Context Navigation

openssh.xml@ c6b192c

Visit:

11.0 11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since c6b192c was c6b192c, checked in by Xi Ruoyao <xry111@…>, 3 years ago

secure package download URLs

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24436 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 18.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "9eb9420cf587edc26f8998ab679ad390">
13	<!ENTITY openssh-size "1.7 MB">
14	<!ENTITY openssh-buildsize "51 MB (add 40 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes 20+ minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23	<sect1info>
24	<othername>$LastChangedBy$</othername>
25	<date>$Date$</date>
26	</sect1info>
27
28	<title>OpenSSH-&openssh-version;</title>
29
30	<indexterm zone="openssh">
31	<primary sortas="a-OpenSSH">OpenSSH</primary>
32	</indexterm>
33
34	<sect2 role="package">
35	<title>Introduction to OpenSSH</title>
36
37	<para>
38	The <application>OpenSSH</application> package contains
39	<command>ssh</command> clients and the <command>sshd</command> daemon.
40	This is useful for encrypting authentication and subsequent traffic over
41	a network. The <command>ssh</command> and <command>scp</command> commands
42	are secure implementations of <command>telnet</command> and
43	<command>rcp</command> respectively.
44	</para>
45
46	&lfs101_checked;
47
48	<bridgehead renderas="sect3">Package Information</bridgehead>
49	<itemizedlist spacing="compact">
50	<listitem>
51	<para>
52	Download (HTTP): <ulink url="&openssh-download-http;"/>
53	</para>
54	</listitem>
55	<listitem>
56	<para>
57	Download (FTP): <ulink url="&openssh-download-ftp;"/>
58	</para>
59	</listitem>
60	<listitem>
61	<para>
62	Download MD5 sum: &openssh-md5sum;
63	</para>
64	</listitem>
65	<listitem>
66	<para>
67	Download size: &openssh-size;
68	</para>
69	</listitem>
70	<listitem>
71	<para>
72	Estimated disk space required: &openssh-buildsize;
73	</para>
74	</listitem>
75	<listitem>
76	<para>
77	Estimated build time: &openssh-time;
78	</para>
79	</listitem>
80	</itemizedlist>
81	<!--
82	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
83	<itemizedlist spacing="compact">
84	<listitem>
85	<para>
86	Required patch:
87	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
88	</para>
89	</listitem>
90	</itemizedlist>
91	-->
92	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
93
94	<bridgehead renderas="sect4">Optional</bridgehead>
95	<para role="optional">
96	<xref linkend="gdb"/> (for tests),
97	<xref linkend="linux-pam"/>,
98	<xref linkend="x-window-system"/>,
99	<xref linkend="mitkrb"/>,
100	<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101	<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104	</para>
105
106	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107	<para role="optional">
108	<xref role="runtime" linkend="openjdk"/>,
109	<xref role="runtime" linkend="net-tools"/>, and
110	<xref role="runtime" linkend="sysstat"/>
111	</para>
112
113	<para condition="html" role="usernotes">
114	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115	</para>
116	</sect2>
117
118	<sect2 role="installation">
119	<title>Installation of OpenSSH</title>
120
121	<para>
122	<application>OpenSSH</application> runs as two processes when connecting
123	to other computers. The first process is a privileged process and controls
124	the issuance of privileges as necessary. The second process communicates
125	with the network. Additional installation steps are necessary to set up
126	the proper environment, which are performed by issuing the following
127	commands as the <systemitem class="username">root</systemitem> user:
128	</para>
129
130	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
131	chown -v root:sys /var/lib/sshd &&
132
133	groupadd -g 50 sshd &&
134	useradd -c 'sshd PrivSep' \
135	-d /var/lib/sshd \
136	-g sshd \
137	-s /bin/false \
138	-u 50 sshd</userinput></screen>
139	<!--
140	<para>
141	Apply a patch to allow OpenSSH to build and function with
142	<application>Glibc-2.31</application> and later:
143	</para>
144
145	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
146	-->
147
148	<!-- Applied in 8.5p1
149	<para>
150	First, adapt <application>ssh-copy-id</application> to changes
151	in bash-5.1:
152	</para>
153
154	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
155
156	<para>
157	Next, fix an issue on platforms other than x86_64:
158	</para>
159	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
160	l1="#ifdef __NR_pselect6_time64"
161	l2=" SC_ALLOW(__NR_pselect6_time64),"
162	l3="#endif"
163	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
164	-i sandbox-seccomp-filter.c
165	fi</userinput></screen>
166	-->
167	<para>
168	Install <application>OpenSSH</application> by running the following
169	commands:
170	</para>
171
172	<screen><userinput>./configure --prefix=/usr \
173	--sysconfdir=/etc/ssh \
174	--with-md5-passwords \
175	--with-privsep-path=/var/lib/sshd &&
176	make</userinput></screen>
177
178	<para>
179	The testsuite requires an installed copy of <command>scp</command> to
180	complete the multiplexing tests. To run the test suite, first copy the
181	<command>scp</command> program to
182	<filename class="directory">/usr/bin</filename>, making sure that you
183	backup any existing copy first.
184	</para>
185
186	<para>
