xref: /freebsd/crypto/openssh/INSTALL (revision 98fc0505155575df4170c863107153df2a751a13)
11. Prerequisites
2----------------
3
4A C compiler.  Any C89 or better compiler should work.  Where supported,
5configure will attempt to enable the compiler's run-time integrity checking
6options.  Some notes about specific compilers:
7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
8  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
9
10You will need working installations of Zlib and libcrypto (LibreSSL /
11OpenSSL)
12
13Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
14http://www.gzip.org/zlib/
15
16libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
17LibreSSL http://www.libressl.org/ ; or
18OpenSSL http://www.openssl.org/
19
20LibreSSL/OpenSSL should be compiled as a position-independent library
21(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
22If you must use a non-position-independent libcrypto, then you may need
23to configure OpenSSH --without-pie.  Note that because of API changes,
24OpenSSL 1.1.x is not currently supported.
25
26The remaining items are optional.
27
28NB. If you operating system supports /dev/random, you should configure
29libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
30direct support of /dev/random, or failing that, either prngd or egd
31
32PRNGD:
33
34If your system lacks kernel-based random collection, the use of Lutz
35Jaenicke's PRNGd is recommended.
36
37http://prngd.sourceforge.net/
38
39EGD:
40
41If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
42supported only if libcrypto supports it.
43
44http://egd.sourceforge.net/
45
46PAM:
47
48OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
49system supports it. PAM is standard most Linux distributions, Solaris,
50HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
51
52Information about the various PAM implementations are available:
53
54Solaris PAM:	http://www.sun.com/software/solaris/pam/
55Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
56OpenPAM:	http://www.openpam.org/
57
58If you wish to build the GNOME passphrase requester, you will need the GNOME
59libraries and headers.
60
61GNOME:
62http://www.gnome.org/
63
64Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
65passphrase requester. This is maintained separately at:
66
67http://www.jmknoble.net/software/x11-ssh-askpass/
68
69TCP Wrappers:
70
71If you wish to use the TCP wrappers functionality you will need at least
72tcpd.h and libwrap.a, either in the standard include and library paths,
73or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
74known to work.
75
76http://ftp.porcupine.org/pub/security/index.html
77
78LibEdit:
79
80sftp supports command-line editing via NetBSD's libedit.  If your platform
81has it available natively you can use that, alternatively you might try
82these multi-platform ports:
83
84http://www.thrysoee.dk/editline/
85http://sourceforge.net/projects/libedit/
86
87LDNS:
88
89LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
90
91http://nlnetlabs.nl/projects/ldns/
92
93Autoconf:
94
95If you modify configure.ac or configure doesn't exist (eg if you checked
96the code out of git yourself) then you will need autoconf-2.69 to rebuild
97the automatically generated files by running "autoreconf".  Earlier
98versions may also work but this is not guaranteed.
99
100http://www.gnu.org/software/autoconf/
101
102Basic Security Module (BSM):
103
104Native BSM support is known to exist in Solaris from at least 2.5.1,
105FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
106implementation (http://www.openbsm.org).
107
108makedepend:
109
110https://www.x.org/archive/individual/util/
111
112If you are making significant changes to the code you may need to rebuild
113the dependency (.depend) file using "make depend", which requires the
114"makedepend" tool from the X11 distribution.
115
1162. Building / Installation
117--------------------------
118
119To install OpenSSH with default options:
120
121./configure
122make
123make install
124
125This will install the OpenSSH binaries in /usr/local/bin, configuration files
126in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
127installation prefix, use the --prefix option to configure:
128
129./configure --prefix=/opt
130make
131make install
132
133Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
134specific paths, for example:
135
136./configure --prefix=/opt --sysconfdir=/etc/ssh
137make
138make install
139
140This will install the binaries in /opt/{bin,lib,sbin}, but will place the
141configuration files in /etc/ssh.
142
143If you are using Privilege Separation (which is enabled by default)
144then you will also need to create the user, group and directory used by
145sshd for privilege separation.  See README.privsep for details.
