Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network.

Package Information

OpenSSH Dependencies




Linux-PAM-, TCP Wrapper-7.6, X Window System, MIT Kerberos V5-1.6 or Heimdal-0.7.2, JDK-1.5.0_10, Net-tools-1.60, Sysstat-6.0.2, OpenSC, and libsectok

User Notes:

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by the following commands:

install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd

OpenSSH is very sensitive to changes in the linked OpenSSL libraries. If you recompile OpenSSL, OpenSSH may fail to startup. An alternative is to link against the static OpenSSL library. To link against the static library, execute the following command:

sed -i "s:-lcrypto:/usr/lib/libcrypto.a -ldl:g" configure

Install OpenSSH by running the following commands:

sed -i "s/lkrb5 -ldes/lkrb5/" configure &&
./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd &&

If you linked tcp_wrappers into the build using the --with-tcp-wrappers parameter, ensure you add to the sshd line in /etc/hosts.allow if you have a restrictive /etc/hosts.deny file, or the test suite will fail. To run the test suite, issue: make -k tests.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/openssh-4.5p1 &&

Command Explanations

sed -i "s/lkrb5 -ldes/lkrb5/" configure: This command fixes a build crash if you used the --with-kerberos5 parameter and you built the Heimdal package in accordance with the BLFS instructions. The command is harmless in all other instances.

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This is required if you made the changes recommended by the shadowpasswd_plus LFS hint on your SSH server when you installed the Shadow Password Suite or if you access a SSH server that authenticates by user passwords encrypted with md5.

--libexecdir=/usr/lib/openssh: This parameter changes the installation path of some programs to /usr/lib/openssh instead of /usr/libexec.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20060910 package.

make install-sshd


Installed Programs: scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan, and ssh-keysign
Installed Libraries: None
Installed Directories: /etc/ssh, /var/lib/sshd and /usr/share/doc/openssh-4.5p1

Short Descriptions


is a file copy program that acts like rcp except it uses an encrypted protocol.


is an FTP-like program that works over SSH1 and SSH2 protocols.


is an SFTP server subsystem. This program is not normally called directly by the user.


is a symlink to ssh.


is an rlogin/rsh-like client program except it uses an encrypted protocol.


is a daemon that listens for ssh login requests.


is a tool which adds keys to the ssh-agent.


is an authentication agent that can store private keys.


is a key generation tool.


is a utility for gathering public host keys from a number of hosts.


is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. This program is not normally called directly by the user.

Last updated on 2007-01-13 19:30:49 -0600