xref: /freebsd/crypto/openssh/INSTALL (revision c7a063741720ef81d4caa4613242579d12f1d605)
11. Prerequisites
2----------------
3
4A C compiler.  Any C89 or better compiler that supports variadic macros
5should work.  Where supported, configure will attempt to enable the
6compiler's run-time integrity checking options.  Some notes about
7specific compilers:
8 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
9  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
10
11To support Privilege Separation (which is now required) you will need
12to create the user, group and directory used by sshd for privilege
13separation.  See README.privsep for details.
14
15
16The remaining items are optional.
17
18A working installation of zlib:
19Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
20http://www.gzip.org/zlib/
21
22libcrypto from either of LibreSSL or OpenSSL.  Building without libcrypto
23is supported but severely restricts the available ciphers and algorithms.
24 - LibreSSL (https://www.libressl.org/)
25 - OpenSSL (https://www.openssl.org) with any of the following versions:
26   - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
27
28Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
291.1.0g can't be used.
30
31LibreSSL/OpenSSL should be compiled as a position-independent library
32(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
33or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
34be able to link with it.  If you must use a non-position-independent
35libcrypto, then you may need to configure OpenSSH --without-pie.
36
37If you build either from source, running the OpenSSL self-test ("make
38tests") or the LibreSSL equivalent ("make check") and ensuring that all
39tests pass is strongly recommended.
40
41NB. If you operating system supports /dev/random, you should configure
42libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
43direct support of /dev/random, or failing that, either prngd or egd.
44
45PRNGD:
46
47If your system lacks kernel-based random collection, the use of Lutz
48Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
49to support it.
50
51http://prngd.sourceforge.net/
52
53EGD:
54
55The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
56It also supported only if libcrypto is configured to support it.
57
58http://egd.sourceforge.net/
59
60PAM:
61
62OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
63system supports it. PAM is standard most Linux distributions, Solaris,
64HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
65
66Information about the various PAM implementations are available:
67
68Solaris PAM:	http://www.sun.com/software/solaris/pam/
69Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
70OpenPAM:	http://www.openpam.org/
71
72If you wish to build the GNOME passphrase requester, you will need the GNOME
73libraries and headers.
74
75GNOME:
76http://www.gnome.org/
77
78Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
79passphrase requester. This is maintained separately at:
80
81http://www.jmknoble.net/software/x11-ssh-askpass/
82
83TCP Wrappers:
84
85If you wish to use the TCP wrappers functionality you will need at least
86tcpd.h and libwrap.a, either in the standard include and library paths,
87or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
88known to work.
89
90http://ftp.porcupine.org/pub/security/index.html
91
92LibEdit:
93
94sftp supports command-line editing via NetBSD's libedit.  If your platform
95has it available natively you can use that, alternatively you might try
96these multi-platform ports:
97
98http://www.thrysoee.dk/editline/
99http://sourceforge.net/projects/libedit/
100
101LDNS:
102
103LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
104
105http://nlnetlabs.nl/projects/ldns/
106
107Autoconf:
108
109If you modify configure.ac or configure doesn't exist (eg if you checked
110the code out of git yourself) then you will need autoconf-2.69 and
111automake-1.16.1 to rebuild the automatically generated files by running
112"autoreconf".  Earlier versions may also work but this is not guaranteed.
113
114http://www.gnu.org/software/autoconf/
115http://www.gnu.org/software/automake/
116
117Basic Security Module (BSM):
118
119Native BSM support is known to exist in Solaris from at least 2.5.1,
120FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
121implementation (http://www.openbsm.org).
122
123makedepend:
124
125https://www.x.org/archive/individual/util/
126
127If you are making significant changes to the code you may need to rebuild
128the dependency (.depend) file using "make depend", which requires the
129"makedepend" tool from the X11 distribution.
130
131libfido2:
132
133libfido2 allows the use of hardware security keys over USB.  libfido2
134in turn depends on libcbor.  libfido2 >= 1.5.0 is strongly recommended.
135Limited functionality is possible with earlier libfido2 versions.
136
137https://github.com/Yubico/libfido2
138https://github.com/pjk/libcbor
139
140
1412. Building / Installation
142--------------------------
143
144To install OpenSSH with default options:
145
146./configure
147make
148make install
149
150This will install the OpenSSH binaries in /usr/local/bin, configuration files
151in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
152installation prefix, use the --prefix option to configure:
153
154./configure --prefix=/opt
155make
156make install
157
158Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
159specific paths, for example:
160
161./configure --prefix=/opt --sysconfdir=/etc/ssh
162make
163make install
164
165This will install the binaries in /opt/{bin,lib,sbin}, but will place the
166configuration files in /etc/ssh.
167
168If you are using PAM, you may need to manually install a PAM control
169file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
170them).  Note that the service name used to start PAM is __progname,
171which is the basename of the path of your sshd (e.g., the service name
172for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
173executable, your PAM configuration may need to be modified.
174
175A generic PAM configuration is included as "contrib/sshd.pam.generic",
176you may need to edit it before using it on your system. If you are
177using a recent version of Red Hat Linux, the config file in
178contrib/redhat/sshd.pam should be more useful.  Failure to install a
179valid PAM file may result in an inability to use password
180authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
181configuration will work with sshd (sshd will match the other service
182name).
183
184There are a few other options to the configure script:
185
186--with-audit=[module] enable additional auditing via the specified module.
187Currently, drivers for "debug" (additional info via syslog) and "bsm"
188(Sun's Basic Security Module) are supported.
189
190--with-pam enables PAM support. If PAM support is compiled in, it must
191also be enabled in sshd_config (refer to the UsePAM directive).
192
193--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
194support and to specify a PRNGd socket. Use this if your Unix lacks
195/dev/random.
196
197--with-prngd-port=portnum allows you to enable EGD or PRNGD support
198and to specify a EGD localhost TCP port. Use this if your Unix lacks
199/dev/random.
200
201--with-lastlog=FILE will specify the location of the lastlog file.
202./configure searches a few locations for lastlog, but may not find
203it if lastlog is installed in a different place.
204
205--without-lastlog will disable lastlog support entirely.
206
207--with-osfsia, --without-osfsia will enable or disable OSF1's Security
208Integration Architecture.  The default for OSF1 machines is enable.
209
210--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
211support.
212
213--with-utmpx enables utmpx support. utmpx support is automatic for
214some platforms.
215
216--without-shadow disables shadow password support.
217
218--with-ipaddr-display forces the use of a numeric IP address in the
219$DISPLAY environment variable. Some broken systems need this.
220
221--with-default-path=PATH allows you to specify a default $PATH for sessions
222started by sshd. This replaces the standard path entirely.
223
224--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
225created.
226
227--with-xauth=PATH specifies the location of the xauth binary
228
229--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
230libraries are installed.
231
232--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
233
234--without-openssl builds without using OpenSSL.  Only a subset of ciphers
235and algorithms are supported in this configuration.
236
237--without-zlib builds without zlib.  This disables the Compression option.
238
239--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
240real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
241
242If you need to pass special options to the compiler or linker, you
243can specify these as environment variables before running ./configure.
244For example:
245
246CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
247
2483. Configuration
249----------------
250
251The runtime configuration files are installed by in ${prefix}/etc or
252whatever you specified as your --sysconfdir (/usr/local/etc by default).
253
254The default configuration should be instantly usable, though you should
255review it to ensure that it matches your security requirements.
256
257To generate a host key, run "make host-key". Alternately you can do so
258manually using the following commands:
259
260    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
261
262for each of the types you wish to generate (rsa, dsa or ecdsa) or
263
264    ssh-keygen -A
265
266to generate keys for all supported types.
267
268Replacing /etc/ssh with the correct path to the configuration directory.
269(${prefix}/etc or whatever you specified with --sysconfdir during
270configuration).
271
272If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
273prngd is running and has collected some entropy first.
274
275For more information on configuration, please refer to the manual pages
276for sshd, ssh and ssh-agent.
277
2784. (Optional) Send survey
279-------------------------
280
281$ make survey
282[check the contents of the file "survey" to ensure there's no information
283that you consider sensitive]
284$ make send-survey
285
286This will send configuration information for the currently configured
287host to a survey address.  This will help determine which configurations
288are actually in use, and what valid combinations of configure options
289exist.  The raw data is available only to the OpenSSH developers, however
290summary data may be published.
291
2925. Problems?
293------------
294
295If you experience problems compiling, installing or running OpenSSH,
296please refer to the "reporting bugs" section of the webpage at
297https://www.openssh.com/
298