INSTALL revision 126274
1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or greater:
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Red Hat and Debian Linux, Solaris and
HP-UX 11.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't, you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.

PAM:
http://www.kernel.org/pub/linux/libs/pam/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@jmknoble.cx> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

S/Key Libraries:
http://www.sparc.spb.su/solaris/skey/

If you wish to use --with-skey then you will need the above library
installed. No other S/Key library is currently known to be
supported.

2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.
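
One way to check the point above after installing or renaming sshd, as an
added example that is not part of the OpenSSH distribution. The function
names and the optional PAM directory argument are assumptions made for
illustration, and the sample control file line is constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH distribution.
# sshd starts PAM with its own program name as the service name, so the
# control file that applies is <pam_dir>/<basename of the sshd path>.

# Print the PAM service name for the given sshd executable path.
pam_service_name() {
    printf '%s\n' "${1##*/}"
}

# check_pam_service SSHD_PATH [PAM_DIR]
# Prints one status line and returns:
#   0  "ok <file>"       a non-empty control file exists for the service name
#   1  "missing <file>"  no control file for the service name
#   2  "renamed <file>"  no file for this name, but one named "sshd" exists:
#                        the binary was renamed and the control file was not
check_pam_service() {
    service=$(pam_service_name "$1")
    pam_dir=${2:-/etc/pam.d}
    file="$pam_dir/$service"
    if [ -f "$file" ] && [ -s "$file" ]; then
        echo "ok $file"
        return 0
    fi
    if [ "$service" != "sshd" ] && [ -f "$pam_dir/sshd" ]; then
        echo "renamed $file"
        return 2
    fi
    echo "missing $file"
    return 1
}

# Constructed demonstration in a scratch directory (no system files touched).
demo_dir=$(mktemp -d)
echo "auth required pam_unix.so" > "$demo_dir/sshd"    # constructed sample
check_pam_service /usr/sbin/sshd "$demo_dir"            # control file found
check_pam_service /usr/sbin/osshd "$demo_dir" || true   # renamed binary case
rm -rf "$demo_dir"
```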

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the "other" service
name).

There are a few other options to the configure script:

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
be used with OpenSSH. See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively, you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.63 2003/11/21 12:48:55 djm Exp $