187	To test the results, issue: <command>make -j1 tests</command>.
188	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
189	</para>
190
191	<!-- commenting this, I get "all tests passed" [ ken ]
192	NB tests should be run as _user_ but the role in the comment is root
193
194	commenting [ bruce ]: There are a couple of tests that want root.
195	The log mentions that SUDO is not set. These skipped tests are
196	ignored and the end says 'all tests passed' even when not root
197
198	<para>
199	To run the test suite, issue the following commands:
200	</para>
201
202	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
203	grep FATAL check.log</userinput></screen>
204
205	<para>
206	If the above command produces no 'FATAL' errors, then proceed with the
207	installation, as the <systemitem class="username">root</systemitem> user:
208	</para>-->
209	<para>
210	Now, as the <systemitem class="username">root</systemitem> user:
211	</para>
212
213	<screen role="root"><userinput>make install &&
214	install -v -m755 contrib/ssh-copy-id /usr/bin &&
215
216	install -v -m644 contrib/ssh-copy-id.1 \
217	/usr/share/man/man1 &&
218	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
219	install -v -m644 INSTALL LICENCE OVERVIEW README* \
220	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
221	</sect2>
222
223	<sect2 role="commands">
224	<title>Command Explanations</title>
225
226	<para>
227	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
228	configuration files from being installed in
229	<filename class="directory">/usr/etc</filename>.
230	</para>
231
232	<para>
233	<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
234	passwords.
235	</para>
236
237	<para>
238	<option>--with-pam</option>: This parameter enables
239	<application>Linux-PAM</application> support in the build.
240	</para>
241
242	<para>
243	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
244	location for the <command>xauth</command> binary for X authentication.
245	Change the location if <command>xauth</command> will be installed to a
246	different path. This can also be controlled from
247	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
248	omit this switch if <application>Xorg</application> is already installed.
249	</para>
250
251	<para>
252	<option>--with-kerberos5=/usr</option>: This option is used to
253	include Kerberos 5 support in the build.
254	</para>
255
256	<para>
257	<option>--with-libedit</option>: This option enables line editing
258	and history features for <command>sftp</command>.
259	</para>
260
261	</sect2>
262
263	<sect2 role="configuration">
264	<title>Configuring OpenSSH</title>
265
266	<sect3 id="openssh-config">
267	<title>Config Files</title>
268
269	<para>
270	<filename>~/.ssh/*</filename>,
271	<filename>/etc/ssh/ssh_config</filename>, and
272	<filename>/etc/ssh/sshd_config</filename>
273	</para>
274
275	<indexterm zone="openssh openssh-config">
276	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
277	</indexterm>
278
279	<indexterm zone="openssh openssh-config">
280	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
281	</indexterm>
282
283	<indexterm zone="openssh openssh-config">
284	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
285	</indexterm>
286
287	<para>
288	There are no required changes to any of these files. However,
289	you may wish to view the
290	<filename class='directory'>/etc/ssh/</filename> files and make any
291	changes appropriate for the security of your system. One recommended
292	change is that you disable
293	<systemitem class='username'>root</systemitem> login via
294	<command>ssh</command>. Execute the following command as the
295	<systemitem class='username'>root</systemitem> user to disable
296	<systemitem class='username'>root</systemitem> login via
297	<command>ssh</command>:
298	</para>
299
300	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
301
302	<para>
303	If you want to be able to log in without typing in your password, first
304	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
305	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
306	~/.ssh/authorized_keys on the remote computer that you want to log into.
307	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
308	computer and you'll also need to enter your password for the ssh-copy-id command
309	to succeed:
310	</para>
311
312	<screen><userinput>ssh-keygen &&
313	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
314
315	<para>
316	Once you've got passwordless logins working it's actually more secure
317	than logging in with a password (as the private key is much longer than
318	most people's passwords). If you would like to now disable password
319	logins, as the <systemitem class="username">root</systemitem> user:
320	</para>
321
322
323	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
324	echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
325
326	<para>
327	If you added <application>Linux-PAM</application> support and you want
328	ssh to use it then you will need to add a configuration file for
329	<application>sshd</application> and enable use of
330	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
331	passwords, if you've disabled password logins these commands are not
332	needed. If you want to use PAM, issue the following commands as the
333	<systemitem class='username'>root</systemitem> user:
334	</para>
335
336	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
337	chmod 644 /etc/pam.d/sshd &&
338	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
339
340	<para>
341	Additional configuration information can be found in the man
342	pages for <command>sshd</command>, <command>ssh</command> and
343	<command>ssh-agent</command>.
344	</para>
345	</sect3>
346
347	<sect3 id="openssh-init">
348	<title><phrase revision="sysv">Boot Script</phrase>
349	<phrase revision="systemd">Systemd Unit</phrase></title>
350
351	<para revision="sysv">
352	To start the SSH server at system boot, install the
353	<filename>/etc/rc.d/init.d/sshd</filename> init script included
354	in the <xref linkend="bootscripts"/> package.
355	</para>
356
357	<para revision="systemd">
358	To start the SSH server at system boot, install the
359	<filename>sshd.service</filename> unit included in the
360	<xref linkend="systemd-units"/> package.
361	</para>
362
363	<indexterm zone="openssh openssh-init">
364	<primary sortas="f-sshd">sshd</primary>
365	</indexterm>
366
367	<screen role="root"><userinput>make install-sshd</userinput></screen>
368	</sect3>
369	</sect2>
370
371	<sect2 role="content">
372	<title>Contents</title>
373
374	<segmentedlist>
375	<segtitle>Installed Programs</segtitle>
376	<segtitle>Installed Libraries</segtitle>
377	<segtitle>Installed Directories</segtitle>
378
379	<seglistitem>
380	<seg>
381	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
382	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
383	</seg>
384	<seg>
385	None
386	</seg>
387	<seg>
388	/etc/ssh,
389	/usr/share/doc/openssh-&openssh-version;, and
390	/var/lib/sshd
391	</seg>
392	</seglistitem>
393	</segmentedlist>
394
395	<variablelist>
396	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
397	<?dbfo list-presentation="list"?>
398	<?dbhtml list-presentation="table"?>
399
400	<varlistentry id="scp">
401	<term><command>scp</command></term>
402	<listitem>
403	<para>
404	is a file copy program that acts like <command>rcp</command> except
405	it uses an encrypted protocol
406	</para>
407	<indexterm zone="openssh scp">
408	<primary sortas="b-scp">scp</primary>
409	</indexterm>
410	</listitem>
411	</varlistentry>
412
413	<varlistentry id="sftp">
414	<term><command>sftp</command></term>
415	<listitem>
416	<para>
417	is an FTP-like program that works over the SSH1 and SSH2 protocols
418	</para>
419	<indexterm zone="openssh sftp">
420	<primary sortas="b-sftp">sftp</primary>
421	</indexterm>
422	</listitem>
423	</varlistentry>
424	<!-- Not installed anymore as of 8.5p1
425	<varlistentry id="slogin">
426	<term><command>slogin</command></term>
427	<listitem>
428	<para>
429	is a symlink to <command>ssh</command>
430	</para>
431	<indexterm zone="openssh slogin">
432	<primary sortas="b-slogin">slogin</primary>
433	</indexterm>
434	</listitem>
435	</varlistentry>
436	-->
437	<varlistentry id="ssh">
438	<term><command>ssh</command></term>
439	<listitem>
440	<para>
441	is an <command>rlogin</command>/<command>rsh</command>-like client
442	program except it uses an encrypted protocol
443	</para>
444	<indexterm zone="openssh ssh">
445	<primary sortas="b-ssh">ssh</primary>
446	</indexterm>
447	</listitem>
448	</varlistentry>
449
450	<varlistentry id="sshd">
451	<term><command>sshd</command></term>
452	<listitem>
453	<para>
454	is a daemon that listens for <command>ssh</command> login requests
455	</para>
456	<indexterm zone="openssh sshd">
457	<primary sortas="b-sshd">sshd</primary>
458	</indexterm>
459	</listitem>
460	</varlistentry>
461
462	<varlistentry id="ssh-add">
463	<term><command>ssh-add</command></term>
464	<listitem>
465	<para>
466	is a tool which adds keys to the <command>ssh-agent</command>
467	</para>
468	<indexterm zone="openssh ssh-add">
469	<primary sortas="b-ssh-add">ssh-add</primary>
470	</indexterm>
471	</listitem>
472	</varlistentry>
473
474	<varlistentry id="ssh-agent">
475	<term><command>ssh-agent</command></term>
476	<listitem>
477	<para>
478	is an authentication agent that can store private keys
479	</para>
480	<indexterm zone="openssh ssh-agent">
481	<primary sortas="b-ssh-agent">ssh-agent</primary>
482	</indexterm>
483	</listitem>
484	</varlistentry>
485
486	<varlistentry id="ssh-copy-id">
487	<term><command>ssh-copy-id</command></term>
488	<listitem>
489	<para>
490	is a script that enables logins on remote machines using local keys
491	</para>
492	<indexterm zone="openssh ssh-copy-id">
493	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
494	</indexterm>
495	</listitem>
496	</varlistentry>
497
498	<varlistentry id="ssh-keygen">
499	<term><command>ssh-keygen</command></term>
500	<listitem>
501	<para>
502	is a key generation tool
503	</para>
504	<indexterm zone="openssh ssh-keygen">
505	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
506	</indexterm>
507	</listitem>
508	</varlistentry>
509
510	<varlistentry id="ssh-keyscan">
511	<term><command>ssh-keyscan</command></term>
512	<listitem>
513	<para>
514	is a utility for gathering public host keys from a number of hosts
515	</para>
516	<indexterm zone="openssh ssh-keyscan">
517	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
518	</indexterm>
519	</listitem>
520	</varlistentry>
521
522	</variablelist>
523	</sect2>
524
525	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/openssh.xml@ c6b192c

Download in other formats: