1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
1. Prerequisites
----------------
You will need working installations of Zlib and OpenSSL.
Zlib:
http://www.cdrom.com/pub/infozip/zlib/
OpenSSL:
http://www.openssl.org/
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
supports it. PAM is standard on Redhat and Debian Linux and on Solaris.
PAM:
http://www.kernel.org/pub/linux/libs/pam/
If you wish to build the GNOME passphrase requestor, you will need the GNOME
libraries and headers.
GNOME:
http://www.gnome.org/
If you are planning to use OpenSSH on a Unix which lacks a Kernel random
number generator (/dev/urandom), you will need to install the Entropy
Gathering Daemon (or similar). You will also need to specify the
--with-egd-pool option to ./configure.
EGD:
http://www.lothar.com/tech/crypto/
2. Building / Installation
--------------------------
To install OpenSSH with default options:
./configure
make
make install
This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:
./configure --prefix=/opt
make
make install
Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.
If you are using PAM, you will need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). A generic PAM configuration is included as "sshd.pam.generic",
you may need to edit it before using it on your system.
There are a few other options to the configure script:
--enable-gnome-askpass will build the GNOME passphrase dialog. You
need a working installation of GNOME, including the development
headers, for this to work.
--with-random=/some/file allows you to specify an alternate source of
random numbers (the default is /dev/urandom). Unless you are absolutly
sure of what you are doing, it is best to leave this alone.
--with-egd-pool=/some/file allows you to enable Entropy Gathering
Daemon support and to specify a EGD pool socket. You will need to
use this if your Unix does not support the /dev/urandom device (or
similar).
--without-askpass will disable X11 password requestor support in
ssh-add
--with-kerberos4 will enable Kerberos IV support. You will need to
have the Kerberos libraries and header files installed for this to
work.
--with-afs will enable AFS support. You will need to have the Kerberos
IV and the AFS libraries and header files installed for this to work.
--with-skey will enable S/Key one time password support. You will need
the S/Key libraries and header files installed for this to work.
--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
support. You will need libwrap.a and tcpd.h installed.
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords without using PAM.
3. Configuration
----------------
The runtime configuration files are installed by in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).
The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.
To generate a host key, issue the following command: (replacing
/etc/ssh/ssh_host_key with an appropriate path)
/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.
|