Diffstat (limited to 'INSTALL')
-rw-r--r-- | INSTALL | 116 |
1 files changed, 68 insertions, 48 deletions
@@ -1,38 +1,58 @@ 1. Prerequisites ---------------- -You will need working installations of Zlib and libcrypto (LibreSSL / -OpenSSL) +A C compiler. Any C89 or better compiler should work. Where supported, +configure will attempt to enable the compiler's run-time integrity checking +options. Some notes about specific compilers: + - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime + (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) -Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): +To support Privilege Separation (which is now required) you will need +to create the user, group and directory used by sshd for privilege +separation. See README.privsep for details. + + +The remaining items are optional. + +A working installation of zlib: +Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): http://www.gzip.org/zlib/ -libcrypto (LibreSSL or OpenSSL >= 0.9.8f) -LibreSSL http://www.libressl.org/ ; or -OpenSSL http://www.openssl.org/ +libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto +is supported but severely restricts the available ciphers and algorithms. + - LibreSSL (https://www.libressl.org/) + - OpenSSL (https://www.openssl.org) with any of the following versions: + - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 + +Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to +1.1.0g can't be used. LibreSSL/OpenSSL should be compiled as a position-independent library -(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. -If you must use a non-position-independent libcrypto, then you may need -to configure OpenSSH --without-pie. +(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" +or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not +be able to link with it. If you must use a non-position-independent +libcrypto, then you may need to configure OpenSSH --without-pie. -The remaining items are optional. 
+If you build either from source, running the OpenSSL self-test ("make +tests") or the LibreSSL equivalent ("make check") and ensuring that all +tests pass is strongly recommended. NB. If you operating system supports /dev/random, you should configure libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's -direct support of /dev/random, or failing that, either prngd or egd +direct support of /dev/random, or failing that, either prngd or egd. PRNGD: If your system lacks kernel-based random collection, the use of Lutz -Jaenicke's PRNGd is recommended. +Jaenicke's PRNGd is recommended. It requires that libcrypto be configured +to support it. http://prngd.sourceforge.net/ EGD: -If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is -supported only if libcrypto supports it. +The Entropy Gathering Daemon (EGD) supports the same interface as prngd. +It also supported only if libcrypto is configured to support it. http://egd.sourceforge.net/ @@ -40,7 +60,7 @@ PAM: OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system supports it. PAM is standard most Linux distributions, Solaris, -HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. +HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X. Information about the various PAM implementations are available: @@ -59,13 +79,6 @@ passphrase requester. This is maintained separately at: http://www.jmknoble.net/software/x11-ssh-askpass/ -S/Key Libraries: - -If you wish to use --with-skey then you will need the library below -installed. No other S/Key library is currently known to be supported. - -http://www.sparc.spb.su/solaris/skey/ - LibEdit: sftp supports command-line editing via NetBSD's libedit. If your platform 
@@ -84,7 +97,7 @@ http://nlnetlabs.nl/projects/ldns/ Autoconf: If you modify configure.ac or configure doesn't exist (eg if you checked -the code out of CVS yourself) then you will need autoconf-2.68 to rebuild +the code out of git yourself) then you will need autoconf-2.69 to rebuild the automatically generated files by running "autoreconf". Earlier versions may also work but this is not guaranteed. @@ -92,10 +105,26 @@ http://www.gnu.org/software/autoconf/ Basic Security Module (BSM): -Native BSM support is know to exist in Solaris from at least 2.5.1, +Native BSM support is known to exist in Solaris from at least 2.5.1, FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM implementation (http://www.openbsm.org). +makedepend: + +https://www.x.org/archive/individual/util/ + +If you are making significant changes to the code you may need to rebuild +the dependency (.depend) file using "make depend", which requires the +"makedepend" tool from the X11 distribution. + +libfido2: + +libfido2 allows the use of hardware security keys over USB. libfido2 +in turn depends on libcbor. + +https://github.com/Yubico/libfido2 +https://github.com/pjk/libcbor + 2. Building / Installation -------------------------- @@ -124,10 +153,6 @@ make install This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using Privilege Separation (which is enabled by default) -then you will also need to create the user, group and directory used by -sshd for privilege separation. See README.privsep for details. - If you are using PAM, you may need to manually install a PAM control file as "/etc/pam.d/sshd" (or wherever your system prefers to keep them). Note that the service name used to start PAM is __progname, 
@@ -155,13 +180,11 @@ also be enabled in sshd_config (refer to the UsePAM directive). --with-prngd-socket=/some/file allows you to enable EGD or PRNGD support and to specify a PRNGd socket. Use this if your Unix lacks -/dev/random and you don't want to use OpenSSH's builtin entropy -collection support. +/dev/random. --with-prngd-port=portnum allows you to enable EGD or PRNGD support and to specify a EGD localhost TCP port. Use this if your Unix lacks -/dev/random and you don't want to use OpenSSH's builtin entropy -collection support. +/dev/random. --with-lastlog=FILE will specify the location of the lastlog file. ./configure searches a few locations for lastlog, but may not find @@ -172,9 +195,6 @@ it if lastlog is installed in a different place. --with-osfsia, --without-osfsia will enable or disable OSF1's Security Integration Architecture. The default for OSF1 machines is enable. ---with-skey=PATH will enable S/Key one time password support. You will -need the S/Key libraries and header files installed for this to work. - --with-md5-passwords will enable the use of MD5 passwords. Enable this if your operating system uses MD5 passwords and the system crypt() does not support them directly (see the crypt(3/3c) man page). If enabled, the @@ -197,8 +217,7 @@ created. --with-xauth=PATH specifies the location of the xauth binary --with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL -libraries -are installed. +libraries are installed. --with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support @@ -209,7 +228,7 @@ If you need to pass special options to the compiler or linker, you can specify these as environment variables before running ./configure. For example: -CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure +CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure 3. Configuration ---------------- 
@@ -223,13 +242,17 @@ review it to ensure that it matches your security requirements. To generate a host key, run "make host-key". Alternately you can do so manually using the following commands: - ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" - ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" - ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" + ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" + +for each of the types you wish to generate (rsa, dsa or ecdsa) or + + ssh-keygen -A + +to generate keys for all supported types. Replacing /etc/ssh with the correct path to the configuration directory. (${prefix}/etc or whatever you specified with --sysconfdir during -configuration) +configuration). If you have configured OpenSSH with EGD support, ensure that EGD is running and has collected some Entropy. @@ -254,9 +277,6 @@ summary data may be published. 5. Problems? ------------ -If you experience problems compiling, installing or running OpenSSH. -Please refer to the "reporting bugs" section of the webpage at -http://www.openssh.com/ - - -$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $ +If you experience problems compiling, installing or running OpenSSH, +please refer to the "reporting bugs" section of the webpage at +https://www.openssh.com/ |
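Review bot: in the clang note of the Prerequisites hunk (@@ -1,38 +1,58 @@), `-sanitize=integer` is not a clang option; the sanitizer flag is `-fsanitize=integer`, with the same `-f` prefix the line already uses on `-ftrapv`. Suggest `+ - clang: -ftrapv and -fsanitize=integer require the compiler-rt runtime`. Two grammar slips in the same hunk: the new EGD line `+It also supported only if libcrypto is configured to support it.` is missing `is` (`It is also supported only if ...`), and since the entropy paragraph is being edited anyway, the unchanged context line `NB. If you operating system supports /dev/random` could be corrected to `If your operating system`.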
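Review bot: the manual host-key command in the Configuration hunk (@@ -223,13 +242,17 @@) writes every key type to the same file, `+ ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""`, so generating a second type silently overwrites the first; the removed lines used per-type names (`ssh_host_rsa_key`, `ssh_host_dsa_key`), which is also what sshd's default HostKey paths are named after. Suggest `ssh-keygen -t [type] -f /etc/ssh/ssh_host_[type]_key -N ""`. The type list `+for each of the types you wish to generate (rsa, dsa or ecdsa)` also omits ed25519, which OpenSSH has supported since 6.5 and which the `ssh-keygen -A` path in the same hunk will generate; either add it to the list or make `ssh-keygen -A` the recommended command so new installs are not steered toward dsa.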