OpenSSH-5.9p1

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS-7.0 platform.
Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd
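The following is an added check, not part of the BLFS page, that verifies the privilege-separation environment created by the commands above: the chroot directory must be root-owned, mode 700 and empty, and the sshd account must have the uid, gid, home and non-login shell given to useradd. The owner uid and the passwd file are parameters (assumed names check_privsep_dir and check_privsep_user) so the functions can also be exercised against a scratch directory and a constructed passwd file; on a real host run them as check_privsep_dir /var/lib/sshd 0 and check_privsep_user sshd /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the BLFS page): verify the sshd privilege-separation
# setup. The unprivileged child is chrooted into DIR, so DIR must be owned by
# root, mode 700 and empty; the sshd account must be a locked system account.

# check_privsep_dir DIR OWNER_UID -> 0 if DIR is mode 700, owned by OWNER_UID, empty
check_privsep_dir() {
    dir=$1 want_uid=$2
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    set -- $(stat -c '%a %u' "$dir")   # GNU stat: octal mode, numeric owner uid
    [ "$1" = 700 ] || { echo "$dir: mode $1, expected 700"; return 1; }
    [ "$2" = "$want_uid" ] || { echo "$dir: owner uid $2, expected $want_uid"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must be empty"; return 1; }
}

# check_privsep_user NAME PASSWD_FILE -> 0 if NAME has uid 50, gid 50,
# home /var/lib/sshd and a non-login shell, as created by the useradd above
check_privsep_user() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($3 != 50 || $4 != 50) { print u ": uid/gid " $3 "/" $4 ", expected 50/50"; bad = 1 }
            if ($6 != "/var/lib/sshd") { print u ": home " $6 ", expected /var/lib/sshd"; bad = 1 }
            if ($7 != "/bin/false" && $7 !~ /nologin$/) { print u ": login shell " $7; bad = 1 }
        }
        END { if (!found) { print u ": no such account"; bad = 1 }; exit bad }' "$2"
}
```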
OpenSSH is very sensitive to changes in the linked OpenSSL libraries. If you recompile OpenSSL, OpenSSH may fail to start up. An alternative is to link against the static OpenSSL library. To link against the static library, execute the following command:

sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure
Install OpenSSH by running the following commands:

sed -i.bak '/K5LIBS=/s/ -ldes//' configure &&
./configure --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --datadir=/usr/share/sshd \
    --libexecdir=/usr/lib/openssh \
    --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &&
make
If you linked tcp_wrappers into the build using the --with-tcp-wrappers parameter, ensure you add 127.0.0.1 to the sshd line in /etc/hosts.allow if you have a restrictive /etc/hosts.deny file, or the test suite will fail. Additionally, the test suite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.

To run the test suite, issue the following commands:

make tests 2>&1 | tee check.log
grep FATAL check.log

If the above command produces no 'FATAL' errors, then proceed with the installation, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/openssh-5.9p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* \
    /usr/share/doc/openssh-5.9p1
Command Explanations

sed -i.bak '/K5LIBS=/s/ -ldes//' configure: This command fixes a build crash if you used the --with-kerberos5 parameter and you built the Heimdal package in accordance with the BLFS instructions. The command is harmless in all other instances.

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--datadir=/usr/share/sshd: This switch puts the Ssh.bin file (used for SmartCard authentication) in /usr/share/sshd.

--with-md5-passwords: This is required with the default configuration of the Shadow password suite in LFS.

--libexecdir=/usr/lib/openssh: This parameter changes the installation path of some programs to /usr/lib/openssh instead of /usr/libexec.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Heimdal support in the build.
Configuring OpenSSH

If you are only going to use the ssh or scp clients, no configuration or boot scripts are required.

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you added LinuxPAM support, then you will need to add a configuration file for sshd and enable use of LinuxPAM. Issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "USEPAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.
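The two echo commands above append to sshd_config, which is fine on a fresh file but has a caveat worth checking: sshd uses the first value it finds for each keyword, and a Match block extends to the end of the file, so an appended PermitRootLogin no is silently ineffective if the file already sets PermitRootLogin earlier or ends with a Match block. The following added helpers (not from the BLFS page; effective_value and set_sshd_option are assumed names) report the value sshd will actually use and set a keyword so that it is the first global definition, covering both the PermitRootLogin and the UsePAM change.

```shell
#!/bin/sh
# Added example (not from the BLFS page). sshd_config semantics assumed here:
# first occurrence of a keyword wins, keywords are case-insensitive, and a
# "Match" line starts a conditional block that runs to the end of the file.

# effective_value FILE KEYWORD -> prints the global value sshd would use
# (prints nothing if the keyword is unset, i.e. sshd's default applies)
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        tolower(line) ~ /^match([[:space:]]|$)/ { exit }   # global scope ends here
        line ~ /^#/ || line == "" { next }                 # comments and blank lines
        {
            n = split(line, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# set_sshd_option FILE KEYWORD VALUE -> makes "KEYWORD VALUE" the effective
# global setting: it is written on line 1 (first occurrence wins, and line 1
# can never be inside a Match block) and any older global definition of the
# same keyword is dropped so the file has one unambiguous setting. Lines
# inside Match blocks and commented-out lines are left untouched.
set_sshd_option() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v out="$key $val" '
        BEGIN { print out; key = tolower(key); inmatch = 0 }
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        tolower(line) ~ /^match([[:space:]]|$)/ { inmatch = 1 }
        {
            split(line, f, /[[:space:]=]+/)
            if (!inmatch && line !~ /^#/ && tolower(f[1]) == key) next
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Usage on a real system: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no, then confirm with effective_value /etc/ssh/sshd_config PermitRootLogin and sshd -t before restarting the daemon.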
Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20111226 package.

make install-sshd
Contents

Installed Programs: scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan, and ssh-keysign

Installed Libraries: None

Installed Directories: /etc/ssh, /var/lib/sshd, /usr/lib/openssh, and /usr/share/doc/openssh-5.9p1
Short Descriptions

scp: is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp: is an FTP-like program that works over SSH1 and SSH2 protocols.

sftp-server: is an SFTP server subsystem. This program is not normally called directly by the user.

slogin: is a symlink to ssh.

ssh: is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd: is a daemon that listens for ssh login requests.

ssh-add: is a tool which adds keys to the ssh-agent.

ssh-agent: is an authentication agent that can store private keys.

ssh-keygen: is a key generation tool.

ssh-keyscan: is a utility for gathering public host keys from a number of hosts.

ssh-keysign: is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. This program is not normally called directly by the user.
Last updated on 2011-10-20 01:45:13 +0000