1126274SdesThis file contains notes about OpenSSH on specific platforms. 2126274Sdes 3126274SdesAIX 4126274Sdes--- 5126274SdesAs of OpenSSH 3.8p1, sshd will now honour an accounts password expiry 6126274Sdessettings, where previously it did not. Because of this, it's possible for 7126274Sdessites that have used OpenSSH's sshd exclusively to have accounts which 8126274Sdeshave passwords expired longer than the inactive time (ie the "Weeks between 9126274Sdespassword EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired 10126274Sdeschuser attribute). 11126274Sdes 12126274SdesAccounts in this state must have their passwords reset manually by the 13126274Sdesadministrator. As a precaution, it is recommended that the administrative 14126274Sdespasswords be reset before upgrading from OpenSSH <3.8. 15126274Sdes 16146998SdesAs of OpenSSH 4.0, configure will attempt to detect if your version 17146998Sdesand maintenance level of AIX has a working getaddrinfo, and will use it 18146998Sdesif found. This will enable IPv6 support. If for some reason configure 19146998Sdesgets it wrong, or if you want to build binaries to work on earlier MLs 20146998Sdesthan the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS 21146998Sdesto force the previous IPv4-only behaviour. 22137015Sdes 23146998SdesIPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 24146998SdesIPv6 known broken: 4.3.3ML11 5.1ML4 25146998Sdes 26181111SdesIf you wish to use dynamic libraries that aren't in the normal system 27181111Sdeslocations (eg IBM's OpenSSL and zlib packages) then you will need to 28181111Sdesdefine the environment variable blibpath before running configure, eg 29181111Sdes 30181111Sdesblibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \ 31181111Sdes --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware 32181111Sdes 33181111SdesIf sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled 34181111Sdesby default) then sshd checks that users are permitted via the 35181111Sdesloginrestrictions() function, in particular that the user has the 36181111Sdes"rlogin" attribute set. This check is not done for the root account, 37181111Sdesinstead the PermitRootLogin setting in sshd_config is used. 38181111Sdes 39296781SdesIf you are using the IBM compiler you probably want to use CC=xlc rather 40296781Sdesthan the default of cc. 41181111Sdes 42296781Sdes 43137015SdesCygwin 44137015Sdes------ 45137015SdesTo build on Cygwin, OpenSSH requires the following packages: 46137015Sdesgcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl, 47137015Sdesopenssl-devel, zlib, minres, minires-devel. 48137015Sdes 49137015Sdes 50162852SdesDarwin and MacOS X 51162852Sdes------------------ 52162852SdesDarwin does not provide a tun(4) driver required for OpenSSH-based 53162852Sdesvirtual private networks. The BSD manpage still exists, but the driver 54162852Sdeshas been removed in recent releases of Darwin and MacOS X. 55162852Sdes 56162852SdesNevertheless, tunnel support is known to work with Darwin 8 and 57162852SdesMacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode 58162852Sdesusing a third party driver. More information is available at: 59162852Sdes http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ 60162852Sdes 61162852Sdes 62197679SdesLinux 63197679Sdes----- 64197679Sdes 65197679SdesSome Linux distributions (including Red Hat/Fedora/CentOS) include 66197679Sdesheaders and library links in the -devel RPMs rather than the main 67197679Sdesbinary RPMs. If you get an error about headers, or complaining about a 68197679Sdesmissing prerequisite then you may need to install the equivalent 69197679Sdesdevelopment packages. On Redhat based distros these may be openssl-devel, 70197679Sdeszlib-devel and pam-devel, on Debian based distros these may be 71197679Sdeslibssl-dev, libz-dev and libpam-dev. 72197679Sdes 73197679Sdes 74126274SdesSolaris 75126274Sdes------- 76146998SdesIf you enable BSM auditing on Solaris, you need to update audit_event(4) 77146998Sdesfor praudit(1m) to give sensible output. The following line needs to be 78146998Sdesadded to /etc/security/audit_event: 79126274Sdes 80146998Sdes 32800:AUE_openssh:OpenSSH login:lo 81146998Sdes 82146998SdesThe BSM audit event range available for third party TCB applications is 83146998Sdes32768 - 65535. Event number 32800 has been choosen for AUE_openssh. 84146998SdesThere is no official registry of 3rd party event numbers, so if this 85146998Sdesnumber is already in use on your system, you may change it at build time 86146998Sdesby configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. 87146998Sdes 88146998Sdes 89157016SdesPlatforms using PAM 90157016Sdes------------------- 91157016SdesAs of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when 92157016SdesPAM is enabled. To maintain existing behaviour, pam_nologin should be 93157016Sdesadded to sshd's session stack which will prevent users from starting shell 94157016Sdessessions. Alternatively, pam_nologin can be added to either the auth or 95157016Sdesaccount stacks which will prevent authentication entirely, but will still 96157016Sdesreturn the output from pam_nologin to the client. 97157016Sdes 98157016Sdes 99197679Sdes$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $ 100