source: postlfs/security/openssh.xml@ f1fd714

11.0 ken/refactor-virt lazarus qt5new trunk
Last change on this file since f1fd714 was f1fd714, checked in by Thomas Trepl (Moody) <thomas@…>, 7 months ago

Upgrade openssh-8.6p1

  • Property mode set to 100644
File size: 17.9 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY openssh-download-http
8 "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9 <!ENTITY openssh-download-ftp
10 " "> <!-- at the moment, unable to connect via ftp: ken
11 "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12 <!ENTITY openssh-md5sum "805f7048aec6dd752584e570383a6f00">
13 <!ENTITY openssh-size "1.7 MB">
14 <!ENTITY openssh-buildsize "51 MB (add 40 MB for tests)">
15 <!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16 running the tests takes 20+ minutes,
17 irrespective of processor speed)">
18]>
19
20<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
21 <?dbhtml filename="openssh.html"?>
22
23 <sect1info>
24 <date>$Date$</date>
25 </sect1info>
26
27 <title>OpenSSH-&openssh-version;</title>
28
29 <indexterm zone="openssh">
30 <primary sortas="a-OpenSSH">OpenSSH</primary>
31 </indexterm>
32
33 <sect2 role="package">
34 <title>Introduction to OpenSSH</title>
35
36 <para>
37 The <application>OpenSSH</application> package contains
38 <command>ssh</command> clients and the <command>sshd</command> daemon.
39 This is useful for encrypting authentication and subsequent traffic over
40 a network. The <command>ssh</command> and <command>scp</command> commands
41 are secure implementations of <command>telnet</command> and
42 <command>rcp</command> respectively.
43 </para>
44
45 &lfs101_checked;
46
47 <bridgehead renderas="sect3">Package Information</bridgehead>
48 <itemizedlist spacing="compact">
49 <listitem>
50 <para>
51 Download (HTTP): <ulink url="&openssh-download-http;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download (FTP): <ulink url="&openssh-download-ftp;"/>
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download MD5 sum: &openssh-md5sum;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Download size: &openssh-size;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated disk space required: &openssh-buildsize;
72 </para>
73 </listitem>
74 <listitem>
75 <para>
76 Estimated build time: &openssh-time;
77 </para>
78 </listitem>
79 </itemizedlist>
80<!--
81 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
82 <itemizedlist spacing="compact">
83 <listitem>
84 <para>
85 Required patch:
86 <ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
87 </para>
88 </listitem>
89 </itemizedlist>
90-->
91 <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
92
93 <bridgehead renderas="sect4">Optional</bridgehead>
94 <para role="optional">
95 <xref linkend="gdb"/> (for tests),
96 <xref linkend="linux-pam"/>,
97 <xref linkend="x-window-system"/>,
98 <xref linkend="mitkrb"/>,
99 <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
100 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
101 <ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102 <ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103 </para>
104
105 <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106 <para role="optional">
107 <xref role="runtime" linkend="openjdk"/>,
108 <xref role="runtime" linkend="net-tools"/>, and
109 <xref role="runtime" linkend="sysstat"/>
110 </para>
111
112 <para condition="html" role="usernotes">
113 User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114 </para>
115 </sect2>
116
117 <sect2 role="installation">
118 <title>Installation of OpenSSH</title>
119
120 <para>
121 <application>OpenSSH</application> runs as two processes when connecting
122 to other computers. The first process is a privileged process and controls
123 the issuance of privileges as necessary. The second process communicates
124 with the network. Additional installation steps are necessary to set up
125 the proper environment, which are performed by issuing the following
126 commands as the <systemitem class="username">root</systemitem> user:
127 </para>
128
129<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
130chown -v root:sys /var/lib/sshd &amp;&amp;
131
132groupadd -g 50 sshd &amp;&amp;
133useradd -c 'sshd PrivSep' \
134 -d /var/lib/sshd \
135 -g sshd \
136 -s /bin/false \
137 -u 50 sshd</userinput></screen>
138<!--
139 <para>
140 Apply a patch to allow OpenSSH to build and function with
141 <application>Glibc-2.31</application> and later:
142 </para>
143
144<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145-->
146
147<!-- Applied in 8.5p1
148 <para>
149 First, adapt <application>ssh-copy-id</application> to changes
150 in bash-5.1:
151 </para>
152
153<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155 <para>
156 Next, fix an issue on platforms other than x86_64:
157 </para>
158 <screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159 l1="#ifdef __NR_pselect6_time64"
160 l2=" SC_ALLOW(__NR_pselect6_time64),"
161 l3="#endif"
162 sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163 -i sandbox-seccomp-filter.c
164fi</userinput></screen>
165-->
166 <para>
167 Install <application>OpenSSH</application> by running the following
168 commands:
169 </para>
170
171<screen><userinput>./configure --prefix=/usr \
172 --sysconfdir=/etc/ssh \
173 --with-md5-passwords \
174 --with-privsep-path=/var/lib/sshd &amp;&amp;
175make</userinput></screen>
176
177 <para>
178 The testsuite requires an installed copy of <command>scp</command> to
179 complete the multiplexing tests. To run the test suite, first copy the
180 <command>scp</command> program to
181 <filename class="directory">/usr/bin</filename>, making sure that you
182 backup any existing copy first.
183 </para>
184
185 <para>
186 To test the results, issue: <command>make -j1 tests</command>.
187 <!--One test, <filename>key options</filename>, fails when run in chroot.-->
188 </para>
189
190<!-- commenting this, I get "all tests passed" [ ken ]
191 NB tests should be run as _user_ but the role in the comment is root
192
193 commenting [ bruce ]: There are a couple of tests that want root.
194 The log mentions that SUDO is not set. These skipped tests are
195 ignored and the end says 'all tests passed' even when not root
196
197 <para>
198 To run the test suite, issue the following commands:
199 </para>
200
201<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
202grep FATAL check.log</userinput></screen>
203
204 <para>
205 If the above command produces no 'FATAL' errors, then proceed with the
206 installation, as the <systemitem class="username">root</systemitem> user:
207 </para>-->
208 <para>
209 Now, as the <systemitem class="username">root</systemitem> user:
210 </para>
211
212<screen role="root"><userinput>make install &amp;&amp;
213install -v -m755 contrib/ssh-copy-id /usr/bin &amp;&amp;
214
215install -v -m644 contrib/ssh-copy-id.1 \
216 /usr/share/man/man1 &amp;&amp;
217install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
218install -v -m644 INSTALL LICENCE OVERVIEW README* \
219 /usr/share/doc/openssh-&openssh-version;</userinput></screen>
220 </sect2>
221
222 <sect2 role="commands">
223 <title>Command Explanations</title>
224
225 <para>
226 <parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
227 configuration files from being installed in
228 <filename class="directory">/usr/etc</filename>.
229 </para>
230
231 <para>
232 <parameter>--with-md5-passwords</parameter>: This enables the use of MD5
233 passwords.
234 </para>
235
236 <para>
237 <option>--with-pam</option>: This parameter enables
238 <application>Linux-PAM</application> support in the build.
239 </para>
240
241 <para>
242 <option>--with-xauth=/usr/bin/xauth</option>: Set the default
243 location for the <command>xauth</command> binary for X authentication.
244 Change the location if <command>xauth</command> will be installed to a
245 different path. This can also be controlled from
246 <filename>sshd_config</filename> with the XAuthLocation keyword. You can
247 omit this switch if <application>Xorg</application> is already installed.
248 </para>
249
250 <para>
251 <option>--with-kerberos5=/usr</option>: This option is used to
252 include Kerberos 5 support in the build.
253 </para>
254
255 <para>
256 <option>--with-libedit</option>: This option enables line editing
257 and history features for <command>sftp</command>.
258 </para>
259
260 </sect2>
261
262 <sect2 role="configuration">
263 <title>Configuring OpenSSH</title>
264
265 <sect3 id="openssh-config">
266 <title>Config Files</title>
267
268 <para>
269 <filename>~/.ssh/*</filename>,
270 <filename>/etc/ssh/ssh_config</filename>, and
271 <filename>/etc/ssh/sshd_config</filename>
272 </para>
273
274 <indexterm zone="openssh openssh-config">
275 <primary sortas="e-AA.ssh">~/.ssh/*</primary>
276 </indexterm>
277
278 <indexterm zone="openssh openssh-config">
279 <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
280 </indexterm>
281
282 <indexterm zone="openssh openssh-config">
283 <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
284 </indexterm>
285
286 <para>
287 There are no required changes to any of these files. However,
288 you may wish to view the
289 <filename class='directory'>/etc/ssh/</filename> files and make any
290 changes appropriate for the security of your system. One recommended
291 change is that you disable
292 <systemitem class='username'>root</systemitem> login via
293 <command>ssh</command>. Execute the following command as the
294 <systemitem class='username'>root</systemitem> user to disable
295 <systemitem class='username'>root</systemitem> login via
296 <command>ssh</command>:
297 </para>
298
299<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
300
301 <para>
302 If you want to be able to log in without typing in your password, first
303 create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
304 <command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
305 ~/.ssh/authorized_keys on the remote computer that you want to log into.
306 You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
307 computer and you'll also need to enter your password for the ssh-copy-id command
308 to succeed:
309 </para>
310
311<screen><userinput>ssh-keygen &amp;&amp;
312ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
313
314 <para>
315 Once you've got passwordless logins working it's actually more secure
316 than logging in with a password (as the private key is much longer than
317 most people's passwords). If you would like to now disable password
318 logins, as the <systemitem class="username">root</systemitem> user:
319 </para>
320
321
322<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &amp;&amp;
323echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
324
325 <para>
326 If you added <application>Linux-PAM</application> support and you want
327 ssh to use it then you will need to add a configuration file for
328 <application>sshd</application> and enable use of
329 <application>LinuxPAM</application>. Note, ssh only uses PAM to check
330 passwords, if you've disabled password logins these commands are not
331 needed. If you want to use PAM, issue the following commands as the
332 <systemitem class='username'>root</systemitem> user:
333 </para>
334
335<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
336chmod 644 /etc/pam.d/sshd &amp;&amp;
337echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>
338
339 <para>
340 Additional configuration information can be found in the man
341 pages for <command>sshd</command>, <command>ssh</command> and
342 <command>ssh-agent</command>.
343 </para>
344 </sect3>
345
346 <sect3 id="openssh-init">
347 <title><phrase revision="sysv">Boot Script</phrase>
348 <phrase revision="systemd">Systemd Unit</phrase></title>
349
350 <para revision="sysv">
351 To start the SSH server at system boot, install the
352 <filename>/etc/rc.d/init.d/sshd</filename> init script included
353 in the <xref linkend="bootscripts"/> package.
354 </para>
355
356 <para revision="systemd">
357 To start the SSH server at system boot, install the
358 <filename>sshd.service</filename> unit included in the
359 <xref linkend="systemd-units"/> package.
360 </para>
361
362 <indexterm zone="openssh openssh-init">
363 <primary sortas="f-sshd">sshd</primary>
364 </indexterm>
365
366<screen role="root"><userinput>make install-sshd</userinput></screen>
367 </sect3>
368 </sect2>
369
370 <sect2 role="content">
371 <title>Contents</title>
372
373 <segmentedlist>
374 <segtitle>Installed Programs</segtitle>
375 <segtitle>Installed Libraries</segtitle>
376 <segtitle>Installed Directories</segtitle>
377
378 <seglistitem>
379 <seg>
380 scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
381 ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
382 </seg>
383 <seg>
384 None
385 </seg>
386 <seg>
387 /etc/ssh,
388 /usr/share/doc/openssh-&openssh-version;, and
389 /var/lib/sshd
390 </seg>
391 </seglistitem>
392 </segmentedlist>
393
394 <variablelist>
395 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
396 <?dbfo list-presentation="list"?>
397 <?dbhtml list-presentation="table"?>
398
399 <varlistentry id="scp">
400 <term><command>scp</command></term>
401 <listitem>
402 <para>
403 is a file copy program that acts like <command>rcp</command> except
404 it uses an encrypted protocol
405 </para>
406 <indexterm zone="openssh scp">
407 <primary sortas="b-scp">scp</primary>
408 </indexterm>
409 </listitem>
410 </varlistentry>
411
412 <varlistentry id="sftp">
413 <term><command>sftp</command></term>
414 <listitem>
415 <para>
416 is an FTP-like program that works over the SSH1 and SSH2 protocols
417 </para>
418 <indexterm zone="openssh sftp">
419 <primary sortas="b-sftp">sftp</primary>
420 </indexterm>
421 </listitem>
422 </varlistentry>
423<!-- Not installed anymore as of 8.5p1
424 <varlistentry id="slogin">
425 <term><command>slogin</command></term>
426 <listitem>
427 <para>
428 is a symlink to <command>ssh</command>
429 </para>
430 <indexterm zone="openssh slogin">
431 <primary sortas="b-slogin">slogin</primary>
432 </indexterm>
433 </listitem>
434 </varlistentry>
435-->
436 <varlistentry id="ssh">
437 <term><command>ssh</command></term>
438 <listitem>
439 <para>
440 is an <command>rlogin</command>/<command>rsh</command>-like client
441 program except it uses an encrypted protocol
442 </para>
443 <indexterm zone="openssh ssh">
444 <primary sortas="b-ssh">ssh</primary>
445 </indexterm>
446 </listitem>
447 </varlistentry>
448
449 <varlistentry id="sshd">
450 <term><command>sshd</command></term>
451 <listitem>
452 <para>
453 is a daemon that listens for <command>ssh</command> login requests
454 </para>
455 <indexterm zone="openssh sshd">
456 <primary sortas="b-sshd">sshd</primary>
457 </indexterm>
458 </listitem>
459 </varlistentry>
460
461 <varlistentry id="ssh-add">
462 <term><command>ssh-add</command></term>
463 <listitem>
464 <para>
465 is a tool which adds keys to the <command>ssh-agent</command>
466 </para>
467 <indexterm zone="openssh ssh-add">
468 <primary sortas="b-ssh-add">ssh-add</primary>
469 </indexterm>
470 </listitem>
471 </varlistentry>
472
473 <varlistentry id="ssh-agent">
474 <term><command>ssh-agent</command></term>
475 <listitem>
476 <para>
477 is an authentication agent that can store private keys
478 </para>
479 <indexterm zone="openssh ssh-agent">
480 <primary sortas="b-ssh-agent">ssh-agent</primary>
481 </indexterm>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry id="ssh-copy-id">
486 <term><command>ssh-copy-id</command></term>
487 <listitem>
488 <para>
489 is a script that enables logins on remote machines using local keys
490 </para>
491 <indexterm zone="openssh ssh-copy-id">
492 <primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
493 </indexterm>
494 </listitem>
495 </varlistentry>
496
497 <varlistentry id="ssh-keygen">
498 <term><command>ssh-keygen</command></term>
499 <listitem>
500 <para>
501 is a key generation tool
502 </para>
503 <indexterm zone="openssh ssh-keygen">
504 <primary sortas="b-ssh-keygen">ssh-keygen</primary>
505 </indexterm>
506 </listitem>
507 </varlistentry>
508
509 <varlistentry id="ssh-keyscan">
510 <term><command>ssh-keyscan</command></term>
511 <listitem>
512 <para>
513 is a utility for gathering public host keys from a number of hosts
514 </para>
515 <indexterm zone="openssh ssh-keyscan">
516 <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
517 </indexterm>
518 </listitem>
519 </varlistentry>
520
521 </variablelist>
522 </sect2>
523
524</sect1>
Note: See TracBrowser for help on using the repository browser.