Diffstat (limited to 'INSTALL')
-rw-r--r-- | INSTALL | 22 |
1 files changed, 12 insertions, 10 deletions
@@ -14,8 +14,9 @@ Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): | |||
14 | http://www.gzip.org/zlib/ | 14 | http://www.gzip.org/zlib/ |
15 | 15 | ||
16 | libcrypto from either of: | 16 | libcrypto from either of: |
17 | - LibreSSL (http://www.libressl.org/) | 17 | - LibreSSL (https://www.libressl.org/) |
18 | - OpenSSL 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g (http://www.openssl.org/) | 18 | - OpenSSL (https://www.openssl.org) with any of the following versions: |
19 | - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 | ||
19 | 20 | ||
20 | LibreSSL/OpenSSL should be compiled as a position-independent library | 21 | LibreSSL/OpenSSL should be compiled as a position-independent library |
21 | (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. | 22 | (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. |
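Review bot: The zlib link in the unchanged context (new line 14) still uses http://www.gzip.org/zlib/ while both libcrypto links in this hunk move to https, so the prerequisites list now mixes schemes; consider updating it in the same change if the site serves HTTPS. The new OpenSSL URL also drops the trailing slash that the LibreSSL URL keeps. The version line "1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1" would be easier to read with one range per line.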
@@ -23,23 +24,28 @@ If you must use a non-position-independent libcrypto, then you may need | |||
23 | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit | 24 | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit |
24 | OpenSSL 1.1 versions prior to 1.1.0g can't be used. | 25 | OpenSSL 1.1 versions prior to 1.1.0g can't be used. |
25 | 26 | ||
27 | To support Privilege Separation (which is now required) you will need | ||
28 | to create the user, group and directory used by sshd for privilege | ||
29 | separation. See README.privsep for details. | ||
30 | |||
26 | The remaining items are optional. | 31 | The remaining items are optional. |
27 | 32 | ||
28 | NB. If you operating system supports /dev/random, you should configure | 33 | NB. If you operating system supports /dev/random, you should configure |
29 | libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's | 34 | libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's |
30 | direct support of /dev/random, or failing that, either prngd or egd | 35 | direct support of /dev/random, or failing that, either prngd or egd. |
31 | 36 | ||
32 | PRNGD: | 37 | PRNGD: |
33 | 38 | ||
34 | If your system lacks kernel-based random collection, the use of Lutz | 39 | If your system lacks kernel-based random collection, the use of Lutz |
35 | Jaenicke's PRNGd is recommended. | 40 | Jaenicke's PRNGd is recommended. It requires that libcrypto be configured |
41 | to support it. | ||
36 | 42 | ||
37 | http://prngd.sourceforge.net/ | 43 | http://prngd.sourceforge.net/ |
38 | 44 | ||
39 | EGD: | 45 | EGD: |
40 | 46 | ||
41 | If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is | 47 | The Entropy Gathering Daemon (EGD) suppports the same interface as prngd. |
42 | supported only if libcrypto supports it. | 48 | It also supported only if libcrypto is configured to support it. |
43 | 49 | ||
44 | http://egd.sourceforge.net/ | 50 | http://egd.sourceforge.net/ |
45 | 51 | ||
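Review bot: The new EGD paragraph (new lines 47-48) has two typos: "suppports" should be "supports", and "It also supported only if" is missing a verb ("It is also supported only if"). Since the NB paragraph is already being edited to add the full stop, the context line "If you operating system supports /dev/random" could be corrected to "your" in the same change. The rewritten EGD text also drops the earlier condition "If the kernel lacks /dev/random"; if that is intentional, the commit message should say so.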
@@ -131,10 +137,6 @@ make install | |||
131 | This will install the binaries in /opt/{bin,lib,sbin}, but will place the | 137 | This will install the binaries in /opt/{bin,lib,sbin}, but will place the |
132 | configuration files in /etc/ssh. | 138 | configuration files in /etc/ssh. |
133 | 139 | ||
134 | If you are using Privilege Separation (which is enabled by default) | ||
135 | then you will also need to create the user, group and directory used by | ||
136 | sshd for privilege separation. See README.privsep for details. | ||
137 | |||
138 | If you are using PAM, you may need to manually install a PAM control | 140 | If you are using PAM, you may need to manually install a PAM control |
139 | file as "/etc/pam.d/sshd" (or wherever your system prefers to keep | 141 | file as "/etc/pam.d/sshd" (or wherever your system prefers to keep |
140 | them). Note that the service name used to start PAM is __progname, | 142 | them). Note that the service name used to start PAM is __progname, |
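Review bot: With the privilege separation paragraph removed from after the "make install" text (old lines 134-136), the requirement is now stated only in the prerequisites block added at new lines 27-29, so a reader who goes straight to the build and install steps no longer sees it. Because the new wording says it is "now required", consider keeping a one-line pointer to README.privsep at this spot as well.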