mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-24 06:52:14 +08:00
3077c399e3
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21972 af4574ff-66df-0310-9fd7-8a98e5e911e0
486 lines
17 KiB
XML
486 lines
17 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
|
|
<!ENTITY openssh-download-http
|
|
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
|
|
<!ENTITY openssh-download-ftp
|
|
" "> <!-- at the moment, unable to connect via ftp: ken
|
|
"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> -->
|
|
<!ENTITY openssh-md5sum "bf050f002fe510e1daecd39044e1122d">
|
|
<!ENTITY openssh-size "1.5 MB">
|
|
<!ENTITY openssh-buildsize "45 MB (add 12 MB for tests)">
|
|
<!ENTITY openssh-time "0.4 SBU (running the tests takes 17+ minutes,
|
|
irrespective of processor speed)">
|
|
]>
|
|
|
|
<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
|
|
<?dbhtml filename="openssh.html"?>
|
|
|
|
<sect1info>
|
|
<othername>$LastChangedBy$</othername>
|
|
<date>$Date$</date>
|
|
</sect1info>
|
|
|
|
<title>OpenSSH-&openssh-version;</title>
|
|
|
|
<indexterm zone="openssh">
|
|
<primary sortas="a-OpenSSH">OpenSSH</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction to OpenSSH</title>
|
|
|
|
<para>
|
|
The <application>OpenSSH</application> package contains
|
|
<command>ssh</command> clients and the <command>sshd</command> daemon.
|
|
This is useful for encrypting authentication and subsequent traffic over
|
|
a network. The <command>ssh</command> and <command>scp</command> commands
|
|
are secure implementations of <command>telnet</command> and
|
|
<command>rcp</command> respectively.
|
|
</para>
|
|
|
|
&lfs90_checked;
|
|
|
|
<bridgehead renderas="sect3">Package Information</bridgehead>
|
|
<itemizedlist spacing="compact">
|
|
<listitem>
|
|
<para>
|
|
Download (HTTP): <ulink url="&openssh-download-http;"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download (FTP): <ulink url="&openssh-download-ftp;"/>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download MD5 sum: &openssh-md5sum;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Download size: &openssh-size;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Estimated disk space required: &openssh-buildsize;
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Estimated build time: &openssh-time;
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
|
|
|
|
<bridgehead renderas="sect4">Optional</bridgehead>
|
|
<para role="optional">
|
|
<xref linkend="gdb"/> (for tests),
|
|
<xref linkend="linux-pam"/>,
|
|
<xref linkend="x-window-system"/>,
|
|
<xref linkend="mitkrb"/>,
|
|
<ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>,
|
|
<ulink url="http://www.libressl.org/">LibreSSL Portable</ulink>,
|
|
<ulink url="https://github.com/OpenSC/OpenSC/wiki">OpenSC</ulink>, and
|
|
<ulink url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink>
|
|
</para>
|
|
|
|
<bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
|
|
<para role="optional">
|
|
<xref role="runtime" linkend="openjdk"/>,
|
|
<xref role="runtime" linkend="net-tools"/>, and
|
|
<xref role="runtime" linkend="sysstat"/>
|
|
</para>
|
|
|
|
<para condition="html" role="usernotes">
|
|
User Notes: <ulink url="&blfs-wiki;/OpenSSH"/>
|
|
</para>
|
|
</sect2>
|
|
|
|
<sect2 role="installation">
|
|
<title>Installation of OpenSSH</title>
|
|
|
|
<para>
|
|
<application>OpenSSH</application> runs as two processes when connecting
|
|
to other computers. The first process is a privileged process and controls
|
|
the issuance of privileges as necessary. The second process communicates
|
|
with the network. Additional installation steps are necessary to set up
|
|
the proper environment, which are performed by issuing the following
|
|
commands as the <systemitem class="username">root</systemitem> user:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
|
|
chown -v root:sys /var/lib/sshd &&
|
|
|
|
groupadd -g 50 sshd &&
|
|
useradd -c 'sshd PrivSep' \
|
|
-d /var/lib/sshd \
|
|
-g sshd \
|
|
-s /bin/false \
|
|
-u 50 sshd</userinput></screen>
|
|
|
|
<para>
|
|
Install <application>OpenSSH</application> by running the following
|
|
commands:
|
|
</para>
|
|
|
|
<screen><userinput>./configure --prefix=/usr \
|
|
--sysconfdir=/etc/ssh \
|
|
--with-md5-passwords \
|
|
--with-privsep-path=/var/lib/sshd &&
|
|
make</userinput></screen>
|
|
|
|
<para>
|
|
The testsuite requires an installed copy of <command>scp</command> to
|
|
complete the multiplexing tests. To run the test suite, first copy the
|
|
<command>scp</command> program to
|
|
<filename class="directory">/usr/bin</filename>, making sure that you
|
|
backup any existing copy first.
|
|
</para>
|
|
|
|
<para>
|
|
To test the results, issue: <command>make tests</command>.
|
|
</para>
|
|
|
|
<!-- commenting this, I get "all tests passed" [ ken ]
|
|
NB tests should be run as _user_ but the role in the comment is root
|
|
|
|
commenting [ bruce ]: There are a couple of tests that want root.
|
|
The log mentions that SUDO is not set. These skipped tests are
|
|
ignored and the end says 'all tests passed' even when not root
|
|
|
|
<para>
|
|
To run the test suite, issue the following commands:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>make tests 2>&1 | tee check.log
|
|
grep FATAL check.log</userinput></screen>
|
|
|
|
<para>
|
|
If the above command produces no 'FATAL' errors, then proceed with the
|
|
installation, as the <systemitem class="username">root</systemitem> user:
|
|
</para>-->
|
|
<para>
|
|
Now, as the <systemitem class="username">root</systemitem> user:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>make install &&
|
|
install -v -m755 contrib/ssh-copy-id /usr/bin &&
|
|
|
|
install -v -m644 contrib/ssh-copy-id.1 \
|
|
/usr/share/man/man1 &&
|
|
install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
|
|
install -v -m644 INSTALL LICENCE OVERVIEW README* \
|
|
/usr/share/doc/openssh-&openssh-version;</userinput></screen>
|
|
</sect2>
|
|
|
|
<sect2 role="commands">
|
|
<title>Command Explanations</title>
|
|
|
|
<para>
|
|
<parameter>--sysconfdir=/etc/ssh</parameter>: This prevents the
|
|
configuration files from being installed in
|
|
<filename class="directory">/usr/etc</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
<parameter>--with-md5-passwords</parameter>: This enables the use of MD5
|
|
passwords.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--with-pam</option>: This parameter enables
|
|
<application>Linux-PAM</application> support in the build.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--with-xauth=/usr/bin/xauth</option>: Set the default
|
|
location for the <command>xauth</command> binary for X authentication.
|
|
Change the location if <command>xauth</command> will be installed to a
|
|
different path. This can also be controlled from
|
|
<filename>sshd_config</filename> with the XAuthLocation keyword. You can
|
|
omit this switch if <application>Xorg</application> is already installed.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--with-kerberos5=/usr</option>: This option is used to
|
|
include Kerberos 5 support in the build.
|
|
</para>
|
|
|
|
<para>
|
|
<option>--with-libedit</option>: This option enables line editing
|
|
and history features for <command>sftp</command>.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Configuring OpenSSH</title>
|
|
|
|
<sect3 id="openssh-config">
|
|
<title>Config Files</title>
|
|
|
|
<para>
|
|
<filename>~/.ssh/*</filename>,
|
|
<filename>/etc/ssh/ssh_config</filename>, and
|
|
<filename>/etc/ssh/sshd_config</filename>
|
|
</para>
|
|
|
|
<indexterm zone="openssh openssh-config">
|
|
<primary sortas="e-AA.ssh">~/.ssh/*</primary>
|
|
</indexterm>
|
|
|
|
<indexterm zone="openssh openssh-config">
|
|
<primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
|
|
</indexterm>
|
|
|
|
<indexterm zone="openssh openssh-config">
|
|
<primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
|
|
</indexterm>
|
|
|
|
<para>
|
|
There are no required changes to any of these files. However,
|
|
you may wish to view the
|
|
<filename class='directory'>/etc/ssh/</filename> files and make any
|
|
changes appropriate for the security of your system. One recommended
|
|
change is that you disable
|
|
<systemitem class='username'>root</systemitem> login via
|
|
<command>ssh</command>. Execute the following command as the
|
|
<systemitem class='username'>root</systemitem> user to disable
|
|
<systemitem class='username'>root</systemitem> login via
|
|
<command>ssh</command>:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
|
|
|
|
<para>
|
|
If you want to be able to log in without typing in your password, first
|
|
create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
|
|
<command>ssh-keygen</command> and then copy ~/.ssh/id_rsa.pub to
|
|
~/.ssh/authorized_keys on the remote computer that you want to log into.
|
|
You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote
|
|
computer and you'll also need to enter your password for the ssh-copy-id command
|
|
to succeed:
|
|
</para>
|
|
|
|
<screen><userinput>ssh-keygen &&
|
|
ssh-copy-id -i ~/.ssh/id_rsa.pub <replaceable>REMOTE_USERNAME</replaceable>@<replaceable>REMOTE_HOSTNAME</replaceable></userinput></screen>
|
|
|
|
<para>
|
|
Once you've got passwordless logins working it's actually more secure
|
|
than logging in with a password (as the private key is much longer than
|
|
most people's passwords). If you would like to now disable password
|
|
logins, as the <systemitem class="username">root</systemitem> user:
|
|
</para>
|
|
|
|
|
|
<screen role="root"><userinput>echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
|
|
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config</userinput></screen>
|
|
|
|
<para>
|
|
If you added <application>Linux-PAM</application> support and you want
|
|
ssh to use it then you will need to add a configuration file for
|
|
<application>sshd</application> and enable use of
|
|
<application>LinuxPAM</application>. Note, ssh only uses PAM to check
|
|
passwords, if you've disabled password logins these commands are not
|
|
needed. If you want to use PAM, issue the following commands as the
|
|
<systemitem class='username'>root</systemitem> user:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
|
|
chmod 644 /etc/pam.d/sshd &&
|
|
echo "UsePAM yes" >> /etc/ssh/sshd_config</userinput></screen>
|
|
|
|
<para>
|
|
Additional configuration information can be found in the man
|
|
pages for <command>sshd</command>, <command>ssh</command> and
|
|
<command>ssh-agent</command>.
|
|
</para>
|
|
</sect3>
|
|
|
|
<sect3 id="openssh-init">
|
|
<title><phrase revision="sysv">Boot Script</phrase>
|
|
<phrase revision="systemd">Systemd Unit</phrase></title>
|
|
|
|
<para revision="sysv">
|
|
To start the SSH server at system boot, install the
|
|
<filename>/etc/rc.d/init.d/sshd</filename> init script included
|
|
in the <xref linkend="bootscripts"/> package.
|
|
</para>
|
|
|
|
<para revision="systemd">
|
|
To start the SSH server at system boot, install the
|
|
<filename>sshd.service</filename> unit included in the
|
|
<xref linkend="systemd-units"/> package.
|
|
</para>
|
|
|
|
<indexterm zone="openssh openssh-init">
|
|
<primary sortas="f-sshd">sshd</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root"><userinput>make install-sshd</userinput></screen>
|
|
</sect3>
|
|
</sect2>
|
|
|
|
<sect2 role="content">
|
|
<title>Contents</title>
|
|
|
|
<segmentedlist>
|
|
<segtitle>Installed Programs</segtitle>
|
|
<segtitle>Installed Libraries</segtitle>
|
|
<segtitle>Installed Directories</segtitle>
|
|
|
|
<seglistitem>
|
|
<seg>
|
|
scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent,
|
|
ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
|
|
</seg>
|
|
<seg>
|
|
None
|
|
</seg>
|
|
<seg>
|
|
/etc/ssh,
|
|
/usr/share/doc/openssh-&openssh-version;, and
|
|
/var/lib/sshd
|
|
</seg>
|
|
</seglistitem>
|
|
</segmentedlist>
|
|
|
|
<variablelist>
|
|
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
|
<?dbfo list-presentation="list"?>
|
|
<?dbhtml list-presentation="table"?>
|
|
|
|
<varlistentry id="scp">
|
|
<term><command>scp</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a file copy program that acts like <command>rcp</command> except
|
|
it uses an encrypted protocol.
|
|
</para>
|
|
<indexterm zone="openssh scp">
|
|
<primary sortas="b-scp">scp</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sftp">
|
|
<term><command>sftp</command></term>
|
|
<listitem>
|
|
<para>
|
|
is an FTP-like program that works over the SSH1 and SSH2 protocols.
|
|
</para>
|
|
<indexterm zone="openssh sftp">
|
|
<primary sortas="b-sftp">sftp</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="slogin">
|
|
<term><command>slogin</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a symlink to <command>ssh</command>.
|
|
</para>
|
|
<indexterm zone="openssh slogin">
|
|
<primary sortas="b-slogin">slogin</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh">
|
|
<term><command>ssh</command></term>
|
|
<listitem>
|
|
<para>
|
|
is an <command>rlogin</command>/<command>rsh</command>-like client
|
|
program except it uses an encrypted protocol.
|
|
</para>
|
|
<indexterm zone="openssh ssh">
|
|
<primary sortas="b-ssh">ssh</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="sshd">
|
|
<term><command>sshd</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a daemon that listens for <command>ssh</command> login requests.
|
|
</para>
|
|
<indexterm zone="openssh sshd">
|
|
<primary sortas="b-sshd">sshd</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh-add">
|
|
<term><command>ssh-add</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a tool which adds keys to the <command>ssh-agent</command>.
|
|
</para>
|
|
<indexterm zone="openssh ssh-add">
|
|
<primary sortas="b-ssh-add">ssh-add</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh-agent">
|
|
<term><command>ssh-agent</command></term>
|
|
<listitem>
|
|
<para>
|
|
is an authentication agent that can store private keys.
|
|
</para>
|
|
<indexterm zone="openssh ssh-agent">
|
|
<primary sortas="b-ssh-agent">ssh-agent</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh-copy-id">
|
|
<term><command>ssh-copy-id</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a script that enables logins on remote machine using local keys.
|
|
</para>
|
|
<indexterm zone="openssh ssh-copy-id">
|
|
<primary sortas="b-ssh-copy-id">ssh-copy-id</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh-keygen">
|
|
<term><command>ssh-keygen</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a key generation tool.
|
|
</para>
|
|
<indexterm zone="openssh ssh-keygen">
|
|
<primary sortas="b-ssh-keygen">ssh-keygen</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry id="ssh-keyscan">
|
|
<term><command>ssh-keyscan</command></term>
|
|
<listitem>
|
|
<para>
|
|
is a utility for gathering public host keys from a number of hosts.
|
|
</para>
|
|
<indexterm zone="openssh ssh-keyscan">
|
|
<primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
|
|
</indexterm>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</sect2>
|
|
</sect1>
|