OpenSSH-&openssh-version;

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network.

Package information

Download (HTTP):
Download (FTP):
Download MD5 sum: &openssh-md5sum;
Download size: &openssh-size;
Estimated disk space required: &openssh-buildsize;
Estimated build time: &openssh-time;

OpenSSH dependencies

Required

Optional
, , X ( or ), or , , , OpenSC and libedit

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by the following commands:

    install -v -d -m700 /var/lib/sshd &&
    chown root:sys /var/lib/sshd &&
    groupadd sshd &&
    useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false sshd

OpenSSH is very sensitive to changes in the linked OpenSSL libraries. If you recompile OpenSSL, OpenSSH may fail to start up. An alternative is to link against the static OpenSSL library. To link against the static library, execute the following command:

    sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure

Install OpenSSH by running the following commands:

    ./configure --prefix=/usr --sysconfdir=/etc/ssh \
        --libexecdir=/usr/sbin --with-md5-passwords \
        --with-privsep-path=/var/lib/sshd

If you use Heimdal as your Kerberos5 implementation and you linked the Heimdal libraries into the build using the parameter, you'll need to modify the Makefile or the build will fail. Use the following command:

    sed -i -e "s/lkrb5 -ldes/lkrb5/" Makefile

Continue the build:

    make

If you linked tcp_wrappers into the build using the parameter, ensure you add 127.0.0.1 to the sshd line in /etc/hosts.allow if you have a restrictive /etc/hosts.deny file, or the test suite will fail. To run the test suite, issue: make -k tests.

Now, as the root user:

    make install

Command explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This is required if you made the changes recommended by the shadowpasswd_plus LFS hint on your SSH server when you installed the Shadow Password Suite, or if you access an SSH server that authenticates by user passwords encrypted with MD5.

--libexecdir=/usr/sbin: This parameter changes the installation path of some programs to /usr/sbin instead of /usr/libexec.

Configuring OpenSSH

Config files

~/.ssh/*, /etc/ssh/ssh_config and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command to disable root login via ssh:

    echo "PermitRootLogin no" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

sshd init.d script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the package.

    make install-sshd

Contents

Installed Programs: scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan and ssh-keysign
Installed Libraries: None
Installed Directories: /etc/ssh and /var/lib/sshd

Short Descriptions

scp is a file copy program that acts like rcp except it uses an encrypted protocol.
sftp is an FTP-like program that works over SSH1 and SSH2 protocols.
sftp-server is an SFTP server subsystem.
slogin is a symlink to ssh.
ssh is an rlogin/rsh-like client program except it uses an encrypted protocol.
sshd is a daemon that listens for ssh login requests.
ssh-add is a tool which adds keys to the ssh-agent.
ssh-agent is an authentication agent that can store private keys.
ssh-keygen is a key generation tool.
ssh-keyscan is a utility for gathering public host keys from a number of hosts.
ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2.
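
The append shown under "Configuring OpenSSH" only takes effect when no earlier uncommented line already sets PermitRootLogin, because sshd uses the first value it reads for each keyword. The following shell functions are an added example, not part of the original page or the OpenSSH package; the names effective_keyword, set_keyword and make_sample and the sample file are constructed for illustration, and the code assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# sshd uses the first value it reads for each keyword, so a line appended to
# sshd_config is ignored if an earlier uncommented line sets the same keyword.
# Assumes whitespace-separated "Keyword value" lines (no "Keyword=value").

# effective_keyword FILE KEYWORD: print the first global value of KEYWORD.
# Keywords are case-insensitive; scanning stops at the first Match block.
effective_keyword() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# set_keyword FILE KEYWORD VALUE: put "KEYWORD VALUE" on the first line and
# drop other global settings of KEYWORD; lines inside Match blocks are kept.
set_keyword() {
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v kw="$2" '
            BEGIN { kw = tolower(kw) }
            in_match || tolower($1) != kw { print }
            tolower($1) == "match" { in_match = 1 }
        ' "$1"
    } > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file standing in for /etc/ssh/sshd_config.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a shipped default
Port 22
permitrootlogin yes
Subsystem sftp /usr/sbin/sftp-server
EOF
}

cfg=$(mktemp) && make_sample "$cfg"
echo "PermitRootLogin no" >> "$cfg"            # the append from the page
echo "after append:      $(effective_keyword "$cfg" PermitRootLogin)"
set_keyword "$cfg" PermitRootLogin no
echo "after set_keyword: $(effective_keyword "$cfg" PermitRootLogin)"
rm -f "$cfg"
```

On a live system, `sshd -T` prints the configuration the daemon would actually use and is the authoritative check after editing the file.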