xref: /freebsd/crypto/openssh/INSTALL (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
11. Prerequisites
2----------------
3
4A C compiler.  Any C89 or better compiler that supports variadic macros
5should work.  Where supported, configure will attempt to enable the
6compiler's run-time integrity checking options.  Some notes about
7specific compilers:
8 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
9  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
10
11To support Privilege Separation (which is now required) you will need
12to create the user, group and directory used by sshd for privilege
13separation.  See README.privsep for details.
14
15
16The remaining items are optional.
17
18A working installation of zlib:
19Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
20https://zlib.net/
21
22libcrypto from either of LibreSSL or OpenSSL.  Building without libcrypto
23is supported but severely restricts the available ciphers and algorithms.
24 - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
25 - OpenSSL (https://www.openssl.org) 1.1.1 or greater
26
27LibreSSL/OpenSSL should be compiled as a position-independent library
28(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
29or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
30be able to link with it.  If you must use a non-position-independent
31libcrypto, then you may need to configure OpenSSH --without-pie.
32
33If you build either from source, running the OpenSSL self-test ("make
34tests") or the LibreSSL equivalent ("make check") and ensuring that all
35tests pass is strongly recommended.
36
37NB. If you operating system supports /dev/random, you should configure
38libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
39direct support of /dev/random, or failing that, either prngd or egd.
40
41PRNGD:
42
43If your system lacks kernel-based random collection, the use of Lutz
44Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
45to support it.
46
47http://prngd.sourceforge.net/
48
49EGD:
50
51The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
52It also supported only if libcrypto is configured to support it.
53
54http://egd.sourceforge.net/
55
56PAM:
57
58OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
59system supports it. PAM is standard most Linux distributions, Solaris,
60HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
61
62Information about the various PAM implementations are available:
63
64Solaris PAM:	http://www.sun.com/software/solaris/pam/
65Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
66OpenPAM:	http://www.openpam.org/
67
68If you wish to build the GNOME passphrase requester, you will need the GNOME
69libraries and headers.
70
71GNOME:
72http://www.gnome.org/
73
74Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
75passphrase requester. This is maintained separately at:
76
77http://www.jmknoble.net/software/x11-ssh-askpass/
78
79TCP Wrappers:
80
81If you wish to use the TCP wrappers functionality you will need at least
82tcpd.h and libwrap.a, either in the standard include and library paths,
83or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
84known to work.
85
86http://ftp.porcupine.org/pub/security/index.html
87
88LibEdit:
89
90sftp supports command-line editing via NetBSD's libedit.  If your platform
91has it available natively you can use that, alternatively you might try
92these multi-platform ports:
93
94http://www.thrysoee.dk/editline/
95http://sourceforge.net/projects/libedit/
96
97LDNS:
98
99LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
100
101http://nlnetlabs.nl/projects/ldns/
102
103Autoconf:
104
105If you modify configure.ac or configure doesn't exist (eg if you checked
106the code out of git yourself) then you will need autoconf-2.69 and
107automake-1.16.1 to rebuild the automatically generated files by running
108"autoreconf".  Earlier versions may also work but this is not guaranteed.
109
110http://www.gnu.org/software/autoconf/
111http://www.gnu.org/software/automake/
112
113Basic Security Module (BSM):
114
115Native BSM support is known to exist in Solaris from at least 2.5.1,
116FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
117implementation (http://www.openbsm.org).
118
119makedepend:
120
121https://www.x.org/archive/individual/util/
122
123If you are making significant changes to the code you may need to rebuild
124the dependency (.depend) file using "make depend", which requires the
125"makedepend" tool from the X11 distribution.
126
127libfido2:
128
129libfido2 allows the use of hardware security keys over USB.  libfido2
130in turn depends on libcbor.  libfido2 >= 1.5.0 is strongly recommended.
131Limited functionality is possible with earlier libfido2 versions.
132
133https://github.com/Yubico/libfido2
134https://github.com/pjk/libcbor
135
136
1372. Building / Installation
138--------------------------
139
140To install OpenSSH with default options:
141
142./configure
143make
144make install
145
146This will install the OpenSSH binaries in /usr/local/bin, configuration files
147in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
148installation prefix, use the --prefix option to configure:
149
150./configure --prefix=/opt
151make
152make install
153
154Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
155specific paths, for example:
156
157./configure --prefix=/opt --sysconfdir=/etc/ssh
158make
159make install
160
161This will install the binaries in /opt/{bin,lib,sbin}, but will place the
162configuration files in /etc/ssh.
163
164If you are using PAM, you may need to manually install a PAM control
165file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
166them).  Note that the service name used to start PAM is __progname,
167which is the basename of the path of your sshd (e.g., the service name
168for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
169executable, your PAM configuration may need to be modified.
170
171A generic PAM configuration is included as "contrib/sshd.pam.generic",
172you may need to edit it before using it on your system. If you are
173using a recent version of Red Hat Linux, the config file in
174contrib/redhat/sshd.pam should be more useful.  Failure to install a
175valid PAM file may result in an inability to use password
176authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
177configuration will work with sshd (sshd will match the other service
178name).
179
180There are a few other options to the configure script:
181
182--with-audit=[module] enable additional auditing via the specified module.
183Currently, drivers for "debug" (additional info via syslog) and "bsm"
184(Sun's Basic Security Module) are supported.
185
186--with-pam enables PAM support. If PAM support is compiled in, it must
187also be enabled in sshd_config (refer to the UsePAM directive).
188
189--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
190support and to specify a PRNGd socket. Use this if your Unix lacks
191/dev/random.
192
193--with-prngd-port=portnum allows you to enable EGD or PRNGD support
194and to specify a EGD localhost TCP port. Use this if your Unix lacks
195/dev/random.
196
197--with-lastlog=FILE will specify the location of the lastlog file.
198./configure searches a few locations for lastlog, but may not find
199it if lastlog is installed in a different place.
200
201--without-lastlog will disable lastlog support entirely.
202
203--with-osfsia, --without-osfsia will enable or disable OSF1's Security
204Integration Architecture.  The default for OSF1 machines is enable.
205
206--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
207support.
208
209--with-utmpx enables utmpx support. utmpx support is automatic for
210some platforms.
211
212--without-shadow disables shadow password support.
213
214--with-ipaddr-display forces the use of a numeric IP address in the
215$DISPLAY environment variable. Some broken systems need this.
216
217--with-default-path=PATH allows you to specify a default $PATH for sessions
218started by sshd. This replaces the standard path entirely.
219
220--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
221created.
222
223--with-xauth=PATH specifies the location of the xauth binary
224
225--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
226libraries are installed.
227
228--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
229
230--without-openssl builds without using OpenSSL.  Only a subset of ciphers
231and algorithms are supported in this configuration.
232
233--without-zlib builds without zlib.  This disables the Compression option.
234
235--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
236real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
237
238If you need to pass special options to the compiler or linker, you
239can specify these as environment variables before running ./configure.
240For example:
241
242CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
243
2443. Configuration
245----------------
246
247The runtime configuration files are installed by in ${prefix}/etc or
248whatever you specified as your --sysconfdir (/usr/local/etc by default).
249
250The default configuration should be instantly usable, though you should
251review it to ensure that it matches your security requirements.
252
253To generate a host key, run "make host-key". Alternately you can do so
254manually using the following commands:
255
256    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
257
258for each of the types you wish to generate (rsa, dsa or ecdsa) or
259
260    ssh-keygen -A
261
262to generate keys for all supported types.
263
264Replacing /etc/ssh with the correct path to the configuration directory.
265(${prefix}/etc or whatever you specified with --sysconfdir during
266configuration).
267
268If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
269prngd is running and has collected some entropy first.
270
271For more information on configuration, please refer to the manual pages
272for sshd, ssh and ssh-agent.
273
2744. (Optional) Send survey
275-------------------------
276
277$ make survey
278[check the contents of the file "survey" to ensure there's no information
279that you consider sensitive]
280$ make send-survey
281
282This will send configuration information for the currently configured
283host to a survey address.  This will help determine which configurations
284are actually in use, and what valid combinations of configure options
285exist.  The raw data is available only to the OpenSSH developers, however
286summary data may be published.
287
2885. Problems?
289------------
290
291If you experience problems compiling, installing or running OpenSSH,
292please refer to the "reporting bugs" section of the webpage at
293https://www.openssh.com/
294