INSTALL revision 323120
1. Prerequisites
----------------

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL)

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie. Note that because of API changes,
OpenSSL 1.1.x is not currently supported.

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively, you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers; however,
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
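
The PAM service-name rule from section 2 (the service name is the basename of the sshd path, with /etc/pam.conf and its "other" entry as the HP-UX/Solaris case), as an added example that is not part of the OpenSSH distribution. The function names and the PAM_ROOT variable are hypothetical; PAM_ROOT stands for the directory holding pam.d/ and pam.conf.

```shell
#!/bin/sh
# Added example (not from the OpenSSH sources): report which PAM
# configuration, if any, a given sshd binary will pick up.
# PAM_ROOT is an assumed variable; it defaults to /etc.
PAM_ROOT="${PAM_ROOT:-/etc}"

# The PAM service name is the basename of the sshd path, so
# /usr/sbin/osshd gives "osshd".
pam_service_name() {
    basename "$1"
}

# Succeed if pam.conf has a non-comment entry whose first field is
# the service name $1 (compared case-insensitively).
pam_conf_has() {
    awk -v s="$1" 'tolower($1) == tolower(s) { f = 1 } END { exit !f }' \
        "$PAM_ROOT/pam.conf" 2>/dev/null
}

# Print "<source>:<service>" for the configuration that applies, or
# "missing:<service>" with a non-zero status when nothing matches.
pam_config_status() {
    svc=$(pam_service_name "$1")
    if [ -f "$PAM_ROOT/pam.d/$svc" ]; then
        echo "pam.d:$svc"
    elif pam_conf_has "$svc"; then
        echo "pam.conf:$svc"
    elif pam_conf_has other; then
        # Only the catch-all "other" service matches this binary.
        echo "pam.conf:other"
    else
        echo "missing:$svc"
        return 1
    fi
}

# Check the binary named on the command line, if one was given.
if [ "$#" -gt 0 ]; then
    pam_config_status "$1"
fi
```

Run it with the path of the installed sshd as its argument after renaming the binary or changing --prefix; a "missing" result means password authentication through PAM may not work.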