xref: /freebsd/crypto/openssh/INSTALL (revision fed1ca4b719c56c930f2259d80663cd34be812bb)
11. Prerequisites
2----------------
3
4You will need working installations of Zlib and libcrypto (LibreSSL /
5OpenSSL)
6
7Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
8http://www.gzip.org/zlib/
9
10libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
11LibreSSL http://www.libressl.org/ ; or
12OpenSSL http://www.openssl.org/
13
14LibreSSL/OpenSSL should be compiled as a position-independent library
15(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
16If you must use a non-position-independent libcrypto, then you may need
17to configure OpenSSH --without-pie.
18
19The remaining items are optional.
20
21NB. If you operating system supports /dev/random, you should configure
22libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
23direct support of /dev/random, or failing that, either prngd or egd
24
25PRNGD:
26
27If your system lacks kernel-based random collection, the use of Lutz
28Jaenicke's PRNGd is recommended.
29
30http://prngd.sourceforge.net/
31
32EGD:
33
34If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
35supported only if libcrypto supports it.
36
37http://egd.sourceforge.net/
38
39PAM:
40
41OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
42system supports it. PAM is standard most Linux distributions, Solaris,
43HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
44
45Information about the various PAM implementations are available:
46
47Solaris PAM:	http://www.sun.com/software/solaris/pam/
48Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
49OpenPAM:	http://www.openpam.org/
50
51If you wish to build the GNOME passphrase requester, you will need the GNOME
52libraries and headers.
53
54GNOME:
55http://www.gnome.org/
56
57Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
58passphrase requester. This is maintained separately at:
59
60http://www.jmknoble.net/software/x11-ssh-askpass/
61
62TCP Wrappers:
63
64If you wish to use the TCP wrappers functionality you will need at least
65tcpd.h and libwrap.a, either in the standard include and library paths,
66or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
67known to work.
68
69http://ftp.porcupine.org/pub/security/index.html
70
71S/Key Libraries:
72
73If you wish to use --with-skey then you will need the library below
74installed.  No other S/Key library is currently known to be supported.
75
76http://www.sparc.spb.su/solaris/skey/
77
78LibEdit:
79
80sftp supports command-line editing via NetBSD's libedit.  If your platform
81has it available natively you can use that, alternatively you might try
82these multi-platform ports:
83
84http://www.thrysoee.dk/editline/
85http://sourceforge.net/projects/libedit/
86
87LDNS:
88
89LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
90
91http://nlnetlabs.nl/projects/ldns/
92
93Autoconf:
94
95If you modify configure.ac or configure doesn't exist (eg if you checked
96the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
97the automatically generated files by running "autoreconf".  Earlier
98versions may also work but this is not guaranteed.
99
100http://www.gnu.org/software/autoconf/
101
102Basic Security Module (BSM):
103
104Native BSM support is know to exist in Solaris from at least 2.5.1,
105FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
106implementation (http://www.openbsm.org).
107
108
1092. Building / Installation
110--------------------------
111
112To install OpenSSH with default options:
113
114./configure
115make
116make install
117
118This will install the OpenSSH binaries in /usr/local/bin, configuration files
119in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
120installation prefix, use the --prefix option to configure:
121
122./configure --prefix=/opt
123make
124make install
125
126Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
127specific paths, for example:
128
129./configure --prefix=/opt --sysconfdir=/etc/ssh
130make
131make install
132
133This will install the binaries in /opt/{bin,lib,sbin}, but will place the
134configuration files in /etc/ssh.
135
136If you are using Privilege Separation (which is enabled by default)
137then you will also need to create the user, group and directory used by
138sshd for privilege separation.  See README.privsep for details.
139
140If you are using PAM, you may need to manually install a PAM control
141file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
142them).  Note that the service name used to start PAM is __progname,
143which is the basename of the path of your sshd (e.g., the service name
144for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
145executable, your PAM configuration may need to be modified.
