Context Navigation

source: postlfs/security/openssh.xml@ eed39e3

Visit:

11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18 xry111/xf86-video-removal

Last change on this file since eed39e3 was bed8f3ef, checked in by Bruce Dubbs <bdubbs@…>, 17 months ago
Synchronize openssh md5sums in multiple packages
Property mode set to `100644`
File size: 18.9 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "&openssh-md5sum;">
13	<!ENTITY openssh-size "1.8 MB">
14	<!ENTITY openssh-buildsize "44 MB (add 21 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 28 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21	<?dbhtml filename="openssh.html"?>
22
23
24	<title>OpenSSH-&openssh-version;</title>
25
26	<indexterm zone="openssh">
27	<primary sortas="a-OpenSSH">OpenSSH</primary>
28	</indexterm>
29
30	<sect2 role="package">
31	<title>Introduction to OpenSSH</title>
32
33	<para>
34	The <application>OpenSSH</application> package contains
35	<command>ssh</command> clients and the <command>sshd</command> daemon.
36	This is useful for encrypting authentication and subsequent traffic over
37	a network. The <command>ssh</command> and <command>scp</command> commands
38	are secure implementations of <command>telnet</command> and
39	<command>rcp</command> respectively.
40	</para>
41
42	&lfs112_checked;
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>
48	Download (HTTP): <ulink url="&openssh-download-http;"/>
49	</para>
50	</listitem>
51	<listitem>
52	<para>
53	Download (FTP): <ulink url="&openssh-download-ftp;"/>
54	</para>
55	</listitem>
56	<listitem>
57	<para>
58	Download MD5 sum: &openssh-md5sum;
59	</para>
60	</listitem>
61	<listitem>
62	<para>
63	Download size: &openssh-size;
64	</para>
65	</listitem>
66	<listitem>
67	<para>
68	Estimated disk space required: &openssh-buildsize;
69	</para>
70	</listitem>
71	<listitem>
72	<para>
73	Estimated build time: &openssh-time;
74	</para>
75	</listitem>
76	</itemizedlist>
77	<!--
78	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
79	<itemizedlist spacing="compact">
80	<listitem>
81	<para>
82	Required patch:
83	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
84	</para>
85	</listitem>
86	</itemizedlist>
87	-->
88	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89
90	<bridgehead renderas="sect4">Optional</bridgehead>
91	<para role="optional">
92	<xref linkend="gdb"/> (for tests),
93	<xref linkend="linux-pam"/>,
94	<xref linkend="x-window-system"/>,
95	<xref linkend="mitkrb"/>,
96	<xref linkend="which"/> (for tests),
97	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
98	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
99	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
100	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
101	</para>
102
103	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
104	<para role="optional">
105	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
106	<xref role="runtime" linkend="net-tools"/>, and
107	<xref role="runtime" linkend="sysstat"/>
108	</para>
109
110	<para condition="html" role="usernotes">
111	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
112	</para>
113	</sect2>
114
115	<sect2 role="installation">
116	<title>Installation of OpenSSH</title>
117
118	<para>
119	<application>OpenSSH</application> runs as two processes when connecting
120	to other computers. The first process is a privileged process and controls
121	the issuance of privileges as necessary. The second process communicates
122	with the network. Additional installation steps are necessary to set up
123	the proper environment, which are performed by issuing the following
124	commands as the <systemitem class="username">root</systemitem> user:
125	</para>
126
127	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
128	chown -v root:sys /var/lib/sshd &&
129
130	groupadd -g 50 sshd &&
131	useradd -c 'sshd PrivSep' \
132	-d /var/lib/sshd \
133	-g sshd \
134	-s /bin/false \
135	-u 50 sshd</userinput></screen>
136	<!--
137	<para>
138	Apply a patch to allow OpenSSH to build and function with
139	<application>Glibc-2.31</application> and later:
140	</para>
141
142	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
143	-->
144
145	<!-- Applied in 8.5p1
146	<para>
147	First, adapt <application>ssh-copy-id</application> to changes
148	in bash-5.1:
149	</para>
150
