INSTALL revision 146998
190075Sobrien1. Prerequisites 290075Sobrien---------------- 390075Sobrien 490075SobrienYou will need working installations of Zlib and OpenSSL. 590075Sobrien 690075SobrienZlib 1.1.4 or greater: 790075Sobrienhttp://www.gzip.org/zlib/ 8 9OpenSSL 0.9.6 or greater: 10http://www.openssl.org/ 11 12(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 13Blowfish) do not work correctly.) 14 15OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system 16supports it. PAM is standard on Redhat and Debian Linux, Solaris and 17HP-UX 11. 18 19NB. If you operating system supports /dev/random, you should configure 20OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of 21/dev/random. If you don't you will have to rely on ssh-rand-helper, which 22is inferior to a good kernel-based solution. 23 24PAM: 25http://www.kernel.org/pub/linux/libs/pam/ 26 27If you wish to build the GNOME passphrase requester, you will need the GNOME 28libraries and headers. 29 30GNOME: 31http://www.gnome.org/ 32 33Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 34passphrase requester. This is maintained separately at: 35 36http://www.jmknoble.net/software/x11-ssh-askpass/ 37 38PRNGD: 39 40If your system lacks Kernel based random collection, the use of Lutz 41Jaenicke's PRNGd is recommended. 42 43http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html 44 45EGD: 46 47The Entropy Gathering Daemon (EGD) is supported if you have a system which 48lacks /dev/random and don't want to use OpenSSH's internal entropy collection. 49 50http://www.lothar.com/tech/crypto/ 51 52S/Key Libraries: 53http://www.sparc.spb.su/solaris/skey/ 54 55LibEdit: 56 57sftp now supports command-line editing via NetBSD's libedit. If your 58platform has it available natively you can use that, alternatively 59you might try these multi-platform ports: 60http://www.thrysoee.dk/editline/ 61http://sourceforge.net/projects/libedit/ 62 63If you wish to use --with-skey then you will need the above library 64installed. No other current S/Key library is currently known to be 65supported. 66 672. Building / Installation 68-------------------------- 69 70To install OpenSSH with default options: 71 72./configure 73make 74make install 75 76This will install the OpenSSH binaries in /usr/local/bin, configuration files 77in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 78installation prefix, use the --prefix option to configure: 79 80./configure --prefix=/opt 81make 82make install 83 84Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 85specific paths, for example: 86 87./configure --prefix=/opt --sysconfdir=/etc/ssh 88make 89make install 90 91This will install the binaries in /opt/{bin,lib,sbin}, but will place the 92configuration files in /etc/ssh. 93 94If you are using PAM, you may need to manually install a PAM control 95file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 96them). Note that the service name used to start PAM is __progname, 97which is the basename of the path of your sshd (e.g., the service name 98for /usr/sbin/osshd will be osshd). If you have renamed your sshd 99executable, your PAM configuration may need to be modified. 100 101A generic PAM configuration is included as "contrib/sshd.pam.generic", 102you may need to edit it before using it on your system. If you are 103using a recent version of Red Hat Linux, the config file in 104contrib/redhat/sshd.pam should be more useful. Failure to install a 105valid PAM file may result in an inability to use password 106authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 107configuration will work with sshd (sshd will match the other service 108name). 109 110There are a few other options to the configure script: 111 112--with-pam enables PAM support. If PAM support is compiled in, it must 113also be enabled in sshd_config (refer to the UsePAM directive). 114 115--with-prngd-socket=/some/file allows you to enable EGD or PRNGD 116support and to specify a PRNGd socket. Use this if your Unix lacks 117/dev/random and you don't want to use OpenSSH's builtin entropy 118collection support. 119 120--with-prngd-port=portnum allows you to enable EGD or PRNGD support 121and to specify a EGD localhost TCP port. Use this if your Unix lacks 122/dev/random and you don't want to use OpenSSH's builtin entropy 123collection support. 124 125--with-lastlog=FILE will specify the location of the lastlog file. 126./configure searches a few locations for lastlog, but may not find 127it if lastlog is installed in a different place. 128 129--without-lastlog will disable lastlog support entirely. 130 131--with-osfsia, --without-osfsia will enable or disable OSF1's Security 132Integration Architecture. The default for OSF1 machines is enable. 133 134--with-skey=PATH will enable S/Key one time password support. You will 135need the S/Key libraries and header files installed for this to work. 136 137--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) 138support. You will need libwrap.a and tcpd.h installed. 139 140--with-md5-passwords will enable the use of MD5 passwords. Enable this 141if your operating system uses MD5 passwords and the system crypt() does 142not support them directly (see the crypt(3/3c) man page). If enabled, the 143resulting binary will support both MD5 and traditional crypt passwords. 144 145--with-utmpx enables utmpx support. utmpx support is automatic for 146some platforms. 147 148--without-shadow disables shadow password support. 149 150--with-ipaddr-display forces the use of a numeric IP address in the 151$DISPLAY environment variable. Some broken systems need this. 152 153--with-default-path=PATH allows you to specify a default $PATH for sessions 154started by sshd. This replaces the standard path entirely. 155 156--with-pid-dir=PATH specifies the directory in which the ssh.pid file is 157created. 158 159--with-xauth=PATH specifies the location of the xauth binary 160 161--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries 162are installed. 163 164--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 165real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 166 167--with-opensc=DIR 168--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to 169be used with OpenSSH. See 'README.smartcard' for more details. 170 171If you need to pass special options to the compiler or linker, you 172can specify these as environment variables before running ./configure. 173For example: 174 175CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 176 1773. Configuration 178---------------- 179 180The runtime configuration files are installed by in ${prefix}/etc or 181whatever you specified as your --sysconfdir (/usr/local/etc by default). 182 183The default configuration should be instantly usable, though you should 184review it to ensure that it matches your security requirements. 185 186To generate a host key, run "make host-key". Alternately you can do so 187manually using the following commands: 188 189 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" 190 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" 191 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" 192 193Replacing /etc/ssh with the correct path to the configuration directory. 194(${prefix}/etc or whatever you specified with --sysconfdir during 195configuration) 196 197If you have configured OpenSSH with EGD support, ensure that EGD is 198running and has collected some Entropy. 199 200For more information on configuration, please refer to the manual pages 201for sshd, ssh and ssh-agent. 202 2034. (Optional) Send survey 204------------------------- 205 206$ make survey 207[check the contents and make sure there's no sensitive information] 208$ make send-survey 209 210This will send configuration information for the currently configured 211host to a survey address. This will help determine which configurations 212are actually in use, and what valid combinations of configure options 213exist. The raw data is available only to the OpenSSH developers, however 214summary data may be published. 215 2165. Problems? 217------------ 218 219If you experience problems compiling, installing or running OpenSSH. 220Please refer to the "reporting bugs" section of the webpage at 221http://www.openssh.com/ 222 223 224$Id: INSTALL,v 1.66 2005/01/18 01:05:18 dtucker Exp $ 225