source: postlfs/security/openssh.xml@ a93f2f1

Last change on this file since a93f2f1 was a93f2f1, checked in by Ken Moffat <ken@…>, 5 years ago

openssh-7.3p1: I have commented the ftp link because at the moment it does not work.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17621 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http
    "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp
    " "> <!-- at the moment, unable to connect via ftp: ken
    "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
  <!ENTITY openssh-md5sum    "dfadd9f035d38ce5d58a3bf130b86d08">
  <!ENTITY openssh-size      "1.5 MB">
  <!ENTITY openssh-buildsize "46 MB (56 MB, with tests)">
  <!ENTITY openssh-time      "0.4 SBU (running the tests takes 10+ minutes,
                              irrespective of processor speed)">
  <!-- fo is not running the tests-->
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>
      The <application>OpenSSH</application> package contains
      <command>ssh</command> clients and the <command>sshd</command> daemon. This
      is useful for encrypting authentication and subsequent traffic over a
      network. The <command>ssh</command> and <command>scp</command> commands are
      secure replacements for <command>telnet</command> and <command>rcp</command>
      respectively.
    </para>

    &lfs79_checked;&gcc6_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&openssh-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&openssh-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &openssh-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &openssh-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &openssh-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &openssh-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="openssl"/> or
      <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="x-window-system"/>,
      <xref linkend="mitkrb"/>,
      <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
      <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
      <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
    </para>

    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
    <para role="optional">
      <xref linkend="openjdk"/>,
      <xref linkend="net-tools"/>, and
      <xref linkend="sysstat"/>
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <warning revision="systemd">
      <para>
        If reinstalling over an <application>SSH</application> connection to
        enable <xref linkend="linux-pam"/> support, be certain to temporarily set
        <option>PermitRootLogin</option> to <parameter>yes</parameter> in
        <filename>/etc/ssh/sshd_config</filename> until you complete
        reinstallation of <xref linkend="systemd"/>, or you may find that you are
        unable to log in to the system remotely.
      </para>
    </warning>

    <para>
      <application>OpenSSH</application> runs as two processes when connecting
      to other computers. The first process is a privileged process and controls
      the issuance of privileges as necessary. The second process communicates
      with the network. Additional installation steps are necessary to set up
      the proper environment, which are performed by issuing the following
      commands as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown   -v root:sys /var/lib/sshd &amp;&amp;

groupadd -g 50 sshd &amp;&amp;
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd</userinput></screen>

    <para>
      Install <application>OpenSSH</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh                \
            --with-md5-passwords                 \
            --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>
      The test suite requires an installed copy of <command>scp</command> to
      complete the multiplexing tests. To run the test suite, first copy the
      <command>scp</command> program to
      <filename class="directory">/usr/bin</filename>, making sure that you
      back up any existing copy first.
    </para>

    <para>
      To test the results, issue: <command>make tests</command>.
    </para>

<!-- commenting this, I get "all tests passed" [ ken ]
     NB tests should be run as _user_ but the role in the comment is root

     commenting [ bruce ]: There are a couple of tests that want root.
     The log mentions that SUDO is not set. These skipped tests are
     ignored and the end says 'all tests passed' even when not root

    <para>
      To run the test suite, issue the following commands:
    </para>

<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
grep FATAL check.log</userinput></screen>

    <para>
      If the above command produces no 'FATAL' errors, then proceed with the
      installation, as the <systemitem class="username">root</systemitem> user:
    </para>-->
    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;

install -v -m644 contrib/ssh-copy-id.1 \
                 /usr/share/man/man1 &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* \
                 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
      configuration files from being installed in
      <filename class="directory">/usr/etc</filename>.
    </para>

    <para>
      <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
      passwords.
    </para>

    <para>
      <parameter>--with-pam</parameter>: This parameter enables
      <application>Linux-PAM</application> support in the build.
    </para>

    <para>
      <parameter>--with-xauth=/usr/bin/xauth</parameter>: Sets the default
      location for the <command>xauth</command> binary for X authentication.
      Change the location if <command>xauth</command> will be installed to a
      different path. This can also be controlled from
      <filename>sshd_config</filename> with the XAuthLocation keyword. You can
      omit this switch if <application>Xorg</application> is already installed.
    </para>

    <para>
      <parameter>--with-kerberos5=/usr</parameter>: This option is used to
      include Kerberos 5 support in the build.
    </para>

    <para>
      <parameter>--with-libedit</parameter>: This option enables line editing
      and history features for <command>sftp</command>.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para>
        <filename>~/.ssh/*</filename>,
        <filename>/etc/ssh/ssh_config</filename>, and
        <filename>/etc/ssh/sshd_config</filename>
      </para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>
        There are no required changes to any of these files. However,
        you may wish to view the
        <filename class='directory'>/etc/ssh/</filename> files and make any
        changes appropriate for the security of your system. One recommended
        change is that you disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>. Execute the following command as the
        <systemitem class='username'>root</systemitem> user to disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>:
      </para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you want to be able to log in without typing in your password, first
        create <filename>~/.ssh/id_rsa</filename> and
        <filename>~/.ssh/id_rsa.pub</filename> with
        <command>ssh-keygen</command> and then copy
        <filename>~/.ssh/id_rsa.pub</filename> to
        <filename>~/.ssh/authorized_keys</filename> on the remote computer that
        you want to log into. Replace REMOTE_USERNAME and REMOTE_HOSTNAME with
        the username and hostname of the remote computer; you will also need to
        enter your password for the <command>ssh-copy-id</command> command to
        succeed:
      </para>

<screen><userinput>ssh-keygen &amp;&amp;
ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
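      <para>
        The privilege-separation directory created in the installation section
        (<filename class="directory">/var/lib/sshd</filename>, mode 700, owned by
        <systemitem class="username">root</systemitem>) and the
        <filename>~/.ssh</filename> files that <command>ssh-copy-id</command>
        writes both have to carry the right owner and permissions before
        <command>sshd</command> will use them: with the default
        <option>StrictModes</option> setting, <command>sshd</command> ignores
        <filename>~/.ssh/authorized_keys</filename> if the home directory,
        <filename>~/.ssh</filename> or the file itself is writable by anyone but
        the owner, which is the usual reason a freshly copied key is still met
        with a password prompt. The following script, an added example that is
        not part of the BLFS book or of OpenSSH, checks both sets of paths; the
        function names are assumptions, and it relies on GNU coreutils
        <command>stat</command>.
      </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book or of OpenSSH. Verify the owner
# and mode sshd expects on the privilege-separation directory created above
# (install -m700 / chown root) and on a user's ~/.ssh files after ssh-copy-id.
# With StrictModes (the default) sshd silently ignores authorized_keys when
# the home directory, ~/.ssh or the file is writable by anyone but the owner.
# Assumes GNU coreutils stat(1); the function names are assumptions.

# check_path PATH MAX_MODE OWNER
# Returns 0 when PATH exists, is owned by OWNER and has no permission bits
# beyond MAX_MODE (octal); prints a one-line diagnostic and returns 1 if not.
check_path() {
    path=$1 max_mode=$2 owner=$3
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"; return 1
    fi
    set -- $(stat -c '%a %U' "$path")     # e.g. "700 root"
    mode=$1 have_owner=$2
    # bits set in the actual mode that are not allowed by MAX_MODE
    excess=$(( 0$mode & ~0$max_mode ))
    if [ "$have_owner" != "$owner" ]; then
        echo "BAD OWNER $path: $have_owner (want $owner)"; return 1
    fi
    if [ "$excess" -ne 0 ]; then
        echo "TOO OPEN  $path: mode $mode (want at most $max_mode)"; return 1
    fi
    echo "OK        $path ($have_owner $mode)"
}

# check_privsep_dir DIR: the chroot for the unprivileged sshd process must be
# root-owned and inaccessible to everyone else.
check_privsep_dir() {
    check_path "$1" 700 root
}

# check_user_ssh HOME USER: every path sshd walks before trusting a key.
# The home directory may be readable by others but not writable (755 cap);
# ~/.ssh and authorized_keys must be private to the owner.
check_user_ssh() {
    rc=0
    check_path "$1" 755 "$2" || rc=1
    check_path "$1/.ssh" 700 "$2" || rc=1
    check_path "$1/.ssh/authorized_keys" 600 "$2" || rc=1
    return $rc
}

# On a real system, as root, after the steps above:
#   sh check-ssh-perms.sh /home/alice alice
if [ $# -eq 2 ]; then
    check_privsep_dir /var/lib/sshd
    check_user_ssh "$1" "$2"
fi
```

      <para>
        Run it as <systemitem class="username">root</systemitem> with the home
        directory and user name to check; a <literal>TOO OPEN</literal> line
        names the path to fix with <command>chmod</command>. The same refusals
        show up on the server side as <quote>Authentication refused: bad
        ownership or modes</quote> messages from <command>sshd</command> in the
        system log, which is where to look first when key login fails.
      </para>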

      <para>
        Once you have passwordless logins working, this is actually more secure
        than logging in with a password (as the private key is much longer than
        most people's passwords). If you would now like to disable password
        logins, as the <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>echo "PasswordAuthentication no" &gt;&gt; /etc/ssh/sshd_config &amp;&amp;
echo "ChallengeResponseAuthentication no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you added <application>Linux-PAM</application> support and you want
        ssh to use it, then you will need to add a configuration file for
        <application>sshd</application> and enable use of
        <application>Linux-PAM</application>. Note that ssh only uses PAM to
        check passwords; if you have disabled password logins, these commands
        are not needed. If you want to use PAM, issue the following commands as
        the <systemitem class='username'>root</systemitem> user:
      </para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd &amp;&amp;
echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
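      <para>
        The <command>echo ... &gt;&gt;</command> commands above (for
        PermitRootLogin, PasswordAuthentication,
        ChallengeResponseAuthentication and UsePAM) work on the pristine file
        that <command>make install</command> writes, but <command>sshd</command>
        uses the <emphasis>first</emphasis> value it reads for each keyword, so
        an appended line never overrides an earlier active one, and anything
        appended after a <literal>Match</literal> block becomes part of that
        block rather than a global setting. The following shell helper, an added
        example that is not part of the BLFS book or of OpenSSH, rewrites an
        existing active line or inserts the keyword before the first
        <literal>Match</literal>, and reports the value <command>sshd</command>
        will actually use. The function names and the sample configuration in
        the comments are assumptions made for this example.
      </para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book or of OpenSSH. Set a keyword in an
# sshd_config so that it takes effect: sshd(8) uses the first value it reads
# for each keyword, and lines after a "Match" keyword belong to that block.
# Assumes POSIX sh, awk, cat and mktemp; the function names are assumptions.

# sshd_effective FILE KEYWORD
# Print the global value sshd would use for KEYWORD: the first uncommented
# occurrence before any Match block. Keywords are case-insensitive and may be
# written "Keyword value" or "Keyword=value".
sshd_effective() {
    awk -v kw="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(#|$)/ { next }                     # comment or blank line
        tolower($1) == "match" { exit }              # global section ends here
        {
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(kw)) { print f[2]; exit }
        }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE
# Replace the first active global line for KEYWORD or, if there is none,
# insert "KEYWORD VALUE" before the first Match block (at the end of the file
# when there is no Match block). Commented-out defaults are left untouched,
# which keeps the file readable for the next person.
sshd_set() {
    file=$1 kw=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v kw="$kw" -v val="$val" '
        function iskw(line,   f) {
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) return 0
            split(line, f, /[ \t=]+/)
            return tolower(f[1]) == tolower(kw)
        }
        placed { print; next }                       # change already made: copy the rest
        tolower($1) == "match" { print kw " " val; placed = 1; print; next }
        iskw($0) { print kw " " val; placed = 1; next }
        { print }
        END { if (!placed) print kw " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example on a real system, as root (assumed paths and values):
#   sshd_set /etc/ssh/sshd_config PermitRootLogin no
#   sshd_effective /etc/ssh/sshd_config PermitRootLogin    # prints: no
```

      <para>
        After editing, <command>sshd -t</command> checks the file for syntax
        errors and <command>sshd -T</command> prints the effective configuration;
        run both as <systemitem class="username">root</systemitem> before
        restarting the daemon, since a broken <filename>sshd_config</filename>
        prevents <command>sshd</command> from starting at all.
      </para>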

      <para>
        Additional configuration information can be found in the man
        pages for <command>sshd</command>, <command>ssh</command> and
        <command>ssh-agent</command>.
      </para>
    </sect3>

    <sect3 id="openssh-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To start the SSH server at system boot, install the
        <filename>/etc/rc.d/init.d/sshd</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To start the SSH server at system boot, install the
        <filename>sshd.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>
    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
          ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
        </seg>
        <seg>
          None
        </seg>
        <seg>
          /etc/ssh,
          /usr/share/doc/openssh-&openssh-version;, and
          /var/lib/sshd
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>
            is a file copy program that acts like <command>rcp</command> except
            it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>
            is an FTP-like program that works over the SSH1 and SSH2 protocols.
          </para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>
            is a symlink to <command>ssh</command>.
          </para>
          <indexterm zone="openssh slogin">
            <primary sortas="b-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>
            is an <command>rlogin</command>/<command>rsh</command>-like client
            program except it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>
            is a daemon that listens for <command>ssh</command> login requests.
          </para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>
            is a tool which adds keys to the <command>ssh-agent</command>.
          </para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>
            is an authentication agent that can store private keys.
          </para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-copy-id">
        <term><command>ssh-copy-id</command></term>
        <listitem>
          <para>
            is a script that enables logins on a remote machine using local keys.
          </para>
          <indexterm zone="openssh ssh-copy-id">
            <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>
            is a key generation tool.
          </para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>
            is a utility for gathering public host keys from a number of hosts.
          </para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>
  </sect2>
</sect1>