11. Prerequisites 2---------------- 3 4You will need working installations of Zlib and OpenSSL. 5 6Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): 7http://www.gzip.org/zlib/ 8 9OpenSSL 0.9.6 or greater: 10http://www.openssl.org/ 11 12(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 13Blowfish) do not work correctly.) 14 15The remaining items are optional. 16 17OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system 18supports it. PAM is standard on Redhat and Debian Linux, Solaris and 19HP-UX 11. 20 21NB. If you operating system supports /dev/random, you should configure 22OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of 23/dev/random. If you don't you will have to rely on ssh-rand-helper, which 24is inferior to a good kernel-based solution. 25 26PAM: 27http://www.kernel.org/pub/linux/libs/pam/ 28 29If you wish to build the GNOME passphrase requester, you will need the GNOME 30libraries and headers. 31 32GNOME: 33http://www.gnome.org/ 34 35Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 36passphrase requester. This is maintained separately at: 37 38http://www.jmknoble.net/software/x11-ssh-askpass/ 39 40PRNGD: 41 42If your system lacks Kernel based random collection, the use of Lutz 43Jaenicke's PRNGd is recommended. 44 45http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html 46 47EGD: 48 49The Entropy Gathering Daemon (EGD) is supported if you have a system which 50lacks /dev/random and don't want to use OpenSSH's internal entropy collection. 51 52http://www.lothar.com/tech/crypto/ 53 54S/Key Libraries: 55 56If you wish to use --with-skey then you will need the library below 57installed. No other S/Key library is currently known to be supported. 58 59http://www.sparc.spb.su/solaris/skey/ 60 61LibEdit: 62 63sftp supports command-line editing via NetBSD's libedit. If your platform 64has it available natively you can use that, alternatively you might try 65these multi-platform ports: 66 67http://www.thrysoee.dk/editline/ 68http://sourceforge.net/projects/libedit/ 69 70Autoconf: 71 72If you modify configure.ac or configure doesn't exist (eg if you checked 73the code out of CVS yourself) then you will need autoconf-2.60 to rebuild 74the automatically generated files by running "autoreconf". 75 76http://www.gnu.org/software/autoconf/ 77 78Basic Security Module (BSM): 79 80Native BSM support is know to exist in Solaris from at least 2.5.1, 81FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM 82implementation (http://www.openbsm.org). 83 84 852. Building / Installation 86-------------------------- 87 88To install OpenSSH with default options: 89 90./configure 91make 92make install 93 94This will install the OpenSSH binaries in /usr/local/bin, configuration files 95in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 96installation prefix, use the --prefix option to configure: 97 98./configure --prefix=/opt 99make 100make install 101 102Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 103specific paths, for example: 104 105./configure --prefix=/opt --sysconfdir=/etc/ssh 106make 107make install 108 109This will install the binaries in /opt/{bin,lib,sbin}, but will place the 110configuration files in /etc/ssh. 111 112If you are using Privilege Separation (which is enabled by default) 113then you will also need to create the user, group and directory used by 114sshd for privilege separation. See README.privsep for details. 115 116If you are using PAM, you may need to manually install a PAM control 117file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 118them). Note that the service name used to start PAM is __progname, 119which is the basename of the path of your sshd (e.g., the service name 120for /usr/sbin/osshd will be osshd). If you have renamed your sshd 121executable, your PAM configuration may need to be modified. 122 123A generic PAM configuration is included as "contrib/sshd.pam.generic", 124you may need to edit it before using it on your system. If you are 125using a recent version of Red Hat Linux, the config file in 126contrib/redhat/sshd.pam should be more useful. Failure to install a 127valid PAM file may result in an inability to use password 128authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 129configuration will work with sshd (sshd will match the other service 130name). 131 132There are a few other options to the configure script: 133 134--with-audit=[module] enable additional auditing via the specified module. 135Currently, drivers for "debug" (additional info via syslog) and "bsm" 136(Sun's Basic Security Module) are supported. 137 138--with-pam enables PAM support. If PAM support is compiled in, it must 139also be enabled in sshd_config (refer to the UsePAM directive). 140 141--with-prngd-socket=/some/file allows you to enable EGD or PRNGD 142support and to specify a PRNGd socket. Use this if your Unix lacks 143/dev/random and you don't want to use OpenSSH's builtin entropy 144collection support. 145 146--with-prngd-port=portnum allows you to enable EGD or PRNGD support 147and to specify a EGD localhost TCP port. Use this if your Unix lacks 148/dev/random and you don't want to use OpenSSH's builtin entropy 149collection support. 150 151--with-lastlog=FILE will specify the location of the lastlog file. 152./configure searches a few locations for lastlog, but may not find 153it if lastlog is installed in a different place. 154 155--without-lastlog will disable lastlog support entirely. 156 157--with-osfsia, --without-osfsia will enable or disable OSF1's Security 158Integration Architecture. The default for OSF1 machines is enable. 159 160--with-skey=PATH will enable S/Key one time password support. You will 161need the S/Key libraries and header files installed for this to work. 162 163--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) 164support. You will need libwrap.a and tcpd.h installed. 165 166--with-md5-passwords will enable the use of MD5 passwords. Enable this 167if your operating system uses MD5 passwords and the system crypt() does 168not support them directly (see the crypt(3/3c) man page). If enabled, the 169resulting binary will support both MD5 and traditional crypt passwords. 170 171--with-utmpx enables utmpx support. utmpx support is automatic for 172some platforms. 173 174--without-shadow disables shadow password support. 175 176--with-ipaddr-display forces the use of a numeric IP address in the 177$DISPLAY environment variable. Some broken systems need this. 178 179--with-default-path=PATH allows you to specify a default $PATH for sessions 180started by sshd. This replaces the standard path entirely. 181 182--with-pid-dir=PATH specifies the directory in which the ssh.pid file is 183created. 184 185--with-xauth=PATH specifies the location of the xauth binary 186 187--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries 188are installed. 189 190--with-ssl-engine enables OpenSSL's (hardware) ENGINE support 191 192--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 193real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 194 195--with-opensc=DIR 196--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to 197be used with OpenSSH. See 'README.smartcard' for more details. 198 199If you need to pass special options to the compiler or linker, you 200can specify these as environment variables before running ./configure. 201For example: 202 203CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 204 2053. Configuration 206---------------- 207 208The runtime configuration files are installed by in ${prefix}/etc or 209whatever you specified as your --sysconfdir (/usr/local/etc by default). 210 211The default configuration should be instantly usable, though you should 212review it to ensure that it matches your security requirements. 213 214To generate a host key, run "make host-key". Alternately you can do so 215manually using the following commands: 216 217 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" 218 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" 219 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" 220 221Replacing /etc/ssh with the correct path to the configuration directory. 222(${prefix}/etc or whatever you specified with --sysconfdir during 223configuration) 224 225If you have configured OpenSSH with EGD support, ensure that EGD is 226running and has collected some Entropy. 227 228For more information on configuration, please refer to the manual pages 229for sshd, ssh and ssh-agent. 230 2314. (Optional) Send survey 232------------------------- 233 234$ make survey 235[check the contents of the file "survey" to ensure there's no information 236that you consider sensitive] 237$ make send-survey 238 239This will send configuration information for the currently configured 240host to a survey address. This will help determine which configurations 241are actually in use, and what valid combinations of configure options 242exist. The raw data is available only to the OpenSSH developers, however 243summary data may be published. 244 2455. Problems? 246------------ 247 248If you experience problems compiling, installing or running OpenSSH. 249Please refer to the "reporting bugs" section of the webpage at 250http://www.openssh.com/ 251 252 253$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $ 254