11. Prerequisites 2---------------- 3 4A C compiler. Any C89 or better compiler should work. Where supported, 5configure will attempt to enable the compiler's run-time integrity checking 6options. Some notes about specific compilers: 7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime 8 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) 9 10You will need working installations of Zlib and libcrypto (LibreSSL / 11OpenSSL) 12 13Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): 14http://www.gzip.org/zlib/ 15 16libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0) 17LibreSSL http://www.libressl.org/ ; or 18OpenSSL http://www.openssl.org/ 19 20LibreSSL/OpenSSL should be compiled as a position-independent library 21(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. 22If you must use a non-position-independent libcrypto, then you may need 23to configure OpenSSH --without-pie. Note that because of API changes, 24OpenSSL 1.1.x is not currently supported. 25 26The remaining items are optional. 27 28NB. If you operating system supports /dev/random, you should configure 29libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's 30direct support of /dev/random, or failing that, either prngd or egd 31 32PRNGD: 33 34If your system lacks kernel-based random collection, the use of Lutz 35Jaenicke's PRNGd is recommended. 36 37http://prngd.sourceforge.net/ 38 39EGD: 40 41If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is 42supported only if libcrypto supports it. 43 44http://egd.sourceforge.net/ 45 46PAM: 47 48OpenSSH can utilise Pluggable Authentication Modules (PAM) if your 49system supports it. PAM is standard most Linux distributions, Solaris, 50HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. 51 52Information about the various PAM implementations are available: 53 54Solaris PAM: http://www.sun.com/software/solaris/pam/ 55Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ 56OpenPAM: http://www.openpam.org/ 57 58If you wish to build the GNOME passphrase requester, you will need the GNOME 59libraries and headers. 60 61GNOME: 62http://www.gnome.org/ 63 64Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 65passphrase requester. This is maintained separately at: 66 67http://www.jmknoble.net/software/x11-ssh-askpass/ 68 69TCP Wrappers: 70 71If you wish to use the TCP wrappers functionality you will need at least 72tcpd.h and libwrap.a, either in the standard include and library paths, 73or in the directory specified by --with-tcp-wrappers. Version 7.6 is 74known to work. 75 76http://ftp.porcupine.org/pub/security/index.html 77 78LibEdit: 79 80sftp supports command-line editing via NetBSD's libedit. If your platform 81has it available natively you can use that, alternatively you might try 82these multi-platform ports: 83 84http://www.thrysoee.dk/editline/ 85http://sourceforge.net/projects/libedit/ 86 87LDNS: 88 89LDNS is a DNS BSD-licensed resolver library which supports DNSSEC. 90 91http://nlnetlabs.nl/projects/ldns/ 92 93Autoconf: 94 95If you modify configure.ac or configure doesn't exist (eg if you checked 96the code out of git yourself) then you will need autoconf-2.69 to rebuild 97the automatically generated files by running "autoreconf". Earlier 98versions may also work but this is not guaranteed. 99 100http://www.gnu.org/software/autoconf/ 101 102Basic Security Module (BSM): 103 104Native BSM support is known to exist in Solaris from at least 2.5.1, 105FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM 106implementation (http://www.openbsm.org). 107 108makedepend: 109 110https://www.x.org/archive/individual/util/ 111 112If you are making significant changes to the code you may need to rebuild 113the dependency (.depend) file using "make depend", which requires the 114"makedepend" tool from the X11 distribution. 115 1162. Building / Installation 117-------------------------- 118 119To install OpenSSH with default options: 120 121./configure 122make 123make install 124 125This will install the OpenSSH binaries in /usr/local/bin, configuration files 126in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 127installation prefix, use the --prefix option to configure: 128 129./configure --prefix=/opt 130make 131make install 132 133Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 134specific paths, for example: 135 136./configure --prefix=/opt --sysconfdir=/etc/ssh 137make 138make install 139 140This will install the binaries in /opt/{bin,lib,sbin}, but will place the 141configuration files in /etc/ssh. 142 143If you are using Privilege Separation (which is enabled by default) 144then you will also need to create the user, group and directory used by 145sshd for privilege separation. See README.privsep for details. 146 147If you are using PAM, you may need to manually install a PAM control 148file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 149them). Note that the service name used to start PAM is __progname, 150which is the basename of the path of your sshd (e.g., the service name 151for /usr/sbin/osshd will be osshd). If you have renamed your sshd 152executable, your PAM configuration may need to be modified. 