This file contains notes about OpenSSH on specific platforms.

AIX
---
Beginning with OpenSSH 3.8p1, sshd will honour an account's password
expiry settings, where prior to that it did not.  Because of this,
it's possible for sites that have used OpenSSH's sshd exclusively to
have accounts which have passwords expired longer than the inactive time
(ie the "Weeks between password EXPIRATION and LOCKOUT" setting in SMIT
or the maxexpired chuser attribute).

Accounts in this state must have their passwords reset manually by the
administrator.  As a precaution, it is recommended that the administrative
passwords be reset before upgrading from OpenSSH <3.8.

As of OpenSSH 4.0p1, configure will attempt to detect if your version
and maintenance level of AIX has a working getaddrinfo, and will use it
if found.  This will enable IPv6 support.  If for some reason configure
gets it wrong, or if you want to build binaries to work on earlier MLs
than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
to force the previous IPv4-only behaviour.

IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4

If you wish to use dynamic libraries that aren't in the normal system
locations (eg IBM's OpenSSL and zlib packages) then you will need to
define the environment variable blibpath before running configure, eg

	blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
	  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware

If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
by default) then sshd checks that users are permitted via the
loginrestrictions() function, in particular that the user has the
"rlogin" attribute set.  This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.

If you are using the IBM compiler you probably want to use CC=xlc rather
than the default of cc.


Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
openssl-devel, zlib, minires, minires-devel.


Darwin and MacOS X
------------------
Darwin does not provide a tun(4) driver required for OpenSSH-based
virtual private networks.  The BSD manpage still exists, but the driver
has been removed in recent releases of Darwin and MacOS X.

Tunnel support is known to work with Darwin 8 and MacOS X 10.4 in
Point-to-Point (Layer 3) and Ethernet (Layer 2) mode using a third
party driver.  More information is available at:
	https://tuntaposx.sourceforge.net

Recent Darwin/MacOS X versions are likely unsupported.


Linux
-----
Some Linux distributions (including Red Hat/Fedora/CentOS) include
headers and library links in the -devel RPMs rather than the main
binary RPMs.  If you get an error about headers, or one complaining
about a missing prerequisite, then you may need to install the equivalent
development packages.  On Red Hat based distros these may be openssl-devel,
zlib-devel and pam-devel, on Debian based distros these may be
libssl-dev, libz-dev and libpam-dev.


Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output.  The following line needs to be
added to /etc/security/audit_event:

	32800:AUE_openssh:OpenSSH login:lo

The BSM audit event range available for third party TCB applications is
32768 - 65535.  Event number 32800 has been chosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by running configure with --with-cflags=-DAUE_openssh=32801 then rebuilding.


Platforms using PAM
-------------------
As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
PAM is enabled.
To maintain existing behaviour, pam_nologin should be
added to sshd's session stack which will prevent users from starting shell
sessions.  Alternatively, pam_nologin can be added to either the auth or
account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.
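
An added example (not part of the OpenSSH distribution) for the PAM note
above: a shell check that reports which stacks of a PAM service file
reference pam_nologin, and which of the behaviours described above that
placement gives.  The function names, verdict strings and sample file are
constructed here; include/substack lines are not followed.

```shell
#!/bin/sh
# Added example: where does pam_nologin sit in the PAM service file for sshd?
# Typical argument: /etc/pam.d/sshd (assumption; the path varies by platform).

# Print each stack type that references pam_nologin, sorted, one per line.
nologin_stacks() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and incomplete lines
        {
            type = $1
            sub(/^-/, "", type)            # a leading "-" only silences missing-module logs
            if (type !~ /^(auth|account|session|password)$/) next
            # The control field may be a bracketed list containing spaces,
            # so search every field after it for the module name or path.
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_nologin\.so$/) { print type; break }
        }' "$1" | sort -u
}

# Map the placement to the behaviour described in the note above.
nologin_verdict() {
    stacks=$(nologin_stacks "$1")
    case "$stacks" in
        *auth*|*account*) echo "auth-blocked" ;;     # authentication refused, message returned
        *session*)        echo "session-blocked" ;;  # shell sessions refused
        *)                echo "not-enforced" ;;     # /etc/nologin no longer honoured
    esac
}

# Constructed sample service file (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd PAM service (constructed)
auth       required     pam_unix.so
account    required     pam_unix.so
#account   required     pam_nologin.so
-session   [success=ok default=bad]  /lib/security/pam_nologin.so
session    include      common-session
EOF
echo "pam_nologin stacks: $(nologin_stacks "$sample" | tr '\n' ' ')"
echo "verdict: $(nologin_verdict "$sample")"
rm -f "$sample"
```

A "not-enforced" verdict on a host running sshd 4.3p1 or later with PAM
enabled means /etc/nologin is not being applied to SSH logins unless an
included file adds the module.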