[0931098] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[0931098] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
[e4e0d060] | 7 | <!ENTITY openssh-download-http "http://sunsite.ualberta.ca/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
|
---|
[3a3b19b] | 8 | <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
|
---|
[6c24da75] | 9 | <!ENTITY openssh-md5sum "50a800fd2c6def9e9a53068837e87b91">
|
---|
| 10 | <!ENTITY openssh-size "968 KB">
|
---|
| 11 | <!ENTITY openssh-buildsize "16.2 MB">
|
---|
| 12 | <!ENTITY openssh-time "0.5 SBU (additional 1.2 SBU to run the test suite)">
|
---|
[0931098] | 13 | ]>
|
---|
| 14 |
|
---|
[1708d1e9] | 15 | <sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
|
---|
[e4e0d060] | 16 | <?dbhtml filename="openssh.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>OpenSSH-&openssh-version;</title>
|
---|
| 24 |
|
---|
| 25 | <indexterm zone="openssh">
|
---|
| 26 | <primary sortas="a-OpenSSH">OpenSSH</primary>
|
---|
| 27 | </indexterm>
|
---|
| 28 |
|
---|
| 29 | <sect2 role="package">
|
---|
| 30 | <title>Introduction to OpenSSH</title>
|
---|
| 31 |
|
---|
| 32 | <para>The <application>OpenSSH</application> package contains
|
---|
| 33 | <command>ssh</command> clients and the <command>sshd</command> daemon.
|
---|
| 34 | This is useful for encrypting authentication and subsequent traffic
|
---|
| 35 | over a network.</para>
|
---|
| 36 |
|
---|
| 37 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 38 | <itemizedlist spacing="compact">
|
---|
| 39 | <listitem>
|
---|
| 40 | <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
|
---|
| 41 | </listitem>
|
---|
| 42 | <listitem>
|
---|
| 43 | <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
|
---|
| 44 | </listitem>
|
---|
| 45 | <listitem>
|
---|
| 46 | <para>Download MD5 sum: &openssh-md5sum;</para>
|
---|
| 47 | </listitem>
|
---|
| 48 | <listitem>
|
---|
| 49 | <para>Download size: &openssh-size;</para>
|
---|
| 50 | </listitem>
|
---|
| 51 | <listitem>
|
---|
| 52 | <para>Estimated disk space required: &openssh-buildsize;</para>
|
---|
| 53 | </listitem>
|
---|
| 54 | <listitem>
|
---|
| 55 | <para>Estimated build time: &openssh-time;</para>
|
---|
| 56 | </listitem>
|
---|
| 57 | </itemizedlist>
|
---|
| 58 |
|
---|
| 59 | <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
|
---|
| 60 |
|
---|
| 61 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[a6ac43b] | 62 | <para role="required"><xref linkend="openssl"/></para>
|
---|
[e4e0d060] | 63 |
|
---|
| 64 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
[a6ac43b] | 65 | <para role="optional"><xref linkend="linux-pam"/>,
|
---|
[e4e0d060] | 66 | <xref linkend="tcpwrappers"/>,
|
---|
[e77976f] | 67 | <xref linkend="x-window-system"/>,
|
---|
[e4e0d060] | 68 | <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
|
---|
| 69 | <xref linkend="net-tools"/>,
|
---|
[b21c661] | 70 | <xref linkend="sysstat"/>,
|
---|
[608a225] | 71 | <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
|
---|
[9561d7e] | 72 | <ulink
|
---|
| 73 | url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
|
---|
| 74 |
|
---|
[1663c2b5] | 75 | <para condition="html" role="usernotes">User Notes:
|
---|
| 76 | <ulink url='&blfs-wiki;/OpenSSH'/></para>
|
---|
[e4e0d060] | 77 |
|
---|
| 78 | </sect2>
|
---|
| 79 |
|
---|
| 80 | <sect2 role="installation">
|
---|
| 81 | <title>Installation of OpenSSH</title>
|
---|
| 82 |
|
---|
| 83 | <para><application>OpenSSH</application> runs as two processes when
|
---|
| 84 | connecting to other computers. The first process is a privileged process
|
---|
| 85 | and controls the issuance of privileges as necessary. The second process
|
---|
| 86 | communicates with the network. Additional installation steps are necessary
|
---|
[3de6059] | 87 | to set up the proper environment, which are performed by issuing the
|
---|
| 88 | following commands as the <systemitem class="username">root</systemitem>
|
---|
| 89 | user:</para>
|
---|
[e4e0d060] | 90 |
|
---|
[45f3870] | 91 | <screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
|
---|
| 92 | chown -v root:sys /var/lib/sshd &&
|
---|
[b21c661] | 93 | groupadd -g 50 sshd &&
|
---|
| 94 | useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
|
---|
| 95 | -s /bin/false -u 50 sshd</userinput></screen>
|
---|
[0931098] | 96 |
|
---|
[e4e0d060] | 97 | <para><application>OpenSSH</application> is very sensitive to changes in
|
---|
| 98 | the linked <application>OpenSSL</application> libraries. If you recompile
|
---|
| 99 | <application>OpenSSL</application>, <application>OpenSSH</application> may
|
---|
| 100 | fail to startup. An alternative is to link against the static
|
---|
| 101 | <application>OpenSSL</application> library. To link against the static
|
---|
| 102 | library, execute the following command:</para>
|
---|
[0931098] | 103 |
|
---|
[6c24da75] | 104 | <screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
|
---|
[0931098] | 105 |
|
---|
[e4e0d060] | 106 | <para>Install <application>OpenSSH</application> by running
|
---|
| 107 | the following commands:</para>
|
---|
[0931098] | 108 |
|
---|
[6c24da75] | 109 | <screen><userinput>sed -i 's@ -ldes@@' configure &&
|
---|
| 110 | ./configure --prefix=/usr --sysconfdir=/etc/ssh --datadir=/usr/share/sshd \
|
---|
[03fea94] | 111 | --libexecdir=/usr/lib/openssh --with-md5-passwords \
|
---|
[3a3b19b] | 112 | --with-privsep-path=/var/lib/sshd &&
|
---|
| 113 | make</userinput></screen>
|
---|
[1b83a7c1] | 114 |
|
---|
[e4e0d060] | 115 | <para>If you linked <application>tcp_wrappers</application> into the
|
---|
| 116 | build using the <option>--with-tcp-wrappers</option> parameter, ensure
|
---|
| 117 | you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
|
---|
| 118 | if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
|
---|
[45f3870] | 119 | test suite will fail. To run the test suite, issue: <command>make -k
|
---|
[0c6194bb] | 120 | tests</command>.</para>
|
---|
[f45b1953] | 121 |
|
---|
[e4e0d060] | 122 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
| 123 |
|
---|
[45f3870] | 124 | <screen role="root"><userinput>make install &&
|
---|
| 125 | install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
|
---|
| 126 | install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
|
---|
| 127 | /usr/share/doc/openssh-&openssh-version;</userinput></screen>
|
---|
[e4e0d060] | 128 |
|
---|
| 129 | </sect2>
|
---|
| 130 |
|
---|
| 131 | <sect2 role="commands">
|
---|
| 132 | <title>Command Explanations</title>
|
---|
| 133 |
|
---|
[6c24da75] | 134 | <para><command>sed -i 's@ -ldes@@' configure</command>:
|
---|
[3a3b19b] | 135 | This command fixes a build crash if you used the
|
---|
| 136 | <option>--with-kerberos5</option> parameter and you built the
|
---|
| 137 | <application>Heimdal</application> package in accordance with the BLFS
|
---|
| 138 | instructions. The command is harmless in all other instances.</para>
|
---|
| 139 |
|
---|
[e4e0d060] | 140 | <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
|
---|
| 141 | the configuration files from being installed in
|
---|
| 142 | <filename class="directory">/usr/etc</filename>.</para>
|
---|
[f45b1953] | 143 |
|
---|
[6c24da75] | 144 | <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
|
---|
| 145 | puts the Ssh.bin file (used for SmartCard authentication) in
|
---|
| 146 | <filename class="directory">/usr/share/sshd</filename>.</para>
|
---|
| 147 |
|
---|
| 148 | <!-- WOW, this description is really old, IIRC it was obsolete shortly
|
---|
| 149 | before I was an editor, as the hint became a part of both books.
|
---|
| 150 | I'll leave it in for now JIC - Delete Later
|
---|
| 151 | <para><parameter>- -with-md5-passwords</parameter>: This is required
|
---|
[e4e0d060] | 152 | if you made the changes recommended by the shadowpasswd_plus
|
---|
| 153 | LFS hint on your SSH server when you installed the Shadow Password
|
---|
| 154 | Suite or if you access a SSH server that authenticates by
|
---|
| 155 | user passwords encrypted with md5.</para>
|
---|
[6c24da75] | 156 | -->
|
---|
| 157 |
|
---|
| 158 | <para><parameter>--with-md5-passwords</parameter>: This is required
|
---|
| 159 | with the default configuration of Shadow password suite in LFS.</para>
|
---|
[e4e0d060] | 160 |
|
---|
[1b744785] | 161 | <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
|
---|
[e4e0d060] | 162 | changes the installation path of some programs to
|
---|
[1b744785] | 163 | <filename class="directory">/usr/lib/openssh</filename> instead of
|
---|
[e4e0d060] | 164 | <filename class="directory">/usr/libexec</filename>.</para>
|
---|
| 165 |
|
---|
| 166 | </sect2>
|
---|
| 167 |
|
---|
| 168 | <sect2 role="configuration">
|
---|
| 169 | <title>Configuring OpenSSH</title>
|
---|
| 170 |
|
---|
| 171 | <sect3 id="openssh-config">
|
---|
| 172 | <title>Config Files</title>
|
---|
| 173 |
|
---|
| 174 | <para><filename>~/.ssh/*</filename>,
|
---|
| 175 | <filename>/etc/ssh/ssh_config</filename>, and
|
---|
| 176 | <filename>/etc/ssh/sshd_config</filename></para>
|
---|
| 177 |
|
---|
| 178 | <indexterm zone="openssh openssh-config">
|
---|
| 179 | <primary sortas="e-AA.ssh">~/.ssh/*</primary>
|
---|
| 180 | </indexterm>
|
---|
| 181 |
|
---|
| 182 | <indexterm zone="openssh openssh-config">
|
---|
| 183 | <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
|
---|
| 184 | </indexterm>
|
---|
| 185 |
|
---|
| 186 | <indexterm zone="openssh openssh-config">
|
---|
| 187 | <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
|
---|
| 188 | </indexterm>
|
---|
| 189 |
|
---|
| 190 | <para>There are no required changes to any of these files. However,
|
---|
| 191 | you may wish to view the <filename class='directory'>/etc/ssh/</filename>
|
---|
[823b1a3] | 192 | files and make any changes appropriate for the security of your system.
|
---|
[bfb7882] | 193 | One recommended change is that you disable
|
---|
[823b1a3] | 194 | <systemitem class='username'>root</systemitem> login via
|
---|
| 195 | <command>ssh</command>. Execute the following command as the
|
---|
| 196 | <systemitem class='username'>root</systemitem> user to disable
|
---|
| 197 | <systemitem class='username'>root</systemitem> login via
|
---|
[e4e0d060] | 198 | <command>ssh</command>:</para>
|
---|
| 199 |
|
---|
[6c24da75] | 200 | <screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
|
---|
| 201 |
|
---|
| 202 | <para>If you added <application>LinuxPAM</application> support, then you
|
---|
| 203 | will need to add a configuration file for
|
---|
| 204 | <application>sshd</application>. Issue the following commands as the
|
---|
| 205 | <systemitem class='username'>root</systemitem> user:</para>
|
---|
| 206 |
|
---|
| 207 | <screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
|
---|
| 208 | chmod 644 /etc/pam.d/sshd</userinput></screen>
|
---|
[e4e0d060] | 209 |
|
---|
| 210 | <para>Additional configuration information can be found in the man
|
---|
| 211 | pages for <command>sshd</command>, <command>ssh</command> and
|
---|
| 212 | <command>ssh-agent</command>.</para>
|
---|
| 213 |
|
---|
| 214 | </sect3>
|
---|
| 215 |
|
---|
| 216 | <sect3 id="openssh-init">
|
---|
| 217 | <title>Boot Script</title>
|
---|
| 218 |
|
---|
| 219 | <para>To start the SSH server at system boot, install the
|
---|
| 220 | <filename>/etc/rc.d/init.d/sshd</filename> init script included
|
---|
[5254d12] | 221 | in the <xref linkend="bootscripts"/> package.</para>
|
---|
[e4e0d060] | 222 |
|
---|
| 223 | <indexterm zone="openssh openssh-init">
|
---|
| 224 | <primary sortas="f-sshd">sshd</primary>
|
---|
| 225 | </indexterm>
|
---|
| 226 |
|
---|
| 227 | <screen role="root"><userinput>make install-sshd</userinput></screen>
|
---|
| 228 |
|
---|
| 229 | </sect3>
|
---|
| 230 |
|
---|
| 231 | </sect2>
|
---|
| 232 |
|
---|
| 233 | <sect2 role="content">
|
---|
| 234 | <title>Contents</title>
|
---|
| 235 |
|
---|
| 236 | <segmentedlist>
|
---|
| 237 | <segtitle>Installed Programs</segtitle>
|
---|
| 238 | <segtitle>Installed Libraries</segtitle>
|
---|
| 239 | <segtitle>Installed Directories</segtitle>
|
---|
| 240 |
|
---|
| 241 | <seglistitem>
|
---|
| 242 | <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
|
---|
| 243 | ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
|
---|
| 244 | <seg>None</seg>
|
---|
[45f3870] | 245 | <seg>/etc/ssh, /var/lib/sshd and
|
---|
| 246 | /usr/share/doc/openssh-&openssh-version;</seg>
|
---|
[e4e0d060] | 247 | </seglistitem>
|
---|
| 248 | </segmentedlist>
|
---|
| 249 |
|
---|
| 250 | <variablelist>
|
---|
| 251 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 252 | <?dbfo list-presentation="list"?>
|
---|
| 253 | <?dbhtml list-presentation="table"?>
|
---|
| 254 |
|
---|
| 255 | <varlistentry id="scp">
|
---|
| 256 | <term><command>scp</command></term>
|
---|
| 257 | <listitem>
|
---|
| 258 | <para>is a file copy program that acts like <command>rcp</command>
|
---|
| 259 | except it uses an encrypted protocol.</para>
|
---|
| 260 | <indexterm zone="openssh scp">
|
---|
| 261 | <primary sortas="b-scp">scp</primary>
|
---|
| 262 | </indexterm>
|
---|
| 263 | </listitem>
|
---|
| 264 | </varlistentry>
|
---|
| 265 |
|
---|
| 266 | <varlistentry id="sftp">
|
---|
| 267 | <term><command>sftp</command></term>
|
---|
| 268 | <listitem>
|
---|
| 269 | <para>is an FTP-like program that works over
|
---|
| 270 | SSH1 and SSH2 protocols.</para>
|
---|
| 271 | <indexterm zone="openssh sftp">
|
---|
| 272 | <primary sortas="b-sftp">sftp</primary>
|
---|
| 273 | </indexterm>
|
---|
| 274 | </listitem>
|
---|
| 275 | </varlistentry>
|
---|
| 276 |
|
---|
| 277 | <varlistentry id="sftp-server">
|
---|
| 278 | <term><command>sftp-server</command></term>
|
---|
| 279 | <listitem>
|
---|
[0c6194bb] | 280 | <para>is an SFTP server subsystem. This program is not normally
|
---|
| 281 | called directly by the user.</para>
|
---|
[e4e0d060] | 282 | <indexterm zone="openssh sftp-server">
|
---|
| 283 | <primary sortas="b-sftp-server">sftp-server</primary>
|
---|
| 284 | </indexterm>
|
---|
| 285 | </listitem>
|
---|
| 286 | </varlistentry>
|
---|
| 287 |
|
---|
| 288 | <varlistentry id="slogin">
|
---|
| 289 | <term><command>slogin</command></term>
|
---|
| 290 | <listitem>
|
---|
| 291 | <para>is a symlink to <command>ssh</command>.</para>
|
---|
| 292 | <indexterm zone="openssh slogin">
|
---|
| 293 | <primary sortas="g-slogin">slogin</primary>
|
---|
| 294 | </indexterm>
|
---|
| 295 | </listitem>
|
---|
| 296 | </varlistentry>
|
---|
| 297 |
|
---|
| 298 | <varlistentry id="ssh">
|
---|
| 299 | <term><command>ssh</command></term>
|
---|
| 300 | <listitem>
|
---|
| 301 | <para>is an <command>rlogin</command>/<command>rsh</command>-like
|
---|
| 302 | client program except it uses an encrypted protocol.</para>
|
---|
| 303 | <indexterm zone="openssh ssh">
|
---|
| 304 | <primary sortas="b-ssh">ssh</primary>
|
---|
| 305 | </indexterm>
|
---|
| 306 | </listitem>
|
---|
| 307 | </varlistentry>
|
---|
| 308 |
|
---|
| 309 | <varlistentry id="sshd">
|
---|
| 310 | <term><command>sshd</command></term>
|
---|
| 311 | <listitem>
|
---|
| 312 | <para>is a daemon that listens for <command>ssh</command> login
|
---|
| 313 | requests.</para>
|
---|
| 314 | <indexterm zone="openssh sshd">
|
---|
| 315 | <primary sortas="b-sshd">sshd</primary>
|
---|
| 316 | </indexterm>
|
---|
| 317 | </listitem>
|
---|
| 318 | </varlistentry>
|
---|
| 319 |
|
---|
| 320 | <varlistentry id="ssh-add">
|
---|
| 321 | <term><command>ssh-add</command></term>
|
---|
| 322 | <listitem>
|
---|
| 323 | <para>is a tool which adds keys to the
|
---|
| 324 | <command>ssh-agent</command>.</para>
|
---|
| 325 | <indexterm zone="openssh ssh-add">
|
---|
| 326 | <primary sortas="b-ssh-add">ssh-add</primary>
|
---|
| 327 | </indexterm>
|
---|
| 328 | </listitem>
|
---|
| 329 | </varlistentry>
|
---|
| 330 |
|
---|
| 331 | <varlistentry id="ssh-agent">
|
---|
| 332 | <term><command>ssh-agent</command></term>
|
---|
| 333 | <listitem>
|
---|
| 334 | <para>is an authentication agent that can store private keys.</para>
|
---|
| 335 | <indexterm zone="openssh ssh-agent">
|
---|
| 336 | <primary sortas="b-ssh-agent">ssh-agent</primary>
|
---|
| 337 | </indexterm>
|
---|
| 338 | </listitem>
|
---|
| 339 | </varlistentry>
|
---|
| 340 |
|
---|
| 341 | <varlistentry id="ssh-keygen">
|
---|
| 342 | <term><command>ssh-keygen</command></term>
|
---|
| 343 | <listitem>
|
---|
| 344 | <para>is a key generation tool.</para>
|
---|
| 345 | <indexterm zone="openssh ssh-keygen">
|
---|
| 346 | <primary sortas="b-ssh-keygen">ssh-keygen</primary>
|
---|
| 347 | </indexterm>
|
---|
| 348 | </listitem>
|
---|
| 349 | </varlistentry>
|
---|
| 350 |
|
---|
| 351 | <varlistentry id="ssh-keyscan">
|
---|
| 352 | <term><command>ssh-keyscan</command></term>
|
---|
| 353 | <listitem>
|
---|
| 354 | <para>is a utility for gathering public host keys from a
|
---|
| 355 | number of hosts.</para>
|
---|
| 356 | <indexterm zone="openssh ssh-keyscan">
|
---|
| 357 | <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
|
---|
| 358 | </indexterm>
|
---|
| 359 | </listitem>
|
---|
| 360 | </varlistentry>
|
---|
| 361 |
|
---|
| 362 | <varlistentry id="ssh-keysign">
|
---|
| 363 | <term><command>ssh-keysign</command></term>
|
---|
| 364 | <listitem>
|
---|
| 365 | <para>is used by <command>ssh</command> to access the local host
|
---|
| 366 | keys and generate the digital signature required during hostbased
|
---|
[0c6194bb] | 367 | authentication with SSH protocol version 2. This program is not normally
|
---|
| 368 | called directly by the user.</para>
|
---|
[e4e0d060] | 369 | <indexterm zone="openssh ssh-keysign">
|
---|
| 370 | <primary sortas="b-ssh-keysign">ssh-keysign</primary>
|
---|
| 371 | </indexterm>
|
---|
| 372 | </listitem>
|
---|
| 373 | </varlistentry>
|
---|
| 374 |
|
---|
| 375 | </variablelist>
|
---|
| 376 |
|
---|
| 377 | </sect2>
|
---|
| 378 |
|
---|
| 379 | </sect1>
|
---|