1. Prerequisites
----------------

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
Blowfish) do not work correctly.)

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Redhat and Debian Linux, Solaris and
HP-UX 11.

NB. If your operating system supports /dev/random, you should configure
OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
/dev/random. If you don't, you will have to rely on ssh-rand-helper, which
is inferior to a good kernel-based solution.

PAM:
http://www.kernel.org/pub/linux/libs/pam/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

EGD:

The Entropy Gathering Daemon (EGD) is supported if you have a system which
lacks /dev/random and don't want to use OpenSSH's internal entropy collection.

http://www.lothar.com/tech/crypto/

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:
sftp now supports command-line editing via NetBSD's libedit.
If your platform has it available natively you can use that; alternatively,
you might try these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication.
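The PAM rules above (service name is the basename of the sshd executable, the control file must exist under pam.d, and UsePAM must be switched on in sshd_config once PAM is compiled in) are easy to get wrong after renaming sshd or choosing a non-default --sysconfdir. The following check script is an added example, not part of the OpenSSH INSTALL file or the project's contrib/ files. The sshd path, pam.d directory and sshd_config path are arguments; the locations in the usage comment are assumed defaults, and the script name is assumed.

```shell
#!/bin/sh
# Added post-install PAM check. Not part of the OpenSSH INSTALL file or the
# project's contrib/ files. It applies the rule stated in the text: the PAM
# service name is the basename of the sshd executable, a control file of that
# name must exist in the pam.d directory, and UsePAM must be enabled in
# sshd_config when PAM support was compiled in. All paths are parameters; the
# locations in the usage comment at the bottom are assumed defaults.

# Service name sshd hands to PAM (__progname): the basename of its path.
pam_service_name() {
    basename "$1"
}

# Succeed when "<pam_dir>/<service name>" exists for the given sshd path.
# Arguments: sshd path, pam.d directory.
pam_control_file_present() {
    [ -f "$2/$(pam_service_name "$1")" ]
}

# Print the effective UsePAM value from an sshd_config, lower-cased, or "no"
# when the directive is absent (sshd's default). Keywords are matched
# case-insensitively, "UsePAM=yes" is accepted, trailing comments are
# dropped, and the first occurrence wins, as in sshd itself.
use_pam_setting() {
    line=$(grep -i '^[[:space:]]*UsePAM[[:space:]=]' "$1" 2>/dev/null | head -n 1)
    value=$(printf '%s\n' "$line" \
        | sed 's/^[[:space:]]*[Uu][Ss][Ee][Pp][Aa][Mm][[:space:]=]*//' \
        | tr '[:upper:]' '[:lower:]' | awk '{print $1}')
    if [ -z "$value" ]; then
        echo no
    else
        echo "$value"
    fi
}

# Run both checks; exit status 0 only if both pass.
# Arguments: sshd path, pam.d directory, sshd_config path.
check_pam_setup() {
    sshd_path=$1
    pam_dir=$2
    config=$3
    status=0
    service=$(pam_service_name "$sshd_path")
    if pam_control_file_present "$sshd_path" "$pam_dir"; then
        echo "ok: PAM control file $pam_dir/$service present"
    else
        echo "MISSING: $pam_dir/$service (password authentication may fail)"
        status=1
    fi
    if [ "$(use_pam_setting "$config")" = yes ]; then
        echo "ok: UsePAM yes in $config"
    else
        echo "WARNING: UsePAM is not enabled in $config"
        status=1
    fi
    return $status
}

# Usage (assumed default locations, assumed script name):
#   sh check_sshd_pam.sh /usr/local/sbin/sshd /etc/pam.d /usr/local/etc/sshd_config
if [ $# -eq 3 ]; then
    check_pam_setup "$1" "$2" "$3"
fi
```

Run it against the paths of the sshd you actually installed, not the distribution's packaged one; a renamed binary such as /usr/sbin/osshd needs a matching /etc/pam.d/osshd, which is exactly what the first check catches.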

On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enabled.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
are installed.

--with-4in6 checks for IPv4 in IPv6 mapped addresses and converts them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

--with-opensc=DIR
--with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
be used with OpenSSH. See 'README.smartcard' for more details.

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternately you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replacing /etc/ssh with the correct path to the configuration directory.
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration)

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents and make sure there's no sensitive information]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.70 2005/04/24 07:52:23 dtucker Exp $
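Returning to the manual host key commands in section 3: the three ssh-keygen lines work once, but a second run would overwrite keys that clients already trust, and nothing in them checks the resulting file modes. The script below is an added example, not part of the OpenSSH INSTALL file or the project's Makefile ("make host-key" remains the supported way). It generates the same three key types into the directory given as its argument, skips any key that already exists, and then reports any private key that group or other can read. The key types and file names are the ones listed above; the script name in the usage comment is assumed. If the installed ssh-keygen does not support a listed type (rsa1 is the protocol 1 key), that type is reported as failed and the others are still attempted.

```shell
#!/bin/sh
# Added example for the host key step in section 3. Not part of the OpenSSH
# INSTALL file or the project's Makefile. It generates the three key types
# listed in the text into the directory given as an argument, skips any key
# that already exists so a re-run can never overwrite a deployed host key,
# and then reports any private key readable by group or other.

# Key types and file names exactly as listed in the manual commands above.
HOST_KEY_TYPES="rsa1:ssh_host_key rsa:ssh_host_rsa_key dsa:ssh_host_dsa_key"

# Generate each missing host key with an empty passphrase (-N ""), as the
# commands above do. Existing files are kept. Returns non-zero if ssh-keygen
# failed for any type (for example a type the installed ssh-keygen no longer
# supports); the remaining types are still attempted.
generate_host_keys() {
    keydir=$1
    failed=0
    for entry in $HOST_KEY_TYPES; do
        keytype=${entry%%:*}
        keyfile=$keydir/${entry#*:}
        if [ -f "$keyfile" ]; then
            echo "keep: $keyfile already exists"
            continue
        fi
        if ssh-keygen -t "$keytype" -f "$keyfile" -N ""; then
            echo "generated: $keyfile"
        else
            echo "FAILED: ssh-keygen -t $keytype -f $keyfile"
            failed=1
        fi
    done
    return $failed
}

# Report every private host key whose mode grants group or other any access.
# The return value is the number of offending files (0 means all are fine).
# Characters 5-10 of the ls -l mode column are the group and other bits,
# which is the same on GNU and BSD ls.
check_host_key_perms() {
    keydir=$1
    bad=0
    for entry in $HOST_KEY_TYPES; do
        keyfile=$keydir/${entry#*:}
        [ -f "$keyfile" ] || continue
        groupother=$(ls -l "$keyfile" | cut -c5-10)
        case $groupother in
            ------) echo "ok: $keyfile is owner-only" ;;
            *) echo "TOO OPEN: $keyfile has mode $(ls -l "$keyfile" | cut -c1-10); fix with: chmod 600 $keyfile"
               bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Usage: sh hostkeys.sh /etc/ssh
# (hostkeys.sh is an assumed name; pass the directory you gave --sysconfdir)
if [ $# -eq 1 ]; then
    generate_host_keys "$1"
    check_host_key_perms "$1"
fi
```

Run it as root with the same directory you passed as --sysconfdir; the permission report is also a cheap check to repeat after restoring a configuration directory from backup, where modes are commonly lost.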