source: postlfs/security/openssh.xml@ f0948db

10.0 10.1 11.0 11.1 11.2 8.4 9.0 9.1 basic bdubbs/svn elogind lazarus perl-modules qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since f0948db was f0948db, checked in by Bruce Dubbs <bdubbs@…>, 4 years ago

Update to openssh-7.8p1 (includes ssh-askpass-7.8p1).
Update to sudo-1.8.25.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20449 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "ce1d090fa6239fd38eb989d5e983b074">
13 <!ENTITY openssh-size "1.5 MB">
14 <!ENTITY openssh-buildsize "44 MB (add 7 MB for tests)">
15 <!ENTITY openssh-time "0.4 SBU (running the tests takes 18+ minutes,
16 irrespective of processor speed)">
17]>
18
19<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
20 <?dbhtml filename="openssh.html"?>
21
22 <sect1info>
23 <othername>$LastChangedBy$</othername>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs83_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>Required patch: <ulink url="&patch-root;/openssh-&openssh-version;-openssl-1.1.0-1.patch"/></para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
89<!--
90 <bridgehead renderas="sect4">Required</bridgehead>
91 <para role="required">
92 <xref linkend="openssl"/> or
93 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para>
94-->
95 <bridgehead renderas="sect4">Optional</bridgehead>
96 <para role="optional">
97 <xref linkend="linux-pam"/>,
98 <xref linkend="x-window-system"/>,
99 <xref linkend="mitkrb"/>,
100 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
101 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
102 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
103 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
104 </para>
105
106 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
107 <para role="optional">
108 <xref role="runtime" linkend="openjdk"/>,
109 <xref role="runtime" linkend="net-tools"/>, and
110 <xref role="runtime" linkend="sysstat"/>
111 </para>
112
113 <para condition="html" role="usernotes">
114 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
115 </para>
116 </sect2>
117
118 <sect2 role="installation">
119 <title>Installation of OpenSSH</title>
120
121 <para>
122 <application>OpenSSH</application> runs as two processes when connecting
123 to other computers. The first process is a privileged process and controls
124 the issuance of privileges as necessary. The second process communicates
125 with the network. Additional installation steps are necessary to set up
126 the proper environment, which are performed by issuing the following
127 commands as the <systemitem class="username">root</systemitem> user:
128 </para>
129
130<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
131chown -v root:sys /var/lib/sshd &amp;&amp;
132
133groupadd -g 50 sshd &amp;&amp;
134useradd -c 'sshd PrivSep' \
135 -d /var/lib/sshd \
136 -g sshd \
137 -s /bin/false \
138 -u 50 sshd</userinput></screen>
139
140 <para>
141 Install <application>OpenSSH</application> by running the following
142 commands:
143 </para>
144
145<screen><userinput>patch -Np1 -i ../openssh-&openssh-version;-openssl-1.1.0-1.patch &amp;&amp;
146
147./configure --prefix=/usr \
148 --sysconfdir=/etc/ssh \
149 --with-md5-passwords \
150 --with-privsep-path=/var/lib/sshd &amp;&amp;
151make</userinput></screen>
152
153 <para>
154 The testsuite requires an installed copy of <command>scp</command> to
155 complete the multiplexing tests. To run the test suite, first copy the
156 <command>scp</command> program to
157 <filename class="directory">/usr/bin</filename>, making sure that you
158 backup any existing copy first.
159 </para>
160
161 <para>
162 To test the results, issue: <command>make tests</command>.
163 </para>
164
165<!-- commenting this, I get "all tests passed" [ ken ]
166 NB tests should be run as _user_ but the role in the comment is root
167
168 commenting [ bruce ]: There are a couple of tests that want root.
169 The log mentions that SUDO is not set. These skipped tests are
170 ignored and the end says 'all tests passed' even when not root
171
172 <para>
173 To run the test suite, issue the following commands:
174 </para>
175
176<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
177grep FATAL check.log</userinput></screen>
178
179 <para>
180 If the above command produces no 'FATAL' errors, then proceed with the
181 installation, as the <systemitem class="username">root</systemitem> user:
182 </para>-->
183 <para>
184 Now, as the <systemitem class="username">root</systemitem> user:
185 </para>
186
187<screen role="root"><userinput>make install &amp;&amp;
188install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
189
190install -v -m644 contrib/ssh-copy-id.1 \
191 /usr/share/man/man1 &amp;&amp;
192install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
193install -v -m644 INSTALL LICENCE OVERVIEW README* \
194 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
195 </sect2>
196
197 <sect2 role="commands">
198 <title>Command Explanations</title>
199
200 <para>
201 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
202 configuration files from being installed in
203 <filename class="directory">/usr/etc</filename>.
204 </para>
205
206 <para>
207 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
208 passwords.
209 </para>
210
211 <para>
212 <option>--with-pam</option>: This parameter enables
213 <application>Linux-PAM</application> support in the build.
214 </para>
215
216 <para>
217 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
218 location for the <command>xauth</command> binary for X authentication.
219 Change the location if <command>xauth</command> will be installed to a
220 different path. This can also be controlled from
221 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
222 omit this switch if <application>Xorg</application> is already installed.
223 </para>
224
225 <para>
226 <option>--with-kerberos5=/usr</option>: This option is used to
227 include Kerberos 5 support in the build.
228 </para>
229
230 <para>
231 <option>--with-libedit</option>: This option enables line editing
232 and history features for <command>sftp</command>.
233 </para>
234
235 </sect2>
236
237 <sect2 role="configuration">
238 <title>Configuring OpenSSH</title>
239
240 <sect3 id="openssh-config">
241 <title>Config Files</title>
242
243 <para>
244 <filename>~/.ssh/*</filename>,
245 <filename>/etc/ssh/ssh_config</filename>, and
246 <filename>/etc/ssh/sshd_config</filename>
247 </para>
248
249 <indexterm zone="openssh openssh-config">
250 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
251 </indexterm>
252
253 <indexterm zone="openssh openssh-config">
254 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
255 </indexterm>
256
257 <indexterm zone="openssh openssh-config">
258 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
259 </indexterm>
260
261 <para>
262 There are no required changes to any of these files. However,
263 you may wish to view the
264 <filename class='directory'>/etc/ssh/</filename> files and make any
265 changes appropriate for the security of your system. One recommended
266 change is that you disable
267 <systemitem class='username'>root</systemitem> login via
268 <command>ssh</command>. Execute the following command as the
269 <systemitem class='username'>root</systemitem> user to disable
270 <systemitem class='username'>root</systemitem> login via
271 <command>ssh</command>:
272 </para>
273
274<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
275
276 <para>
277 If you want to be able to log in without typing in your password, first
278 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
279 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
280 ~/.ssh/authorized_keys on the remote computer that you want to log into.
281 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
282 computer and you'll also need to enter your password for the ssh-copy-id command
283 to succeed:
284 </para>
285
286<screen><userinput>ssh-keygen &amp;&amp;
287ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
288
289 <para>
290 Once you've got passwordless logins working it's actually more secure
291 than logging in with a password (as the private key is much longer than
292 most people's passwords). If you would like to now disable password
293 logins, as the <systemitem class="username">root</systemitem> user:
294 </para>
295
296
297<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
298echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
299
300 <para>
301 If you added <application>Linux-PAM</application> support and you want
302 ssh to use it then you will need to add a configuration file for
303 <application>sshd</application> and enable use of
304 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
305 passwords, if you've disabled password logins these commands are not
306 needed. If you want to use PAM, issue the following commands as the
307 <systemitem class='username'>root</systemitem> user:
308 </para>
309
310<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
311chmod 644 /etc/pam.d/sshd &amp;&amp;
312echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
313
314 <para>
315 Additional configuration information can be found in the man
316 pages for <command>sshd</command>, <command>ssh</command> and
317 <command>ssh-agent</command>.
318 </para>
319 </sect3>
320
321 <sect3 id="openssh-init">
322 <title><phrase revision="sysv">Boot Script</phrase>
323 <phrase revision="systemd">Systemd Unit</phrase></title>
324
325 <para revision="sysv">
326 To start the SSH server at system boot, install the
327 <filename>/etc/rc.d/init.d/sshd</filename> init script included
328 in the <xref linkend="bootscripts"/> package.
329 </para>
330
331 <para revision="systemd">
332 To start the SSH server at system boot, install the
333 <filename>sshd.service</filename> unit included in the
334 <xref linkend="systemd-units"/> package.
335 </para>
336
337 <indexterm zone="openssh openssh-init">
338 <primary sortas="f-sshd">sshd</primary>
339 </indexterm>
340
341<screen role="root"><userinput>make install-sshd</userinput></screen>
342 </sect3>
343 </sect2>
344
345 <sect2 role="content">
346 <title>Contents</title>
347
348 <segmentedlist>
349 <segtitle>Installed Programs</segtitle>
350 <segtitle>Installed Libraries</segtitle>
351 <segtitle>Installed Directories</segtitle>
352
353 <seglistitem>
354 <seg>
355 scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
356 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
357 </seg>
358 <seg>
359 None
360 </seg>
361 <seg>
362 /etc/ssh,
363 /usr/share/doc/openssh-&openssh-version;, and
364 /var/lib/sshd
365 </seg>
366 </seglistitem>
367 </segmentedlist>
368
369 <variablelist>
370 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
371 <?dbfo list-presentation="list"?>
372 <?dbhtml list-presentation="table"?>
373
374 <varlistentry id="scp">
375 <term><command>scp</command></term>
376 <listitem>
377 <para>
378 is a file copy program that acts like <command>rcp</command> except
379 it uses an encrypted protocol.
380 </para>
381 <indexterm zone="openssh scp">
382 <primary sortas="b-scp">scp</primary>
383 </indexterm>
384 </listitem>
385 </varlistentry>
386
387 <varlistentry id="sftp">
388 <term><command>sftp</command></term>
389 <listitem>
390 <para>
391 is an FTP-like program that works over the SSH1 and SSH2 protocols.
392 </para>
393 <indexterm zone="openssh sftp">
394 <primary sortas="b-sftp">sftp</primary>
395 </indexterm>
396 </listitem>
397 </varlistentry>
398
399 <varlistentry id="slogin">
400 <term><command>slogin</command></term>
401 <listitem>
402 <para>
403 is a symlink to <command>ssh</command>.
404 </para>
405 <indexterm zone="openssh slogin">
406 <primary sortas="b-slogin">slogin</primary>
407 </indexterm>
408 </listitem>
409 </varlistentry>
410
411 <varlistentry id="ssh">
412 <term><command>ssh</command></term>
413 <listitem>
414 <para>
415 is an <command>rlogin</command>/<command>rsh</command>-like client
416 program except it uses an encrypted protocol.
417 </para>
418 <indexterm zone="openssh ssh">
419 <primary sortas="b-ssh">ssh</primary>
420 </indexterm>
421 </listitem>
422 </varlistentry>
423
424 <varlistentry id="sshd">
425 <term><command>sshd</command></term>
426 <listitem>
427 <para>
428 is a daemon that listens for <command>ssh</command> login requests.
429 </para>
430 <indexterm zone="openssh sshd">
431 <primary sortas="b-sshd">sshd</primary>
432 </indexterm>
433 </listitem>
434 </varlistentry>
435
436 <varlistentry id="ssh-add">
437 <term><command>ssh-add</command></term>
438 <listitem>
439 <para>
440 is a tool which adds keys to the <command>ssh-agent</command>.
441 </para>
442 <indexterm zone="openssh ssh-add">
443 <primary sortas="b-ssh-add">ssh-add</primary>
444 </indexterm>
445 </listitem>
446 </varlistentry>
447
448 <varlistentry id="ssh-agent">
449 <term><command>ssh-agent</command></term>
450 <listitem>
451 <para>
452 is an authentication agent that can store private keys.
453 </para>
454 <indexterm zone="openssh ssh-agent">
455 <primary sortas="b-ssh-agent">ssh-agent</primary>
456 </indexterm>
457 </listitem>
458 </varlistentry>
459
460 <varlistentry id="ssh-copy-id">
461 <term><command>ssh-copy-id</command></term>
462 <listitem>
463 <para>
464 is a script that enables logins on remote machine using local keys.
465 </para>
466 <indexterm zone="openssh ssh-copy-id">
467 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="ssh-keygen">
473 <term><command>ssh-keygen</command></term>
474 <listitem>
475 <para>
476 is a key generation tool.
477 </para>
478 <indexterm zone="openssh ssh-keygen">
479 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
480 </indexterm>
481 </listitem>
482 </varlistentry>
483
484 <varlistentry id="ssh-keyscan">
485 <term><command>ssh-keyscan</command></term>
486 <listitem>
487 <para>
488 is a utility for gathering public host keys from a number of hosts.
489 </para>
490 <indexterm zone="openssh ssh-keyscan">
491 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
492 </indexterm>
493 </listitem>
494 </varlistentry>
495
496 </variablelist>
497 </sect2>
498</sect1>
Note: See TracBrowser for help on using the repository browser.