Installation of OpenSSH
sshd runs as two processes when it accepts a connection
(privilege separation). The first process is a privileged
process running as root; it performs only the operations that need
privilege, such as verifying credentials and starting the user's
session. The second, unprivileged process runs as the dedicated
sshd user, chrooted into the empty directory
/var/lib/sshd, and handles the network traffic and protocol
parsing, so a flaw in that code cannot be used directly to obtain
root. Additional installation steps are necessary to set up this
environment, which are performed by issuing the following commands as the
root user:
install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
-s /bin/false -u 50 sshd
OpenSSH is very sensitive to
changes in the linked OpenSSL
libraries: at start-up it compares the OpenSSL version it was built
against with the one loaded at run time and exits on a mismatch. If you
recompile OpenSSL, OpenSSH may therefore fail to start up until it is rebuilt.
An alternative is to link against the static OpenSSL library. This avoids
the run-time mismatch, but it also means that OpenSSL security fixes
do not reach sshd until OpenSSH itself is rebuilt, so keep that in mind
when updating OpenSSL. To link against the static
library, execute the following command:
sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure
Install OpenSSH by running the
following commands:
./configure --prefix=/usr --sysconfdir=/etc/ssh --datadir=/usr/share/sshd \
--libexecdir=/usr/lib/openssh --with-md5-passwords \
--with-privsep-path=/var/lib/sshd &&
make
If you linked tcp_wrappers into
the build using the --with-tcp-wrappers
parameter, ensure you add 127.0.0.1 to the sshd line in
/etc/hosts.allow if you have a
restrictive /etc/hosts.deny file, or
the test suite will fail. Additionally, the test suite requires an
installed copy of scp
to complete the multiplexing tests, so before running it copy the
scp program to /usr/bin,
backing up any existing copy first.
Then issue the following commands:
make tests 2>&1 | tee check.log
grep FATAL check.log
If the above command produces no 'FATAL' errors, then proceed with
the installation, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/openssh-5.1p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
/usr/share/doc/openssh-5.1p1
Command Explanations
--sysconfdir=/etc/ssh: This
prevents the configuration files from being installed in
/usr/etc.
--datadir=/usr/share/sshd:
This switch puts the Ssh.bin file (used for SmartCard
authentication) in /usr/share/sshd.
--with-md5-passwords: This
is required with the default configuration of Shadow password suite
in LFS.
--libexecdir=/usr/lib/openssh: This
parameter changes the installation path of some programs to
/usr/lib/openssh instead of
/usr/libexec.
--with-pam: This parameter
enables Linux-PAM support in the
build.
--with-xauth=/usr/bin/xauth: Set the
default location for the xauth binary for X
authentication. Change the location if xauth will be installed to a
different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You
can omit this switch if Xorg is
already installed.
--with-kerberos5=/usr: This
option is used to include Heimdal support in the build.
Configuring OpenSSH
Config Files
~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config
There are no required changes to any of these files. However, you
may wish to view the /etc/ssh/
files and make any changes appropriate for the security of your
system. One recommended change is to disable root login via ssh.
Note that sshd uses the first value it reads for a keyword, and that
everything below a Match line belongs to that conditional block, so
the appended directive below only takes effect if no earlier
uncommented PermitRootLogin line exists and the file does not end in
a Match block; check the result and validate the file with
sshd -t before restarting the daemon. Execute the following
command as the root user to
disable root login via
ssh:
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
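The following is an added example, not from the BLFS book, of making such a change in a way that respects sshd's first-match rule: it replaces the first global occurrence of the keyword (commented out in the default file's "#Keyword value" style or not), otherwise inserts the directive just before the first Match block, and only appends when neither exists. The helper names set_sshd_option and effective_sshd_option are hypothetical, and the configuration content used in the demonstration is constructed, not a copy of the shipped file.

```shell
#!/bin/sh
# Added example (not from the BLFS book): set a keyword in an sshd_config
# without relying on "echo ... >> sshd_config".
#
# sshd takes the FIRST value it reads for a keyword, and lines below a
# "Match" line belong to that conditional block. A blindly appended directive
# is therefore ignored if an earlier uncommented line already sets the
# keyword, and applies only to the matched users/hosts if the file ends in a
# Match block.

# set_sshd_option FILE KEY VALUE: replace the first global line for KEY
# (commented as "#Key value" or not), else insert before the first Match
# block, else append. Edits FILE in place, keeping its owner and mode.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN {
            lkey = tolower(key)
            # a global line for this keyword, optionally commented out
            re = "^[ \t]*#?[ \t]*" lkey "([ \t]|$)"
            done = 0
        }
        # the first Match block ends the global section: emit the directive
        # here if it has not been placed yet, then print the Match line
        !done && tolower($0) ~ /^[ \t]*match([ \t]|$)/ { print key " " value; done = 1 }
        !done && tolower($0) ~ re { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    status=$?
    if [ "$status" -eq 0 ]; then
        cat "$tmp" > "$file"    # cat, not mv: preserves the file's permissions
        status=$?
    fi
    rm -f "$tmp"
    return "$status"
}

# effective_sshd_option FILE KEY: print the value sshd would use globally
# (first uncommented occurrence above any Match block), or nothing.
effective_sshd_option() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ /^[ \t]*match([ \t]|$)/ { exit }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == lkey { print $2; exit }
    ' "$1"
}

# Stand-alone demonstration on a constructed file in the style of the
# shipped sshd_config (never edit the live file without a backup).
cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' \
    'Match User backup' '    PermitRootLogin no' > "$cfg"
set_sshd_option "$cfg" PermitRootLogin no
echo "effective PermitRootLogin: $(effective_sshd_option "$cfg" PermitRootLogin)"
rm -f "$cfg"
```

After editing the real /etc/ssh/sshd_config, run sshd -t to have sshd parse the file before you restart the daemon; effective_sshd_option only reports what the global section says, it does not replace that check.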
If you added Linux-PAM support,
then you will need to add a configuration file for sshd and also set
UsePAM yes in /etc/ssh/sshd_config, since sshd does not consult PAM
unless that keyword is enabled. Issue the following commands as the
root user:
sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd
Additional configuration information can be found in the man
pages for sshd,
ssh and
ssh-agent.
Boot Script
To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in
the blfs-bootscripts-20090302 package.
make install-sshd