151	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
152
153	<para>
154	Next, fix an issue on platforms other than x86_64:
155	</para>
156	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
157	l1="#ifdef __NR_pselect6_time64"
158	l2=" SC_ALLOW(__NR_pselect6_time64),"
159	l3="#endif"
160	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
161	-i sandbox-seccomp-filter.c
162	fi</userinput></screen>
163	-->
164	<para>
165	Install <application>OpenSSH</application> by running the following
166	commands:
167	</para>
168
169	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
170	block leaves an eyesore. -->
171	<screen><userinput>./configure --prefix=/usr \
172	--sysconfdir=/etc/ssh \
173	--with-privsep-path=/var/lib/sshd \
174	--with-default-path=/usr/bin \
175	--with-superuser-path=/usr/sbin:/usr/bin \
176	--with-pid-dir=/run &&
177	make</userinput></screen>
178
179	<para>
180	The test suite requires an installed copy of <command>scp</command> to
181	complete the multiplexing tests. To run the test suite, first copy the
182	<command>scp</command> program to
183	<filename class="directory">/usr/bin</filename>, making sure that you
184	backup any existing copy first.
185	</para>
186	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
187	<para>
188	If you wish to run the tests, remove a test suite that is not valid on
189	Linux-based platforms:
190	</para>
191
192	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
193	-->
194	<para>
195	To test the results, issue: <command>make -j1 tests</command>.
196	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
197	</para>
198
199	<!-- commenting this, I get "all tests passed" [ ken ]
200	NB tests should be run as _user_ but the role in the comment is root
201
202	commenting [ bruce ]: There are a couple of tests that want root.
203	The log mentions that SUDO is not set. These skipped tests are
204	ignored and the end says 'all tests passed' even when not root
205
206	<para>
207	To run the test suite, issue the following commands:
208	</para>
209
210	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
211	grep FATAL check.log</userinput></screen>
212
213	<para>
214	If the above command produces no 'FATAL' errors, then proceed with the
215	installation, as the <systemitem class="username">root</systemitem> user:
216	</para>-->
217	<para>
218	Now, as the <systemitem class="username">root</systemitem> user:
219	</para>
220
221	<screen role="root"><userinput>make install &&
222	install -v -m755 contrib/ssh-copy-id /usr/bin &&
223
224	install -v -m644 contrib/ssh-copy-id.1 \
225	/usr/share/man/man1 &&
226	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
227	install -v -m644 INSTALL LICENCE OVERVIEW README* \
228	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
229	</sect2>
230
231	<sect2 role="commands">
232	<title>Command Explanations</title>
233
234	<para>
235	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
236	configuration files from being installed in
237	<filename class="directory">/usr/etc</filename>.
238	</para>
239
240	<!--
241	<para>
242	<parameter>-\-with-md5-passwords</parameter>: This enables the use of MD5
243	passwords.
244	</para>
245	-->
246
247	<para>
248	<parameter>--with-default-path=/usr/bin</parameter> and
249	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
250	These set <envar>PATH</envar> consistent with LFS and BLFS
251	<application>Shadow</application> package.
252	</para>
253
254	<para>
255	<parameter>--with-pid-dir=/run</parameter>: This prevents
256	<application>OpenSSH</application> from referring to deprecated
257	<filename class="directory">/var/run</filename>.
258	</para>
259
260	<para>
261	<option>--with-pam</option>: This parameter enables
262	<application>Linux-PAM</application> support in the build.
263	</para>
264
265	<para>
266	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
267	location for the <command>xauth</command> binary for X authentication.
268	Change the location if <command>xauth</command> will be installed to a
269	different path. This can also be controlled from
270	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
271	omit this switch if <application>Xorg</application> is already installed.
272	</para>
273
274	<para>
275	<option>--with-kerberos5=/usr</option>: This option is used to
276	include Kerberos 5 support in the build.
