xref: /freebsd/crypto/openssh/INSTALL (revision 83d2307d00b1f24dddf918c6651fb440d6863bf9)
1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib:
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish included) do not work correctly.)

RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support.
For Red Hat Linux 6.2, they have been released as errata.  RHL7 includes
these.

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Red Hat and Debian Linux, Solaris and
HP-UX 11.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't, you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.

PAM:
http://www.kernel.org/pub/linux/libs/pam/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@jmknoble.cx> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

S/Key Libraries:
http://www.sparc.spb.su/solaris/skey/

If you wish to use --with-skey then you will need the above library
installed.  No other S/Key library is currently known to be
supported.

2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them).  Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful.  Failure to install a
valid PAM file may result in an inability to use password
authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).
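
The service-name rule above can be checked before sshd is started. The
following sketch is an added example, not part of the OpenSSH distribution;
the function names, the script name check_pam.sh and the default paths
/etc/pam.d and /etc/pam.conf are assumptions to adjust for your system:

```shell
#!/bin/sh
# Added example (not from the OpenSSH distribution).
# sshd starts PAM with its __progname, the basename of its executable path.

pam_service_name() {
    # /usr/sbin/osshd -> osshd
    printf '%s\n' "${1##*/}"
}

# True if FILE is a pam.conf-style file with a rule whose first field is SERVICE.
conf_has_service() {
    [ -f "$1" ] && awk -v s="$2" '$1 == s { f = 1 } END { exit !f }' "$1"
}

# check_pam_service SSHD_PATH [PAM_DIR] [PAM_CONF]
# Prints "ok:FILE" (dedicated entry), "other:FILE" (only the catch-all
# "other" service would apply) or "missing:SERVICE".
# Returns 0, 1 or 2 respectively.
check_pam_service() {
    svc=$(pam_service_name "$1")
    pam_dir=${2:-/etc/pam.d}      # assumed default location
    pam_conf=${3:-/etc/pam.conf}  # assumed default location

    if [ -f "$pam_dir/$svc" ]; then
        echo "ok:$pam_dir/$svc"; return 0
    fi
    if conf_has_service "$pam_conf" "$svc"; then
        echo "ok:$pam_conf"; return 0
    fi
    if [ -f "$pam_dir/other" ]; then
        echo "other:$pam_dir/other"; return 1
    fi
    if conf_has_service "$pam_conf" other; then
        echo "other:$pam_conf"; return 1
    fi
    echo "missing:$svc"; return 2
}

# Usage: sh check_pam.sh /usr/local/sbin/sshd
if [ "$#" -gt 0 ]; then
    check_pam_service "$@"
fi
```

A result of "other" or "missing" for a renamed sshd means no PAM entry is
dedicated to that service name.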

There are a few other options to the configure script:

--with-rsh=PATH allows you to specify the path to your rsh program.
Normally ./configure will search the current $PATH for 'rsh'. You
may need to specify this option if rsh is not in your path or has a
different name.

--with-pam enables PAM support.

--enable-gnome-askpass will build the GNOME passphrase dialog. You
need a working installation of GNOME, including the development
headers, for this to work.

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-sia, --without-sia will enable or disable OSF1's Security
Integration Architecture.  The default for OSF1 machines is to enable it.

--with-kerberos4=PATH will enable Kerberos IV support. You will need
to have the Kerberos libraries and header files installed for this
to work. Use the optional PATH argument to specify the root of your
Kerberos installation.

--with-afs=PATH will enable AFS support. You will need to have the
Kerberos IV and the AFS libraries and header files installed for this
to work.  Use the optional PATH argument to specify the root of your
AFS installation. AFS requires Kerberos support to be enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords without using PAM.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ipv4-default instructs OpenSSH to use IPv4 by default for new
connections. Normally OpenSSH will attempt to look up both IPv6 and
IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name
resolution. If this option is specified, you can still attempt to
connect to IPv6 addresses using the command line option '-6'.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-4in6 checks for IPv4-in-IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
be used with OpenSSH.  See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively, you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.53 2002/05/13 05:22:21 djm Exp $