source: postlfs/security/openssh.xml@ bc6e56d

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http
    "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp
    "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum        "3c9347aa67862881c5da3f3b1c08da7b">
  <!ENTITY openssh-size          "1.1 MB">
  <!ENTITY openssh-buildsize     "31 MB">
  <!ENTITY openssh-time          "0.6 SBU">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <para>
    The <application>OpenSSH</application> package contains
    <command>ssh</command> clients and the <command>sshd</command> daemon. This
    is useful for encrypting authentication and subsequent traffic over a
    network. The <command>ssh</command> and <command>scp</command> commands are
    secure implementions of <command>telnet</command> and <command>rcp</command>
    respectively.
  </para>

  &lfs71_checked;

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&openssh-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&openssh-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &openssh-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &openssh-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &openssh-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &openssh-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="linux-pam"/>,
      <xref linkend="x-window-system"/>,
      <xref linkend="mitkrb"/>,
      <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
      (provides a command-line history feature to <command>sftp</command>),
      <ulink url="http://www.opensc-project.org/">OpenSC</ulink> and
      <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
    </para>

    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
    <para role="optional">
      <xref linkend="openjdk"/>,
      <xref linkend="net-tools"/> and
      <xref linkend="sysstat"/>.
    </para>

    <para condition="html" role="usernotes">
        User Notes: <ulink url='&blfs-wiki;/OpenSSH'/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para>
      <application>OpenSSH</application> runs as two processes when connecting
      to other computers. The first process is a privileged process and controls
      the issuance of privileges as necessary. The second process communicates
      with the network. Additional installation steps are necessary to set up
      the proper environment, which are performed by issuing the following
      commands as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

    <para>
      Install <application>OpenSSH</application> by running the following
      commands:
    </para>

<screen><userinput>sed -i.bak '/K5LIBS=/s/ -ldes//' configure &amp;&amp;
./configure --prefix=/usr \
            --sysconfdir=/etc/ssh \
            --datadir=/usr/share/sshd \
            --with-md5-passwords \
            --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>
      The testsuite requires an installed copy of <command>scp</command> to
      complete the multiplexing tests. To run the test suite, first copy the
      <command>scp</command> program to
      <filename class="directory">/usr/bin</filename>, making sure that you
      back up any existing copy first.
    </para>

    <para>
      To run the test suite, issue the following commands:
    </para>

<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
grep FATAL check.log</userinput></screen>

    <para>
      If the above command produces no 'FATAL' errors, then proceed with the
      installation, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -i.bak '/K5LIBS=/s/ -ldes//' configure</command>: This sed
      fixes a build crash if you used the <option>--with-kerberos5</option>
      option. The command is harmless in all other instances.
    </para>

    <para>
      <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
      configuration files from being installed in
      <filename class="directory">/usr/etc</filename>.
    </para>

    <para>
      <parameter>--datadir=/usr/share/sshd</parameter>: This switch puts the
      Ssh.bin file (used for SmartCard authentication) in
      <filename class="directory">/usr/share/sshd</filename>.
    </para>

    <para>
      <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
      passwords.
    </para>

    <para>
      <parameter>--with-pam</parameter>: This parameter enables
      <application>Linux-PAM</application> support in the build.
    </para>

    <para>
      <parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the default
      location for the <command>xauth</command> binary for X authentication.
      Change the location if <command>xauth</command> will be installed to a
      different path. This can also be controlled from
      <filename>sshd_config</filename> with the XAuthLocation keyword. You can
      omit this switch if <application>Xorg</application> is already installed.
    </para>

    <para>
      <parameter>--with-kerberos5=/usr</parameter>: This option is used to
      include Kerberos 5 support in the build.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para>
        <filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename>
        </para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>
        There are no required changes to any of these files. However,
        you may wish to view the
        <filename class='directory'>/etc/ssh/</filename> files and make any
        changes appropriate for the security of your system. One recommended
        change is that you disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>. Execute the following command as the
        <systemitem class='username'>root</systemitem> user to disable
        <systemitem class='username'>root</systemitem> login via
        <command>ssh</command>:
      </para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you want to be able to log in without typing in your password, first
        create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
        <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
        ~/.ssh/authorized_keys on the remote computer that you want to log into.
        You'll need to change REMOTE_HOSTNAME for the hostname of the remote
        computer and you'll also need to enter you password for the ssh command
        to succeed:
      </para>

<screen><userinput>ssh-keygen &amp;&amp;
public_key="$(cat ~/.ssh/id_rsa.pub)" &amp;&amp;
ssh REMOTE_HOSTNAME "echo ${public_key} &gt;&gt; ~/.ssh/authorized_keys" &amp;&amp;
unset public_key</userinput></screen>

      <para>
        Once you've got passwordless logins working it's actually more secure
        than logging in with a password (as the private key is much longer than
        most people's passwords). If you would like to now disable password
        logins, as the <systemitem class="username">root</systemitem> user:
      </para>


<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>

      <para>
        If you added <application>LinuxPAM</application> support and you want
        ssh to use it then you will need to add a configuration file for
        <application>sshd</application> and enable use of
        <application>LinuxPAM</application>. Note, ssh only uses PAM to check
        passwords, if you've disabled password logins these commands are not
        needed. If you want to use PAM issue the following commands as the
        <systemitem class='username'>root</systemitem> user:
      </para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd &amp;&amp;
echo "USEPAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>
        Additional configuration information can be found in the man
        pages for <command>sshd</command>, <command>ssh</command> and
        <command>ssh-agent</command>.
      </para>
    </sect3>

    <sect3  id="openssh-init">
      <title>Boot Script</title>

      <para>
        To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.
        </para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>
    </sect3>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
          ssh-keygen, ssh-keyscan and ssh-keysign.
        </seg>
        <seg>
          /etc/ssh,
          /var/lib/sshd,
          /usr/lib/openssh and
          /usr/share/doc/openssh-&openssh-version;.
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>
            is a file copy program that acts like <command>rcp</command> except
            it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>
            is an FTP-like program that works over the SSH1 and SSH2 protocols.
          </para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>
            is an SFTP server subsystem. This program is not normally called
            directly by the user.
          </para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>
            is a symlink to <command>ssh</command>.
          </para>
          <indexterm zone="openssh slogin">
            <primary sortas="b-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>
            is an <command>rlogin</command>/<command>rsh</command>-like client
            program except it uses an encrypted protocol.
          </para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>
            is a daemon that listens for <command>ssh</command> login requests.
          </para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>
            is a tool which adds keys to the <command>ssh-agent</command>.
          </para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>
            is an authentication agent that can store private keys.
          </para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>
            is a key generation tool.
          </para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>
            is a utility for gathering public host keys from a number of hosts.
          </para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>
            is used by <command>ssh</command> to access the local host keys and
            generate the digital signature required during hostbased
            authentication with SSH protocol version 2. This program is not
            normally called directly by the user.
          </para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>
    </variablelist>
  </sect2>
</sect1>