1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Red Hat and Debian Linux, Solaris and
HP-UX 11.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't, you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.

PAM:
http://www.kernel.org/pub/linux/libs/pam/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and you don't want to use OpenSSH's internal entropy
collection.

http://www.lothar.com/tech/crypto/

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp now supports command-line editing via NetBSD's libedit. If your
platform has it available natively you can use that; alternatively
you might try these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the "other" service
name).

There are a few other options to the configure script:

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one-time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-4in6 checks for IPv4-in-IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows the OpenSC or sectok smartcard libraries to
be used with OpenSSH. See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

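The following post-install sanity check ties together the PAM service-name rule and privilege-separation user from section 2 with the host keys generated above; it is an added example, not part of the OpenSSH INSTALL file. The default directories and the /etc/passwd-based privsep lookup are assumptions, and every function takes explicit paths so it can be pointed at any sysconfdir.

```shell
#!/bin/sh
# Post-install sanity checks for an OpenSSH build (added example; not part of
# the OpenSSH INSTALL file). Default directories and the /etc/passwd-based
# privsep check are assumptions; all functions accept explicit paths.

# The PAM service name is __progname, i.e. the basename of the sshd binary.
pam_service_name() {
    basename "$1"
}

# Succeed if a PAM control file for the sshd at $1 exists under the PAM
# directory $2 (default /etc/pam.d); a renamed sshd needs a matching file.
check_pam_file() {
    svc=$(pam_service_name "$1")
    dir=${2:-/etc/pam.d}
    [ -f "$dir/$svc" ] && return 0
    echo "missing $dir/$svc: password authentication may fail" >&2
    return 1
}

# Succeed if the host private key $1 exists and is readable only by its owner
# (mode 0600). ssh-keygen creates it that way; copying keys between hosts or
# restoring from a backup can loosen it.
check_host_key_perms() {
    [ -f "$1" ] || { echo "missing host key $1" >&2; return 1; }
    # Portable mode check: match the permission field of ls -ld.
    case "$(ls -ld "$1")" in
        -rw-------*) return 0 ;;
        *) echo "host key $1 is not mode 0600" >&2; return 1 ;;
    esac
}

# Check all three keys the "make host-key" step creates in sysconfdir $1.
check_host_keys() {
    rc=0
    for k in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        check_host_key_perms "$1/$k" || rc=1
    done
    return $rc
}

# Privilege separation needs the unprivileged user (default "sshd") to exist;
# $2 lets a test point at a constructed passwd file instead of /etc/passwd.
check_privsep_user() {
    grep -q "^${1:-sshd}:" "${2:-/etc/passwd}"
}
```

Run the functions against the sysconfdir and PAM directory you chose at configure time; each prints the failing item on stderr and returns non-zero.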
4. (Optional) Send survey
-------------------------

$ make survey
[check the contents and make sure there's no sensitive information]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers; however,
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $