source: postlfs/security/openssh.xml@ acf7e2c

basic
Last change on this file since acf7e2c was acf7e2c, checked in by Bruce Dubbs <bdubbs@…>, 4 years ago

Updates to Basic BLFS Chapter 3

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/basic@20519 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "ce1d090fa6239fd38eb989d5e983b074">
13 <!ENTITY openssh-size "1.5 MB">
14 <!ENTITY openssh-buildsize "44 MB (add 7 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 18+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs83_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>Required patch: <ulink url="&patch-root;/openssh-&openssh-version;-openssl-1.1.0-1.patch"/></para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89
90 <bridgehead renderas="sect4">Optional</bridgehead>
91 <para role="optional">
92 <ulink url="&blfs-book;/postlfs/linux-pam.html">linux-pam</ulink>,
93 <ulink url="&blfs-book;x/installing.html">x-window-system</ulink>,
94 <ulink url="&blfs-book;postlfs/mitkrb.html">MIT Kerberos</ulink>,
95 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
96 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
97 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
98 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
99 </para>
100
101 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
102 <para role="optional">
103 <ulink role="runtime" url="&blfs-book;general/openjdk.html">OpenJDK</ulink>,
104 <ulink role="runtime" url="&blfs-book;basicnet/net-tools.html">net-tools</ulink>, and
105 <ulink role="runtime" url="&blfs-book;general/sysstat.html">sysstat</ulink>
106 </para>
107
108 <para condition="html" role="usernotes">
109 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
110 </para>
111 </sect2>
112
113 <sect2 role="installation">
114 <title>Installation of OpenSSH</title>
115
116 <para>
117 <application>OpenSSH</application> runs as two processes when connecting
118 to other computers. The first process is a privileged process and controls
119 the issuance of privileges as necessary. The second process communicates
120 with the network. Additional installation steps are necessary to set up
121 the proper environment, which are performed by issuing the following
122 commands as the <systemitem class="username">root</systemitem> user:
123 </para>
124
125<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
126chown -v root:sys /var/lib/sshd &amp;&amp;
127
128groupadd -g 50 sshd &amp;&amp;
129useradd -c 'sshd PrivSep' \
130 -d /var/lib/sshd \
131 -g sshd \
132 -s /bin/false \
133 -u 50 sshd</userinput></screen>
134
135 <para>
136 Install <application>OpenSSH</application> by running the following
137 commands:
138 </para>
139
140<screen><userinput>patch -Np1 -i ../openssh-&openssh-version;-openssl-1.1.0-1.patch &amp;&amp;
141
142./configure --prefix=/usr \
143 --sysconfdir=/etc/ssh \
144 --with-md5-passwords \
145 --with-privsep-path=/var/lib/sshd &amp;&amp;
146make</userinput></screen>
147
148 <para>
149 The testsuite requires an installed copy of <command>scp</command> to
150 complete the multiplexing tests. To run the test suite, first copy the
151 <command>scp</command> program to
152 <filename class="directory">/usr/bin</filename>, making sure that you
153 backup any existing copy first.
154 </para>
155
156 <para>
157 To test the results, issue: <command>make tests</command>.
158 </para>
159
160<!-- commenting this, I get "all tests passed" [ ken ]
161 NB tests should be run as _user_ but the role in the comment is root
162
163 commenting [ bruce ]: There are a couple of tests that want root.
164 The log mentions that SUDO is not set. These skipped tests are
165 ignored and the end says 'all tests passed' even when not root
166
167 <para>
168 To run the test suite, issue the following commands:
169 </para>
170
171<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
172grep FATAL check.log</userinput></screen>
173
174 <para>
175 If the above command produces no 'FATAL' errors, then proceed with the
176 installation, as the <systemitem class="username">root</systemitem> user:
177 </para>-->
178 <para>
179 Now, as the <systemitem class="username">root</systemitem> user:
180 </para>
181
182<screen role="root"><userinput>make install &amp;&amp;
183install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
184
185install -v -m644 contrib/ssh-copy-id.1 \
186 /usr/share/man/man1 &amp;&amp;
187install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
188install -v -m644 INSTALL LICENCE OVERVIEW README* \
189 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
190 </sect2>
191
192 <sect2 role="commands">
193 <title>Command Explanations</title>
194
195 <para>
196 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
197 configuration files from being installed in
198 <filename class="directory">/usr/etc</filename>.
199 </para>
200
201 <para>
202 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
203 passwords.
204 </para>
205
206 <para>
207 <option>--with-pam</option>: This parameter enables
208 <application>Linux-PAM</application> support in the build.
209 </para>
210
211 <para>
212 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
213 location for the <command>xauth</command> binary for X authentication.
214 Change the location if <command>xauth</command> will be installed to a
215 different path. This can also be controlled from
216 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
217 omit this switch if <application>Xorg</application> is already installed.
218 </para>
219
220 <para>
221 <option>--with-kerberos5=/usr</option>: This option is used to
222 include Kerberos 5 support in the build.
223 </para>
224
225 <para>
226 <option>--with-libedit</option>: This option enables line editing
227 and history features for <command>sftp</command>.
228 </para>
229
230 </sect2>
231
232 <sect2 role="configuration">
233 <title>Configuring OpenSSH</title>
234
235 <sect3 id="openssh-config">
236 <title>Config Files</title>
237
238 <para>
239 <filename>~/.ssh/*</filename>,
240 <filename>/etc/ssh/ssh_config</filename>, and
241 <filename>/etc/ssh/sshd_config</filename>
242 </para>
243
244 <indexterm zone="openssh openssh-config">
245 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
246 </indexterm>
247
248 <indexterm zone="openssh openssh-config">
249 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
250 </indexterm>
251
252 <indexterm zone="openssh openssh-config">
253 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
254 </indexterm>
255
256 <para>
257 There are no required changes to any of these files. However,
258 you may wish to view the
259 <filename class='directory'>/etc/ssh/</filename> files and make any
260 changes appropriate for the security of your system. One recommended
261 change is that you disable
262 <systemitem class='username'>root</systemitem> login via
263 <command>ssh</command>. Execute the following command as the
264 <systemitem class='username'>root</systemitem> user to disable
265 <systemitem class='username'>root</systemitem> login via
266 <command>ssh</command>:
267 </para>
268
269<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
270
271 <para>
272 If you want to be able to log in without typing in your password, first
273 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
274 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
275 ~/.ssh/authorized_keys on the remote computer that you want to log into.
276 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
277 computer and you'll also need to enter your password for the ssh-copy-id command
278 to succeed:
279 </para>
280
281<screen><userinput>ssh-keygen &amp;&amp;
282ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
283
284 <para>
285 Once you've got passwordless logins working it's actually more secure
286 than logging in with a password (as the private key is much longer than
287 most people's passwords). If you would like to now disable password
288 logins, as the <systemitem class="username">root</systemitem> user:
289 </para>
290
291
292<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
293echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
294
295 <para>
296 If you added <application>Linux-PAM</application> support and you want
297 ssh to use it then you will need to add a configuration file for
298 <application>sshd</application> and enable use of
299 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
300 passwords, if you've disabled password logins these commands are not
301 needed. If you want to use PAM, issue the following commands as the
302 <systemitem class='username'>root</systemitem> user:
303 </para>
304
305<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
306chmod 644 /etc/pam.d/sshd &amp;&amp;
307echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
308
309 <para>
310 Additional configuration information can be found in the man
311 pages for <command>sshd</command>, <command>ssh</command> and
312 <command>ssh-agent</command>.
313 </para>
314 </sect3>
315
316 <sect3 id="openssh-init">
317 <title>Installing the Boot Script or Systemd Unit</title>
318
319 <para>
320 If using the System V version of LFS, you can start the SSH server at
321 system boot by installing the
322 <filename>/etc/rc.d/init.d/sshd</filename> init script included
323 in the <xref linkend="bootscripts"/> package.
324 </para>
325
326 <para>
327 If using the systemd version of LFS, you can start the SSH server at
328 system boot by installing the
329 <filename>sshd.service</filename> unit included in the
330 <xref linkend="systemd-units"/> package.
