1. Prerequisites
----------------

A C compiler. Any C89 or better compiler should work. Where supported,
configure will attempt to enable the compiler's run-time integrity checking
options. Some notes about specific compilers:
 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
   (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL).

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC), otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie. Note that because of API changes,
OpenSSL 1.1.x is not currently supported.

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

If the kernel lacks /dev/random, the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available at:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit.
If your platform has it available natively you can use that; alternatively
you might try these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}.
You can also override specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one-time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key".
Alternatively, you can do so manually using the following commands:

    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""

for each of the types you wish to generate (rsa, dsa or ecdsa), or

    ssh-keygen -A

to generate keys for all supported types.

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers; however,
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
https://www.openssh.com/
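An added example, not part of the OpenSSH distribution: a small POSIX sh preflight that encodes the zlib and libcrypto version rules from section 1 (zlib 1.1.4 or 1.2.1.2 and later; OpenSSL 0.9.8f or later but below 1.1.0) so a build problem caused by an unsupported library can be spotted before it is reported. Reading ZLIB_VERSION from /usr/include/zlib.h and the second field of `openssl version` is an assumption about a typical system; LibreSSL's own version numbers are not checked.

```sh
#!/bin/sh
# Added example (not OpenSSH code): check installed library versions against
# the constraints in section 1 of this INSTALL file.

# Print a dotted version as four numeric fields, missing fields as 0,
# e.g. "1.2.1" -> "1 2 1 0".
vfields() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Return 0 when dotted version $1 >= dotted version $2.
vge() {
    set -- $(vfields "$1") $(vfields "$2")
    [ "$1" -gt "$5" ] && return 0; [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0; [ "$2" -lt "$6" ] && return 1
    [ "$3" -gt "$7" ] && return 0; [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# zlib: exactly 1.1.4, or 1.2.1.2 and later; 1.2.0 through 1.2.1.1 are
# rejected because earlier 1.2.x releases are documented as problematic.
zlib_ok() {
    [ "$1" = "1.1.4" ] && return 0
    vge "$1" "1.2.1.2"
}

# OpenSSL: 0.9.8f or later, but below 1.1.0 (API changes). The patch letter
# only matters within 0.9.8, where "a" to "e" (and no letter) are too old.
openssl_ok() {
    num=${1%%[a-z]*}      # "0.9.8f" -> "0.9.8", "1.0.2k" -> "1.0.2"
    letter=${1#"$num"}    # "0.9.8f" -> "f"
    vge "$num" "0.9.8" || return 1
    vge "$num" "1.1.0" && return 1
    if [ "$num" = "0.9.8" ]; then
        case "$letter" in ""|[a-e]) return 1 ;; esac
    fi
    return 0
}

# Read versions from the system (assumed locations) and report.
# Usage: sh preflight.sh [zlib-version openssl-version] to override them.
preflight() {
    z=${1:-$(sed -n 's/^#define ZLIB_VERSION "\(.*\)"/\1/p' /usr/include/zlib.h 2>/dev/null)}
    o=${2:-$(openssl version 2>/dev/null | cut -d' ' -f2)}
    if zlib_ok "$z"; then echo "zlib $z: ok"; else echo "zlib $z: unsupported"; fi
    if openssl_ok "$o"; then echo "OpenSSL $o: ok"; else echo "OpenSSL $o: unsupported"; fi
}
preflight "$@"
```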