1. Prerequisites
----------------

A C compiler. Any C89 or better compiler that supports variadic macros
should work. Where supported, configure will attempt to enable the
compiler's run-time integrity checking options. Some notes about
specific compilers:
 - clang: -ftrapv and -fsanitize=integer require the compiler-rt runtime
   (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)

To support Privilege Separation (which is now required) you will need
to create the user, group and directory used by sshd for privilege
separation. See README.privsep for details.


The remaining items are optional.

A working installation of zlib:
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
https://zlib.net/

libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
is supported but severely restricts the available ciphers and algorithms.
 - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
 - OpenSSL (https://www.openssl.org) 1.1.1 or greater

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. -fPIC, e.g. by configuring OpenSSL as "./config [options] -fPIC"
or LibreSSL as "CFLAGS=-fPIC ./configure"), otherwise OpenSSH will not
be able to link with it. If you must use a non-position-independent
libcrypto, then you may need to configure OpenSSH --without-pie.

If you build either from source, running the OpenSSL self-test ("make
tests") or the LibreSSL equivalent ("make check") and ensuring that all
tests pass is strongly recommended.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
to support it.

http://prngd.sourceforge.net/

EGD:

The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
It is also supported only if libcrypto is configured to support it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

TCP Wrappers:

If you wish to use the TCP wrappers functionality you will need at least
tcpd.h and libwrap.a, either in the standard include and library paths,
or in the directory specified by --with-tcp-wrappers. Version 7.6 is
known to work.

http://ftp.porcupine.org/pub/security/index.html

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of git yourself) then you will need autoconf-2.69 and
automake-1.16.1 to rebuild the automatically generated files by running
"autoreconf".
Earlier versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/
http://www.gnu.org/software/automake/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).

makedepend:

https://www.x.org/archive/individual/util/

If you are making significant changes to the code you may need to rebuild
the dependency (.depend) file using "make depend", which requires the
"makedepend" tool from the X11 distribution.

libfido2:

libfido2 allows the use of hardware security keys over USB. libfido2
in turn depends on libcbor. libfido2 >= 1.5.0 is strongly recommended.
Limited functionality is possible with earlier libfido2 versions.

https://github.com/Yubico/libfido2
https://github.com/pjk/libcbor


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them).
Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--without-openssl builds without using OpenSSL. Only a subset of ciphers
and algorithms are supported in this configuration.

--without-zlib builds without zlib. This disables the Compression option.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key".
Alternately you can do so manually using the following commands:

    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""

for each of the types you wish to generate (rsa, dsa or ecdsa) or

    ssh-keygen -A

to generate keys for all supported types.

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
prngd is running and has collected some entropy first.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
https://www.openssh.com/
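As an added post-installation sanity check (example code, not part of the OpenSSH distribution), the following POSIX sh functions put two of the rules above into code: the PAM service-name rule from section 2 (the control file under /etc/pam.d must be named after the basename of the sshd binary, so a renamed sshd such as osshd needs its own file, or password authentication may stop working) and the per-type host key generation from section 3, done so that an existing key is never overwritten on a rerun. The ssh_host_<type>_key file naming is assumed to match what "ssh-keygen -A" produces; the function names and the key-type list (rsa, dsa, ecdsa, taken from section 3) are the example's own.

```shell
#!/bin/sh
# Added example; not part of OpenSSH.  Assumes host keys are stored as
# <confdir>/ssh_host_<type>_key, the naming "ssh-keygen -A" uses.

# The PAM service name sshd uses is __progname, i.e. the basename of the
# path sshd was started from (/usr/sbin/osshd -> osshd).
pam_service_name() {
    basename "$1"
}

# Return 0 if a PAM control file exists for the sshd binary at $1 in the
# pam.d directory $2 (default /etc/pam.d), 1 otherwise.  A renamed sshd
# needs a control file under its own name, not "sshd".
pam_control_present() {
    sshd_path=$1
    pam_dir=${2:-/etc/pam.d}
    svc=$(pam_service_name "$sshd_path")
    [ -f "$pam_dir/$svc" ]
}

# Print, one per line, the key types (the rsa/dsa/ecdsa list from section 3)
# that have no host key under the configuration directory $1
# (/etc/ssh, ${prefix}/etc, or whatever --sysconfdir was).
missing_host_keys() {
    confdir=$1
    for t in rsa dsa ecdsa; do
        [ -f "$confdir/ssh_host_${t}_key" ] || printf '%s\n' "$t"
    done
}

# Generate only the missing keys with an empty passphrase (-N ""), as the
# manual command in section 3 does, leaving deployed keys untouched.
# The first ssh-keygen failure stops the loop and returns non-zero.
generate_missing_host_keys() {
    confdir=$1
    for t in $(missing_host_keys "$confdir"); do
        ssh-keygen -q -t "$t" -f "$confdir/ssh_host_${t}_key" -N "" || return 1
    done
}
```

Typical use after "make install" is `pam_control_present /usr/local/sbin/sshd || echo "install contrib/sshd.pam.generic as /etc/pam.d/sshd"` followed by `generate_missing_host_keys /usr/local/etc`; the generation step is deliberately separate from the check so the missing-key report can be reviewed first.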