Context Navigation

source: postlfs/security/openssh.xml@ ac1f23de

Visit:

12.2 gimp3 lazarus trunk xry111/for-12.3 xry111/spidermonkey128

Last change on this file since ac1f23de was f37d3102, checked in by Bruce Dubbs <bdubbs@…>, 3 months ago
Update to openssh-9.8p1 (Security Update).
Property mode set to `100644`
File size: 19.3 KB

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp " ">
10	<!ENTITY openssh-md5sum "&openssh-md5sum;">
11	<!ENTITY openssh-size "1.8 MB">
12	<!ENTITY openssh-buildsize "44 MB (add 22 MB for tests)">
13	<!ENTITY openssh-time "0.3 SBU (Using parallelism=4;
14	running the tests takes about 20 minutes,
15	irrespective of processor speed)">
16	]>
17
18	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
19	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
20	<!-- make check: real 18m25.324s; 9.8p1 1 Jul 2024 -->
21
22	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
23	<?dbhtml filename="openssh.html"?>
24
25	<title>OpenSSH-&openssh-version;</title>
26
27	<indexterm zone="openssh">
28	<primary sortas="a-OpenSSH">OpenSSH</primary>
29	</indexterm>
30
31	<sect2 role="package">
32	<title>Introduction to OpenSSH</title>
33
34	<para>
35	The <application>OpenSSH</application> package contains
36	<command>ssh</command> clients and the <command>sshd</command> daemon.
37	This is useful for encrypting authentication and subsequent traffic over
38	a network. The <command>ssh</command> and <command>scp</command> commands
39	are secure implementations of <command>telnet</command> and
40	<command>rcp</command> respectively.
41	</para>
42
43	&lfs121_checked;
44
45	<bridgehead renderas="sect3">Package Information</bridgehead>
46	<itemizedlist spacing="compact">
47	<listitem>
48	<para>
49	Download (HTTP): <ulink url="&openssh-download-http;"/>
50	</para>
51	</listitem>
52	<listitem>
53	<para>
54	Download (FTP): <ulink url="&openssh-download-ftp;"/>
55	</para>
56	</listitem>
57	<listitem>
58	<para>
59	Download MD5 sum: &openssh-md5sum;
60	</para>
61	</listitem>
62	<listitem>
63	<para>
64	Download size: &openssh-size;
65	</para>
66	</listitem>
67	<listitem>
68	<para>
69	Estimated disk space required: &openssh-buildsize;
70	</para>
71	</listitem>
72	<listitem>
73	<para>
74	Estimated build time: &openssh-time;
75	</para>
76	</listitem>
77	</itemizedlist>
78	<!--
79	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
80	<itemizedlist spacing="compact">
81	<listitem>
82	<para>
83	Required patch:
84	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
85	</para>
86	</listitem>
87	</itemizedlist>
88	-->
89	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
90
91	<bridgehead renderas="sect4">Optional</bridgehead>
92	<para role="optional">
93	<xref linkend="gdb"/> (for tests),
94	<xref linkend="linux-pam"/> (PAM configuration files from
95	<xref linkend="shadow"/> are used to create openssh ones),
96	<xref linkend="xorg7-app"/> (or
97	<xref linkend='xorg-env' role='nodep'/>, see Command Explanations),
98	<xref linkend="mitkrb"/>,
99	<xref linkend="which"/> (for tests),
100	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	</sect2>
114
115	<sect2 role="installation">
116	<title>Installation of OpenSSH</title>
117
118	<para>
119	<application>OpenSSH</application> runs as two processes when connecting
120	to other computers. The first process is a privileged process and controls
121	the issuance of privileges as necessary. The second process communicates
122	with the network. Additional installation steps are necessary to set up
123	the proper environment, which are performed by issuing the following
124	commands as the <systemitem class="username">root</systemitem> user:
125	</para>
126
127	<screen role="root"><userinput>install -v -g sys -m700 -d /var/lib/sshd &&
128
129	groupadd -g 50 sshd &&
130	useradd -c 'sshd PrivSep' \
131	-d /var/lib/sshd \
132	-g sshd \
133	-s /bin/false \
134	-u 50 sshd</userinput></screen>
135	<!--
136	<para>
137	Apply a patch to allow OpenSSH to build and function with
138	<application>Glibc-2.31</application> and later:
139	</para>
140
141	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
142	-->
143
144	<!-- Applied in 8.5p1
145	<para>
146	First, adapt <application>ssh-copy-id</application> to changes
147	in bash-5.1:
148	</para>
149
150	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
151
152	<para>
153	Next, fix an issue on platforms other than x86_64:
154	</para>
155	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
156	l1="#ifdef __NR_pselect6_time64"
157	l2=" SC_ALLOW(__NR_pselect6_time64),"
158	l3="#endif"
159	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
160	-i sandbox-seccomp-filter.c
161	fi</userinput></screen>
162	-->
163	<para>
164	Install <application>OpenSSH</application> by running the following
165	commands:
166	</para>
167
168	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
169	block leaves an eyesore. -->
170	<screen><userinput>./configure --prefix=/usr \
171	--sysconfdir=/etc/ssh \
172	--with-privsep-path=/var/lib/sshd \
173	--with-default-path=/usr/bin \
174	--with-superuser-path=/usr/sbin:/usr/bin \
175	--with-pid-dir=/run &&
176	make</userinput></screen>
177
178	<!-- I got all tests passed without this with 9.3p1, June 12, 2023.
179	<para>
180	The test suite requires an installed copy of <command>scp</command> to
181	complete the multiplexing tests. To run the test suite, first copy the
182	<command>scp</command> program to
183	<filename class="directory">/usr/bin</filename>, making sure that you
184	backup any existing copy first.
185	</para>
186	-->
187	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
188	<para>
189	If you wish to run the tests, remove a test suite that is not valid on
190	Linux-based platforms:
191	</para>
192
193	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
194	-->
195	<para>
196	To test the results, issue: <command>make -j1 tests</command>.
197	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
198	</para>
199
200	<!-- commenting this, I get "all tests passed" [ ken ]
201	NB tests should be run as _user_ but the role in the comment is root
202
203	commenting [ bruce ]: There are a couple of tests that want root.
204	The log mentions that SUDO is not set. These skipped tests are
205	ignored and the end says 'all tests passed' even when not root
206
207	<para>
208	To run the test suite, issue the following commands:
209	</para>
210
211	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
212	grep FATAL check.log</userinput></screen>
213
214	<para>
215	If the above command produces no 'FATAL' errors, then proceed with the
216	installation, as the <systemitem class="username">root</systemitem> user:
217	</para>-->
218	<para>
219	Now, as the <systemitem class="username">root</systemitem> user:
220	</para>
221
222	<screen role="root"><userinput>make install &&
223	install -v -m755 contrib/ssh-copy-id /usr/bin &&
224
225	install -v -m644 contrib/ssh-copy-id.1 \
226	/usr/share/man/man1 &&
227	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
228	install -v -m644 INSTALL LICENCE OVERVIEW README* \
229	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
230	</sect2>
231
232	<sect2 role="commands">
233	<title>Command Explanations</title>
234
235	<para>
236	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
237	configuration files from being installed in
238	<filename class="directory">/usr/etc</filename>.
239	</para>
240
241	<para>
242	<parameter>--with-default-path=/usr/bin</parameter> and
243	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
244	These set <envar>PATH</envar> consistent with LFS and BLFS
245	<application>Shadow</application> package.
246	</para>
247
248	<para>
249	<parameter>--with-pid-dir=/run</parameter>: This prevents
250	<application>OpenSSH</application> from referring to deprecated
251	<filename class="directory">/var/run</filename>.
252	</para>
253	<!--
254	<para>
255	<parameter>- -without-zlib-version-check</parameter>: This prevents
256	<application>OpenSSH</application> from checking the version of
257	the system <application>Zlib</application>. We need to use this
258	switch or the version check would mistakenly report the latest
259	<application>Zlib</application> 1.13 <quote>too old</quote> and
260	reject it.
261	</para>
262	-->
263	<para>
264	<option>--with-pam</option>: This parameter enables
265	<application>Linux-PAM</application> support in the build.
266	</para>
267
268	<para>
269	<option>--with-xauth=$XORG_PREFIX/bin/xauth</option>: Set the default
270	location for the <command>xauth</command> binary for X authentication.
271	The environment variable <envar>XORG_PREFIX</envar> should be set
272	following <xref linkend='xorg-env'/>. This can also be controlled from
273	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
274	omit this switch if <application>Xorg</application> is already installed.
275	</para>
276
277	<para>
278	<option>--with-kerberos5=/usr</option>: This option is used to
279	include Kerberos 5 support in the build.
280	</para>
281
282	<para>
283	<option>--with-libedit</option>: This option enables line editing
284	and history features for <command>sftp</command>.
285	</para>
286
287	</sect2>
288
289	<sect2 role="configuration">
290	<title>Configuring OpenSSH</title>
291
292	<sect3 id="openssh-config">
293	<title>Config Files</title>
294
295	<para>
296	<filename>~/.ssh/*</filename>,
297	<filename>/etc/ssh/ssh_config</filename>, and
298	<filename>/etc/ssh/sshd_config</filename>
299	</para>
300
301	<indexterm zone="openssh openssh-config">
302	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
303	</indexterm>
304
305	<indexterm zone="openssh openssh-config">
306	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
307	</indexterm>
308
309	<indexterm zone="openssh openssh-config">
310	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
311	</indexterm>
312
313	<para>
314	There are no required changes to any of these files. However,
315	you may wish to view the
316	<filename class='directory'>/etc/ssh/</filename> files and make any
317	changes appropriate for the security of your system. One recommended
318	change is that you disable
319	<systemitem class='username'>root</systemitem> login via
320	<command>ssh</command>. Execute the following command as the
321	<systemitem class='username'>root</systemitem> user to disable
322	<systemitem class='username'>root</systemitem> login via
323	<command>ssh</command>:
324	</para>
325
326	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
327
328	<para>
329	If you want to be able to log in without typing in your password, first
330	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
331	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
332	~/.ssh/authorized_keys on the remote computer that you want to log into.
333	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
334	computer and you'll also need to enter your password for the ssh-copy-id command
335	to succeed:
336	</para>
337
338	<screen role='nodump'><userinput>ssh-keygen &&
339	ssh-copy-id -i ~/.ssh/id_ed25519.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
340
341	<para>
342	Once you've got passwordless logins working it's actually more secure
343	than logging in with a password (as the private key is much longer than
344	most people's passwords). If you would like to now disable password
345	logins, as the <systemitem class="username">root</systemitem> user:
346	</para>
347
348
349	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
350	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
351
352	<para>
353	If you added <application>Linux-PAM</application> support and you want
354	ssh to use it then you will need to add a configuration file for
355	<application>sshd</application> and enable use of
356	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
357	passwords, if you've disabled password logins these commands are not
358	needed. If you want to use PAM, issue the following commands as the
359	<systemitem class='username'>root</systemitem> user:
360	</para>
361
362	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
363	chmod 644 /etc/pam.d/sshd &&
364	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
365
366	<para>
367	Additional configuration information can be found in the man
368	pages for <command>sshd</command>, <command>ssh</command> and
369	<command>ssh-agent</command>.
370	</para>
371	</sect3>
372
373	<sect3 id="openssh-init">
374	<title><phrase revision="sysv">Boot Script</phrase>
375	<phrase revision="systemd">Systemd Unit</phrase></title>
376
377	<para revision="sysv">
378	To start the SSH server at system boot, install the
379	<filename>/etc/rc.d/init.d/sshd</filename> init script included
380	in the <xref linkend="bootscripts"/> package.
381	</para>
382
383	<para revision="systemd">
384	To start the SSH server at system boot, install the
385	<filename>sshd.service</filename> unit included in the
386	<xref linkend="systemd-units"/> package.
