11. Prerequisites 2---------------- 3 4A C compiler. Any C89 or better compiler should work. Where supported, 5configure will attempt to enable the compiler's run-time integrity checking 6options. Some notes about specific compilers: 7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime 8 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) 9 10You will need working installations of Zlib and libcrypto (LibreSSL / 11OpenSSL) 12 13Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): 14http://www.gzip.org/zlib/ 15 16libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0) 17LibreSSL http://www.libressl.org/ ; or 18OpenSSL http://www.openssl.org/ 19 20LibreSSL/OpenSSL should be compiled as a position-independent library 21(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. 22If you must use a non-position-independent libcrypto, then you may need 23to configure OpenSSH --without-pie. Note that because of API changes, 24OpenSSL 1.1.x is not currently supported. 25 26The remaining items are optional. 27 28NB. If you operating system supports /dev/random, you should configure 29libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's 30direct support of /dev/random, or failing that, either prngd or egd 31 32PRNGD: 33 34If your system lacks kernel-based random collection, the use of Lutz 35Jaenicke's PRNGd is recommended. 36 37http://prngd.sourceforge.net/ 38 39EGD: 40 41If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is 42supported only if libcrypto supports it. 43 44http://egd.sourceforge.net/ 45 46PAM: 47 48OpenSSH can utilise Pluggable Authentication Modules (PAM) if your 49system supports it. PAM is standard most Linux distributions, Solaris, 50HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. 51 52Information about the various PAM implementations are available: 53 54Solaris PAM: http://www.sun.com/software/solaris/pam/ 55Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ 56OpenPAM: http://www.openpam.org/ 57 58If you wish to build the GNOME passphrase requester, you will need the GNOME 59libraries and headers. 60 61GNOME: 62http://www.gnome.org/ 63 64Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11 65passphrase requester. This is maintained separately at: 66 67http://www.jmknoble.net/software/x11-ssh-askpass/ 68 69S/Key Libraries: 70 71If you wish to use --with-skey then you will need the library below 72installed. No other S/Key library is currently known to be supported. 73 74http://www.sparc.spb.su/solaris/skey/ 75 76LibEdit: 77 78sftp supports command-line editing via NetBSD's libedit. If your platform 79has it available natively you can use that, alternatively you might try 80these multi-platform ports: 81 82http://www.thrysoee.dk/editline/ 83http://sourceforge.net/projects/libedit/ 84 85LDNS: 86 87LDNS is a DNS BSD-licensed resolver library which supports DNSSEC. 88 89http://nlnetlabs.nl/projects/ldns/ 90 91Autoconf: 92 93If you modify configure.ac or configure doesn't exist (eg if you checked 94the code out of CVS yourself) then you will need autoconf-2.69 to rebuild 95the automatically generated files by running "autoreconf". Earlier 96versions may also work but this is not guaranteed. 97 98http://www.gnu.org/software/autoconf/ 99 100Basic Security Module (BSM): 101 102Native BSM support is know to exist in Solaris from at least 2.5.1, 103FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM 104implementation (http://www.openbsm.org). 105 106 1072. Building / Installation 108-------------------------- 109 110To install OpenSSH with default options: 111 112./configure 113make 114make install 115 116This will install the OpenSSH binaries in /usr/local/bin, configuration files 117in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different 118installation prefix, use the --prefix option to configure: 119 120./configure --prefix=/opt 121make 122make install 123 124Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override 125specific paths, for example: 126 127./configure --prefix=/opt --sysconfdir=/etc/ssh 128make 129make install 130 131This will install the binaries in /opt/{bin,lib,sbin}, but will place the 132configuration files in /etc/ssh. 133 134If you are using Privilege Separation (which is enabled by default) 135then you will also need to create the user, group and directory used by 136sshd for privilege separation. See README.privsep for details. 137 138If you are using PAM, you may need to manually install a PAM control 139file as "/etc/pam.d/sshd" (or wherever your system prefers to keep 140them). Note that the service name used to start PAM is __progname, 141which is the basename of the path of your sshd (e.g., the service name 142for /usr/sbin/osshd will be osshd). If you have renamed your sshd 143executable, your PAM configuration may need to be modified. 