331 </para>
332
333 <indexterm zone="openssh openssh-init">
334 <primary sortas="f-sshd">sshd</primary>
335 </indexterm>
336
337<screen role="root"><userinput>make install-sshd</userinput></screen>
338 </sect3>
339 </sect2>
340
341 <sect2 role="content">
342 <title>Contents</title>
343
344 <segmentedlist>
345 <segtitle>Installed Programs</segtitle>
346 <segtitle>Installed Libraries</segtitle>
347 <segtitle>Installed Directories</segtitle>
348
349 <seglistitem>
350 <seg>
351 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
352 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
353 </seg>
354 <seg>
355 None
356 </seg>
357 <seg>
358 /etc/ssh,
359 /usr/share/doc/openssh-&openssh-version;, and
360 /var/lib/sshd
361 </seg>
362 </seglistitem>
363 </segmentedlist>
364
365 <variablelist>
366 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
367 <?dbfo list-presentation="list"?>
368 <?dbhtml list-presentation="table"?>
369
370 <varlistentry id="scp">
371 <term><command>scp</command></term>
372 <listitem>
373 <para>
374 is a file copy program that acts like <command>rcp</command> except
375 it uses an encrypted protocol.
376 </para>
377 <indexterm zone="openssh scp">
378 <primary sortas="b-scp">scp</primary>
379 </indexterm>
380 </listitem>
381 </varlistentry>
382
383 <varlistentry id="sftp">
384 <term><command>sftp</command></term>
385 <listitem>
386 <para>
387 is an FTP-like program that works over the SSH1 and SSH2 protocols.
388 </para>
389 <indexterm zone="openssh sftp">
390 <primary sortas="b-sftp">sftp</primary>
391 </indexterm>
392 </listitem>
393 </varlistentry>
394
395 <varlistentry id="slogin">
396 <term><command>slogin</command></term>
397 <listitem>
398 <para>
399 is a symlink to <command>ssh</command>.
400 </para>
401 <indexterm zone="openssh slogin">
402 <primary sortas="b-slogin">slogin</primary>
403 </indexterm>
404 </listitem>
405 </varlistentry>
406
407 <varlistentry id="ssh">
408 <term><command>ssh</command></term>
409 <listitem>
410 <para>
411 is an <command>rlogin</command>/<command>rsh</command>-like client
412 program except it uses an encrypted protocol.
413 </para>
414 <indexterm zone="openssh ssh">
415 <primary sortas="b-ssh">ssh</primary>
416 </indexterm>
417 </listitem>
418 </varlistentry>
419
420 <varlistentry id="sshd">
421 <term><command>sshd</command></term>
422 <listitem>
423 <para>
424 is a daemon that listens for <command>ssh</command> login requests.
425 </para>
426 <indexterm zone="openssh sshd">
427 <primary sortas="b-sshd">sshd</primary>
428 </indexterm>
429 </listitem>
430 </varlistentry>
431
432 <varlistentry id="ssh-add">
433 <term><command>ssh-add</command></term>
434 <listitem>
435 <para>
436 is a tool which adds keys to the <command>ssh-agent</command>.
437 </para>
438 <indexterm zone="openssh ssh-add">
439 <primary sortas="b-ssh-add">ssh-add</primary>
440 </indexterm>
441 </listitem>
442 </varlistentry>
443
444 <varlistentry id="ssh-agent">
445 <term><command>ssh-agent</command></term>
446 <listitem>
447 <para>
448 is an authentication agent that can store private keys.
449 </para>
450 <indexterm zone="openssh ssh-agent">
451 <primary sortas="b-ssh-agent">ssh-agent</primary>
452 </indexterm>
453 </listitem>
454 </varlistentry>
455
456 <varlistentry id="ssh-copy-id">
457 <term><command>ssh-copy-id</command></term>
458 <listitem>
459 <para>
460 is a script that enables logins on remote machine using local keys.
461 </para>
462 <indexterm zone="openssh ssh-copy-id">
463 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
464 </indexterm>
465 </listitem>
466 </varlistentry>
467
468 <varlistentry id="ssh-keygen">
469 <term><command>ssh-keygen</command></term>
470 <listitem>
471 <para>
472 is a key generation tool.
473 </para>
474 <indexterm zone="openssh ssh-keygen">
475 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
476 </indexterm>
477 </listitem>
478 </varlistentry>
479
480 <varlistentry id="ssh-keyscan">
481 <term><command>ssh-keyscan</command></term>
482 <listitem>
483 <para>
484 is a utility for gathering public host keys from a number of hosts.
485 </para>
486 <indexterm zone="openssh ssh-keyscan">
487 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
488 </indexterm>
489 </listitem>
490 </varlistentry>
491
492 </variablelist>
493 </sect2>
494</sect1>
Note: See TracBrowser for help on using the repository browser.