source: server/major/openssh.xml@ 56586e76

Last change on this file since 56586e76 was 56586e76, checked in by Ag Hatzimanikas <ag@…>, 14 years ago

Updated to openssh-5.3p1

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8181 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum "13563dbf61f36ca9a1e4254260131041">
  <!ENTITY openssh-size "1.0 MB">
  <!ENTITY openssh-buildsize "29 MB">
  <!ENTITY openssh-time "0.5 SBU (additional 1.3 SBU to run the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>The <application>OpenSSH</application> package contains the
    <command>ssh</command> client programs and the <command>sshd</command>
    daemon. It provides encrypted, authenticated remote logins and file
    transfers over an untrusted network, replacing the plaintext
    <command>rsh</command>, <command>rlogin</command> and
    <command>rcp</command> tools.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
    <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
    (provides a command-line history feature to <command>sftp</command>),
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
    <para role="optional"><xref linkend="jdk"/>,
    <xref linkend="net-tools"/>, and
    <xref linkend="sysstat"/>.</para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><application>sshd</application> uses privilege separation: each
    incoming connection is handled by two processes. A privileged monitor
    process keeps <systemitem class="username">root</systemitem> and performs
    only the operations that need it (reading the host keys, checking
    credentials, creating the user's session). An unprivileged child does all
    of the network protocol handling before authentication; it runs as the
    dedicated <systemitem class="username">sshd</systemitem> user, chrooted
    into an empty directory that must be owned by
    <systemitem class="username">root</systemitem> and not writable by anyone
    else, so that a flaw in the network-facing code yields as little as
    possible to an attacker. Create that user and directory by issuing the
    following commands as the <systemitem class="username">root</systemitem>
    user:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>
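
    <para>The following shell script is an added example; it is not part of
    the BLFS book or of OpenSSH. It reproduces the two start-up checks that
    <command>sshd</command> applies to this layout before it will accept
    connections: the privilege-separation directory must exist, be owned by
    <systemitem class="username">root</systemitem> and be neither group- nor
    world-writable, and the <systemitem class="username">sshd</systemitem>
    account must exist (the script additionally insists on the non-login
    shell that the <command>useradd</command> command above sets). The
    optional second arguments (expected owner uid, passwd file) are
    additions so the functions can be exercised on scratch data without
    <systemitem class="username">root</systemitem>; GNU
    <command>stat</command> is assumed.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book or OpenSSH: reproduce sshd's
# start-up checks on the privilege separation layout set up above.
# Assumes GNU stat(1) for the -c format option.

# check_privsep_dir DIR [OWNER_UID]
# sshd requires the chroot directory for the unprivileged pre-auth
# child to be owned by root and to be neither group- nor world-writable.
# OWNER_UID (default 0) is an addition so the check can be run against a
# scratch directory by an ordinary user.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory"
        return 1
    fi
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    # stat prints the mode in octal; 022 is the group- and other-write bits
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        rc=1
    fi
    return $rc
}

# check_privsep_user NAME [PASSWD_FILE]
# The unprivileged child runs as this account, so it must exist; the
# non-login shell is what the useradd command above sets, and a real
# shell would only widen the damage if that account were ever reached.
# PASSWD_FILE (default /etc/passwd) is an addition for testing.
check_privsep_user() {
    name=$1
    pw=${2:-/etc/passwd}
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$pw")
    if [ -z "$entry" ]; then
        echo "$name: no such account in $pw"
        return 1
    fi
    shell=${entry##*:}
    case $shell in
        /bin/false|*/nologin) return 0 ;;
    esac
    echo "$name: login shell is '$shell', expected /bin/false or nologin"
    return 1
}

# Stand-alone run: check the real layout when it exists, otherwise show
# the functions on a scratch directory (constructed, then removed).
if [ -d /var/lib/sshd ]; then
    check_privsep_dir /var/lib/sshd && echo "/var/lib/sshd: ok"
    check_privsep_user sshd && echo "sshd account: ok"
else
    scratch=$(mktemp -d) || exit 1
    chmod 700 "$scratch"
    check_privsep_dir "$scratch" "$(id -u)" && echo "$scratch (mode 700): ok"
    chmod 775 "$scratch"
    check_privsep_dir "$scratch" "$(id -u)" || echo "$scratch (mode 775): rejected, as sshd would"
    rmdir "$scratch"
fi
```

    <para>Run it after the commands above to confirm the layout, or source it
    and call the two functions from other scripts. A directory that fails the
    first check makes <command>sshd</command> exit with a fatal error naming
    the directory instead of serving connections.</para>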

    <para><application>OpenSSH</application> is very sensitive to changes in
    the linked <application>OpenSSL</application> libraries. If you recompile
    <application>OpenSSL</application>, <application>OpenSSH</application> may
    fail to start up. An alternative is to link against the static
    <application>OpenSSL</application> library. Note that a statically
    linked <command>sshd</command> carries its own copy of
    <filename class="libraryfile">libcrypto</filename>, so a security fix
    in <application>OpenSSL</application> only reaches it when
    <application>OpenSSH</application> is rebuilt. To link against the static
    library, execute the following command:</para>

<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>

    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>./configure --prefix=/usr --sysconfdir=/etc/ssh --datadir=/usr/share/sshd \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. Additionally, the test suite requires an installed
    copy of <command>scp</command> to complete the multiplexing tests. To
    run the test suite, first copy the <command>scp</command> program from the
    build directory to <filename class="directory">/usr/bin</filename>,
    making sure that you back up any existing copy first.</para>

    <para>To run the test suite, issue the following commands:</para>

<screen role="root"><userinput>make tests 2&gt;&amp;1 | tee check.log
grep FATAL check.log</userinput></screen>

    <para>If the above command produces no 'FATAL' errors, then proceed
    with the installation, as the
    <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
    puts the Ssh.bin file (used for SmartCard authentication) in
    <filename class="directory">/usr/share/sshd</filename>.</para>

    <para><parameter>--with-md5-passwords</parameter>: This is required
    with the default configuration of the Shadow password suite in LFS,
    which stores MD5 password hashes.</para>

    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/lib/openssh</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

    <para><parameter>--with-pam</parameter>: This parameter enables
    <application>Linux-PAM</application> support in the build. PAM is only
    consulted at run time if <option>UsePAM yes</option> is set in
    <filename>sshd_config</filename>; the default is
    <option>UsePAM no</option>.</para>

    <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
    default location for the <command>xauth</command> binary for X
    authentication. Change the location if <command>xauth</command> will
    be installed to a different path. This can also be controlled from
    <filename>sshd_config</filename> with the XAuthLocation keyword.
    You can omit this switch if <application>Xorg</application> is already
    installed.</para>

    <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
    include Kerberos 5 support (<application>MIT Kerberos</application> or
    <application>Heimdal</application>) in the build.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is that you disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Note that <command>sshd</command> uses the
      first uncommented occurrence of a keyword, so appending a line only
      takes effect while the installed <filename>sshd_config</filename> still
      has its <option>PermitRootLogin</option> line commented out; confirm
      the value actually in force by running <command>sshd</command> with its
      <option>-T</option> option, which prints the configuration as
      parsed:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>If you added <application>Linux-PAM</application> support, then you
      will need to add a configuration file for
      <application>sshd</application>. You must also set
      <option>UsePAM yes</option> in <filename>/etc/ssh/sshd_config</filename>
      (the default is <option>no</option>), otherwise the PAM stack is never
      consulted. Issue the following commands as the
      <systemitem class='username'>root</systemitem> user:</para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd</userinput></screen>
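
      <para>The following shell script is an added example; it is not from
      the BLFS book or from OpenSSH. It shows why appending to
      <filename>sshd_config</filename> can be a silent no-op and applies the
      two settings from this section (<option>PermitRootLogin no</option> and
      <option>UsePAM yes</option>) properly: for every keyword
      <command>sshd</command> uses the first uncommented occurrence, and
      directives after a <option>Match</option> line apply only to the
      matched connections, so the setter replaces the first global occurrence
      in place, or inserts the directive before the first
      <option>Match</option> block (at the end of the file when there is
      none). The sample configuration it edits is constructed for the
      example, and the function names are the example's own.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book or OpenSSH: edit sshd_config
# settings in place instead of appending, because sshd takes the first
# uncommented occurrence of a keyword and treats everything after a
# "Match" line as conditional. Uses only POSIX sh and awk.

# make_sample_config FILE: write a constructed sshd_config fragment that
# has the traps the setter must cope with (commented default, an active
# earlier value, and a Match block at the end of the file).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the example, not a real sshd_config
#PermitRootLogin yes
PermitRootLogin yes
Port 22
UsePAM no

Match User backup
    PermitRootLogin forced-commands-only
EOF
}

# set_sshd_option KEYWORD VALUE FILE
# Replaces the first active global KEYWORD line, drops later global
# duplicates (sshd would ignore them anyway), leaves Match blocks alone,
# and otherwise inserts "KEYWORD VALUE" before the first Match line or
# at the end. Keyword comparison is case-insensitive, as in sshd(8).
set_sshd_option() {
    key=$1
    val=$2
    file=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            active = (line !~ /^#/ && k != "")
            if (active && k == "match") {
                if (!done) { print key " " val; done = 1 }
                inmatch = 1
            }
            if (active && !inmatch && k == lk) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# get_sshd_option KEYWORD FILE: print the global value sshd would use
# (first active occurrence before any Match line), or nothing if unset.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (line ~ /^#/ || k == "") next
            if (k == "match") exit
            if (k == lk) { print f[2]; exit }
        }
    ' "$2"
}

# Stand-alone run on a scratch copy of the constructed sample.
cfg=$(mktemp) || exit 1
make_sample_config "$cfg"
echo "before: PermitRootLogin=$(get_sshd_option PermitRootLogin "$cfg")"
set_sshd_option PermitRootLogin no "$cfg"        # replaces the active line
set_sshd_option UsePAM yes "$cfg"                # replaces "UsePAM no"
set_sshd_option PasswordAuthentication no "$cfg" # inserted before Match
echo "after:  PermitRootLogin=$(get_sshd_option PermitRootLogin "$cfg")"
echo "--- edited file ---"
cat "$cfg"
rm -f "$cfg"
```

      <para>To use it on the real file, call
      <function>set_sshd_option</function> with
      <filename>/etc/ssh/sshd_config</filename> as the third argument, then
      run <command>sshd -t</command> to check the syntax and
      <command>sshd -T</command> to print the configuration as
      <command>sshd</command> parsed it; both need to run as
      <systemitem class='username'>root</systemitem> because they read the
      host keys.</para>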

      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3 id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

245
246 <sect2 role="content">
247 <title>Contents</title>
248
249 <segmentedlist>
250 <segtitle>Installed Programs</segtitle>
251 <segtitle>Installed Libraries</segtitle>
252 <segtitle>Installed Directories</segtitle>
253
254 <seglistitem>
255 <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
256 ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
257 <seg>None</seg>
258 <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
259 /usr/share/doc/openssh-&openssh-version;</seg>
260 </seglistitem>
261 </segmentedlist>
262
263 <variablelist>
264 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
265 <?dbfo list-presentation="list"?>
266 <?dbhtml list-presentation="table"?>
267
268 <varlistentry id="scp">
269 <term><command>scp</command></term>
270 <listitem>
271 <para>is a file copy program that acts like <command>rcp</command>
272 except it uses an encrypted protocol.</para>
273 <indexterm zone="openssh scp">
274 <primary sortas="b-scp">scp</primary>
275 </indexterm>
276 </listitem>
277 </varlistentry>
278
      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>generates, manages and converts the authentication keys
          (user and host key pairs) used by <command>ssh</command> and
          <command>sshd</command>.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>