1---------------- 2 3A C compiler. Any C89 or better compiler should work. Where supported, 4configure will attempt to enable the compiler's run-time integrity checking 5options. Some notes about specific compilers: 6 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime 7 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) 8 9You will need working installations of Zlib and libcrypto (LibreSSL / 10OpenSSL) 11 12Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): 13http://www.gzip.org/zlib/ 14 15libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0) 16LibreSSL http://www.libressl.org/ ; or 17OpenSSL http://www.openssl.org/ 18 19LibreSSL/OpenSSL should be compiled as a position-independent library 20(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. 21If you must use a non-position-independent libcrypto, then you may need 22to configure OpenSSH --without-pie. Note that because of API changes, 23OpenSSL 1.1.x is not currently supported. 24 25The remaining items are optional. 26 27NB. If you operating system supports /dev/random, you should configure 28libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's 29direct support of /dev/random, or failing that, either prngd or egd 30 31PRNGD: 32 33If your system lacks kernel-based random collection, the use of Lutz 34Jaenicke's PRNGd is recommended. 35 36http://prngd.sourceforge.net/ 37 38EGD: 39 40If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is 41supported only if libcrypto supports it. 42 43http://egd.sourceforge.net/ 44 45PAM: 46 47OpenSSH can utilise Pluggable Authentication Modules (PAM) if your 48system supports it. PAM is standard most Linux distributions, Solaris, 49HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. 50 51Information about the various PAM implementations are available: 52 53Solaris PAM: http://www.sun.com/software/solaris/pam/ 54Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ 55OpenPAM: http://www.openpam.org/ 56 57If you wish to build the GNOME passphrase requester, you will need the GNOME 58libraries and headers. 59 60GNOME: 61http://www.gnome.org/ 62 63Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 64passphrase requester. This is maintained separately at: 65 66http://www.jmknoble.net/software/x11-ssh-askpass/ 67 68TCP Wrappers: 69 70If you wish to use the TCP wrappers functionality you will need at least 71tcpd.h and libwrap.a, either in the standard include and library paths, 72or in the directory specified by --with-tcp-wrappers. Version 7.6 is 73known to work. 74 75http://ftp.porcupine.org/pub/security/index.html 76 77S/Key Libraries: 78 79If you wish to use --with-skey then you will need the library below 80installed. No other S/Key library is currently known to be supported. 81 82http://www.sparc.spb.su/solaris/skey/ 83 84LibEdit: 85 86sftp supports command-line editing via NetBSD's libedit. If your platform 87has it available natively you can use that, alternatively you might try 88these multi-platform ports: 89 90http://www.thrysoee.dk/editline/ 91http://sourceforge.net/projects/libedit/ 92 93LDNS: 94 95LDNS is a DNS BSD-licensed resolver library which supports DNSSEC. 96 97http://nlnetlabs.nl/projects/ldns/ 98 99Autoconf: 100 101If you modify configure.ac or configure doesn't exist (eg if you checked 102the code out of CVS yourself) then you will need autoconf-2.69 to rebuild 103the automatically generated files by running "autoreconf". Earlier 104versions may also work but this is not guaranteed. 105 106http://www.gnu.org/software/autoconf/ 107 108Basic Security Module (BSM): 109 110Native BSM support is know to exist in Solaris from at least 2.5.1, 111FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM 112implementation (http://www.openbsm.org). 113 114 1152. Building / Installation 116-------------------------- 117 118To install OpenSSH with default options: 119 120./configure 121make 122make install 123 124This will install the OpenSSH binaries in /usr/local/bin, configuration files 125in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 126installation prefix, use the --prefix option to configure: 127 128./configure --prefix=/opt 129make 130make install 131 132Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 133specific paths, for example: 134 135./configure --prefix=/opt --sysconfdir=/etc/ssh 136make 137make install 138 139This will install the binaries in /opt/{bin,lib,sbin}, but will place the 140configuration files in /etc/ssh. 141 142If you are using Privilege Separation (which is enabled by default) 143then you will also need to create the user, group and directory used by 144sshd for privilege separation. See README.privsep for details. 145 146If you are using PAM, you may need to manually install a PAM control 147file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 148them). Note that the service name used to start PAM is __progname, 149which is the basename of the path of your sshd (e.g., the service name 150for /usr/sbin/osshd will be osshd). If you have renamed your sshd 151executable, your PAM configuration may need to be modified. 152 153A generic PAM configuration is included as "contrib/sshd.pam.generic", 154you may need to edit it before using it on your system. If you are 155using a recent version of Red Hat Linux, the config file in 156contrib/redhat/sshd.pam should be more useful. Failure to install a 157valid PAM file may result in an inability to use password 158authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 159configuration will work with sshd (sshd will match the other service 160name). 161 162There are a few other options to the configure script: 163 164--with-audit=[module] enable additional auditing via the specified module. 165Currently, drivers for "debug" (additional info via syslog) and "bsm" 166(Sun's Basic Security Module) are supported. 167 168--with-pam enables PAM support. If PAM support is compiled in, it must 169also be enabled in sshd_config (refer to the UsePAM directive). 170 171--with-prngd-socket=/some/file allows you to enable EGD or PRNGD 172support and to specify a PRNGd socket. Use this if your Unix lacks 173/dev/random and you don't want to use OpenSSH's builtin entropy 174collection support. 175 176--with-prngd-port=portnum allows you to enable EGD or PRNGD support 177and to specify a EGD localhost TCP port. Use this if your Unix lacks 178/dev/random and you don't want to use OpenSSH's builtin entropy 179collection support. 180 181--with-lastlog=FILE will specify the location of the lastlog file. 182./configure searches a few locations for lastlog, but may not find 183it if lastlog is installed in a different place. 184 185--without-lastlog will disable lastlog support entirely. 186 187--with-osfsia, --without-osfsia will enable or disable OSF1's Security 188Integration Architecture. The default for OSF1 machines is enable. 189 190--with-skey=PATH will enable S/Key one time password support. You will 191need the S/Key libraries and header files installed for this to work. 192 193--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) 194support. 195 196--with-md5-passwords will enable the use of MD5 passwords. Enable this 197if your operating system uses MD5 passwords and the system crypt() does 198not support them directly (see the crypt(3/3c) man page). If enabled, the 199resulting binary will support both MD5 and traditional crypt passwords. 200 201--with-utmpx enables utmpx support. utmpx support is automatic for 202some platforms. 203 204--without-shadow disables shadow password support. 205 206--with-ipaddr-display forces the use of a numeric IP address in the 207$DISPLAY environment variable. Some broken systems need this. 208 209--with-default-path=PATH allows you to specify a default $PATH for sessions 210started by sshd. This replaces the standard path entirely. 211 212--with-pid-dir=PATH specifies the directory in which the sshd.pid file is 213created. 214 215--with-xauth=PATH specifies the location of the xauth binary 216 217--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL 218libraries 219are installed. 220 221--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support 222 223--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 224real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 225 226If you need to pass special options to the compiler or linker, you 227can specify these as environment variables before running ./configure. 228For example: 229 230CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 231 2323. Configuration 233---------------- 234 235The runtime configuration files are installed by in ${prefix}/etc or 236whatever you specified as your --sysconfdir (/usr/local/etc by default). 237 238The default configuration should be instantly usable, though you should 239review it to ensure that it matches your security requirements. 240 241To generate a host key, run "make host-key". Alternately you can do so 242manually using the following commands: 243 244 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" 245 246for each of the types you wish to generate (rsa, dsa or ecdsaa) or 247 248 ssh-keygen -A 249 250to generate keys for all supported types. 251 252Replacing /etc/ssh with the correct path to the configuration directory. 253(${prefix}/etc or whatever you specified with --sysconfdir during 254configuration) 255 256If you have configured OpenSSH with EGD support, ensure that EGD is 257running and has collected some Entropy. 258 259For more information on configuration, please refer to the manual pages 260for sshd, ssh and ssh-agent. 261 2624. (Optional) Send survey 263------------------------- 264 265$ make survey 266[check the contents of the file "survey" to ensure there's no information 267that you consider sensitive] 268$ make send-survey 269 270This will send configuration information for the currently configured 271host to a survey address. This will help determine which configurations 272are actually in use, and what valid combinations of configure options 273exist. The raw data is available only to the OpenSSH developers, however 274summary data may be published. 275 2765. Problems? 277------------ 278 279If you experience problems compiling, installing or running OpenSSH. 280Please refer to the "reporting bugs" section of the webpage at 281https://www.openssh.com/ 282