diff options
Diffstat (limited to 'INSTALL')
| -rw-r--r-- | INSTALL | 44 |
1 files changed, 30 insertions, 14 deletions
| @@ -7,28 +7,35 @@ options. Some notes about specific compilers: | |||
| 7 | - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime | 7 | - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime |
| 8 | (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) | 8 | (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) |
| 9 | 9 | ||
| 10 | You will need working installations of Zlib and libcrypto (LibreSSL / | 10 | To support Privilege Separation (which is now required) you will need |
| 11 | OpenSSL) | 11 | to create the user, group and directory used by sshd for privilege |
| 12 | separation. See README.privsep for details. | ||
| 13 | |||
| 12 | 14 | ||
| 15 | The remaining items are optional. | ||
| 16 | |||
| 17 | A working installation of zlib: | ||
| 13 | Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): | 18 | Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): |
| 14 | http://www.gzip.org/zlib/ | 19 | http://www.gzip.org/zlib/ |
| 15 | 20 | ||
| 16 | libcrypto from either of: | 21 | libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto |
| 22 | is supported but severely restricts the avilable ciphers and algorithms. | ||
| 17 | - LibreSSL (https://www.libressl.org/) | 23 | - LibreSSL (https://www.libressl.org/) |
| 18 | - OpenSSL (https://www.openssl.org) with any of the following versions: | 24 | - OpenSSL (https://www.openssl.org) with any of the following versions: |
| 19 | - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 | 25 | - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 |
| 20 | 26 | ||
| 21 | LibreSSL/OpenSSL should be compiled as a position-independent library | 27 | Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to |
| 22 | (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. | 28 | 1.1.0g can't be used. |
| 23 | If you must use a non-position-independent libcrypto, then you may need | ||
| 24 | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit | ||
| 25 | OpenSSL 1.1 versions prior to 1.1.0g can't be used. | ||
| 26 | 29 | ||
| 27 | To support Privilege Separation (which is now required) you will need | 30 | LibreSSL/OpenSSL should be compiled as a position-independent library |
| 28 | to create the user, group and directory used by sshd for privilege | 31 | (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" |
| 29 | separation. See README.privsep for details. | 32 | or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not |
| 33 | be able to link with it. If you must use a non-position-independent | ||
| 34 | libcrypto, then you may need to configure OpenSSH --without-pie. | ||
| 30 | 35 | ||
| 31 | The remaining items are optional. | 36 | If you build either from source, running the OpenSSL self-test ("make |
| 37 | tests") or the LibreSSL equivalent ("make check") and ensuring that all | ||
| 38 | tests pass is strongly recommended. | ||
| 32 | 39 | ||
| 33 | NB. If you operating system supports /dev/random, you should configure | 40 | NB. If you operating system supports /dev/random, you should configure |
| 34 | libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's | 41 | libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's |
| @@ -53,7 +60,7 @@ PAM: | |||
| 53 | 60 | ||
| 54 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your | 61 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your |
| 55 | system supports it. PAM is standard most Linux distributions, Solaris, | 62 | system supports it. PAM is standard most Linux distributions, Solaris, |
| 56 | HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. | 63 | HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X. |
| 57 | 64 | ||
| 58 | Information about the various PAM implementations are available: | 65 | Information about the various PAM implementations are available: |
| 59 | 66 | ||
| @@ -110,6 +117,15 @@ If you are making significant changes to the code you may need to rebuild | |||
| 110 | the dependency (.depend) file using "make depend", which requires the | 117 | the dependency (.depend) file using "make depend", which requires the |
| 111 | "makedepend" tool from the X11 distribution. | 118 | "makedepend" tool from the X11 distribution. |
| 112 | 119 | ||
| 120 | libfido2: | ||
| 121 | |||
| 122 | libfido2 allows the use of hardware security keys over USB. libfido2 | ||
| 123 | in turn depends on libcbor. | ||
| 124 | |||
| 125 | https://github.com/Yubico/libfido2 | ||
| 126 | https://github.com/pjk/libcbor | ||
| 127 | |||
| 128 | |||
| 113 | 2. Building / Installation | 129 | 2. Building / Installation |
| 114 | -------------------------- | 130 | -------------------------- |
| 115 | 131 | ||
| @@ -236,7 +252,7 @@ to generate keys for all supported types. | |||
| 236 | 252 | ||
| 237 | Replacing /etc/ssh with the correct path to the configuration directory. | 253 | Replacing /etc/ssh with the correct path to the configuration directory. |
| 238 | (${prefix}/etc or whatever you specified with --sysconfdir during | 254 | (${prefix}/etc or whatever you specified with --sysconfdir during |
| 239 | configuration) | 255 | configuration). |
| 240 | 256 | ||
| 241 | If you have configured OpenSSH with EGD support, ensure that EGD is | 257 | If you have configured OpenSSH with EGD support, ensure that EGD is |
| 242 | running and has collected some Entropy. | 258 | running and has collected some Entropy. |