1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the "other" service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one-time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-ssl-engine enables OpenSSL's (hardware) ENGINE support.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

replacing /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $
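Two of the post-install points from sections 2 and 3 above (the PAM service name is the basename of the sshd binary and must have an /etc/pam.d entry or a pam.conf line; the host keys must be present in the configuration directory) as an added POSIX shell check. This is example code, not part of the OpenSSH distribution; the function names and the requirement that private host keys be mode 0600 exactly are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of OpenSSH. Post-install checks for a fresh sshd.
# Needs only POSIX sh, basename, grep and find.

# PAM: the service name sshd uses is the basename of its own path.
pam_service_name() {
    basename "$1"
}

# Return 0 if PAM config exists for the sshd at $1 under the etc dir $2
# (default /etc): either $2/pam.d/<service>, or a pam.conf line (HP-UX,
# Solaris style) for "<service>" or for the catch-all "other" service.
pam_config_present() {
    svc=$(pam_service_name "$1")
    etc=${2:-/etc}
    [ -f "$etc/pam.d/$svc" ] && return 0
    [ -f "$etc/pam.conf" ] &&
        grep -Eq "^[[:space:]]*($svc|other)[[:space:]]" "$etc/pam.conf" &&
        return 0
    return 1
}

# Host keys: each named key under $1 must exist, have its .pub beside it
# and (this example's own rule) be mode 0600 exactly. Prints every problem
# and returns 1 if any was found.
host_keys_ok() {
    dir=$1; shift
    rc=0
    for name in "$@"; do
        key="$dir/$name"
        if [ ! -f "$key" ]; then
            echo "missing: $key"; rc=1; continue
        fi
        [ -f "$key.pub" ] || { echo "missing public half: $key.pub"; rc=1; }
        # find -perm with an octal mode matches only that exact mode (POSIX).
        [ -n "$(find "$key" -perm 600 -print)" ] ||
            { echo "mode is not 0600: $key"; rc=1; }
    done
    return $rc
}

# Run both checks, e.g. sshd_postinstall_check /usr/local/sbin/sshd /usr/local/etc
sshd_postinstall_check() {
    ok=0
    pam_config_present "$1" ||
        { echo "no PAM config for service $(pam_service_name "$1")"; ok=1; }
    host_keys_ok "$2" ssh_host_rsa_key ssh_host_dsa_key || ok=1
    return $ok
}
```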