1. Prerequisites
----------------

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL).

Zlib 1.1.4, or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL, or OpenSSL >= 0.9.8f and < 1.1.0):
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC), otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie (note that a non-PIE sshd forgoes
address-space randomisation of the executable itself). Note that because
of API changes, OpenSSL 1.1.x is not currently supported.

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

If the kernel lacks /dev/random, the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation.
See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will fall back to the "other"
service entry).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replacing /etc/ssh with the correct path to the configuration directory.
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration.)

The rsa1 key serves only the legacy SSH protocol 1 and can be omitted
unless Protocol 1 is enabled in sshd_config. Do not regenerate host keys
on a host that already has them: a new host key changes the server's
identity, and every client that has cached the old one will warn about
it.

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers; however,
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
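Worked example for sections 1 to 3, added here; it is not part of the OpenSSH
INSTALL file or of the project's own code. The POSIX shell script below encodes
the version rules of section 1 (zlib 1.1.4, or 1.2.1.2 or greater; LibreSSL, or
OpenSSL >= 0.9.8f and < 1.1.0) as checkable functions, then runs the build of
section 2 and the host-key step of section 3 without ever overwriting a host key
that already exists. Assumptions not taken from INSTALL: the zlib header location
(/usr/include/zlib.h, overridable via ZLIB_H), that `openssl version` is on PATH
and prints "OpenSSL 1.0.2k ..." or "LibreSSL 2.6.5", that the privilege
separation user is named "sshd" (the README.privsep default), and that the
build only runs when the script is invoked with the argument "install". The
ssh-keygen, sshd -t and ./configure invocations use only options from this file
or the respective manual pages.

```shell
#!/bin/sh
# Added example, not part of OpenSSH or its INSTALL file: pre-flight checks
# for the prerequisites in section 1, then the build and host-key steps of
# sections 2 and 3.  Defaults marked "assumed" are not taken from INSTALL.
set -eu

# ---- Section 1: version gates --------------------------------------------
# Encode up to four dot-separated numeric fields ("1.2.1.2") as one integer
# so versions can be compared with -ge / -lt.
vkey() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + ${4:-0} ))
}

# INSTALL: zlib 1.1.4, or 1.2.1.2 or greater (earlier 1.2.x have problems).
zlib_version_ok() {
    k=$(vkey "$1")
    if [ "$k" -eq "$(vkey 1.1.4)" ] || [ "$k" -ge "$(vkey 1.2.1.2)" ]
    then echo yes; else echo no; fi
}

# OpenSSL releases carry a letter patch level ("0.9.8f").  Rank the first
# letter a=1..z=26 and no letter as 0, so "0.9.8" sorts below "0.9.8f".
ossl_key() {
    num=${1%%[a-z]*}; letter=${1#"$num"}; letter=${letter%"${letter#?}"}
    alpha=abcdefghijklmnopqrstuvwxyz; rank=0
    if [ -n "$letter" ]; then p=${alpha%%"$letter"*}; rank=$(( ${#p} + 1 )); fi
    echo $(( $(vkey "$num") * 100 + rank ))
}

# INSTALL: LibreSSL, or OpenSSL >= 0.9.8f and < 1.1.0 (1.1.x API unsupported).
libcrypto_ok() {
    case $1 in
        LibreSSL) echo yes ;;
        OpenSSL)
            k=$(ossl_key "$2")
            if [ "$k" -ge "$(ossl_key 0.9.8f)" ] && [ "$k" -lt "$(ossl_key 1.1.0)" ]
            then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# Takes the output of `openssl version`, e.g. "OpenSSL 1.0.2k  26 Jan 2017".
libcrypto_ok_banner() { set -- $1; libcrypto_ok "${1-}" "${2-}"; }

# ---- Section 3: host keys -------------------------------------------------
# File names used by INSTALL: rsa1 (protocol 1) -> ssh_host_key,
# every other type -> ssh_host_<type>_key.
host_key_path() {
    case $2 in
        rsa1) echo "$1/ssh_host_key" ;;
        *)    echo "$1/ssh_host_${2}_key" ;;
    esac
}

# Print the key types (args 2..) whose file is absent under directory $1.
# Existing keys are never regenerated: a new host key is a new server
# identity, and every client that cached the old one will warn or refuse.
missing_host_keys() {
    dir=$1; shift
    for t in "$@"; do
        [ -f "$(host_key_path "$dir" "$t")" ] || printf '%s\n' "$t"
    done
}

generate_host_keys() {
    dir=$1; shift
    for t in $(missing_host_keys "$dir" "$@"); do
        f=$(host_key_path "$dir" "$t")
        ssh-keygen -t "$t" -f "$f" -N ""   # -N "": sshd needs unencrypted host keys
        chmod 0600 "$f"                    # defensive; ssh-keygen already does this
    done
}

# ---- Section 2: build and install -----------------------------------------
# Runs only as "sh build-sshd.sh install".  PREFIX / SYSCONFDIR follow the
# INSTALL examples; ZLIB_H and the privsep user name "sshd" are assumed.
main() {
    PREFIX=${PREFIX:-/usr/local}; SYSCONFDIR=${SYSCONFDIR:-/etc/ssh}
    zv=$(sed -n 's/^#define ZLIB_VERSION *"\([^"]*\)".*/\1/p' "${ZLIB_H:-/usr/include/zlib.h}")
    [ "$(zlib_version_ok "$zv")" = yes ] || { echo "zlib $zv not supported" >&2; exit 1; }
    banner=$(openssl version)
    [ "$(libcrypto_ok_banner "$banner")" = yes ] || { echo "libcrypto '$banner' not supported" >&2; exit 1; }
    ./configure --prefix="$PREFIX" --sysconfdir="$SYSCONFDIR" --with-pam
    make
    make install
    # Privilege separation is on by default and needs its user (README.privsep).
    id -u sshd >/dev/null 2>&1 || { echo "create the sshd privsep user first" >&2; exit 1; }
    # PAM selects its control file by the sshd binary's basename (__progname).
    svc=$(basename "$PREFIX/sbin/sshd")
    [ -f "/etc/pam.d/$svc" ] || echo "warning: no /etc/pam.d/$svc; password auth may fail" >&2
    generate_host_keys "$SYSCONFDIR" rsa dsa   # add rsa1 only if Protocol 1 is enabled
    "$PREFIX/sbin/sshd" -t -f "$SYSCONFDIR/sshd_config"   # -t: check config, do not start
}

case "${1-}" in install) main ;; esac
```

The version gates are deliberately separate functions so they can be run on their
own (for instance `libcrypto_ok_banner "$(openssl version)"`) before touching the
build tree; the letter ranking in ossl_key only looks at the first patch letter,
which is enough to place a release relative to 0.9.8f and 1.1.0 but would not
order 0.9.8zh against 0.9.8zg.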