1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

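As an added example (not part of the OpenSSH INSTALL file), a small POSIX sh check that compares zlib and OpenSSL version strings against the minimums stated above: zlib 1.1.4 or 1.2.1.2 and later, with the earlier 1.2.x releases rejected, and OpenSSL 0.9.6 or later. The versions are passed in as arguments so the check itself runs without either library installed.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH INSTALL file: check zlib and
# OpenSSL version strings against the minimums stated in Prerequisites.
# Versions are passed in as arguments so the checks run without either
# library present; see the note below for reading them off a real host.

# verge A B: succeed when dotted version A is greater than or equal to B.
# Components are compared numerically; a trailing letter such as the "a"
# in OpenSSL 0.9.5a is ignored, and missing components count as 0.
verge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); ac=${ac:-0}
        bc=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# zlib_ok VERSION: the text accepts 1.1.4, or 1.2.1.2 and later; the
# earlier 1.2.x releases are the ones it warns about, so reject those.
zlib_ok() {
    verge "$1" 1.2.1.2 && return 0
    verge "$1" 1.1.4 && ! verge "$1" 1.2 && return 0
    return 1
}

# openssl_ok VERSION: 0.9.6 or greater (0.9.5a is only partially supported).
openssl_ok() {
    verge "$1" 0.9.6
}

# check_prereqs ZLIB_VERSION OPENSSL_VERSION: report each and fail if
# either is below the minimum.
check_prereqs() {
    rc=0
    if zlib_ok "$1"; then echo "zlib $1: ok"; else echo "zlib $1: too old"; rc=1; fi
    if openssl_ok "$2"; then echo "OpenSSL $2: ok"; else echo "OpenSSL $2: too old"; rc=1; fi
    return $rc
}

# Constructed sample values; pass your own as arguments.
check_prereqs "${1:-1.2.3}" "${2:-0.9.8e}"
```

On a real build host the strings come from `openssl version | awk '{print $2}'` and from the ZLIB_VERSION define in zlib.h, e.g. `sed -n 's/^#define ZLIB_VERSION "\(.*\)"/\1/p' /usr/include/zlib.h`.
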
The remaining items are optional.

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Redhat and Debian Linux, Solaris and
HP-UX 11.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't, you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.

PAM:
http://www.kernel.org/pub/linux/libs/pam/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

Autoconf:

If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
the automatically generated files by running "autoreconf".

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the "other" service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-ssl-engine enables OpenSSL's (hardware) ENGINE support.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
be used with OpenSSH. See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

replacing /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

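As an added example (not from the OpenSSH distribution), a shell helper that provisions the three host keys listed above: it runs the same ssh-keygen commands only for keys that are missing, then sets and verifies owner-only (0600) permissions on each private key. The configuration directory is passed in, and the key file names and types are the ones given above.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH INSTALL file: provision the three
# host keys listed above, generating only those that are missing with the
# same ssh-keygen invocations, and enforce owner-only permissions on the
# private halves. DIR is the configuration directory (${prefix}/etc or
# whatever was given to --sysconfdir).

# perm_string FILE: print the ls(1) mode string, e.g. "-rw-------".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# ensure_host_key TYPE FILE: generate FILE if absent (empty passphrase, as
# in the commands above), then set and verify mode 0600 on the private key.
ensure_host_key() {
    ktype=$1; file=$2
    if [ ! -f "$file" ]; then
        echo "generating $ktype host key: $file"
        ssh-keygen -t "$ktype" -f "$file" -N "" >/dev/null || return 1
    fi
    chmod 600 "$file" || return 1
    if [ "$(perm_string "$file")" != "-rw-------" ]; then
        echo "error: $file is not mode 0600" >&2
        return 1
    fi
    [ -f "$file.pub" ] || echo "warning: $file.pub is missing" >&2
    return 0
}

# ensure_host_keys DIR: the three key types from the INSTALL text; fails
# if any key could not be generated or secured.
ensure_host_keys() {
    dir=$1; rc=0
    ensure_host_key rsa1 "$dir/ssh_host_key"     || rc=1
    ensure_host_key rsa  "$dir/ssh_host_rsa_key" || rc=1
    ensure_host_key dsa  "$dir/ssh_host_dsa_key" || rc=1
    return $rc
}

# Only act when a configuration directory is given on the command line.
if [ $# -ge 1 ]; then
    ensure_host_keys "$1"
fi
```

Run it as root against the real configuration directory (e.g. `sh provision-keys.sh /etc/ssh`); re-running it is safe because existing keys are never regenerated.
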
225 |
If you have configured OpenSSH with EGD support, ensure that EGD is |
226 |
running and has collected some Entropy. |
227 |
|
228 |
For more information on configuration, please refer to the manual pages |
229 |
for sshd, ssh and ssh-agent. |
230 |
|
231 |
4. (Optional) Send survey |
232 |
------------------------- |
233 |
|
234 |
$ make survey |
235 |
[check the contents of the file "survey" to ensure there's no information |
236 |
that you consider sensitive] |
237 |
$ make send-survey |
238 |
|
239 |
This will send configuration information for the currently configured |
240 |
host to a survey address. This will help determine which configurations |
241 |
are actually in use, and what valid combinations of configure options |
242 |
exist. The raw data is available only to the OpenSSH developers, however |
243 |
summary data may be published. |
244 |
|
245 |
5. Problems? |
246 |
------------ |
247 |
|
248 |
If you experience problems compiling, installing or running OpenSSH. |
249 |
Please refer to the "reporting bugs" section of the webpage at |
250 |
http://www.openssh.com/ |
251 |
|
252 |
|
253 |
$Id: INSTALL,v 1.1.1.3 2006-10-03 02:03:03 raven Exp $ |