xref: /freebsd/crypto/openssh/INSTALL (revision 47dd1d1b619cc035b82b49a91a25544309ff95ae)
11. Prerequisites
2----------------
3
4A C compiler.  Any C89 or better compiler should work.  Where supported,
5configure will attempt to enable the compiler's run-time integrity checking
6options.  Some notes about specific compilers:
7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
8  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
9
10You will need working installations of Zlib and libcrypto (LibreSSL /
11OpenSSL)
12
13Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
14http://www.gzip.org/zlib/
15
16libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
17LibreSSL http://www.libressl.org/ ; or
18OpenSSL http://www.openssl.org/
19
20LibreSSL/OpenSSL should be compiled as a position-independent library
21(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
22If you must use a non-position-independent libcrypto, then you may need
23to configure OpenSSH --without-pie.  Note that because of API changes,
24OpenSSL 1.1.x is not currently supported.
25
26The remaining items are optional.
27
28NB. If you operating system supports /dev/random, you should configure
29libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
30direct support of /dev/random, or failing that, either prngd or egd
31
32PRNGD:
33
34If your system lacks kernel-based random collection, the use of Lutz
35Jaenicke's PRNGd is recommended.
36
37http://prngd.sourceforge.net/
38
39EGD:
40
41If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
42supported only if libcrypto supports it.
43
44http://egd.sourceforge.net/
45
46PAM:
47
48OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
49system supports it. PAM is standard most Linux distributions, Solaris,
50HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
51
52Information about the various PAM implementations are available:
53
54Solaris PAM:	http://www.sun.com/software/solaris/pam/
55Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
56OpenPAM:	http://www.openpam.org/
57
58If you wish to build the GNOME passphrase requester, you will need the GNOME
59libraries and headers.
60
61GNOME:
62http://www.gnome.org/
63
64Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
65passphrase requester. This is maintained separately at:
66
67http://www.jmknoble.net/software/x11-ssh-askpass/
68
69TCP Wrappers:
70
71If you wish to use the TCP wrappers functionality you will need at least
72tcpd.h and libwrap.a, either in the standard include and library paths,
73or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
74known to work.
75
76http://ftp.porcupine.org/pub/security/index.html
77
78S/Key Libraries:
79
80If you wish to use --with-skey then you will need the library below
81installed.  No other S/Key library is currently known to be supported.
82
83http://www.sparc.spb.su/solaris/skey/
84
85LibEdit:
86
87sftp supports command-line editing via NetBSD's libedit.  If your platform
88has it available natively you can use that, alternatively you might try
89these multi-platform ports:
90
91http://www.thrysoee.dk/editline/
92http://sourceforge.net/projects/libedit/
93
94LDNS:
95
96LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
97
98http://nlnetlabs.nl/projects/ldns/
99
100Autoconf:
101
102If you modify configure.ac or configure doesn't exist (eg if you checked
103the code out of git yourself) then you will need autoconf-2.69 to rebuild
104the automatically generated files by running "autoreconf".  Earlier
105versions may also work but this is not guaranteed.
106
107http://www.gnu.org/software/autoconf/
108
109Basic Security Module (BSM):
110
111Native BSM support is known to exist in Solaris from at least 2.5.1,
112FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
113implementation (http://www.openbsm.org).
114
115makedepend:
116
117https://www.x.org/archive/individual/util/
118
119If you are making significant changes to the code you may need to rebuild
120the dependency (.depend) file using "make depend", which requires the
121"makedepend" tool from the X11 distribution.
122
1232. Building / Installation
124--------------------------
125
126To install OpenSSH with default options:
127
128./configure
129make
130make install
131
132This will install the OpenSSH binaries in /usr/local/bin, configuration files
133in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
134installation prefix, use the --prefix option to configure:
135
136./configure --prefix=/opt
137make
138make install
139
140Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
141specific paths, for example:
142
143./configure --prefix=/opt --sysconfdir=/etc/ssh
144make
145make install
146
147This will install the binaries in /opt/{bin,lib,sbin}, but will place the
148configuration files in /etc/ssh.
149
150If you are using Privilege Separation (which is enabled by default)
151then you will also need to create the user, group and directory used by
152sshd for privilege separation.  See README.privsep for details.
153
154If you are using PAM, you may need to manually install a PAM control
155file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
156them).  Note that the service name used to start PAM is __progname,
157which is the basename of the path of your sshd (e.g., the service name
158for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
159executable, your PAM configuration may need to be modified.
160
161A generic PAM configuration is included as "contrib/sshd.pam.generic",
162you may need to edit it before using it on your system. If you are
163using a recent version of Red Hat Linux, the config file in
164contrib/redhat/sshd.pam should be more useful.  Failure to install a
165valid PAM file may result in an inability to use password
166authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
167configuration will work with sshd (sshd will match the other service
168name).
169
170There are a few other options to the configure script:
171
172--with-audit=[module] enable additional auditing via the specified module.
173Currently, drivers for "debug" (additional info via syslog) and "bsm"
174(Sun's Basic Security Module) are supported.
175
176--with-pam enables PAM support. If PAM support is compiled in, it must
177also be enabled in sshd_config (refer to the UsePAM directive).
178
179--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
180support and to specify a PRNGd socket. Use this if your Unix lacks
181/dev/random.
182
183--with-prngd-port=portnum allows you to enable EGD or PRNGD support
184and to specify a EGD localhost TCP port. Use this if your Unix lacks
185/dev/random.
186
187--with-lastlog=FILE will specify the location of the lastlog file.
188./configure searches a few locations for lastlog, but may not find
189it if lastlog is installed in a different place.
190
191--without-lastlog will disable lastlog support entirely.
192
193--with-osfsia, --without-osfsia will enable or disable OSF1's Security
194Integration Architecture.  The default for OSF1 machines is enable.
195
196--with-skey=PATH will enable S/Key one time password support. You will
197need the S/Key libraries and header files installed for this to work.
198
199--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
200support.
201
202--with-md5-passwords will enable the use of MD5 passwords. Enable this
203if your operating system uses MD5 passwords and the system crypt() does
204not support them directly (see the crypt(3/3c) man page). If enabled, the
205resulting binary will support both MD5 and traditional crypt passwords.
206
207--with-utmpx enables utmpx support. utmpx support is automatic for
208some platforms.
209
210--without-shadow disables shadow password support.
211
212--with-ipaddr-display forces the use of a numeric IP address in the
213$DISPLAY environment variable. Some broken systems need this.
214
215--with-default-path=PATH allows you to specify a default $PATH for sessions
216started by sshd. This replaces the standard path entirely.
217
218--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
219created.
220
221--with-xauth=PATH specifies the location of the xauth binary
222
223--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
224libraries are installed.
225
226--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
227
228--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
229real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
230
231If you need to pass special options to the compiler or linker, you
232can specify these as environment variables before running ./configure.
233For example:
234
235CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
236
2373. Configuration
238----------------
239
240The runtime configuration files are installed by in ${prefix}/etc or
241whatever you specified as your --sysconfdir (/usr/local/etc by default).
242
243The default configuration should be instantly usable, though you should
244review it to ensure that it matches your security requirements.
245
246To generate a host key, run "make host-key". Alternately you can do so
247manually using the following commands:
248
249    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
250
251for each of the types you wish to generate (rsa, dsa or ecdsa) or
252
253    ssh-keygen -A
254
255to generate keys for all supported types.
256
257Replacing /etc/ssh with the correct path to the configuration directory.
258(${prefix}/etc or whatever you specified with --sysconfdir during
259configuration)
260
261If you have configured OpenSSH with EGD support, ensure that EGD is
262running and has collected some Entropy.
263
264For more information on configuration, please refer to the manual pages
265for sshd, ssh and ssh-agent.
266
2674. (Optional) Send survey
268-------------------------
269
270$ make survey
271[check the contents of the file "survey" to ensure there's no information
272that you consider sensitive]
273$ make send-survey
274
275This will send configuration information for the currently configured
276host to a survey address.  This will help determine which configurations
277are actually in use, and what valid combinations of configure options
278exist.  The raw data is available only to the OpenSSH developers, however
279summary data may be published.
280
2815. Problems?
282------------
283
284If you experience problems compiling, installing or running OpenSSH.
285Please refer to the "reporting bugs" section of the webpage at
286https://www.openssh.com/
287