Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS 7.8-systemd platform.

Package Information

OpenSSH Dependencies


Required

OpenSSL-1.0.2f or LibreSSL Portable

Optional

Linux-PAM-1.2.1, X Window System, MIT Kerberos V5-1.14, libedit, OpenSC, and libsectok

Optional Runtime (Used only to gather entropy)

OpenJDK-, Net-tools-CVS_20101030, and Sysstat-11.2.0


Installation of OpenSSH



If reinstalling over an SSH connection to enable Linux-PAM-1.2.1 support, be certain to temporarily set PermitRootLogin to yes in /etc/ssh/sshd_config until you complete reinstallation of Systemd-228, or you may find that you are unable to log in to the system remotely.

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

install -v -m700 -d /var/lib/sshd &&
chown   -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd

Install OpenSSH by running the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The test suite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.

To test the results, issue: make tests.

Now, as the root user:

make install                                  &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-7.1p2           &&
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.1p2

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and its public key in ~/.ssh/ with ssh-keygen and then copy the public key to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to replace REMOTE_USERNAME and REMOTE_HOSTNAME with the username and hostname of the remote computer, and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen &&
ssh-copy-id REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
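
sshd uses the first value it reads for each keyword, and any line after a Match line belongs to that Match block, so a setting appended with echo >> may not take effect globally (for example, if the temporary PermitRootLogin yes from the reinstallation note is still in the file). The following check is an added example, not part of the BLFS book; the function names and the sample configuration are constructed for illustration, and it assumes keyword and value are separated by whitespace.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for a keyword; lines after a "Match"
# line belong to that Match block. Assumes "Keyword value" split by whitespace.

# effective_value FILE KEYWORD: print the first global value, or "(default)".
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "(default)" }
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# audit_sshd_config FILE: return 1 unless the three keywords this page sets
# are effectively "no" in the global section.
audit_sshd_config() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication \
              ChallengeResponseAuthentication; do
        got=$(effective_value "$1" "$kw")
        if [ "$got" = "no" ]; then
            echo "ok     $kw $got"
        else
            echo "review $kw $got"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a temporary "PermitRootLogin yes" was left in place and
# the hardening lines were appended after an existing Match block.
demo_config() {
    cat <<'EOF'
PermitRootLogin yes
Match User backup
    X11Forwarding no
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

tmp=$(mktemp) && demo_config > "$tmp"
audit_sshd_config "$tmp" || echo "appended settings are not in effect globally"
rm -f "$tmp"
```

On a running system, sshd -T run as the root user prints the configuration that sshd actually parsed.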

If you added Linux-PAM support and you want ssh to use it, you will need to add a configuration file for sshd and enable use of Linux-PAM. Note that ssh only uses PAM to check passwords; if you've disabled password logins, these commands are not needed. If you want to use PAM, issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Systemd Units

To start the sshd daemon at boot, install the systemd units from the blfs-systemd-units-20150210 package by running the following command as the root user:

make install-sshd


This package comes with two types of units: a service file and a socket file. The service file starts the sshd daemon once at boot and keeps it running until the system shuts down. The socket file makes systemd listen on the sshd port (22 by default; the unit needs to be edited for anything else), start the sshd daemon when something tries to connect to that port, and stop the daemon when the connection is terminated. This is called socket activation. By default, the first method is used: the sshd daemon is started at boot and stopped at shutdown. If the socket method is desired, you need to run as the root user:

systemctl stop sshd && 
systemctl disable sshd &&
systemctl enable sshd.socket &&
systemctl start sshd.socket


Installed Programs: scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/share/doc/openssh-7.1p2, and /var/lib/sshd

Short Descriptions


scp is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp is an FTP-like program that works over the SSH1 and SSH2 protocols.

slogin is a symlink to ssh.

ssh is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd is a daemon that listens for ssh login requests.

ssh-add is a tool which adds keys to the ssh-agent.

ssh-agent is an authentication agent that can store private keys.

ssh-copy-id is a script that enables logins on a remote machine using local keys.

ssh-keygen is a key generation tool.

ssh-keyscan is a utility for gathering public host keys from a number of hosts.

Last updated on 2016-02-07 15:25:37 -0600