| 1 |
1. Prerequisites |
| 2 |
---------------- |
| 3 |
|
| 4 |
You will need working installations of Zlib and OpenSSL. |
| 5 |
|
| 6 |
Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): |
| 7 |
http://www.gzip.org/zlib/ |
| 8 |
|
| 9 |
OpenSSL 0.9.6 or greater: |
| 10 |
http://www.openssl.org/ |
| 11 |
|
| 12 |
(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 |
| 13 |
Blowfish) do not work correctly.) |
| 14 |
|
| 15 |
The remaining items are optional. |
| 16 |
|
| 17 |
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system |
| 18 |
supports it. PAM is standard on Redhat and Debian Linux, Solaris and |
| 19 |
HP-UX 11. |
| 20 |
|
| 21 |
NB. If you operating system supports /dev/random, you should configure |
| 22 |
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of |
| 23 |
/dev/random. If you don't you will have to rely on ssh-rand-helper, which |
| 24 |
is inferior to a good kernel-based solution. |
| 25 |
|
| 26 |
PAM: |
| 27 |
http://www.kernel.org/pub/linux/libs/pam/ |
| 28 |
|
| 29 |
If you wish to build the GNOME passphrase requester, you will need the GNOME |
| 30 |
libraries and headers. |
| 31 |
|
| 32 |
GNOME: |
| 33 |
http://www.gnome.org/ |
| 34 |
|
| 35 |
Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 |
| 36 |
passphrase requester. This is maintained separately at: |
| 37 |
|
| 38 |
http://www.jmknoble.net/software/x11-ssh-askpass/ |
| 39 |
|
| 40 |
PRNGD: |
| 41 |
|
| 42 |
If your system lacks Kernel based random collection, the use of Lutz |
| 43 |
Jaenicke's PRNGd is recommended. |
| 44 |
|
| 45 |
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html |
| 46 |
|
| 47 |
EGD: |
| 48 |
|
| 49 |
The Entropy Gathering Daemon (EGD) is supported if you have a system which |
| 50 |
lacks /dev/random and don't want to use OpenSSH's internal entropy collection. |
| 51 |
|
| 52 |
http://www.lothar.com/tech/crypto/ |
| 53 |
|
| 54 |
S/Key Libraries: |
| 55 |
|
| 56 |
If you wish to use --with-skey then you will need the library below |
| 57 |
installed. No other S/Key library is currently known to be supported. |
| 58 |
|
| 59 |
http://www.sparc.spb.su/solaris/skey/ |
| 60 |
|
| 61 |
LibEdit: |
| 62 |
|
| 63 |
sftp supports command-line editing via NetBSD's libedit. If your platform |
| 64 |
has it available natively you can use that, alternatively you might try |
| 65 |
these multi-platform ports: |
| 66 |
|
| 67 |
http://www.thrysoee.dk/editline/ |
| 68 |
http://sourceforge.net/projects/libedit/ |
| 69 |
|
| 70 |
Autoconf: |
| 71 |
|
| 72 |
If you modify configure.ac or configure doesn't exist (eg if you checked |
| 73 |
the code out of CVS yourself) then you will need autoconf-2.60 to rebuild |
| 74 |
the automatically generated files by running "autoreconf". |
| 75 |
|
| 76 |
http://www.gnu.org/software/autoconf/ |
| 77 |
|
| 78 |
Basic Security Module (BSM): |
| 79 |
|
| 80 |
Native BSM support is know to exist in Solaris from at least 2.5.1, |
| 81 |
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
| 82 |
implementation (http://www.openbsm.org). |
| 83 |
|
| 84 |
|
| 85 |
2. Building / Installation |
| 86 |
-------------------------- |
| 87 |
|
| 88 |
To install OpenSSH with default options: |
| 89 |
|
| 90 |
./configure |
| 91 |
make |
| 92 |
make install |
| 93 |
|
| 94 |
This will install the OpenSSH binaries in /usr/local/bin, configuration files |
| 95 |
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different |
| 96 |
installation prefix, use the --prefix option to configure: |
| 97 |
|
| 98 |
./configure --prefix=/opt |
| 99 |
make |
| 100 |
make install |
| 101 |
|
| 102 |
Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override |
| 103 |
specific paths, for example: |
| 104 |
|
| 105 |
./configure --prefix=/opt --sysconfdir=/etc/ssh |
| 106 |
make |
| 107 |
make install |
| 108 |
|
| 109 |
This will install the binaries in /opt/{bin,lib,sbin}, but will place the |
| 110 |
configuration files in /etc/ssh. |
| 111 |
|
| 112 |
If you are using Privilege Separation (which is enabled by default) |
| 113 |
then you will also need to create the user, group and directory used by |
| 114 |
sshd for privilege separation. See README.privsep for details. |
| 115 |
|
| 116 |
If you are using PAM, you may need to manually install a PAM control |
| 117 |
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep |
| 118 |
them). Note that the service name used to start PAM is __progname, |
| 119 |
which is the basename of the path of your sshd (e.g., the service name |
| 120 |
for /usr/sbin/osshd will be osshd). If you have renamed your sshd |
| 121 |
executable, your PAM configuration may need to be modified. |
| 122 |
|
| 123 |
A generic PAM configuration is included as "contrib/sshd.pam.generic", |
| 124 |
you may need to edit it before using it on your system. If you are |
| 125 |
using a recent version of Red Hat Linux, the config file in |
| 126 |
contrib/redhat/sshd.pam should be more useful. Failure to install a |
| 127 |
valid PAM file may result in an inability to use password |
| 128 |
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf |
| 129 |
configuration will work with sshd (sshd will match the other service |
| 130 |
name). |
| 131 |
|
| 132 |
There are a few other options to the configure script: |
| 133 |
|
| 134 |
--with-audit=[module] enable additional auditing via the specified module. |
| 135 |
Currently, drivers for "debug" (additional info via syslog) and "bsm" |
| 136 |
(Sun's Basic Security Module) are supported. |
| 137 |
|
| 138 |
--with-pam enables PAM support. If PAM support is compiled in, it must |
| 139 |
also be enabled in sshd_config (refer to the UsePAM directive). |
| 140 |
|
| 141 |
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD |
| 142 |
support and to specify a PRNGd socket. Use this if your Unix lacks |
| 143 |
/dev/random and you don't want to use OpenSSH's builtin entropy |
| 144 |
collection support. |
| 145 |
|
| 146 |
--with-prngd-port=portnum allows you to enable EGD or PRNGD support |
| 147 |
and to specify a EGD localhost TCP port. Use this if your Unix lacks |
| 148 |
/dev/random and you don't want to use OpenSSH's builtin entropy |
| 149 |
collection support. |
| 150 |
|
| 151 |
--with-lastlog=FILE will specify the location of the lastlog file. |
| 152 |
./configure searches a few locations for lastlog, but may not find |
| 153 |
it if lastlog is installed in a different place. |
| 154 |
|
| 155 |
--without-lastlog will disable lastlog support entirely. |
| 156 |
|
| 157 |
--with-osfsia, --without-osfsia will enable or disable OSF1's Security |
| 158 |
Integration Architecture. The default for OSF1 machines is enable. |
| 159 |
|
| 160 |
--with-skey=PATH will enable S/Key one time password support. You will |
| 161 |
need the S/Key libraries and header files installed for this to work. |
| 162 |
|
| 163 |
--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) |
| 164 |
support. You will need libwrap.a and tcpd.h installed. |
| 165 |
|
| 166 |
--with-md5-passwords will enable the use of MD5 passwords. Enable this |
| 167 |
if your operating system uses MD5 passwords and the system crypt() does |
| 168 |
not support them directly (see the crypt(3/3c) man page). If enabled, the |
| 169 |
resulting binary will support both MD5 and traditional crypt passwords. |
| 170 |
|
| 171 |
--with-utmpx enables utmpx support. utmpx support is automatic for |
| 172 |
some platforms. |
| 173 |
|
| 174 |
--without-shadow disables shadow password support. |
| 175 |
|
| 176 |
--with-ipaddr-display forces the use of a numeric IP address in the |
| 177 |
$DISPLAY environment variable. Some broken systems need this. |
| 178 |
|
| 179 |
--with-default-path=PATH allows you to specify a default $PATH for sessions |
| 180 |
started by sshd. This replaces the standard path entirely. |
| 181 |
|
| 182 |
--with-pid-dir=PATH specifies the directory in which the ssh.pid file is |
| 183 |
created. |
| 184 |
|
| 185 |
--with-xauth=PATH specifies the location of the xauth binary |
| 186 |
|
| 187 |
--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries |
| 188 |
are installed. |
| 189 |
|
| 190 |
--with-ssl-engine enables OpenSSL's (hardware) ENGINE support |
| 191 |
|
| 192 |
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to |
| 193 |
real (AF_INET) IPv4 addresses. Works around some quirks on Linux. |
| 194 |
|
| 195 |
--with-opensc=DIR |
| 196 |
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to |
| 197 |
be used with OpenSSH. See 'README.smartcard' for more details. |
| 198 |
|
| 199 |
If you need to pass special options to the compiler or linker, you |
| 200 |
can specify these as environment variables before running ./configure. |
| 201 |
For example: |
| 202 |
|
| 203 |
CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure |
| 204 |
|
| 205 |
3. Configuration |
| 206 |
---------------- |
| 207 |
|
| 208 |
The runtime configuration files are installed by in ${prefix}/etc or |
| 209 |
whatever you specified as your --sysconfdir (/usr/local/etc by default). |
| 210 |
|
| 211 |
The default configuration should be instantly usable, though you should |
| 212 |
review it to ensure that it matches your security requirements. |
| 213 |
|
| 214 |
To generate a host key, run "make host-key". Alternately you can do so |
| 215 |
manually using the following commands: |
| 216 |
|
| 217 |
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" |
| 218 |
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" |
| 219 |
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" |
| 220 |
|
| 221 |
Replacing /etc/ssh with the correct path to the configuration directory. |
| 222 |
(${prefix}/etc or whatever you specified with --sysconfdir during |
| 223 |
configuration) |
| 224 |
|
| 225 |
If you have configured OpenSSH with EGD support, ensure that EGD is |
| 226 |
running and has collected some Entropy. |
| 227 |
|
| 228 |
For more information on configuration, please refer to the manual pages |
| 229 |
for sshd, ssh and ssh-agent. |
| 230 |
|
| 231 |
4. (Optional) Send survey |
| 232 |
------------------------- |
| 233 |
|
| 234 |
$ make survey |
| 235 |
[check the contents of the file "survey" to ensure there's no information |
| 236 |
that you consider sensitive] |
| 237 |
$ make send-survey |
| 238 |
|
| 239 |
This will send configuration information for the currently configured |
| 240 |
host to a survey address. This will help determine which configurations |
| 241 |
are actually in use, and what valid combinations of configure options |
| 242 |
exist. The raw data is available only to the OpenSSH developers, however |
| 243 |
summary data may be published. |
| 244 |
|
| 245 |
5. Problems? |
| 246 |
------------ |
| 247 |
|
| 248 |
If you experience problems compiling, installing or running OpenSSH. |
| 249 |
Please refer to the "reporting bugs" section of the webpage at |
| 250 |
http://www.openssh.com/ |
| 251 |
|
| 252 |
|
| 253 |
$Id: INSTALL,v 1.1.1.3 2006-10-03 02:03:03 raven Exp $ |
