Context Navigation

source: postlfs/security/openssh.xml@ f8dd4ec

Visit:

12.0 12.1 kea ken/TL2024 ken/tuningfonts lazarus lxqt plabs/newcss python3.11 rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/llvm18 xry111/xf86-video-removal

Last change on this file since f8dd4ec was e628e070, checked in by Bruce Dubbs <bdubbs@…>, 15 months ago
Update to openssh-9.3p1.
Property mode set to `100644`
File size: 19.0 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY openssh-download-http
8	"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
9	<!ENTITY openssh-download-ftp
10	" "> <!-- at the moment, unable to connect via ftp: ken
11	"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
12	<!ENTITY openssh-md5sum "&openssh-md5sum;">
13	<!ENTITY openssh-size "1.8 MB">
14	<!ENTITY openssh-buildsize "45 MB (add 22 MB for tests)">
15	<!ENTITY openssh-time "0.2 SBU (Using parallelism=4;
16	running the tests takes about 20 minutes,
17	irrespective of processor speed)">
18	]>
19
20	<!-- make check: real 18m13.005s; 9.2p1 3 Feb 2023 -->
21	<!-- make check: real 18m08.654s; 9.3p1 17 Mar 2023 -->
22
23	<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
24	<?dbhtml filename="openssh.html"?>
25
26	<title>OpenSSH-&openssh-version;</title>
27
28	<indexterm zone="openssh">
29	<primary sortas="a-OpenSSH">OpenSSH</primary>
30	</indexterm>
31
32	<sect2 role="package">
33	<title>Introduction to OpenSSH</title>
34
35	<para>
36	The <application>OpenSSH</application> package contains
37	<command>ssh</command> clients and the <command>sshd</command> daemon.
38	This is useful for encrypting authentication and subsequent traffic over
39	a network. The <command>ssh</command> and <command>scp</command> commands
40	are secure implementations of <command>telnet</command> and
41	<command>rcp</command> respectively.
42	</para>
43
44	&lfs113_checked;
45
46	<bridgehead renderas="sect3">Package Information</bridgehead>
47	<itemizedlist spacing="compact">
48	<listitem>
49	<para>
50	Download (HTTP): <ulink url="&openssh-download-http;"/>
51	</para>
52	</listitem>
53	<listitem>
54	<para>
55	Download (FTP): <ulink url="&openssh-download-ftp;"/>
56	</para>
57	</listitem>
58	<listitem>
59	<para>
60	Download MD5 sum: &openssh-md5sum;
61	</para>
62	</listitem>
63	<listitem>
64	<para>
65	Download size: &openssh-size;
66	</para>
67	</listitem>
68	<listitem>
69	<para>
70	Estimated disk space required: &openssh-buildsize;
71	</para>
72	</listitem>
73	<listitem>
74	<para>
75	Estimated build time: &openssh-time;
76	</para>
77	</listitem>
78	</itemizedlist>
79	<!--
80	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
81	<itemizedlist spacing="compact">
82	<listitem>
83	<para>
84	Required patch:
85	<ulink url="&patch-root;/openssh-&openssh-version;-glibc_2.31_fix-1.patch"/>
86	</para>
87	</listitem>
88	</itemizedlist>
89	-->
90	<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
91
92	<bridgehead renderas="sect4">Optional</bridgehead>
93	<para role="optional">
94	<xref linkend="gdb"/> (for tests),
95	<xref linkend="linux-pam"/>,
96	<xref linkend="x-window-system"/>,
97	<xref linkend="mitkrb"/>,
98	<xref linkend="which"/> (for tests),
99	<ulink url="https://www.thrysoee.dk/editline/">libedit</ulink>,
100	<ulink url="https://www.libressl.org/">LibreSSL Portable</ulink>,
101	<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
102	<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
103	</para>
104
105	<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
106	<para role="optional">
107	<!--<xref role="runtime" linkend="openjdk"/>, Not seen in 8.8p1 -->
108	<xref role="runtime" linkend="net-tools"/>, and
109	<xref role="runtime" linkend="sysstat"/>
110	</para>
111
112	<para condition="html" role="usernotes">
113	User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
114	</para>
115	</sect2>
116
117	<sect2 role="installation">
118	<title>Installation of OpenSSH</title>
119
120	<para>
121	<application>OpenSSH</application> runs as two processes when connecting
122	to other computers. The first process is a privileged process and controls
123	the issuance of privileges as necessary. The second process communicates
124	with the network. Additional installation steps are necessary to set up
125	the proper environment, which are performed by issuing the following
126	commands as the <systemitem class="username">root</systemitem> user:
127	</para>
128
129	<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
130	chown -v root:sys /var/lib/sshd &&
131
132	groupadd -g 50 sshd &&
133	useradd -c 'sshd PrivSep' \
134	-d /var/lib/sshd \
135	-g sshd \
136	-s /bin/false \
137	-u 50 sshd</userinput></screen>
138	<!--
139	<para>
140	Apply a patch to allow OpenSSH to build and function with
141	<application>Glibc-2.31</application> and later:
142	</para>
143
144	<screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen>
145	-->
146
147	<!-- Applied in 8.5p1
148	<para>
149	First, adapt <application>ssh-copy-id</application> to changes
150	in bash-5.1:
151	</para>
152
153	<screen><userinput remap="pre">sed -e '/INSTALLKEYS_SH/s/)//' -e '260a\ )' -i contrib/ssh-copy-id</userinput></screen>
154
155	<para>
156	Next, fix an issue on platforms other than x86_64:
157	</para>
158	<screen><userinput remap="pre">if [ "$(uname -m)" != "x86_64" ]; then
159	l1="#ifdef __NR_pselect6_time64"
160	l2=" SC_ALLOW(__NR_pselect6_time64),"
161	l3="#endif"
162	sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" \
163	-i sandbox-seccomp-filter.c
164	fi</userinput></screen>
165	-->
166	<para>
167	Install <application>OpenSSH</application> by running the following
168	commands:
169	</para>
170
171	<!-- -\-with-md5-passwords used to be here, but a comment inside of a <screen>
172	block leaves an eyesore. -->
173	<screen><userinput>./configure --prefix=/usr \
174	--sysconfdir=/etc/ssh \
175	--with-privsep-path=/var/lib/sshd \
176	--with-default-path=/usr/bin \
177	--with-superuser-path=/usr/sbin:/usr/bin \
178	--with-pid-dir=/run &&
179	make</userinput></screen>
180
181	<para>
182	The test suite requires an installed copy of <command>scp</command> to
183	complete the multiplexing tests. To run the test suite, first copy the
184	<command>scp</command> program to
185	<filename class="directory">/usr/bin</filename>, making sure that you
186	backup any existing copy first.
187	</para>
188	<!-- I got all tests passed without this with 9.0p1. Apr 13, 2022.
189	<para>
190	If you wish to run the tests, remove a test suite that is not valid on
191	Linux-based platforms:
192	</para>
193
194	<screen><userinput>sed -i 's/conch-ciphers//' regress/Makefile</userinput></screen>
195	-->
196	<para>
197	To test the results, issue: <command>make -j1 tests</command>.
198	<!--One test, <filename>key options</filename>, fails when run in chroot.-->
199	</para>
200
201	<!-- commenting this, I get "all tests passed" [ ken ]
202	NB tests should be run as _user_ but the role in the comment is root
203
204	commenting [ bruce ]: There are a couple of tests that want root.
205	The log mentions that SUDO is not set. These skipped tests are
206	ignored and the end says 'all tests passed' even when not root
207
208	<para>
209	To run the test suite, issue the following commands:
210	</para>
211
212	<screen role="root"><userinput>make tests 2>&1 \| tee check.log
213	grep FATAL check.log</userinput></screen>
214
215	<para>
216	If the above command produces no 'FATAL' errors, then proceed with the
217	installation, as the <systemitem class="username">root</systemitem> user:
218	</para>-->
219	<para>
220	Now, as the <systemitem class="username">root</systemitem> user:
221	</para>
222
223	<screen role="root"><userinput>make install &&
224	install -v -m755 contrib/ssh-copy-id /usr/bin &&
225
226	install -v -m644 contrib/ssh-copy-id.1 \
227	/usr/share/man/man1 &&
228	install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
229	install -v -m644 INSTALL LICENCE OVERVIEW README* \
230	/usr/share/doc/openssh-&openssh-version;</userinput></screen>
231	</sect2>
232
233	<sect2 role="commands">
234	<title>Command Explanations</title>
235
236	<para>
237	<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
238	configuration files from being installed in
239	<filename class="directory">/usr/etc</filename>.
240	</para>
241
242	<!--
243	<para>
244	<parameter>-\-with-md5-passwords</parameter>: This enables the use of MD5
245	passwords.
246	</para>
247	-->
248
249	<para>
250	<parameter>--with-default-path=/usr/bin</parameter> and
251	<parameter>--with-superuser-path=/usr/sbin:/usr/bin</parameter>:
252	These set <envar>PATH</envar> consistent with LFS and BLFS
253	<application>Shadow</application> package.
254	</para>
255
256	<para>
257	<parameter>--with-pid-dir=/run</parameter>: This prevents
258	<application>OpenSSH</application> from referring to deprecated
259	<filename class="directory">/var/run</filename>.
260	</para>
261
262	<para>
263	<option>--with-pam</option>: This parameter enables
264	<application>Linux-PAM</application> support in the build.
265	</para>
266
267	<para>
268	<option>--with-xauth=/usr/bin/xauth</option>: Set the default
269	location for the <command>xauth</command> binary for X authentication.
270	Change the location if <command>xauth</command> will be installed to a
271	different path. This can also be controlled from
272	<filename>sshd_config</filename> with the XAuthLocation keyword. You can
273	omit this switch if <application>Xorg</application> is already installed.
274	</para>
275
276	<para>
277	<option>--with-kerberos5=/usr</option>: This option is used to
278	include Kerberos 5 support in the build.
279	</para>
280
281	<para>
282	<option>--with-libedit</option>: This option enables line editing
283	and history features for <command>sftp</command>.
284	</para>
285
286	</sect2>
287
288	<sect2 role="configuration">
289	<title>Configuring OpenSSH</title>
290
291	<sect3 id="openssh-config">
292	<title>Config Files</title>
293
294	<para>
295	<filename>~/.ssh/*</filename>,
296	<filename>/etc/ssh/ssh_config</filename>, and
297	<filename>/etc/ssh/sshd_config</filename>
298	</para>
299
300	<indexterm zone="openssh openssh-config">
301	<primary sortas="e-AA.ssh">~/.ssh/*</primary>
302	</indexterm>
303
304	<indexterm zone="openssh openssh-config">
305	<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
306	</indexterm>
307
308	<indexterm zone="openssh openssh-config">
309	<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
310	</indexterm>
311
312	<para>
313	There are no required changes to any of these files. However,
314	you may wish to view the
315	<filename class='directory'>/etc/ssh/</filename> files and make any
316	changes appropriate for the security of your system. One recommended
317	change is that you disable
318	<systemitem class='username'>root</systemitem> login via
319	<command>ssh</command>. Execute the following command as the
320	<systemitem class='username'>root</systemitem> user to disable
321	<systemitem class='username'>root</systemitem> login via
322	<command>ssh</command>:
323	</para>
324
325	<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
326
327	<para>
328	If you want to be able to log in without typing in your password, first
329	create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
330	<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
331	~/.ssh/authorized_keys on the remote computer that you want to log into.
332	You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
333	computer and you'll also need to enter your password for the ssh-copy-id command
334	to succeed:
335	</para>
336
337	<screen><userinput>ssh-keygen &&
338	ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
339
340	<para>
341	Once you've got passwordless logins working it's actually more secure
342	than logging in with a password (as the private key is much longer than
343	most people's passwords). If you would like to now disable password
344	logins, as the <systemitem class="username">root</systemitem> user:
345	</para>
346
347
348	<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
349	echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
350
351	<para>
352	If you added <application>Linux-PAM</application> support and you want
353	ssh to use it then you will need to add a configuration file for
354	<application>sshd</application> and enable use of
355	<application>LinuxPAM</application>. Note, ssh only uses PAM to check
356	passwords, if you've disabled password logins these commands are not
357	needed. If you want to use PAM, issue the following commands as the
358	<systemitem class='username'>root</systemitem> user:
359	</para>
360
361	<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
362	chmod 644 /etc/pam.d/sshd &&
363	echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
364
365	<para>
366	Additional configuration information can be found in the man
367	pages for <command>sshd</command>, <command>ssh</command> and
368	<command>ssh-agent</command>.
369	</para>
370	</sect3>
371
372	<sect3 id="openssh-init">
373	<title><phrase revision="sysv">Boot Script</phrase>
374	<phrase revision="systemd">Systemd Unit</phrase></title>
375
376	<para revision="sysv">
377	To start the SSH server at system boot, install the
378	<filename>/etc/rc.d/init.d/sshd</filename> init script included
379	in the <xref linkend="bootscripts"/> package.
380	</para>
381
382	<para revision="systemd">
383	To start the SSH server at system boot, install the
384	<filename>sshd.service</filename> unit included in the
385	<xref linkend="systemd-units"/> package.
386	</para>
387
388	<indexterm zone="openssh openssh-init">
389	<primary sortas="f-sshd">sshd</primary>
390	</indexterm>
391
392	<screen role="root"><userinput>make install-sshd</userinput></screen>
393	</sect3>
394	</sect2>
395
396	<sect2 role="content">
397	<title>Contents</title>
398
399	<segmentedlist>
400	<segtitle>Installed Programs</segtitle>
401	<segtitle>Installed Libraries</segtitle>
402	<segtitle>Installed Directories</segtitle>
403
404	<seglistitem>
405	<seg>
406	scp, sftp, <!--slogin (symlink to ssh),--> ssh, ssh-add, ssh-agent,
407	ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
408	</seg>
409	<seg>
410	None
411	</seg>
412	<seg>
413	/etc/ssh,
414	/usr/share/doc/openssh-&openssh-version;, and
415	/var/lib/sshd
416	</seg>
417	</seglistitem>
418	</segmentedlist>
419
420	<variablelist>
421	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
422	<?dbfo list-presentation="list"?>
423	<?dbhtml list-presentation="table"?>
424
425	<varlistentry id="scp">
426	<term><command>scp</command></term>
427	<listitem>
428	<para>
429	is a file copy program that acts like <command>rcp</command> except
430	it uses an encrypted protocol
431	</para>
432	<indexterm zone="openssh scp">
433	<primary sortas="b-scp">scp</primary>
434	</indexterm>
435	</listitem>
436	</varlistentry>
437
438	<varlistentry id="sftp">
439	<term><command>sftp</command></term>
440	<listitem>
441	<para>
442	is an FTP-like program that works over the SSH1 and SSH2 protocols
443	</para>
444	<indexterm zone="openssh sftp">
445	<primary sortas="b-sftp">sftp</primary>
446	</indexterm>
447	</listitem>
448	</varlistentry>
449	<!-- Not installed anymore as of 8.5p1
450	<varlistentry id="slogin">
451	<term><command>slogin</command></term>
452	<listitem>
453	<para>
454	is a symlink to <command>ssh</command>
455	</para>
456	<indexterm zone="openssh slogin">
457	<primary sortas="b-slogin">slogin</primary>
458	</indexterm>
459	</listitem>
460	</varlistentry>
461	-->
462	<varlistentry id="ssh">
463	<term><command>ssh</command></term>
464	<listitem>
465	<para>
466	is an <command>rlogin</command>/<command>rsh</command>-like client
467	program except it uses an encrypted protocol
468	</para>
469	<indexterm zone="openssh ssh">
470	<primary sortas="b-ssh">ssh</primary>
471	</indexterm>
472	</listitem>
473	</varlistentry>
474
475	<varlistentry id="sshd">
476	<term><command>sshd</command></term>
477	<listitem>
478	<para>
479	is a daemon that listens for <command>ssh</command> login requests
480	</para>
481	<indexterm zone="openssh sshd">
482	<primary sortas="b-sshd">sshd</primary>
483	</indexterm>
484	</listitem>
485	</varlistentry>
486
487	<varlistentry id="ssh-add">
488	<term><command>ssh-add</command></term>
489	<listitem>
490	<para>
491	is a tool which adds keys to the <command>ssh-agent</command>
492	</para>
493	<indexterm zone="openssh ssh-add">
494	<primary sortas="b-ssh-add">ssh-add</primary>
495	</indexterm>
496	</listitem>
497	</varlistentry>
498
499	<varlistentry id="ssh-agent">
500	<term><command>ssh-agent</command></term>
501	<listitem>
502	<para>
503	is an authentication agent that can store private keys
504	</para>
505	<indexterm zone="openssh ssh-agent">
506	<primary sortas="b-ssh-agent">ssh-agent</primary>
507	</indexterm>
508	</listitem>
509	</varlistentry>
510
511	<varlistentry id="ssh-copy-id">
512	<term><command>ssh-copy-id</command></term>
513	<listitem>
514	<para>
515	is a script that enables logins on remote machines using local keys
516	</para>
517	<indexterm zone="openssh ssh-copy-id">
518	<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
519	</indexterm>
520	</listitem>
521	</varlistentry>
522
523	<varlistentry id="ssh-keygen">
524	<term><command>ssh-keygen</command></term>
525	<listitem>
526	<para>
527	is a key generation tool
528	</para>
529	<indexterm zone="openssh ssh-keygen">
530	<primary sortas="b-ssh-keygen">ssh-keygen</primary>
531	</indexterm>
532	</listitem>
533	</varlistentry>
534
535	<varlistentry id="ssh-keyscan">
536	<term><command>ssh-keyscan</command></term>
537	<listitem>
538	<para>
539	is a utility for gathering public host keys from a number of hosts
540	</para>
541	<indexterm zone="openssh ssh-keyscan">
542	<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
543	</indexterm>
544	</listitem>
545	</varlistentry>
546
547	</variablelist>
548	</sect2>
549
550	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: