1. Prerequisites
----------------

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL)

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie.

The remaining items are optional.

NB. If your operating system supports /dev/random, you should configure
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
direct support of /dev/random, or failing that, either prngd or egd.

PRNGD:

If your system lacks kernel-based random collection, the use of Lutz
Jaenicke's PRNGd is recommended.

http://prngd.sourceforge.net/

EGD:

If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
supported only if libcrypto supports it.

http://egd.sourceforge.net/

PAM:

OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
system supports it. PAM is standard on most Linux distributions, Solaris,
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.

Information about the various PAM implementations is available:

Solaris PAM: http://www.sun.com/software/solaris/pam/
Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
OpenPAM: http://www.openpam.org/

If you wish to build the GNOME passphrase requester, you will need the GNOME
libraries and headers.

GNOME:
http://www.gnome.org/

Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester.
This is maintained separately at:

http://www.jmknoble.net/software/x11-ssh-askpass/

S/Key Libraries:

If you wish to use --with-skey then you will need the library below
installed. No other S/Key library is currently known to be supported.

http://www.sparc.spb.su/solaris/skey/

LibEdit:

sftp supports command-line editing via NetBSD's libedit. If your platform
has it available natively you can use that; alternatively you might try
these multi-platform ports:

http://www.thrysoee.dk/editline/
http://sourceforge.net/projects/libedit/

LDNS:

LDNS is a BSD-licensed DNS resolver library which supports DNSSEC.

http://nlnetlabs.nl/projects/ldns/

Autoconf:

If you modify configure.ac or configure doesn't exist (e.g. if you checked
the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
the automatically generated files by running "autoreconf". Earlier
versions may also work but this is not guaranteed.

http://www.gnu.org/software/autoconf/

Basic Security Module (BSM):

Native BSM support is known to exist in Solaris from at least 2.5.1,
FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
implementation (http://www.openbsm.org).


2. Building / Installation
--------------------------

To install OpenSSH with default options:

./configure
make
make install

This will install the OpenSSH binaries in /usr/local/bin, configuration files
in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
installation prefix, use the --prefix option to configure:

./configure --prefix=/opt
make
make install

This will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
specific paths, for example:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install

This will install the binaries in /opt/{bin,lib,sbin}, but will place the
configuration files in /etc/ssh.

If you are using Privilege Separation (which is enabled by default)
then you will also need to create the user, group and directory used by
sshd for privilege separation. See README.privsep for details.

If you are using PAM, you may need to manually install a PAM control
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
them). Note that the service name used to start PAM is __progname,
which is the basename of the path of your sshd (e.g., the service name
for /usr/sbin/osshd will be osshd). If you have renamed your sshd
executable, your PAM configuration may need to be modified.

A generic PAM configuration is included as "contrib/sshd.pam.generic";
you may need to edit it before using it on your system. If you are
using a recent version of Red Hat Linux, the config file in
contrib/redhat/sshd.pam should be more useful. Failure to install a
valid PAM file may result in an inability to use password
authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
configuration will work with sshd (sshd will match the other service
name).

There are a few other options to the configure script:

--with-audit=[module] enables additional auditing via the specified module.
Currently, drivers for "debug" (additional info via syslog) and "bsm"
(Sun's Basic Security Module) are supported.

--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify an EGD localhost TCP port.
Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

--without-lastlog will disable lastlog support entirely.

--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is to enable it.

--with-skey=PATH will enable S/Key one time password support. You will
need the S/Key libraries and header files installed for this to work.

--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
resulting binary will support both MD5 and traditional crypt passwords.

--with-utmpx enables utmpx support. utmpx support is automatic for
some platforms.

--without-shadow disables shadow password support.

--with-ipaddr-display forces the use of a numeric IP address in the
$DISPLAY environment variable. Some broken systems need this.

--with-default-path=PATH allows you to specify a default $PATH for sessions
started by sshd. This replaces the standard path entirely.

--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
created.

--with-xauth=PATH specifies the location of the xauth binary.

--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
libraries are installed.

--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support.

--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
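
The PAM requirements described earlier in this section (a control file
named after the basename of the sshd binary, the "other" fallback in
pam.conf, and UsePAM in sshd_config) can be checked with a short script.
This is an added example, not part of the OpenSSH distribution; the function
names, the constructed demo files and the assumption that sshd_config is a
single file of whitespace-separated "keyword value" lines are assumptions of
the example.

```shell
#!/bin/sh
# Added example (not from OpenSSH): read-only check of PAM wiring for sshd.

# PAM service name is the basename of the sshd path (__progname).
pam_service_name() { basename "$1"; }

# Succeeds if sshd_config ($1) sets "UsePAM yes". Assumes one file with
# whitespace-separated "keyword value" lines; the first value read wins.
use_pam_enabled() {
    awk 'tolower($1) == "usepam" { v = tolower($2); exit }
         END { exit (v != "yes") }' "$1"
}

# Prints the file that supplies PAM rules for sshd ($1), looking in the
# pam.d directory ($2), then in a pam.conf style file ($3) for the service
# name or the "other" fallback. Fails if neither has an entry.
pam_rules_source() {
    svc=$(pam_service_name "$1")
    if [ -s "$2/$svc" ]; then echo "$2/$svc"; return 0; fi
    if [ -r "$3" ] && awk -v s="$svc" \
        '$1 == s || $1 == "other" { f = 1 } END { exit !f }' "$3"; then
        echo "$3"; return 0
    fi
    return 1
}

# Args: sshd path, sshd_config, pam.d directory, pam.conf path.
check_sshd_pam() {
    rc=0
    use_pam_enabled "$2" || { echo "warn: UsePAM not enabled in $2"; rc=1; }
    if src=$(pam_rules_source "$1" "$3" "$4"); then
        echo "ok: service '$(pam_service_name "$1")' uses $src"
    else
        echo "warn: no PAM rules for '$(pam_service_name "$1")'"; rc=1
    fi
    return $rc
}

# Constructed demo: a renamed binary (osshd) with only an "sshd" control file.
demo() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 2
    echo "auth required pam_unix.so" > "$d/pam.d/sshd"
    echo "UsePAM yes" > "$d/sshd_config"
    check_sshd_pam /usr/sbin/osshd "$d/sshd_config" "$d/pam.d" "$d/pam.conf"
    status=$?
    rm -rf "$d"
    return $status
}
demo || true
```

The demo reports a missing rule set for osshd, which is the renamed-binary
case the text above warns about.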

If you need to pass special options to the compiler or linker, you
can specify these as environment variables before running ./configure.
For example:

CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

3. Configuration
----------------

The runtime configuration files are installed in ${prefix}/etc or
whatever you specified as your --sysconfdir (/usr/local/etc by default).

The default configuration should be instantly usable, though you should
review it to ensure that it matches your security requirements.

To generate a host key, run "make host-key". Alternatively you can do so
manually using the following commands:

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

Replace /etc/ssh with the correct path to the configuration directory
(${prefix}/etc or whatever you specified with --sysconfdir during
configuration).

If you have configured OpenSSH with EGD support, ensure that EGD is
running and has collected some entropy.

For more information on configuration, please refer to the manual pages
for sshd, ssh and ssh-agent.

4. (Optional) Send survey
-------------------------

$ make survey
[check the contents of the file "survey" to ensure there's no information
that you consider sensitive]
$ make send-survey

This will send configuration information for the currently configured
host to a survey address. This will help determine which configurations
are actually in use, and what valid combinations of configure options
exist. The raw data is available only to the OpenSSH developers, however
summary data may be published.

5. Problems?
------------

If you experience problems compiling, installing or running OpenSSH,
please refer to the "reporting bugs" section of the webpage at
http://www.openssh.com/


$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $