source: server/major/openssh.xml@ 156b4f7

Last change on this file since 156b4f7 was 3de6059, checked in by Randy McMurchy <randy@…>, 17 years ago

Added a note to run some commands in the OpenSSH instructions as the root user, thanks to ghylton for the report

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@6740 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http "http://sunsite.ualberta.ca/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum "6a7fa99f44d9e1b5b04d15256e1405bb">
  <!ENTITY openssh-size "967 KB">
  <!ENTITY openssh-buildsize "18 MB">
  <!ENTITY openssh-time "0.5 SBU (additional 0.3 SBU to run the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>The <application>OpenSSH</application> package contains
    <command>ssh</command> clients and the <command>sshd</command> daemon.
    This is useful for encrypting authentication and subsequent traffic
    over a network.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
    <xref linkend="jdk"/>,
    <xref linkend="net-tools"/>,
    <xref linkend="sysstat"/>,
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><command>sshd</command> uses privilege separation: each incoming
    connection is handled by two processes. A privileged monitor process,
    running as <systemitem class="username">root</systemitem>, performs only
    the operations that need privilege (verifying credentials, allocating the
    pseudo-terminal) and hands the results to the second process. That second
    process does all of the network-facing work (key exchange, parsing what
    the client sends, authentication requests) as the unprivileged
    <systemitem class="username">sshd</systemitem> user, chrooted into an
    empty directory, so that a bug in the network-facing code does not hand an
    attacker <systemitem class="username">root</systemitem> directly. The
    following commands, issued as the
    <systemitem class="username">root</systemitem> user, create that
    directory (which must stay empty, root-owned and mode 700) and that
    user:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

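    <para>The following shell script is an added example, not part of the
    BLFS book or of <application>OpenSSH</application> itself. It checks that
    the privilege-separation environment created above is in the state
    <command>sshd</command> relies on: the account has no usable shell and a
    locked password field, its home is the chroot directory, and that
    directory is mode 700, owned by <systemitem class="username">root</systemitem>
    and empty. The function names, the use of <command>stat -c</command>
    (GNU or busybox coreutils) and the passwd lines used for the
    demonstration are assumptions of the example; the owner uid is a
    parameter only so that the directory check can be exercised as an
    ordinary user.</para>

```sh
#!/bin/sh
# Added example; not part of the BLFS book or of OpenSSH.  Checks that the
# privilege-separation environment created above is what sshd expects.
# Assumes GNU/busybox `stat -c` and /etc/passwd-style account lines.

# Check the privsep account: named sshd, locked password field, the expected
# uid, home equal to the privsep directory, and no usable shell.
# Usage: check_privsep_user PASSWD_LINE PRIVSEP_DIR EXPECTED_UID
check_privsep_user() {
    _line=$1 _dir=$2 _uid=$3
    _name=$(printf '%s\n' "$_line" | cut -d: -f1)
    _pw=$(printf '%s\n' "$_line" | cut -d: -f2)
    _u=$(printf '%s\n' "$_line" | cut -d: -f3)
    _home=$(printf '%s\n' "$_line" | cut -d: -f6)
    _shell=$(printf '%s\n' "$_line" | cut -d: -f7)
    [ "$_name" = sshd ] || { echo "account is '$_name', expected sshd"; return 1; }
    case $_pw in
        x|'*'|'!'|'!!') ;;   # 'x' means the hash lives in /etc/shadow: check it there too
        *) echo "password field must be locked, not '$_pw'"; return 1 ;;
    esac
    [ "$_u" = "$_uid" ] || { echo "uid is $_u, expected $_uid"; return 1; }
    [ "$_home" = "$_dir" ] || { echo "home is $_home, expected $_dir"; return 1; }
    case $_shell in
        /bin/false|*/nologin) ;;
        *) echo "shell is '$_shell'; the privsep account must not have one"; return 1 ;;
    esac
    return 0
}

# Check the chroot directory: it must exist, be mode 700, be owned by
# OWNER_UID (default 0 = root) and be empty, so that a compromised
# unprivileged child finds nothing in there to work with.
# Usage: check_privsep_dir DIR [OWNER_UID]
check_privsep_dir() {
    _d=$1 _owner=${2:-0}
    [ -d "$_d" ] || { echo "$_d: not a directory"; return 1; }
    set -- $(stat -c '%a %u' "$_d")           # "700 0" for a correct setup
    [ "$1" = 700 ] || { echo "$_d: mode is $1, expected 700"; return 1; }
    [ "$2" = "$_owner" ] || { echo "$_d: owner uid is $2, expected $_owner"; return 1; }
    [ -z "$(ls -A "$_d")" ] || { echo "$_d: must be empty"; return 1; }
    return 0
}

# Audit the live system laid out as in the instructions above (uid 50,
# /var/lib/sshd); prints the first problem found and returns non-zero.
audit_privsep() {
    check_privsep_user "$(getent passwd sshd)" /var/lib/sshd 50 &&
    check_privsep_dir /var/lib/sshd 0
}
```

    <para>Run <command>audit_privsep</command> after the commands above; the
    group ownership (<systemitem class="groupname">sys</systemitem> in the
    instructions) is not checked, only that nothing but
    <systemitem class="username">root</systemitem> owns the directory.</para>
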
    <para><application>OpenSSH</application> checks at startup that the
    <application>OpenSSL</application> library it finds at run time is the
    one it was built against, and aborts with an
    <quote>OpenSSL version mismatch</quote> error if it is not. If you
    recompile or upgrade <application>OpenSSL</application> to a different
    version, <command>ssh</command> and <command>sshd</command> may therefore
    fail to start until <application>OpenSSH</application> is rebuilt. An
    alternative is to link against the static
    <application>OpenSSL</application> library. Be aware of the trade-off: a
    statically linked <command>sshd</command> carries its own copy of the
    <application>OpenSSL</application> code, so a security fix in
    <application>OpenSSL</application> does not reach it until you rebuild
    <application>OpenSSH</application>. To link against the static library,
    execute the following command:</para>

<screen><userinput>sed -i "s:-lcrypto:/usr/lib/libcrypto.a -ldl:g" configure</userinput></screen>

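    <para>The following shell functions are an added example (not from the
    BLFS book or the <application>OpenSSH</application> project) for the
    run-time check described above. They compare the
    <application>OpenSSL</application> version that <command>ssh -V</command>
    reports it was built against with the one <command>openssl
    version</command> says is installed, ignoring only the patch letter, and
    report whether a binary still loads <filename>libcrypto</filename>
    dynamically. Running them after an <application>OpenSSL</application>
    upgrade tells you whether <application>OpenSSH</application> must be
    rebuilt before the next restart of <command>sshd</command>. The function
    names and the version strings in the demonstration are constructed for
    the example; <filename>/usr/sbin/sshd</filename> is where the
    <option>--prefix=/usr</option> build above installs the daemon.</para>

```sh
#!/bin/sh
# Added example; not part of the BLFS book or of OpenSSH.
# `ssh -V` reports the OpenSSL version OpenSSH was BUILT against, e.g.
#   "OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007"      (printed on stderr)
# and `openssl version` reports what is INSTALLED, e.g.
#   "OpenSSL 0.9.8g 19 Oct 2007".
# OpenSSH of this era aborted at startup with "OpenSSL version mismatch"
# unless the two agreed in everything except the patch letter.

# Extract the OpenSSL version token ("0.9.8g") from such a string; prints
# nothing if there is none.
openssl_version_in() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# Strip the patch letter: "0.9.8g" -> "0.9.8".  This is the part that has
# to agree.  (Later OpenSSH releases also accept a newer fix number for
# OpenSSL 1.0.0 and up, so a mismatch reported here means "verify", not
# necessarily "broken".)
openssl_abi_key() {
    printf '%s\n' "$1" | sed 's/[a-z]*$//'
}

# Compare the built-against and installed versions.
# Returns 0 when compatible, 1 on a mismatch, 2 if a string cannot be parsed.
# Usage: check_openssl_match "$(ssh -V 2>&1)" "$(openssl version)"
check_openssl_match() {
    _built=$(openssl_version_in "$1")
    _have=$(openssl_version_in "$2")
    if [ -z "$_built" ] || [ -z "$_have" ]; then
        echo "cannot parse an OpenSSL version from: '$1' / '$2'"; return 2
    fi
    if [ "$(openssl_abi_key "$_built")" = "$(openssl_abi_key "$_have")" ]; then
        echo "ok: built against OpenSSL $_built, installed $_have"; return 0
    fi
    echo "MISMATCH: built against OpenSSL $_built, installed $_have; rebuild OpenSSH"
    return 1
}

# Which libcrypto BINARY loads at run time; prints "static" if none, which
# is what the sed on configure above produces.
libcrypto_linkage() {
    ldd "$1" 2>/dev/null | grep -o 'libcrypto[^ ]*' || echo static
}

# Check the installed binaries (the real `ssh -V` prints to stderr).
check_installed_openssh() {
    check_openssl_match "$(ssh -V 2>&1)" "$(openssl version 2>/dev/null)" &&
    echo "sshd libcrypto: $(libcrypto_linkage /usr/sbin/sshd)"
}
```

    <para>A statically linked <command>sshd</command> reports
    <literal>static</literal> and will keep starting after an
    <application>OpenSSL</application> upgrade, which is exactly why it also
    keeps running the old <application>OpenSSL</application> code.</para>
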
    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>sed -i "s/lkrb5 -ldes/lkrb5/" configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. To run the test suite, issue: <command>make -k
    tests</command>.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i "s/lkrb5 -ldes/lkrb5/" configure</command>:
    This command fixes a link failure that occurs if you used the
    <option>--with-kerberos5</option> parameter and built the
    <application>Heimdal</application> package in accordance with the BLFS
    instructions: <command>configure</command> adds <option>-ldes</option>
    to the Kerberos link line, but that build of
    <application>Heimdal</application> provides no separate libdes. The
    command is harmless in all other instances.</para>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--with-md5-passwords</parameter>: This is required
    on an SSH server whose account passwords are hashed with MD5-based
    <function>crypt</function>, for example if you made the changes
    recommended by the shadowpasswd_plus LFS hint when you installed the
    Shadow Password Suite. The option affects only the password checking
    done by <command>sshd</command>; it has no effect on the
    <command>ssh</command> client.</para>

    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/lib/openssh</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is to disable direct
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>, so that an attacker who guesses or steals the
      <systemitem class='username'>root</systemitem> password still needs an
      unprivileged account first. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>

      <para>This works on the freshly installed
      <filename>sshd_config</filename>, whose only
      <literal>PermitRootLogin</literal> line is commented out. Note that
      <command>sshd</command> uses the first value it finds for a keyword, so
      appending a line has no effect if an uncommented
      <literal>PermitRootLogin</literal> line already exists earlier in the
      file, and a line appended after a <literal>Match</literal> block
      becomes part of that block. Edit the existing line instead in those
      cases, and run <command>sshd -t</command> afterwards to check the file
      for errors before restarting the daemon.</para>

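      <para>The following shell functions are an added example, not part of
      the BLFS book or of <application>OpenSSH</application>. They emulate
      the first-match rule of <filename>sshd_config</filename> to show why
      appending a line can silently do nothing, and replace-or-insert a
      keyword in the global section (before any <literal>Match</literal>
      block) instead. This handles the general case of any keyword, not just
      <literal>PermitRootLogin</literal>. The function names are assumptions
      of the example, and the configuration used in the demonstration is
      constructed, not a real <filename>/etc/ssh/sshd_config</filename>.</para>

```sh
#!/bin/sh
# Added example; not part of the BLFS book or of OpenSSH.
# Rules from sshd_config(5) that this code relies on:
#   - for each keyword the FIRST value found is used, later ones are ignored;
#   - keywords are case-insensitive and "Keyword=value" is accepted too;
#   - a line whose first non-blank character is '#' is a comment;
#   - anything after a "Match" line belongs to that conditional block.
# Consequence: appending "PermitRootLogin no" to the end of the file does
# nothing if an uncommented PermitRootLogin line is already present, and
# if the file ends with a Match block the appended line joins that block.

# Print the effective global value of KEYWORD in FILE (first match wins).
# Prints nothing if the keyword is not set globally; sshd then uses its
# built-in default.   Usage: sshd_effective_value FILE KEYWORD
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        { sub(/=/, " ") }                   # normalise Keyword=value
        NF == 0 { next }                    # blank line
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Set KEYWORD to VALUE in the global section of FILE: replace the first
# uncommented occurrence, drop later global duplicates, and if the keyword
# is absent insert it before the first Match block (or append it).
# Usage: sshd_set_option FILE KEYWORD VALUE
sshd_set_option() {
    _tmp="$1.tmp.$$"
    cp -p "$1" "$_tmp" || return 1          # keep mode/owner of the original
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v new="$2 $3" '
        # keyword of a config line, lower-cased; "" for blank/comment lines
        function keyword(line,    f) {
            if (line ~ /^[ \t]*#/) return ""
            sub(/=/, " ", line)
            split(line, f, /[ \t]+/)
            return tolower(f[1] == "" ? f[2] : f[1])
        }
        !inmatch && keyword($0) == "match" {
            if (!done) print new            # global section ends: insert here
            done = 1; inmatch = 1
        }
        !inmatch && keyword($0) == key {
            if (done) next                  # later duplicate: drop it
            print new; done = 1; next       # first occurrence: replace it
        }
        { print }
        END { if (!done) print new }        # no Match block, no occurrence
    ' "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# Demonstration on a constructed config (NOT a real /etc/ssh/sshd_config):
# the "echo >>" recipe leaves root login enabled here, because the first
# PermitRootLogin line wins and the appended one lands inside the Match
# block; sshd_set_option fixes the global line.  Prints "echo: yes, set: no".
demo_permit_root_login() {
    _cfg=$(mktemp)
    printf '%s\n' '# constructed sshd_config' 'Port 22' 'PermitRootLogin yes' \
        'Match User backup' '    PermitRootLogin no' > "$_cfg"
    echo "PermitRootLogin no" >> "$_cfg"
    _echo=$(sshd_effective_value "$_cfg" PermitRootLogin)
    sshd_set_option "$_cfg" PermitRootLogin no
    _set=$(sshd_effective_value "$_cfg" PermitRootLogin)
    rm -f "$_cfg"
    echo "echo: $_echo, set: $_set"
}

if [ "${1:-}" = demo ]; then demo_permit_root_login; fi
```

      <para>After changing the real file, <command>sshd -t</command> reports
      syntax errors, and the running daemon only picks up the change after a
      restart or a <literal>SIGHUP</literal>.</para>
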
      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3 id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
        <seg>None</seg>
        <seg>/etc/ssh, /var/lib/sshd and
        /usr/share/doc/openssh-&openssh-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>is a file copy program that acts like <command>rcp</command>
          except it uses an encrypted protocol.</para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>is a key generation tool.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>