INSTALL revision 226046
1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

Autoconf:

If you modify configure.ac or configure doesn't exist (eg if you checked
the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-ssl-engine enables OpenSSL's (hardware) ENGINE support.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternately you can do so
manually using the following commands:

 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.86 2011/05/05 03:48:37 djm Exp $
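The three post-install requirements spelled out in sections 2 and 3 (a PAM control file named after the sshd basename, the privilege separation directory from README.privsep, and private host keys in the --sysconfdir) are easy to get wrong after a --prefix or renamed-binary install. The following check script is an added example, not part of OpenSSH; it takes all four paths as arguments rather than assuming defaults, and reads permissions through the ls permission string so it runs on any POSIX sh.

```shell
# Added post-install sanity check; not part of OpenSSH itself.
# Usage: check_install SSHD_PATH PAM_DIR SYSCONFDIR PRIVSEP_DIR
#   SSHD_PATH   installed sshd binary (its basename is the PAM service name)
#   PAM_DIR     where PAM control files live (normally /etc/pam.d)
#   SYSCONFDIR  the --sysconfdir used at build time (host keys live here)
#   PRIVSEP_DIR the privilege separation directory from README.privsep
# Prints one line per problem and returns the number of problems found.

# ls-style permission string of a path, e.g. "-rw-------" or "drwxr-xr-x"
mode_of() { ls -ld "$1" | cut -c1-10; }

check_install() {
    sshd_path=$1 pam_dir=$2 sysconfdir=$3 privsep_dir=$4
    fails=0
    # 1. sshd starts PAM with __progname, so a renamed binary needs a
    #    matching control file (e.g. /etc/pam.d/osshd for /usr/sbin/osshd).
    svc=$(basename "$sshd_path")
    if [ ! -f "$pam_dir/$svc" ]; then
        echo "FAIL: no PAM control file $pam_dir/$svc for service '$svc'"
        fails=$((fails + 1))
    fi

    # 2. The private host keys written by "make host-key" must exist and
    #    be readable by their owner only.
    for k in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        f=$sysconfdir/$k
        if [ ! -f "$f" ]; then
            echo "FAIL: host key $f missing (run \"make host-key\")"
            fails=$((fails + 1))
        elif [ "$(mode_of "$f")" != "-rw-------" ]; then
            echo "FAIL: $f is $(mode_of "$f"), expected -rw------- (0600)"
            fails=$((fails + 1))
        fi
    done

    # 3. The privsep directory must exist and must not be writable by
    #    group or others (positions 6 and 9 of the permission string).
    if [ ! -d "$privsep_dir" ]; then
        echo "FAIL: privsep directory $privsep_dir missing (see README.privsep)"
        fails=$((fails + 1))
    else
        case "$(mode_of "$privsep_dir")" in
            d????-??-?) ;;
            *) echo "FAIL: $privsep_dir is group/world writable"
               fails=$((fails + 1)) ;;
        esac
    fi
    return $fails
}
```

Run it as root after "make install" and "make host-key", for example `check_install /usr/local/sbin/sshd /etc/pam.d /usr/local/etc /var/empty`; a zero exit status means all three checks passed.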