-agent</command>.
447 </para>
448 <indexterm zone="openssh ssh-add">
449 <primary sortas="b-ssh-add">ssh-add</primary>
450 </indexterm>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry id="ssh-agent">
455 <term><command>ssh-agent</command></term>
456 <listitem>
457 <para>
458 is an authentication agent that can store private keys.
459 </para>
460 <indexterm zone="openssh ssh-agent">
461 <primary sortas="b-ssh-agent">ssh-agent</primary>
462 </indexterm>
463 </listitem>
464 </varlistentry>
465
466 <varlistentry id="ssh-copy-id">
467 <term><command>ssh-copy-id</command></term>
468 <listitem>
469 <para>
470 is a script that enables logins on remote machine using local keys.
471 </para>
472 <indexterm zone="openssh ssh-copy-id">
473 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
474 </indexterm>
475 </listitem>
476 </varlistentry>
477
478 <varlistentry id="ssh-keygen">
479 <term><command>ssh-keygen</command></term>
480 <listitem>
481 <para>
482 is a key generation tool.
483 </para>
484 <indexterm zone="openssh ssh-keygen">
485 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
486 </indexterm>
487 </listitem>
488 </varlistentry>
489
490 <varlistentry id="ssh-keyscan">
491 <term><command>ssh-keyscan</command></term>
492 <listitem>
493 <para>
494 is a utility for gathering public host keys from a number of hosts.
495 </para>
496 <indexterm zone="openssh ssh-keyscan">
497 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
498 </indexterm>
499 </listitem>
500 </varlistentry>
501
502 </variablelist>
503 </sect2>
504</sect1>
Note: See TracBrowser for help on using the repository browser.