OpenSSH-3.9p1

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network.

Package information

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by the following commands:

mkdir /var/empty &&
chown root:sys /var/empty &&
groupadd sshd &&
useradd -c 'sshd privsep' -d /var/empty -g sshd -s /bin/false sshd

OpenSSH is very sensitive to changes in the linked OpenSSL libraries. If you recompile OpenSSL, OpenSSH may fail to startup. An alternative is to link against the static OpenSSL library. To link against the static library, execute the following command:

sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure

Install OpenSSH by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/sbin --with-md5-passwords &&
make &&
make install

Command explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from going to /usr/etc.

--with-md5-passwords: This is required if you made the changes recommended by the shadowpasswd_plus LFS hint on your SSH server when you installed the Shadow Password Suite or if you access a SSH server that authenticates by user passwords encrypted with md5.

--libexecdir=/usr/sbin: OpenSSH installs programs called by programs in /usr/libexec. sftp-server is a sshd utility and ssh-askpass is a ssh-add utility that is installed as a link to X11-ssh-askpass. Both of these should go in /usr/sbin not /usr/libexec.

Configuring OpenSSH

Config files

/etc/ssh/ssh_config and /etc/ssh/sshd_config

There are no required changes to either of these files. However, you may wish to view them to make changes for appropriate security to your system. One recomended change is that you disable root login via ssh. Execute the following command to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent

sshd init.d script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-6.0 package.

make install-sshd

Contents

The OpenSSH package contains ssh, sshd, ssh-agent, ssh-add, sftp, scp, ssh-keygen, sftp-server and ssh-keyscan.

Description

ssh

The basic rlogin/rsh-like client program.

sshd

The daemon that listens for ssh login requests.

ssh-agent

An authentication agent that can store private keys.

ssh-add

Tool which adds keys to the ssh-agent.

sftp

FTP-like program that works over SSH1 and SSH2 protocols.

scp

File copy program that acts like rcp.

ssh-keygen

Key generation tool.

sftp-server

SFTP server subsystem.

ssh-keyscan

Utility for gathering public host keys from a number of hosts.

Last updated on 2005-02-12 00:50:52 -0700