This file contains notes about OpenSSH on specific platforms.

AIX
---
Beginning with OpenSSH 3.8p1, sshd will honour an account's password
expiry settings, where prior to that it did not. Because of this,
it's possible for sites that have used OpenSSH's sshd exclusively to
have accounts which have passwords expired longer than the inactive time
(i.e. the "Weeks between password EXPIRATION and LOCKOUT" setting in SMIT
or the maxexpired chuser attribute).

Accounts in this state must have their passwords reset manually by the
administrator. As a precaution, it is recommended that the administrative
passwords be reset before upgrading from OpenSSH <3.8.

As of OpenSSH 4.0p1, configure will attempt to detect if your version
and maintenance level of AIX has a working getaddrinfo, and will use it
if found. This will enable IPv6 support. If for some reason configure
gets it wrong, or if you want to build binaries to work on earlier MLs
than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
to force the previous IPv4-only behaviour.

IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4

If you wish to use dynamic libraries that aren't in the normal system
locations (e.g. IBM's OpenSSL and zlib packages) then you will need to
define the environment variable blibpath before running configure, e.g.

    blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
      --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware

If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
by default) then sshd checks that users are permitted via the
loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account;
instead the PermitRootLogin setting in sshd_config is used.

If you are using the IBM compiler you probably want to use CC=xlc rather
than the default of cc.


Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
openssl-devel, zlib, minires, minires-devel.


Darwin and MacOS X
------------------
Darwin does not provide a tun(4) driver required for OpenSSH-based
virtual private networks. The BSD manpage still exists, but the driver
has been removed in recent releases of Darwin and MacOS X.

Tunnel support is known to work with Darwin 8 and MacOS X 10.4 in
Point-to-Point (Layer 3) and Ethernet (Layer 2) mode using a third
party driver. More information is available at:
    https://tuntaposx.sourceforge.net

Recent Darwin/MacOS X versions are likely unsupported.

Linux
-----

Some Linux distributions (including Red Hat/Fedora/CentOS) include
headers and library links in the -devel RPMs rather than the main
binary RPMs. If you get an error about headers, or complaining about a
missing prerequisite then you may need to install the equivalent
development packages. On Red Hat based distros these may be openssl-devel,
zlib-devel and pam-devel, on Debian based distros these may be
libssl-dev, libz-dev and libpam-dev.


Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output.
The following line needs to be
added to /etc/security/audit_event:

    32800:AUE_openssh:OpenSSH login:lo

The BSM audit event range available for third party TCB applications is
32768 - 65535. Event number 32800 has been chosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by running configure with --with-cflags=-DAUE_openssh=32801 and then
rebuilding.


Platforms using PAM
-------------------
As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
PAM is enabled. To maintain existing behaviour, pam_nologin should be
added to sshd's session stack which will prevent users from starting shell
sessions. Alternatively, pam_nologin can be added to either the auth or
account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.
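
One way to check a host against the PAM note above (an added example, not
part of the OpenSSH distribution). The function names and verdict strings
are made up for this example, and it assumes /etc/pam.d style files with
whitespace-separated sshd_config keywords.

```sh
#!/bin/sh
# Added example. Does not follow include/substack lines in the PAM file or
# Include in sshd_config; assumes /etc/pam.d style (no service column).

# nologin_stacks PAMFILE: print which of "auth account session" name
# pam_nologin directly, or "none".
nologin_stacks() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            type = $1; sub(/^-/, "", type)     # Linux-PAM allows a leading "-"
            if (type !~ /^(auth|account|session)$/) next
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break           # trailing comment
                if ($i ~ /(^|\/)pam_nologin(\.so)?$/) seen[type] = 1
            }
        }
        END {
            n = split("auth account session", order, " ")
            for (i = 1; i <= n; i++)
                if (order[i] in seen) out = out (out == "" ? "" : " ") order[i]
            print (out == "" ? "none" : out)
        }
    ' "$1"
}

# nologin_verdict SSHD_CONFIG PAMFILE: how /etc/nologin is enforced for sshd.
nologin_verdict() {
    # First UsePAM line wins; upstream default when unset is "no".
    usepam=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    [ "$usepam" = "yes" ] || { echo "sshd-checks-nologin-itself"; return 0; }
    case $(nologin_stacks "$2") in
        none)             echo "not-enforced" ;;
        *auth*|*account*) echo "blocks-authentication" ;;
        *)                echo "blocks-shell-sessions" ;;
    esac
}

# Constructed sample files (not from a real host).
tmp=$(mktemp -d)
printf 'UsePAM yes\n' > "$tmp/sshd_config"
printf '%s\n' 'auth required pam_unix.so' '#account required pam_nologin.so' \
    'session required pam_nologin.so' > "$tmp/pam_sshd"
nologin_verdict "$tmp/sshd_config" "$tmp/pam_sshd"
```

A "not-enforced" result is the case the note warns about: PAM is enabled
and nothing in sshd's own PAM file applies /etc/nologin.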
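
For the Solaris note above, a check that event number 32800 is free before
editing audit_event (an added example, not part of the OpenSSH
distribution). The function names and the sample entries are made up for
this example.

```sh
#!/bin/sh
# Added example; takes the audit_event path as an argument.

# aue_openssh_number FILE: print the event number to build OpenSSH with.
# Reuses an existing AUE_openssh entry, otherwise the lowest unused number
# from 32800 up to 65535 (end of the third-party range given above).
aue_openssh_number() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        $2 == "AUE_openssh"      { have = $1 + 0 }
                                 { used[$1 + 0] = 1 }
        END {
            if (have) { print have; exit 0 }
            for (n = 32800; n <= 65535; n++)
                if (!(n in used)) { print n; exit 0 }
            exit 1                             # range exhausted
        }
    ' "$1"
}

# aue_openssh_plan FILE: print the changes still needed, if any.
aue_openssh_plan() {
    n=$(aue_openssh_number "$1") || return 1
    grep -q "^[[:space:]]*$n:AUE_openssh:" "$1" ||
        echo "audit_event: $n:AUE_openssh:OpenSSH login:lo"
    [ "$n" -eq 32800 ] || echo "configure: --with-cflags=-DAUE_openssh=$n"
}

# Constructed sample: 32800 and 32801 already taken by made-up events.
tmp=$(mktemp -d)
cat > "$tmp/audit_event" <<'EOF'
# constructed excerpt
32769:AUE_example_c:Example app C:ap
32800:AUE_example_a:Example app A:ap
32801:AUE_example_b:Example app B:ap
EOF
aue_openssh_plan "$tmp/audit_event"
```

Whatever number ends up in audit_event has to match the one sshd was built
with, which is why the plan prints the configure flag whenever the number
differs from 32800.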