xref: /freebsd/crypto/openssh/INSTALL (revision 4657548d18877f64bd02be888406aa5b02bf9b06)
1----------------
2
3A C compiler.  Any C89 or better compiler should work.  Where supported,
4configure will attempt to enable the compiler's run-time integrity checking
5options.  Some notes about specific compilers:
6 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
7  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
8
9You will need working installations of Zlib and libcrypto (LibreSSL /
10OpenSSL)
11
12Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
13http://www.gzip.org/zlib/
14
15libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
16LibreSSL http://www.libressl.org/ ; or
17OpenSSL http://www.openssl.org/
18
19LibreSSL/OpenSSL should be compiled as a position-independent library
20(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
21If you must use a non-position-independent libcrypto, then you may need
22to configure OpenSSH --without-pie.  Note that because of API changes,
23OpenSSL 1.1.x is not currently supported.
24
25The remaining items are optional.
26
27NB. If you operating system supports /dev/random, you should configure
28libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
29direct support of /dev/random, or failing that, either prngd or egd
30
31PRNGD:
32
33If your system lacks kernel-based random collection, the use of Lutz
34Jaenicke's PRNGd is recommended.
35
36http://prngd.sourceforge.net/
37
38EGD:
39
40If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
41supported only if libcrypto supports it.
42
43http://egd.sourceforge.net/
44
45PAM:
46
47OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
48system supports it. PAM is standard most Linux distributions, Solaris,
49HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
50
51Information about the various PAM implementations are available:
52
53Solaris PAM:	http://www.sun.com/software/solaris/pam/
54Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
55OpenPAM:	http://www.openpam.org/
56
57If you wish to build the GNOME passphrase requester, you will need the GNOME
58libraries and headers.
59
60GNOME:
61http://www.gnome.org/
62
63Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
64passphrase requester. This is maintained separately at:
65
66http://www.jmknoble.net/software/x11-ssh-askpass/
67
68TCP Wrappers:
69
70If you wish to use the TCP wrappers functionality you will need at least
71tcpd.h and libwrap.a, either in the standard include and library paths,
72or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
73known to work.
74
75http://ftp.porcupine.org/pub/security/index.html
76
77S/Key Libraries:
78
79If you wish to use --with-skey then you will need the library below
80installed.  No other S/Key library is currently known to be supported.
81
82http://www.sparc.spb.su/solaris/skey/
83
84LibEdit:
85
86sftp supports command-line editing via NetBSD's libedit.  If your platform
87has it available natively you can use that, alternatively you might try
88these multi-platform ports:
89
90http://www.thrysoee.dk/editline/
91http://sourceforge.net/projects/libedit/
92
93LDNS:
94
95LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
96
97http://nlnetlabs.nl/projects/ldns/
98
99Autoconf:
100
101If you modify configure.ac or configure doesn't exist (eg if you checked
102the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
103the automatically generated files by running "autoreconf".  Earlier
104versions may also work but this is not guaranteed.
105
106http://www.gnu.org/software/autoconf/
107
108Basic Security Module (BSM):
109
110Native BSM support is know to exist in Solaris from at least 2.5.1,
111FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
112implementation (http://www.openbsm.org).
113
114
1152. Building / Installation
116--------------------------
117
118To install OpenSSH with default options:
119
120./configure
121make
122make install
123
124This will install the OpenSSH binaries in /usr/local/bin, configuration files
125in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
126installation prefix, use the --prefix option to configure:
127
128./configure --prefix=/opt
129make
130make install
131
132Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
133specific paths, for example:
134
135./configure --prefix=/opt --sysconfdir=/etc/ssh
136make
137make install
138
139This will install the binaries in /opt/{bin,lib,sbin}, but will place the
140configuration files in /etc/ssh.
141
142If you are using Privilege Separation (which is enabled by default)
143then you will also need to create the user, group and directory used by
144sshd for privilege separation.  See README.privsep for details.
145
146If you are using PAM, you may need to manually install a PAM control
147file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
148them).  Note that the service name used to start PAM is __progname,
149which is the basename of the path of your sshd (e.g., the service name
150for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
151executable, your PAM configuration may need to be modified.