146
147A generic PAM configuration is included as "contrib/sshd.pam.generic",
148you may need to edit it before using it on your system. If you are
149using a recent version of Red Hat Linux, the config file in
150contrib/redhat/sshd.pam should be more useful.  Failure to install a
151valid PAM file may result in an inability to use password
152authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
153configuration will work with sshd (sshd will match the other service
154name).
155
156There are a few other options to the configure script:
157
158--with-audit=[module] enable additional auditing via the specified module.
159Currently, drivers for "debug" (additional info via syslog) and "bsm"
160(Sun's Basic Security Module) are supported.
161
162--with-pam enables PAM support. If PAM support is compiled in, it must
163also be enabled in sshd_config (refer to the UsePAM directive).
164
165--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
166support and to specify a PRNGd socket. Use this if your Unix lacks
167/dev/random and you don't want to use OpenSSH's builtin entropy
168collection support.
169
170--with-prngd-port=portnum allows you to enable EGD or PRNGD support
171and to specify a EGD localhost TCP port. Use this if your Unix lacks
172/dev/random and you don't want to use OpenSSH's builtin entropy
173collection support.
174
175--with-lastlog=FILE will specify the location of the lastlog file.
176./configure searches a few locations for lastlog, but may not find
177it if lastlog is installed in a different place.
178
179--without-lastlog will disable lastlog support entirely.
180
181--with-osfsia, --without-osfsia will enable or disable OSF1's Security
182Integration Architecture.  The default for OSF1 machines is enable.
183
184--with-skey=PATH will enable S/Key one time password support. You will
185need the S/Key libraries and header files installed for this to work.
186
187--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
188support.
189
190--with-md5-passwords will enable the use of MD5 passwords. Enable this
191if your operating system uses MD5 passwords and the system crypt() does
192not support them directly (see the crypt(3/3c) man page). If enabled, the
193resulting binary will support both MD5 and traditional crypt passwords.
194
195--with-utmpx enables utmpx support. utmpx support is automatic for
196some platforms.
197
198--without-shadow disables shadow password support.
199
200--with-ipaddr-display forces the use of a numeric IP address in the
201$DISPLAY environment variable. Some broken systems need this.
202
203--with-default-path=PATH allows you to specify a default $PATH for sessions
204started by sshd. This replaces the standard path entirely.
205
206--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
207created.
208
209--with-xauth=PATH specifies the location of the xauth binary
210
211--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
212libraries
213are installed.
214
215--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
216
217--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
218real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
219
220If you need to pass special options to the compiler or linker, you
221can specify these as environment variables before running ./configure.
222For example:
223
224CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
225
2263. Configuration
227----------------
228
229The runtime configuration files are installed by in ${prefix}/etc or
230whatever you specified as your --sysconfdir (/usr/local/etc by default).
231
232The default configuration should be instantly usable, though you should
233review it to ensure that it matches your security requirements.
234
235To generate a host key, run "make host-key". Alternately you can do so
236manually using the following commands:
237
238    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
239    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
240    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
241
242Replacing /etc/ssh with the correct path to the configuration directory.
243(${prefix}/etc or whatever you specified with --sysconfdir during
244configuration)
245
246If you have configured OpenSSH with EGD support, ensure that EGD is
247running and has collected some Entropy.
248
249For more information on configuration, please refer to the manual pages
250for sshd, ssh and ssh-agent.
251
2524. (Optional) Send survey
253-------------------------
254
255$ make survey
256[check the contents of the file "survey" to ensure there's no information
257that you consider sensitive]
258$ make send-survey
259
260This will send configuration information for the currently configured
261host to a survey address.  This will help determine which configurations
262are actually in use, and what valid combinations of configure options
263exist.  The raw data is available only to the OpenSSH developers, however
264summary data may be published.
265
2665. Problems?
267------------
268
269If you experience problems compiling, installing or running OpenSSH.
270Please refer to the "reporting bugs" section of the webpage at
271http://www.openssh.com/
272
273
274$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
275