144 145A generic PAM configuration is included as "contrib/sshd.pam.generic", 146you may need to edit it before using it on your system. If you are 147using a recent version of Red Hat Linux, the config file in 148contrib/redhat/sshd.pam should be more useful. Failure to install a 149valid PAM file may result in an inability to use password 150authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf 151configuration will work with sshd (sshd will match the other service 152name). 153 154There are a few other options to the configure script: 155 156--with-audit=[module] enable additional auditing via the specified module. 157Currently, drivers for "debug" (additional info via syslog) and "bsm" 158(Sun's Basic Security Module) are supported. 159 160--with-pam enables PAM support. If PAM support is compiled in, it must 161also be enabled in sshd_config (refer to the UsePAM directive). 162 163--with-prngd-socket=/some/file allows you to enable EGD or PRNGD 164support and to specify a PRNGd socket. Use this if your Unix lacks 165/dev/random and you don't want to use OpenSSH's builtin entropy 166collection support. 167 168--with-prngd-port=portnum allows you to enable EGD or PRNGD support 169and to specify a EGD localhost TCP port. Use this if your Unix lacks 170/dev/random and you don't want to use OpenSSH's builtin entropy 171collection support. 172 173--with-lastlog=FILE will specify the location of the lastlog file. 174./configure searches a few locations for lastlog, but may not find 175it if lastlog is installed in a different place. 176 177--without-lastlog will disable lastlog support entirely. 178 179--with-osfsia, --without-osfsia will enable or disable OSF1's Security 180Integration Architecture. The default for OSF1 machines is enable. 181 182--with-skey=PATH will enable S/Key one time password support. You will 183need the S/Key libraries and header files installed for this to work. 184 185--with-md5-passwords will enable the use of MD5 passwords. Enable this 186if your operating system uses MD5 passwords and the system crypt() does 187not support them directly (see the crypt(3/3c) man page). If enabled, the 188resulting binary will support both MD5 and traditional crypt passwords. 189 190--with-utmpx enables utmpx support. utmpx support is automatic for 191some platforms. 192 193--without-shadow disables shadow password support. 194 195--with-ipaddr-display forces the use of a numeric IP address in the 196$DISPLAY environment variable. Some broken systems need this. 197 198--with-default-path=PATH allows you to specify a default $PATH for sessions 199started by sshd. This replaces the standard path entirely. 200 201--with-pid-dir=PATH specifies the directory in which the sshd.pid file is 202created. 203 204--with-xauth=PATH specifies the location of the xauth binary 205 206--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL 207libraries 208are installed. 209 210--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support 211 212--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to 213real (AF_INET) IPv4 addresses. Works around some quirks on Linux. 214 215If you need to pass special options to the compiler or linker, you 216can specify these as environment variables before running ./configure. 217For example: 218 219CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 220 2213. Configuration 222---------------- 223 224The runtime configuration files are installed by in ${prefix}/etc or 225whatever you specified as your --sysconfdir (/usr/local/etc by default). 226 227The default configuration should be instantly usable, though you should 228review it to ensure that it matches your security requirements. 229 230To generate a host key, run "make host-key". Alternately you can do so 231manually using the following commands: 232 233 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" 234 235for each of the types you wish to generate (rsa, dsa or ecdsa) or 236 237 ssh-keygen -A 238 239to generate keys for all supported types. 240 241Replacing /etc/ssh with the correct path to the configuration directory. 242(${prefix}/etc or whatever you specified with --sysconfdir during 243configuration) 244 245If you have configured OpenSSH with EGD support, ensure that EGD is 246running and has collected some Entropy. 247 248For more information on configuration, please refer to the manual pages 249for sshd, ssh and ssh-agent. 250 2514. (Optional) Send survey 252------------------------- 253 254$ make survey 255[check the contents of the file "survey" to ensure there's no information 256that you consider sensitive] 257$ make send-survey 258 259This will send configuration information for the currently configured 260host to a survey address. This will help determine which configurations 261are actually in use, and what valid combinations of configure options 262exist. The raw data is available only to the OpenSSH developers, however 263summary data may be published. 264 2655. Problems? 266------------ 267 268If you experience problems compiling, installing or running OpenSSH. 269Please refer to the "reporting bugs" section of the webpage at 270https://www.openssh.com/ 271