xref: /freebsd/crypto/openssh/INSTALL (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
11. Prerequisites
2----------------
3
4You will need working installations of Zlib and OpenSSL.
5
6Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
7http://www.gzip.org/zlib/
8
9OpenSSL 0.9.6 or greater:
10http://www.openssl.org/
11
12(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
13Blowfish) do not work correctly.)
14
15The remaining items are optional.
16
17OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
18supports it. PAM is standard on Redhat and Debian Linux, Solaris and
19HP-UX 11.
20
21NB. If you operating system supports /dev/random, you should configure
22OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
23/dev/random. If you don't you will have to rely on ssh-rand-helper, which
24is inferior to a good kernel-based solution.
25
26PAM:
27http://www.kernel.org/pub/linux/libs/pam/
28
29If you wish to build the GNOME passphrase requester, you will need the GNOME
30libraries and headers.
31
32GNOME:
33http://www.gnome.org/
34
35Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
36passphrase requester. This is maintained separately at:
37
38http://www.jmknoble.net/software/x11-ssh-askpass/
39
40PRNGD:
41
42If your system lacks Kernel based random collection, the use of Lutz
43Jaenicke's PRNGd is recommended.
44
45http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
46
47EGD:
48
49The Entropy Gathering Daemon (EGD) is supported if you have a system which
50lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
51
52http://www.lothar.com/tech/crypto/
53
54S/Key Libraries:
55
56If you wish to use --with-skey then you will need the library below
57installed.  No other S/Key library is currently known to be supported.
58
59http://www.sparc.spb.su/solaris/skey/
60
61LibEdit:
62
63sftp supports command-line editing via NetBSD's libedit.  If your platform
64has it available natively you can use that, alternatively you might try
65these multi-platform ports:
66
67http://www.thrysoee.dk/editline/
68http://sourceforge.net/projects/libedit/
69
70Autoconf:
71
72If you modify configure.ac or configure doesn't exist (eg if you checked
73the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
74the automatically generated files by running "autoreconf".
75
76http://www.gnu.org/software/autoconf/
77
78Basic Security Module (BSM):
79
80Native BSM support is know to exist in Solaris from at least 2.5.1,
81FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
82implementation (http://www.openbsm.org).
83
84
852. Building / Installation
86--------------------------
87
88To install OpenSSH with default options:
89
90./configure
91make
92make install
93
94This will install the OpenSSH binaries in /usr/local/bin, configuration files
95in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
96installation prefix, use the --prefix option to configure:
97
98./configure --prefix=/opt
99make
100make install
101
102Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
103specific paths, for example:
104
105./configure --prefix=/opt --sysconfdir=/etc/ssh
106make
107make install
108
109This will install the binaries in /opt/{bin,lib,sbin}, but will place the
110configuration files in /etc/ssh.
111
112If you are using Privilege Separation (which is enabled by default)
113then you will also need to create the user, group and directory used by
114sshd for privilege separation.  See README.privsep for details.
115
116If you are using PAM, you may need to manually install a PAM control
117file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
118them).  Note that the service name used to start PAM is __progname,
119which is the basename of the path of your sshd (e.g., the service name
120for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
121executable, your PAM configuration may need to be modified.
122
123A generic PAM configuration is included as "contrib/sshd.pam.generic",
124you may need to edit it before using it on your system. If you are
125using a recent version of Red Hat Linux, the config file in
126contrib/redhat/sshd.pam should be more useful.  Failure to install a
127valid PAM file may result in an inability to use password
128authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
129configuration will work with sshd (sshd will match the other service
130name).
131
132There are a few other options to the configure script:
133
134--with-audit=[module] enable additional auditing via the specified module.
135Currently, drivers for "debug" (additional info via syslog) and "bsm"
136(Sun's Basic Security Module) are supported.
137
138--with-pam enables PAM support. If PAM support is compiled in, it must
139also be enabled in sshd_config (refer to the UsePAM directive).
140
141--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
142support and to specify a PRNGd socket. Use this if your Unix lacks
143/dev/random and you don't want to use OpenSSH's builtin entropy
144collection support.
145
146--with-prngd-port=portnum allows you to enable EGD or PRNGD support
147and to specify a EGD localhost TCP port. Use this if your Unix lacks
148/dev/random and you don't want to use OpenSSH's builtin entropy
149collection support.
150
151--with-lastlog=FILE will specify the location of the lastlog file.
152./configure searches a few locations for lastlog, but may not find
153it if lastlog is installed in a different place.
154
155--without-lastlog will disable lastlog support entirely.
156
157--with-osfsia, --without-osfsia will enable or disable OSF1's Security
158Integration Architecture.  The default for OSF1 machines is enable.
159
160--with-skey=PATH will enable S/Key one time password support. You will
161need the S/Key libraries and header files installed for this to work.
162
163--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
164support. You will need libwrap.a and tcpd.h installed.
165
166--with-md5-passwords will enable the use of MD5 passwords. Enable this
167if your operating system uses MD5 passwords and the system crypt() does
168not support them directly (see the crypt(3/3c) man page). If enabled, the
169resulting binary will support both MD5 and traditional crypt passwords.
170
171--with-utmpx enables utmpx support. utmpx support is automatic for
172some platforms.
173
174--without-shadow disables shadow password support.
175
176--with-ipaddr-display forces the use of a numeric IP address in the
177$DISPLAY environment variable. Some broken systems need this.
178
179--with-default-path=PATH allows you to specify a default $PATH for sessions
180started by sshd. This replaces the standard path entirely.
181
182--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
183created.
184
185--with-xauth=PATH specifies the location of the xauth binary
186
187--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
188are installed.
189
190--with-ssl-engine enables OpenSSL's (hardware) ENGINE support
191
192--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
193real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
194
195--with-opensc=DIR
196--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
197be used with OpenSSH.  See 'README.smartcard' for more details.
198
199If you need to pass special options to the compiler or linker, you
200can specify these as environment variables before running ./configure.
201For example:
202
203CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
204
2053. Configuration
206----------------
207
208The runtime configuration files are installed by in ${prefix}/etc or
209whatever you specified as your --sysconfdir (/usr/local/etc by default).
210
211The default configuration should be instantly usable, though you should
212review it to ensure that it matches your security requirements.
213
214To generate a host key, run "make host-key". Alternately you can do so
215manually using the following commands:
216
217    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
218    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
219    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
220
221Replacing /etc/ssh with the correct path to the configuration directory.
222(${prefix}/etc or whatever you specified with --sysconfdir during
223configuration)
224
225If you have configured OpenSSH with EGD support, ensure that EGD is
226running and has collected some Entropy.
227
228For more information on configuration, please refer to the manual pages
229for sshd, ssh and ssh-agent.
230
2314. (Optional) Send survey
232-------------------------
233
234$ make survey
235[check the contents of the file "survey" to ensure there's no information
236that you consider sensitive]
237$ make send-survey
238
239This will send configuration information for the currently configured
240host to a survey address.  This will help determine which configurations
241are actually in use, and what valid combinations of configure options
242exist.  The raw data is available only to the OpenSSH developers, however
243summary data may be published.
244
2455. Problems?
246------------
247
248If you experience problems compiling, installing or running OpenSSH.
249Please refer to the "reporting bugs" section of the webpage at
250http://www.openssh.com/
251
252
253$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $
254