152
153A generic PAM configuration is included as "contrib/sshd.pam.generic",
154you may need to edit it before using it on your system. If you are
155using a recent version of Red Hat Linux, the config file in
156contrib/redhat/sshd.pam should be more useful.  Failure to install a
157valid PAM file may result in an inability to use password
158authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
159configuration will work with sshd (sshd will match the other service
160name).
161
162There are a few other options to the configure script:
163
164--with-audit=[module] enable additional auditing via the specified module.
165Currently, drivers for "debug" (additional info via syslog) and "bsm"
166(Sun's Basic Security Module) are supported.
167
168--with-pam enables PAM support. If PAM support is compiled in, it must
169also be enabled in sshd_config (refer to the UsePAM directive).
170
171--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
172support and to specify a PRNGd socket. Use this if your Unix lacks
173/dev/random and you don't want to use OpenSSH's builtin entropy
174collection support.
175
176--with-prngd-port=portnum allows you to enable EGD or PRNGD support
177and to specify a EGD localhost TCP port. Use this if your Unix lacks
178/dev/random and you don't want to use OpenSSH's builtin entropy
179collection support.
180
181--with-lastlog=FILE will specify the location of the lastlog file.
182./configure searches a few locations for lastlog, but may not find
183it if lastlog is installed in a different place.
184
185--without-lastlog will disable lastlog support entirely.
186
187--with-osfsia, --without-osfsia will enable or disable OSF1's Security
188Integration Architecture.  The default for OSF1 machines is enable.
189
190--with-skey=PATH will enable S/Key one time password support. You will
191need the S/Key libraries and header files installed for this to work.
192
193--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
194support.
195
196--with-md5-passwords will enable the use of MD5 passwords. Enable this
197if your operating system uses MD5 passwords and the system crypt() does
198not support them directly (see the crypt(3/3c) man page). If enabled, the
199resulting binary will support both MD5 and traditional crypt passwords.
200
201--with-utmpx enables utmpx support. utmpx support is automatic for
202some platforms.
203
204--without-shadow disables shadow password support.
205
206--with-ipaddr-display forces the use of a numeric IP address in the
207$DISPLAY environment variable. Some broken systems need this.
208
209--with-default-path=PATH allows you to specify a default $PATH for sessions
210started by sshd. This replaces the standard path entirely.
211
212--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
213created.
214
215--with-xauth=PATH specifies the location of the xauth binary
216
217--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
218libraries
219are installed.
220
221--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
222
223--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
224real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
225
226If you need to pass special options to the compiler or linker, you
227can specify these as environment variables before running ./configure.
228For example:
229
230CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
231
2323. Configuration
233----------------
234
235The runtime configuration files are installed by in ${prefix}/etc or
236whatever you specified as your --sysconfdir (/usr/local/etc by default).
237
238The default configuration should be instantly usable, though you should
239review it to ensure that it matches your security requirements.
240
241To generate a host key, run "make host-key". Alternately you can do so
242manually using the following commands:
243
244    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
245
246for each of the types you wish to generate (rsa, dsa or ecdsaa) or
247
248    ssh-keygen -A
249
250to generate keys for all supported types.
251
252Replacing /etc/ssh with the correct path to the configuration directory.
253(${prefix}/etc or whatever you specified with --sysconfdir during
254configuration)
255
256If you have configured OpenSSH with EGD support, ensure that EGD is
257running and has collected some Entropy.
258
259For more information on configuration, please refer to the manual pages
260for sshd, ssh and ssh-agent.
261
2624. (Optional) Send survey
263-------------------------
264
265$ make survey
266[check the contents of the file "survey" to ensure there's no information
267that you consider sensitive]
268$ make send-survey
269
270This will send configuration information for the currently configured
271host to a survey address.  This will help determine which configurations
272are actually in use, and what valid combinations of configure options
273exist.  The raw data is available only to the OpenSSH developers, however
274summary data may be published.
275
2765. Problems?
277------------
278
279If you experience problems compiling, installing or running OpenSSH.
280Please refer to the "reporting bugs" section of the webpage at
281https://www.openssh.com/
282