1. Prerequisites
----------------

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL).

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie.

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester.
This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc.
To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is to enable it.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address.
This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers; however,
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
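
Added example (not part of the OpenSSH distribution), for the PAM note in
section 2: it derives the PAM service name from the sshd path and reports
where a policy for that name would come from, so a renamed sshd without a
matching control file is caught before password authentication fails. The
function names, the /etc/pam.d and /etc/pam.conf defaults and the sample
policy lines are assumptions; only the two cases named in section 2 are
modelled.

```shell
#!/bin/sh
# Service name sshd hands to PAM: the basename of its own path (__progname).
pam_service_name() {
    printf '%s\n' "${1##*/}"
}

# pam_policy_source SSHD_PATH [PAM_D_DIR] [PAM_CONF]   (hypothetical helper)
# Prints one of:
#   file:<path>     per-service control file exists
#   conf:<service>  pam.conf has entries for this service name
#   conf:other      only the "other" fallback in pam.conf would match
#   missing         no policy found; password authentication may not work
pam_policy_source() {
    svc=$(pam_service_name "$1")
    pam_d=${2:-/etc/pam.d}       # assumed default location
    pam_conf=${3:-/etc/pam.conf} # assumed default location
    if [ -f "$pam_d/$svc" ]; then
        echo "file:$pam_d/$svc"
    elif [ -f "$pam_conf" ] &&
         awk -v s="$svc" '$1 == s {f=1} END {exit !f}' "$pam_conf"; then
        echo "conf:$svc"
    elif [ -f "$pam_conf" ] &&
         awk '$1 == "other" {f=1} END {exit !f}' "$pam_conf"; then
        echo "conf:other"
    else
        echo "missing"
    fi
}

# Constructed demo: a pam.d directory that only has a policy named "sshd".
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf 'auth required pam_unix.so\n' > "$demo/pam.d/sshd"   # constructed line
for bin in /usr/sbin/sshd /usr/sbin/osshd; do
    printf '%s -> %s\n' "$bin" \
        "$(pam_policy_source "$bin" "$demo/pam.d" "$demo/pam.conf")"
done
rm -rf "$demo"
```

Run pam_policy_source with only the sshd path to check the live system paths.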