source: server/major/openssh.xml@ 0aeb696

Last change on this file since 0aeb696 was 0aeb696, checked in by Randy McMurchy <randy@…>, 18 years ago

Added a comment to each file that may need a mention of a test suite added to it, this allows closing of bug #1697

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@5951 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 14.8 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!-- Inserted as a reminder to do this. The mention of a test suite
       is usually right before the root user installation commands. Please
       delete these 12 (including one blank) lines after you are done.-->

  <!-- Use one of the two mentions below about a test suite,
       delete the line that is not applicable. Of course, if the
       test suite uses syntax other than "make check", revise the
       line to reflect the actual syntax to run the test suite -->

  <!-- <para>This package does not come with a test suite.</para> -->
  <!-- <para>To test the results, issue: <command>make check</command>.</para> -->

  <!ENTITY openssh-download-http "http://sunsite.ualberta.ca/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum "7e9880ac20a9b9db0d3fea30a9ff3d46">
  <!ENTITY openssh-size "920 KB">
  <!ENTITY openssh-buildsize "15.3 MB">
  <!ENTITY openssh-time "0.5 SBU (additional 0.7 SBU to run the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">openssh-&openssh-version;.tar</keyword>
      <keyword role="ftpdir">openssh</keyword>
    </keywordset>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>The <application>OpenSSH</application> package contains
    <command>ssh</command> clients and the <command>sshd</command> daemon.
    This is useful for encrypting authentication and subsequent traffic
    over a network.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
    <xref linkend="jdk"/>,
    <xref linkend="net-tools"/>,
    <xref linkend="sysstat"/>,
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink> and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><application>OpenSSH</application> runs as two processes when
    connecting to other computers. The first process is a privileged process
    and controls the issuance of privileges as necessary. The second process
    communicates with the network. Additional installation steps are needed
    to set up the environment for this arrangement (a dedicated
    <systemitem class="username">sshd</systemitem> user and group and the
    <filename class="directory">/var/lib/sshd</filename> directory); perform
    them with the following commands:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

    <para><application>OpenSSH</application> is very sensitive to changes in
    the linked <application>OpenSSL</application> libraries. If you recompile
    <application>OpenSSL</application>, <application>OpenSSH</application> may
    fail to start up. An alternative is to link against the static
    <application>OpenSSL</application> library. To link against the static
    library, execute the following command:</para>

<screen><userinput>sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure</userinput></screen>

    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>sed -i "s/lkrb5 -ldes/lkrb5/" configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/sbin --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <!-- Leaving this bunch of stuff for now. The description of all
    this is now in the Command Explanations, however.
    <para>If you use <application>Heimdal</application> as your Kerberos5
    implementation and you linked the <application>Heimdal</application>
    libraries into the <application>OpenSSH</application> build using the
    <option>-with-kerberos5</option> parameter, you'll need to modify the
    <filename>Makefile</filename> if you previously linked
    <application>OpenSSL</application> into the
    <application>Heimdal</application> build or the build will fail. The
    <application>OpenSSH</application> default expects
    <application>Heimdal</application> was built using the included
    <filename class='libraryfile'>libdes</filename> library instead of
    <application>OpenSSL</application>. Use the following command to modify
    the <filename>Makefile</filename>:</para>
    -->

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. To run the test suite, issue: <command>make -k
    tests</command>. The banner tests are known to fail.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i "s/lkrb5 -ldes/lkrb5/" configure</command>:
    This command fixes a build crash if you used the
    <option>--with-kerberos5</option> parameter and you built the
    <application>Heimdal</application> package in accordance with the BLFS
    instructions. The command is harmless in all other instances.</para>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--with-md5-passwords</parameter>: This is required
    if you made the changes recommended by the shadowpasswd_plus
    LFS hint on your SSH server when you installed the Shadow Password
    Suite or if you access an SSH server that authenticates by
    user passwords encrypted with MD5.</para>

    <para><parameter>--libexecdir=/usr/sbin</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/sbin</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is that you disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>

      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3 id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
        <seg>None</seg>
        <seg>/etc/ssh, /var/lib/sshd and
        /usr/share/doc/openssh-&openssh-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>is a file copy program that acts like <command>rcp</command>
          except it uses an encrypted protocol.</para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>is a key generation tool.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
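
sshd uses the first value it reads for each keyword, so the `echo "PermitRootLogin no" >>` append in the Configuring OpenSSH section of this file only takes effect when no earlier active `PermitRootLogin` line exists. The script below is an added example, not part of the BLFS book: the function names `effective_permit_root_login` and `disable_root_login` are hypothetical, the sample config is constructed, and the handling of `Match` blocks goes beyond what the page covers.

```shell
#!/bin/sh
# Added example, not part of the BLFS book. Function names are hypothetical.

# Print the global PermitRootLogin value sshd would use from config file $1
# (first active occurrence wins), or "unset" if none precedes a Match block.
effective_permit_root_login() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)
            kw = tolower(f[1])
            if (kw == "match") exit
            if (kw == "permitrootlogin") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Make "PermitRootLogin no" effective in $1: rewrite the first active line,
# or insert the directive before the first Match block, or append at EOF.
disable_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        function kw(l) { sub(/^[ \t]+/, "", l); split(l, f, /[ \t=]+/); return tolower(f[1]) }
        !done && kw($0) == "permitrootlogin" { print "PermitRootLogin no"; done = 1; next }
        !done && kw($0) == "match" { print "PermitRootLogin no"; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config: an active "yes" precedes the appended line.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
    'Subsystem sftp /usr/sbin/sftp-server' > "$demo"
echo "PermitRootLogin no" >> "$demo"                # the page's append
echo "after append:  $(effective_permit_root_login "$demo")"
disable_root_login "$demo"
echo "after rewrite: $(effective_permit_root_login "$demo")"
rm -f "$demo"
```

After editing the real file, `sshd -t` run as root checks the configuration for syntax errors before the daemon is restarted.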