source: server/major/openssh.xml@ 6732c094

Last change on this file since 6732c094 was 6732c094, checked in by Randy McMurchy <randy@…>, 17 years ago

Updated all the XML files (and the one stylesheet) to use the 4.5 version of DocBook XML DTD

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@6716 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http "http://sunsite.ualberta.ca/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum "6a7fa99f44d9e1b5b04d15256e1405bb">
  <!ENTITY openssh-size "967 KB">
  <!ENTITY openssh-buildsize "18 MB">
  <!ENTITY openssh-time "0.5 SBU (additional 0.3 SBU to run the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>The <application>OpenSSH</application> package contains
    <command>ssh</command> clients and the <command>sshd</command> daemon.
    This is useful for encrypting authentication and subsequent traffic
    over a network.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
    <xref linkend="jdk"/>,
    <xref linkend="net-tools"/>,
    <xref linkend="sysstat"/>,
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><application>OpenSSH</application> runs as two processes when
    connecting to other computers. The first process is a privileged process
    and controls the issuance of privileges as necessary. The second process
    communicates with the network. Additional installation steps are necessary
    to set up the proper environment; they are performed by the following
    commands:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

    <para><application>OpenSSH</application> is very sensitive to changes in
    the linked <application>OpenSSL</application> libraries. If you recompile
    <application>OpenSSL</application>, <application>OpenSSH</application> may
    fail to start up. An alternative is to link against the static
    <application>OpenSSL</application> library. To link against the static
    library, execute the following command:</para>

<screen><userinput>sed -i "s:-lcrypto:/usr/lib/libcrypto.a -ldl:g" configure</userinput></screen>

    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>sed -i "s/lkrb5 -ldes/lkrb5/" configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. To run the test suite, issue: <command>make -k
    tests</command>.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i "s/lkrb5 -ldes/lkrb5/" configure</command>:
    This command fixes a build crash if you used the
    <option>--with-kerberos5</option> parameter and you built the
    <application>Heimdal</application> package in accordance with the BLFS
    instructions. The command is harmless in all other instances.</para>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--with-md5-passwords</parameter>: This is required
    if you made the changes recommended by the shadowpasswd_plus
    LFS hint on your SSH server when you installed the Shadow Password
    Suite or if you access an SSH server that authenticates by
    user passwords encrypted with MD5.</para>

    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/lib/openssh</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is that you disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>

      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3 id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
        <seg>None</seg>
        <seg>/etc/ssh, /var/lib/sshd and
        /usr/share/doc/openssh-&openssh-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>is a file copy program that acts like <command>rcp</command>
          except it uses an encrypted protocol.</para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>is a key generation tool.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
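
An added example, not part of the BLFS book: sshd applies the first value it reads for a keyword, so the `PermitRootLogin no` line appended in the Config Files section only takes effect when no earlier uncommented `PermitRootLogin` line exists and the file does not end in a `Match` block. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the BLFS book. sshd uses the FIRST value it
# reads for a keyword, so an appended line can be shadowed by an earlier one.

# Print the global PermitRootLogin value of config file $1 in lower case,
# or "unset" when only the compiled-in default applies.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # "Key=value" form
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }        # conditional blocks start here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Make "PermitRootLogin no" effective in $1. The directive goes on the first
# line, where neither an earlier setting nor a trailing Match block affects it.
ensure_root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ] && return 0
    tmp=$(mktemp) || return 1
    { echo "PermitRootLogin no"; cat "$1"; } > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a config that already enables root login near the top.
demo_shadowed_append() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' > "$cfg"
    echo "PermitRootLogin no" >> "$cfg"            # the append from the page
    before=$(effective_permit_root_login "$cfg")   # earlier line still wins
    ensure_root_login_disabled "$cfg"
    after=$(effective_permit_root_login "$cfg")
    rm -f "$cfg"
    echo "$before $after"
}

demo_shadowed_append
```

Restart `sshd` after changing the file; the check covers only the global section, so `PermitRootLogin` lines inside `Match` blocks still need a manual review.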