source: server/major/openssh.xml@ ba7a0ce

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY openssh-download-http "http://sunsite.ualberta.ca/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-download-ftp  "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
  <!ENTITY openssh-md5sum        "50a800fd2c6def9e9a53068837e87b91">
  <!ENTITY openssh-size          "968 KB">
  <!ENTITY openssh-buildsize     "16.2 MB">
  <!ENTITY openssh-time          "0.5 SBU (additional 1.2 SBU to run the test suite)">
]>

<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
  <?dbhtml filename="openssh.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>OpenSSH-&openssh-version;</title>

  <indexterm zone="openssh">
    <primary sortas="a-OpenSSH">OpenSSH</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to OpenSSH</title>

    <para>The <application>OpenSSH</application> package contains
    <command>ssh</command> clients and the <command>sshd</command> daemon.
    This is useful for encrypting authentication and subsequent traffic
    over a network.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &openssh-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &openssh-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &openssh-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &openssh-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="linux-pam"/>,
    <xref linkend="tcpwrappers"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
    <xref linkend="net-tools"/>,
    <xref linkend="sysstat"/>,
    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
    <ulink
    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url='&blfs-wiki;/OpenSSH'/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSH</title>

    <para><application>OpenSSH</application> runs as two processes when
    connecting to other computers. The first process is a privileged process
    and controls the issuance of privileges as necessary. The second process
    communicates with the network. Additional installation steps are necessary
    to set up the proper environment, which are performed by issuing the
    following commands as the <systemitem class="username">root</systemitem>
    user:</para>

<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &amp;&amp;
chown -v root:sys /var/lib/sshd &amp;&amp;
groupadd -g 50 sshd &amp;&amp;
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd</userinput></screen>

    <para><application>OpenSSH</application> is very sensitive to changes in
    the linked <application>OpenSSL</application> libraries. If you recompile
    <application>OpenSSL</application>, <application>OpenSSH</application> may
    fail to startup. An alternative is to link against the static
    <application>OpenSSL</application> library. To link against the static
    library, execute the following command:</para>

<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>

    <para>Install <application>OpenSSH</application> by running
    the following commands:</para>

<screen><userinput>sed -i 's@ -ldes@@' configure &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/ssh --datadir=/usr/share/sshd \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &amp;&amp;
make</userinput></screen>

    <para>If you linked <application>tcp_wrappers</application> into the
    build using the <option>--with-tcp-wrappers</option> parameter, ensure
    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
    test suite will fail. To run the test suite, as the
    <systemitem class="username">root</systemitem> user, issue: 
    <command>make -k tests 2&gt;&amp;1 | tee check.log</command>.  Review the
    <filename>check.log</filename> file for 'FATAL' tests.</para>

    <note><para>The test suite is currently broken, in that it will try to
    test against the installed <filename>sshd</filename>, which is why we
    pass <parameter>-k</parameter> to the <command>make</command> command
    above.  You should run the test suite again after completing the 
    installation and configuration, without the <parameter>-k</parameter>
    flag.</para></note>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &amp;&amp;
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-&openssh-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i 's@ -ldes@@' configure</command>:
    This command fixes a build crash if you used the
    <option>--with-kerberos5</option> parameter and you built the
    <application>Heimdal</application> package in accordance with the BLFS
    instructions. The command is harmless in all other instances.</para>

    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
    the configuration files from being installed in
    <filename class="directory">/usr/etc</filename>.</para>

    <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
    puts the Ssh.bin file (used for SmartCard authentication) in 
    <filename class="directory">/usr/share/sshd</filename>.</para>

<!-- WOW, this description is really old, IIRC it was obsolete shortly
     before I was an editor, as the hint became a part of both books.
     I'll leave it in for now JIC - Delete Later
    <para><parameter>- -with-md5-passwords</parameter>: This is required
    if you made the changes recommended by the shadowpasswd_plus
    LFS hint on your SSH server when you installed the Shadow Password
    Suite or if you access a SSH server that authenticates by
    user passwords encrypted with md5.</para>
-->

    <para><parameter>--with-md5-passwords</parameter>: This is required
    with the default configuration of Shadow password suite in LFS.</para>

    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
    changes the installation path of some programs to
    <filename class="directory">/usr/lib/openssh</filename> instead of
    <filename class="directory">/usr/libexec</filename>.</para>

    <para><parameter>--with-pam</parameter>: This parameter enables
    <application>Linux-PAM</application> support in the build.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring OpenSSH</title>

    <sect3 id="openssh-config">
      <title>Config Files</title>

      <para><filename>~/.ssh/*</filename>,
      <filename>/etc/ssh/ssh_config</filename>, and
      <filename>/etc/ssh/sshd_config</filename></para>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
      </indexterm>

      <indexterm zone="openssh openssh-config">
        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
      </indexterm>

      <para>There are no required changes to any of these files. However,
      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
      files and make any changes appropriate for the security of your system.
      One recommended change is that you disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>. Execute the following command as the
      <systemitem class='username'>root</systemitem> user to disable
      <systemitem class='username'>root</systemitem> login via
      <command>ssh</command>:</para>

<screen role="root"><userinput>echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</userinput></screen>

      <para>If you added <application>LinuxPAM</application> support, then you
      will need to add a configuration file for 
      <application>sshd</application>.  Issue the following commands as the
      <systemitem class='username'>root</systemitem> user:</para>

<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd</userinput></screen>

      <para>Additional configuration information can be found in the man
      pages for <command>sshd</command>, <command>ssh</command> and
      <command>ssh-agent</command>.</para>

    </sect3>

    <sect3  id="openssh-init">
      <title>Boot Script</title>

      <para>To start the SSH server at system boot, install the
      <filename>/etc/rc.d/init.d/sshd</filename> init script included
      in the <xref linkend="bootscripts"/> package.</para>

      <indexterm zone="openssh openssh-init">
        <primary sortas="f-sshd">sshd</primary>
      </indexterm>

<screen role="root"><userinput>make install-sshd</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
        <seg>None</seg>
        <seg>/etc/ssh, /var/lib/sshd and
        /usr/share/doc/openssh-&openssh-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="scp">
        <term><command>scp</command></term>
        <listitem>
          <para>is a file copy program that acts like <command>rcp</command>
          except it uses an encrypted protocol.</para>
          <indexterm zone="openssh scp">
            <primary sortas="b-scp">scp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp">
        <term><command>sftp</command></term>
        <listitem>
          <para>is an FTP-like program that works over
          SSH1 and SSH2 protocols.</para>
          <indexterm zone="openssh sftp">
            <primary sortas="b-sftp">sftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sftp-server">
        <term><command>sftp-server</command></term>
        <listitem>
          <para>is an SFTP server subsystem. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh sftp-server">
            <primary sortas="b-sftp-server">sftp-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="slogin">
        <term><command>slogin</command></term>
        <listitem>
          <para>is a symlink to <command>ssh</command>.</para>
          <indexterm zone="openssh slogin">
            <primary sortas="g-slogin">slogin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh">
        <term><command>ssh</command></term>
        <listitem>
          <para>is an <command>rlogin</command>/<command>rsh</command>-like
          client program except it uses an encrypted protocol.</para>
          <indexterm zone="openssh ssh">
            <primary sortas="b-ssh">ssh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sshd">
        <term><command>sshd</command></term>
        <listitem>
          <para>is a daemon that listens for <command>ssh</command> login
          requests.</para>
          <indexterm zone="openssh sshd">
            <primary sortas="b-sshd">sshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-add">
        <term><command>ssh-add</command></term>
        <listitem>
          <para>is a tool which adds keys to the
          <command>ssh-agent</command>.</para>
          <indexterm zone="openssh ssh-add">
            <primary sortas="b-ssh-add">ssh-add</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-agent">
        <term><command>ssh-agent</command></term>
        <listitem>
          <para>is an authentication agent that can store private keys.</para>
          <indexterm zone="openssh ssh-agent">
            <primary sortas="b-ssh-agent">ssh-agent</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keygen">
        <term><command>ssh-keygen</command></term>
        <listitem>
          <para>is a key generation tool.</para>
          <indexterm zone="openssh ssh-keygen">
            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keyscan">
        <term><command>ssh-keyscan</command></term>
        <listitem>
          <para>is a utility for gathering public host keys from a
          number of hosts.</para>
          <indexterm zone="openssh ssh-keyscan">
            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ssh-keysign">
        <term><command>ssh-keysign</command></term>
        <listitem>
          <para>is used by <command>ssh</command> to access the local host
          keys and generate the digital signature required during hostbased
          authentication with SSH protocol version 2. This program is not normally
          called directly by the user.</para>
          <indexterm zone="openssh ssh-keysign">
            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>