277	</para>
278
279	<para>
280	<option>--with-libedit</option>: This option enables line editing
281	and history features for <command>sftp</command>.
282	</para>
283
284	</sect2>
285
286	<sect2 role="configuration">
287	<title>Configuring OpenSSH</title>
288
289	<sect3 id="openssh-config">
290	<title>Config Files</title>
291
292	<para>
293	<filename>~/.ssh/*</filename>,
294	<filename>/etc/ssh/ssh_config</filename>, and
295	<filename>/etc/ssh/sshd_config</filename>
296	</para>
297
298	<indexterm zone="openssh openssh-config">
299	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
300	</indexterm>
301
302	<indexterm zone="openssh openssh-config">
303	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
304	</indexterm>
305
306	<indexterm zone="openssh openssh-config">
307	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
308	</indexterm>
309
310	<para>
311	There are no required changes to any of these files. However,
312	you may wish to view the
313	<filename class='directory'>/etc/ssh/</filename> files and make any
314	changes appropriate for the security of your system. One recommended
315	change is that you disable
316	<systemitem class='username'>root</systemitem> login via
317	<command>ssh</command>. Execute the following command as the
318	<systemitem class='username'>root</systemitem> user to disable
319	<systemitem class='username'>root</systemitem> login via
320	<command>ssh</command>:
321	</para>
322
323	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
324
325	<para>
326	If you want to be able to log in without typing in your password, first
327	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
328	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
329	~/.ssh/authorized_keys on the remote computer that you want to log into.
330	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
331	computer and you'll also need to enter your password for the ssh-copy-id command
332	to succeed:
333	</para>
334
335	<screen><userinput>ssh-keygen &&
336	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
337
338	<para>
339	Once you've got passwordless logins working it's actually more secure
340	than logging in with a password (as the private key is much longer than
341	most people's passwords). If you would like to now disable password
342	logins, as the <systemitem class="username">root</systemitem> user:
343	</para>
344
345
346	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
347	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
348
349	<para>
350	If you added <application>Linux-PAM</application> support and you want
351	ssh to use it then you will need to add a configuration file for
352	<application>sshd</application> and enable use of
353	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
354	passwords, if you've disabled password logins these commands are not
355	needed. If you want to use PAM, issue the following commands as the
356	<systemitem class='username'>root</systemitem> user:
357	</para>
358
359	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
360	chmod 644 /etc/pam.d/sshd &&
361	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
362
363	<para>
364	Additional configuration information can be found in the man
365	pages for <command>sshd</command>, <command>ssh</command> and
366	<command>ssh-agent</command>.
367	</para>
368	</sect3>
369
370	<sect3 id="openssh-init">
371	<title><phrase revision="sysv">Boot Script</phrase>
372	<phrase revision="systemd">Systemd Unit</phrase></title>
373
374	<para revision="sysv">
375	To start the SSH server at system boot, install the
376	<filename>/etc/rc.d/init.d/sshd</filename> init script included
377	in the <xref linkend="bootscripts"/> package.
378	</para>
379
380	<para revision="systemd">
381	To start the SSH server at system boot, install the
382	<filename>sshd.service</filename> unit included in the
383	<xref linkend="systemd-units"/> package.
