INSTALL revision 181111
1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random, or failing that, either prngd or egd. If you don't have
any of these you will have to rely on ssh-rand-helper, which is inferior
to a good kernel-based solution or prngd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM:   http://www.kernel.org/pub/linux/libs/pam/
OpenPAM:     http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that, alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

Autoconf:

If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic",
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enable additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-ssl-engine enables OpenSSL's (hardware) ENGINE support

--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
be used with OpenSSH. See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternately you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $
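
Added example (not part of the OpenSSH distribution): the PAM note in
section 2 says the service name is the basename of the sshd path, so a
renamed binary needs its own control file. The script below reports which
PAM configuration a given sshd path would use; the function names and the
optional directory arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Reports which PAM configuration an sshd
# binary would pick up, following the rule that the PAM service name is the
# basename of the sshd path (e.g. /usr/sbin/osshd -> osshd).

# pam_service_name SSHD_PATH -> prints the PAM service name.
pam_service_name() {
    printf '%s\n' "${1##*/}"
}

# conf_has_service FILE SERVICE -> true if a non-comment pam.conf style
# line names SERVICE in its first field.
conf_has_service() {
    [ -r "$1" ] && awk -v s="$2" '$1 == s { found = 1 } END { exit !found }' "$1"
}

# pam_config_source SSHD_PATH [PAM_D_DIR] [PAM_CONF]
# Prints "pam.d:<svc>", "pam.conf:<svc>", "pam.conf:other" or "missing".
# Returns non-zero only for "missing".
pam_config_source() {
    svc=$(pam_service_name "$1")
    pam_d=${2:-/etc/pam.d}
    pam_conf=${3:-/etc/pam.conf}

    if [ -f "$pam_d/$svc" ]; then
        # Per-service control file, e.g. /etc/pam.d/sshd.
        echo "pam.d:$svc"
    elif conf_has_service "$pam_conf" "$svc"; then
        # Explicit entry for this service in a single pam.conf.
        echo "pam.conf:$svc"
    elif conf_has_service "$pam_conf" other; then
        # No entry of its own: the "other" service applies (the HP-UX 11
        # and Solaris case described in section 2).
        echo "pam.conf:other"
    else
        echo "missing"
        return 1
    fi
}

# Typical use after renaming the daemon:
#   pam_config_source /usr/sbin/osshd
```

A result of "missing" for the installed sshd path is the situation section 2
warns about, where password authentication may not work.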