153 154A generic PAM configuration is included as "contrib/sshd.pam.generic", 155you may need to edit it before using it on your system. If you are 156using a recent version of Red Hat Linux, the config file in 157contrib/redhat/sshd.pam should be more useful. Failure to install a 158valid PAM file may result in an inability to use password 159authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 160configuration will work with sshd (sshd will match the other service 161name). 162 163There are a few other options to the configure script: 164 165--with-audit=[module] enable additional auditing via the specified module. 166Currently, drivers for "debug" (additional info via syslog) and "bsm" 167(Sun's Basic Security Module) are supported. 168 169--with-pam enables PAM support. If PAM support is compiled in, it must 170also be enabled in sshd_config (refer to the UsePAM directive). 171 172--with-prngd-socket=/some/file allows you to enable EGD or PRNGD 173support and to specify a PRNGd socket. Use this if your Unix lacks 174/dev/random. 175 176--with-prngd-port=portnum allows you to enable EGD or PRNGD support 177and to specify a EGD localhost TCP port. Use this if your Unix lacks 178/dev/random. 179 180--with-lastlog=FILE will specify the location of the lastlog file. 181./configure searches a few locations for lastlog, but may not find 182it if lastlog is installed in a different place. 183 184--without-lastlog will disable lastlog support entirely. 185 186--with-osfsia, --without-osfsia will enable or disable OSF1's Security 187Integration Architecture. The default for OSF1 machines is enable. 188 189--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) 190support. 191 192--with-md5-passwords will enable the use of MD5 passwords. Enable this 193if your operating system uses MD5 passwords and the system crypt() does 194not support them directly (see the crypt(3/3c) man page). If enabled, the 195resulting binary will support both MD5 and traditional crypt passwords. 196 197--with-utmpx enables utmpx support. utmpx support is automatic for 198some platforms. 199 200--without-shadow disables shadow password support. 201 202--with-ipaddr-display forces the use of a numeric IP address in the 203$DISPLAY environment variable. Some broken systems need this. 204 205--with-default-path=PATH allows you to specify a default $PATH for sessions 206started by sshd. This replaces the standard path entirely. 207 208--with-pid-dir=PATH specifies the directory in which the sshd.pid file is 209created. 210 211--with-xauth=PATH specifies the location of the xauth binary 212 213--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL 214libraries are installed. 215 216--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support 217 218--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 219real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 220 221If you need to pass special options to the compiler or linker, you 222can specify these as environment variables before running ./configure. 223For example: 224 225CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure 226 2273. Configuration 228---------------- 229 230The runtime configuration files are installed by in ${prefix}/etc or 231whatever you specified as your --sysconfdir (/usr/local/etc by default). 232 233The default configuration should be instantly usable, though you should 234review it to ensure that it matches your security requirements. 235 236To generate a host key, run "make host-key". Alternately you can do so 237manually using the following commands: 238 239 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" 240 241for each of the types you wish to generate (rsa, dsa or ecdsa) or 242 243 ssh-keygen -A 244 245to generate keys for all supported types. 246 247Replacing /etc/ssh with the correct path to the configuration directory. 248(${prefix}/etc or whatever you specified with --sysconfdir during 249configuration) 250 251If you have configured OpenSSH with EGD support, ensure that EGD is 252running and has collected some Entropy. 253 254For more information on configuration, please refer to the manual pages 255for sshd, ssh and ssh-agent. 256 2574. (Optional) Send survey 258------------------------- 259 260$ make survey 261[check the contents of the file "survey" to ensure there's no information 262that you consider sensitive] 263$ make send-survey 264 265This will send configuration information for the currently configured 266host to a survey address. This will help determine which configurations 267are actually in use, and what valid combinations of configure options 268exist. The raw data is available only to the OpenSSH developers, however 269summary data may be published. 270 2715. Problems? 272------------ 273 274If you experience problems compiling, installing or running OpenSSH. 275Please refer to the "reporting bugs" section of the webpage at 276https://www.openssh.com/ 277