384	</para>
385
386	<indexterm zone="openssh openssh-init">
387	<primary sortas="f-sshd">sshd</primary>
388	</indexterm>
389
390	<screen role="root"><userinput>make install-sshd</userinput></screen>
391	</sect3>
392	</sect2>
393
394	<sect2 role="content">
395	<title>Contents</title>
396
397	<segmentedlist>
398	<segtitle>Installed Programs</segtitle>
399	<segtitle>Installed Libraries</segtitle>
400	<segtitle>Installed Directories</segtitle>
401
402	<seglistitem>
403	<seg>
404	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
405	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
406	</seg>
407	<seg>
408	None
409	</seg>
410	<seg>
411	/etc/ssh,
412	/usr/share/doc/openssh-&openssh-version;, and
413	/var/lib/sshd
414	</seg>
415	</seglistitem>
416	</segmentedlist>
417
418	<variablelist>
419	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
420	<?dbfo list-presentation="list"?>
421	<?dbhtml list-presentation="table"?>
422
423	<varlistentry id="scp">
424	<term><command>scp</command></term>
425	<listitem>
426	<para>
427	is a file copy program that acts like <command>rcp</command> except
428	it uses an encrypted protocol
429	</para>
430	<indexterm zone="openssh scp">
431	<primary sortas="b-scp">scp</primary>
432	</indexterm>
433	</listitem>
434	</varlistentry>
435
436	<varlistentry id="sftp">
437	<term><command>sftp</command></term>
438	<listitem>
439	<para>
440	is an FTP-like program that works over the SSH1 and SSH2 protocols
441	</para>
442	<indexterm zone="openssh sftp">
443	<primary sortas="b-sftp">sftp</primary>
444	</indexterm>
445	</listitem>
446	</varlistentry>
447	<!-- Not installed anymore as of 8.5p1
448	<varlistentry id="slogin">
449	<term><command>slogin</command></term>
450	<listitem>
451	<para>
452	is a symlink to <command>ssh</command>
453	</para>
454	<indexterm zone="openssh slogin">
455	<primary sortas="b-slogin">slogin</primary>
456	</indexterm>
457	</listitem>
458	</varlistentry>
459	-->
460	<varlistentry id="ssh">
461	<term><command>ssh</command></term>
462	<listitem>
463	<para>
464	is an <command>rlogin</command>/<command>rsh</command>-like client
465	program except it uses an encrypted protocol
466	</para>
467	<indexterm zone="openssh ssh">
468	<primary sortas="b-ssh">ssh</primary>
469	</indexterm>
470	</listitem>
471	</varlistentry>
472
473	<varlistentry id="sshd">
474	<term><command>sshd</command></term>
475	<listitem>
476	<para>
477	is a daemon that listens for <command>ssh</command> login requests
478	</para>
479	<indexterm zone="openssh sshd">
480	<primary sortas="b-sshd">sshd</primary>
481	</indexterm>
482	</listitem>
483	</varlistentry>
484
485	<varlistentry id="ssh-add">
486	<term><command>ssh-add</command></term>
487	<listitem>
488	<para>
489	is a tool which adds keys to the <command>ssh-agent</command>
490	</para>
491	<indexterm zone="openssh ssh-add">
492	<primary sortas="b-ssh-add">ssh-add</primary>
493	</indexterm>
494	</listitem>
495	</varlistentry>
496
497	<varlistentry id="ssh-agent">
498	<term><command>ssh-agent</command></term>
499	<listitem>
500	<para>
501	is an authentication agent that can store private keys
502	</para>
503	<indexterm zone="openssh ssh-agent">
504	<primary sortas="b-ssh-agent">ssh-agent</primary>
505	</indexterm>
506	</listitem>
507	</varlistentry>
508
509	<varlistentry id="ssh-copy-id">
510	<term><command>ssh-copy-id</command></term>
511	<listitem>
512	<para>
513	is a script that enables logins on remote machines using local keys
514	</para>
515	<indexterm zone="openssh ssh-copy-id">
516	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
517	</indexterm>
518	</listitem>
519	</varlistentry>
520
521	<varlistentry id="ssh-keygen">
522	<term><command>ssh-keygen</command></term>
523	<listitem>
524	<para>
525	is a key generation tool
526	</para>
527	<indexterm zone="openssh ssh-keygen">
528	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
529	</indexterm>
530	</listitem>
531	</varlistentry>
532
533	<varlistentry id="ssh-keyscan">
534	<term><command>ssh-keyscan</command></term>
535	<listitem>
536	<para>
537	is a utility for gathering public host keys from a number of hosts
538	</para>
539	<indexterm zone="openssh ssh-keyscan">
540	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
541	</indexterm>
542	</listitem>
543	</varlistentry>
544
545	</variablelist>
546	</sect2>
547
548	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: