1 1. Prerequisites 2 ---------------- 3 4 You will need working installations of Zlib and libcrypto (LibreSSL / 5 OpenSSL) 6 7 Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): 8 http://www.gzip.org/zlib/ 9 10 libcrypto (LibreSSL or OpenSSL >= 0.9.8f) 11 LibreSSL http://www.libressl.org/ ; or 12 OpenSSL http://www.openssl.org/ 13 14 LibreSSL/OpenSSL should be compiled as a position-independent library 15 (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. 16 If you must use a non-position-independent libcrypto, then you may need 17 to configure OpenSSH --without-pie. 18 19 The remaining items are optional. 20 21 NB. If you operating system supports /dev/random, you should configure 22 libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's 23 direct support of /dev/random, or failing that, either prngd or egd 24 25 PRNGD: 26 27 If your system lacks kernel-based random collection, the use of Lutz 28 Jaenicke's PRNGd is recommended. 29 30 http://prngd.sourceforge.net/ 31 32 EGD: 33 34 If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is 35 supported only if libcrypto supports it. 36 37 http://egd.sourceforge.net/ 38 39 PAM: 40 41 OpenSSH can utilise Pluggable Authentication Modules (PAM) if your 42 system supports it. PAM is standard most Linux distributions, Solaris, 43 HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. 44 45 Information about the various PAM implementations are available: 46 47 Solaris PAM: http://www.sun.com/software/solaris/pam/ 48 Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ 49 OpenPAM: http://www.openpam.org/ 50 51 If you wish to build the GNOME passphrase requester, you will need the GNOME 52 libraries and headers. 53 54 GNOME: 55 http://www.gnome.org/ 56 57 Alternatively, Jim Knoble <jmknoble (a] pobox.com> has written an excellent X11 58 passphrase requester. This is maintained separately at: 59 60 http://www.jmknoble.net/software/x11-ssh-askpass/ 61 62 S/Key Libraries: 63 64 If you wish to use --with-skey then you will need the library below 65 installed. No other S/Key library is currently known to be supported. 66 67 http://www.sparc.spb.su/solaris/skey/ 68 69 LibEdit: 70 71 sftp supports command-line editing via NetBSD's libedit. If your platform 72 has it available natively you can use that, alternatively you might try 73 these multi-platform ports: 74 75 http://www.thrysoee.dk/editline/ 76 http://sourceforge.net/projects/libedit/ 77 78 LDNS: 79 80 LDNS is a DNS BSD-licensed resolver library which supports DNSSEC. 81 82 http://nlnetlabs.nl/projects/ldns/ 83 84 Autoconf: 85 86 If you modify configure.ac or configure doesn't exist (eg if you checked 87 the code out of CVS yourself) then you will need autoconf-2.68 to rebuild 88 the automatically generated files by running "autoreconf". Earlier 89 versions may also work but this is not guaranteed. 90 91 http://www.gnu.org/software/autoconf/ 92 93 Basic Security Module (BSM): 94 95 Native BSM support is know to exist in Solaris from at least 2.5.1, 96 FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM 97 implementation (http://www.openbsm.org). 98 99 100 2. Building / Installation 101 -------------------------- 102 103 To install OpenSSH with default options: 104 105 ./configure 106 make 107 make install 108 109 This will install the OpenSSH binaries in /usr/local/bin, configuration files 110 in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 111 installation prefix, use the --prefix option to configure: 112 113 ./configure --prefix=/opt 114 make 115 make install 116 117 Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 118 specific paths, for example: 119 120 ./configure --prefix=/opt --sysconfdir=/etc/ssh 121 make 122 make install 123 124 This will install the binaries in /opt/{bin,lib,sbin}, but will place the 125 configuration files in /etc/ssh. 126 127 If you are using Privilege Separation (which is enabled by default) 128 then you will also need to create the user, group and directory used by 129 sshd for privilege separation. See README.privsep for details. 130 131 If you are using PAM, you may need to manually install a PAM control 132 file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 133 them). Note that the service name used to start PAM is __progname, 134 which is the basename of the path of your sshd (e.g., the service name 135 for /usr/sbin/osshd will be osshd). If you have renamed your sshd 136 executable, your PAM configuration may need to be modified. 137 138 A generic PAM configuration is included as "contrib/sshd.pam.generic", 139 you may need to edit it before using it on your system. If you are 140 using a recent version of Red Hat Linux, the config file in 141 contrib/redhat/sshd.pam should be more useful. Failure to install a 142 valid PAM file may result in an inability to use password 143 authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 144 configuration will work with sshd (sshd will match the other service 145 name). 146 147 There are a few other options to the configure script: 148 149 --with-audit=[module] enable additional auditing via the specified module. 150 Currently, drivers for "debug" (additional info via syslog) and "bsm" 151 (Sun's Basic Security Module) are supported. 152 153 --with-pam enables PAM support. If PAM support is compiled in, it must 154 also be enabled in sshd_config (refer to the UsePAM directive). 155 156 --with-prngd-socket=/some/file allows you to enable EGD or PRNGD 157 support and to specify a PRNGd socket. Use this if your Unix lacks 158 /dev/random and you don't want to use OpenSSH's builtin entropy 159 collection support. 160 161 --with-prngd-port=portnum allows you to enable EGD or PRNGD support 162 and to specify a EGD localhost TCP port. Use this if your Unix lacks 163 /dev/random and you don't want to use OpenSSH's builtin entropy 164 collection support. 165 166 --with-lastlog=FILE will specify the location of the lastlog file. 167 ./configure searches a few locations for lastlog, but may not find 168 it if lastlog is installed in a different place. 169 170 --without-lastlog will disable lastlog support entirely. 171 172 --with-osfsia, --without-osfsia will enable or disable OSF1's Security 173 Integration Architecture. The default for OSF1 machines is enable. 174 175 --with-skey=PATH will enable S/Key one time password support. You will 176 need the S/Key libraries and header files installed for this to work. 177 178 --with-md5-passwords will enable the use of MD5 passwords. Enable this 179 if your operating system uses MD5 passwords and the system crypt() does 180 not support them directly (see the crypt(3/3c) man page). If enabled, the 181 resulting binary will support both MD5 and traditional crypt passwords. 182 183 --with-utmpx enables utmpx support. utmpx support is automatic for 184 some platforms. 185 186 --without-shadow disables shadow password support. 187 188 --with-ipaddr-display forces the use of a numeric IP address in the 189 $DISPLAY environment variable. Some broken systems need this. 190 191 --with-default-path=PATH allows you to specify a default $PATH for sessions 192 started by sshd. This replaces the standard path entirely. 193 194 --with-pid-dir=PATH specifies the directory in which the sshd.pid file is 195 created. 196 197 --with-xauth=PATH specifies the location of the xauth binary 198 199 --with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL 200 libraries 201 are installed. 202 203 --with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support 204 205 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 206 real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 207 208 If you need to pass special options to the compiler or linker, you 209 can specify these as environment variables before running ./configure. 210 For example: 211 212 CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 213 214 3. Configuration 215 ---------------- 216 217 The runtime configuration files are installed by in ${prefix}/etc or 218 whatever you specified as your --sysconfdir (/usr/local/etc by default). 219 220 The default configuration should be instantly usable, though you should 221 review it to ensure that it matches your security requirements. 222 223 To generate a host key, run "make host-key". Alternately you can do so 224 manually using the following commands: 225 226 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" 227 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" 228 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" 229 230 Replacing /etc/ssh with the correct path to the configuration directory. 231 (${prefix}/etc or whatever you specified with --sysconfdir during 232 configuration) 233 234 If you have configured OpenSSH with EGD support, ensure that EGD is 235 running and has collected some Entropy. 236 237 For more information on configuration, please refer to the manual pages 238 for sshd, ssh and ssh-agent. 239 240 4. (Optional) Send survey 241 ------------------------- 242 243 $ make survey 244 [check the contents of the file "survey" to ensure there's no information 245 that you consider sensitive] 246 $ make send-survey 247 248 This will send configuration information for the currently configured 249 host to a survey address. This will help determine which configurations 250 are actually in use, and what valid combinations of configure options 251 exist. The raw data is available only to the OpenSSH developers, however 252 summary data may be published. 253 254 5. Problems? 255 ------------ 256 257 If you experience problems compiling, installing or running OpenSSH. 258 Please refer to the "reporting bugs" section of the webpage at 259 http://www.openssh.com/ 260 261 262 $Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $ 263