146
147If you are using PAM, you may need to manually install a PAM control
148file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
149them).  Note that the service name used to start PAM is __progname,
150which is the basename of the path of your sshd (e.g., the service name
151for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
152executable, your PAM configuration may need to be modified.
153
154A generic PAM configuration is included as "contrib/sshd.pam.generic",
155you may need to edit it before using it on your system. If you are
156using a recent version of Red Hat Linux, the config file in
157contrib/redhat/sshd.pam should be more useful.  Failure to install a
158valid PAM file may result in an inability to use password
159authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
160configuration will work with sshd (sshd will match the other service
161name).
162
163There are a few other options to the configure script:
164
165--with-audit=[module] enable additional auditing via the specified module.
166Currently, drivers for "debug" (additional info via syslog) and "bsm"
167(Sun's Basic Security Module) are supported.
168
169--with-pam enables PAM support. If PAM support is compiled in, it must
170also be enabled in sshd_config (refer to the UsePAM directive).
171
172--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
173support and to specify a PRNGd socket. Use this if your Unix lacks
174/dev/random.
175
176--with-prngd-port=portnum allows you to enable EGD or PRNGD support
177and to specify a EGD localhost TCP port. Use this if your Unix lacks
178/dev/random.
179
180--with-lastlog=FILE will specify the location of the lastlog file.
181./configure searches a few locations for lastlog, but may not find
182it if lastlog is installed in a different place.
183
184--without-lastlog will disable lastlog support entirely.
185
186--with-osfsia, --without-osfsia will enable or disable OSF1's Security
187Integration Architecture.  The default for OSF1 machines is enable.
188
189--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
190support.
191
192--with-md5-passwords will enable the use of MD5 passwords. Enable this
193if your operating system uses MD5 passwords and the system crypt() does
194not support them directly (see the crypt(3/3c) man page). If enabled, the
195resulting binary will support both MD5 and traditional crypt passwords.
196
197--with-utmpx enables utmpx support. utmpx support is automatic for
198some platforms.
199
200--without-shadow disables shadow password support.
201
202--with-ipaddr-display forces the use of a numeric IP address in the
203$DISPLAY environment variable. Some broken systems need this.
204
205--with-default-path=PATH allows you to specify a default $PATH for sessions
206started by sshd. This replaces the standard path entirely.
207
208--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
209created.
210
211--with-xauth=PATH specifies the location of the xauth binary
212
213--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
214libraries are installed.
215
216--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
217
218--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
219real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
220
221If you need to pass special options to the compiler or linker, you
222can specify these as environment variables before running ./configure.
223For example:
224
225CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
226
2273. Configuration
228----------------
229
230The runtime configuration files are installed by in ${prefix}/etc or
231whatever you specified as your --sysconfdir (/usr/local/etc by default).
232
233The default configuration should be instantly usable, though you should
234review it to ensure that it matches your security requirements.
235
236To generate a host key, run "make host-key". Alternately you can do so
237manually using the following commands:
238
239    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
240
241for each of the types you wish to generate (rsa, dsa or ecdsa) or
242
243    ssh-keygen -A
244
245to generate keys for all supported types.
246
247Replacing /etc/ssh with the correct path to the configuration directory.
248(${prefix}/etc or whatever you specified with --sysconfdir during
249configuration)
250
251If you have configured OpenSSH with EGD support, ensure that EGD is
252running and has collected some Entropy.
253
254For more information on configuration, please refer to the manual pages
255for sshd, ssh and ssh-agent.
256
2574. (Optional) Send survey
258-------------------------
259
260$ make survey
261[check the contents of the file "survey" to ensure there's no information
262that you consider sensitive]
263$ make send-survey
264
265This will send configuration information for the currently configured
266host to a survey address.  This will help determine which configurations
267are actually in use, and what valid combinations of configure options
268exist.  The raw data is available only to the OpenSSH developers, however
269summary data may be published.
270
2715. Problems?
272------------
273
274If you experience problems compiling, installing or running OpenSSH.
275Please refer to the "reporting bugs" section of the webpage at
276https://www.openssh.com/
277