387	</para>
388
389	<indexterm zone="openssh openssh-init">
390	<primary sortas="f-sshd">sshd</primary>
391	</indexterm>
392
393	<screen role="root"><userinput>make install-sshd</userinput></screen>
394	</sect3>
395	</sect2>
396
397	<sect2 role="content">
398	<title>Contents</title>
399
400	<segmentedlist>
401	<segtitle>Installed Programs</segtitle>
402	<segtitle>Installed Libraries</segtitle>
403	<segtitle>Installed Directories</segtitle>
404
405	<seglistitem>
406	<seg>
407	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
408	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
409	</seg>
410	<seg>
411	None
412	</seg>
413	<seg>
414	/etc/ssh,
415	/usr/share/doc/openssh-&openssh-version;, and
416	/var/lib/sshd
417	</seg>
418	</seglistitem>
419	</segmentedlist>
420
421	<variablelist>
422	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
423	<?dbfo list-presentation="list"?>
424	<?dbhtml list-presentation="table"?>
425
426	<varlistentry id="scp">
427	<term><command>scp</command></term>
428	<listitem>
429	<para>
430	is a file copy program that acts like <command>rcp</command> except
431	it uses an encrypted protocol
432	</para>
433	<indexterm zone="openssh scp">
434	<primary sortas="b-scp">scp</primary>
435	</indexterm>
436	</listitem>
437	</varlistentry>
438
439	<varlistentry id="sftp">
440	<term><command>sftp</command></term>
441	<listitem>
442	<para>
443	is an FTP-like program that works over the SSH1 and SSH2 protocols
444	</para>
445	<indexterm zone="openssh sftp">
446	<primary sortas="b-sftp">sftp</primary>
447	</indexterm>
448	</listitem>
449	</varlistentry>
450	<!-- Not installed anymore as of 8.5p1
451	<varlistentry id="slogin">
452	<term><command>slogin</command></term>
453	<listitem>
454	<para>
455	is a symlink to <command>ssh</command>
456	</para>
457	<indexterm zone="openssh slogin">
458	<primary sortas="b-slogin">slogin</primary>
459	</indexterm>
460	</listitem>
461	</varlistentry>
462	-->
463	<varlistentry id="ssh">
464	<term><command>ssh</command></term>
465	<listitem>
466	<para>
467	is an <command>rlogin</command>/<command>rsh</command>-like client
468	program except it uses an encrypted protocol
469	</para>
470	<indexterm zone="openssh ssh">
471	<primary sortas="b-ssh">ssh</primary>
472	</indexterm>
473	</listitem>
474	</varlistentry>
475
476	<varlistentry id="sshd">
477	<term><command>sshd</command></term>
478	<listitem>
479	<para>
480	is a daemon that listens for <command>ssh</command> login requests
481	</para>
482	<indexterm zone="openssh sshd">
483	<primary sortas="b-sshd">sshd</primary>
484	</indexterm>
485	</listitem>
486	</varlistentry>
487
488	<varlistentry id="ssh-add">
489	<term><command>ssh-add</command></term>
490	<listitem>
491	<para>
492	is a tool which adds keys to the <command>ssh-agent</command>
493	</para>
494	<indexterm zone="openssh ssh-add">
495	<primary sortas="b-ssh-add">ssh-add</primary>
496	</indexterm>
497	</listitem>
498	</varlistentry>
499
500	<varlistentry id="ssh-agent">
501	<term><command>ssh-agent</command></term>
502	<listitem>
503	<para>
504	is an authentication agent that can store private keys
505	</para>
506	<indexterm zone="openssh ssh-agent">
507	<primary sortas="b-ssh-agent">ssh-agent</primary>
508	</indexterm>
509	</listitem>
510	</varlistentry>
511
512	<varlistentry id="ssh-copy-id">
513	<term><command>ssh-copy-id</command></term>
514	<listitem>
515	<para>
516	is a script that enables logins on remote machines using local keys
517	</para>
518	<indexterm zone="openssh ssh-copy-id">
519	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
520	</indexterm>
521	</listitem>
522	</varlistentry>
523
524	<varlistentry id="ssh-keygen">
525	<term><command>ssh-keygen</command></term>
526	<listitem>
527	<para>
528	is a key generation tool
529	</para>
530	<indexterm zone="openssh ssh-keygen">
531	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
532	</indexterm>
533	</listitem>
534	</varlistentry>
535
536	<varlistentry id="ssh-keyscan">
537	<term><command>ssh-keyscan</command></term>
538	<listitem>
539	<para>
540	is a utility for gathering public host keys from a number of hosts
541	</para>
542	<indexterm zone="openssh ssh-keyscan">
543	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
544	</indexterm>
545	</listitem>
546	</varlistentry>
547
548	</variablelist>
549	</sect2>
550
551	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: