Darren Tucker | 149543e | 2004-02-24 16:14:41 +1100 | [diff] [blame] | 1 | This file contains notes about OpenSSH on specific platforms. |
| 2 | |
| 3 | AIX |
| 4 | --- |
| 5 | As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry |
| 6 | settings, where previously it did not. Because of this, it's possible for |
| 7 | sites that have used OpenSSH's sshd exclusively to have accounts which |
| 8 | have passwords expired longer than the inactive time (ie the "Weeks between |
| 9 | password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired |
| 10 | chuser attribute). |
| 11 | |
| 12 | Accounts in this state must have their passwords reset manually by the |
| 13 | administrator. As a precaution, it is recommended that the administrative |
| 14 | passwords be reset before upgrading from OpenSSH <3.8. |
| 15 | |
Darren Tucker | 691d523 | 2005-02-15 21:45:57 +1100 | [diff] [blame] | 16 | As of OpenSSH 4.0, configure will attempt to detect if your version |
| 17 | and maintenance level of AIX has a working getaddrinfo, and will use it |
| 18 | if found. This will enable IPv6 support. If for some reason configure |
| 19 | gets it wrong, or if you want to build binaries to work on earlier MLs |
| 20 | than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS |
| 21 | to force the previous IPv4-only behaviour. |
| 22 | |
Darren Tucker | e13eace | 2005-02-15 22:44:05 +1100 | [diff] [blame] | 23 | IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 |
Darren Tucker | 691d523 | 2005-02-15 21:45:57 +1100 | [diff] [blame] | 24 | IPv6 known broken: 4.3.3ML11 5.1ML4 |
Darren Tucker | 7749c51 | 2004-04-23 18:57:13 +1000 | [diff] [blame] | 25 | |
Darren Tucker | 5548e8c | 2007-03-13 21:00:45 +1100 | [diff] [blame] | 26 | If you wish to use dynamic libraries that aren't in the normal system |
| 27 | locations (eg IBM's OpenSSL and zlib packages) then you will need to |
| 28 | define the environment variable blibpath before running configure, eg |
| 29 | |
| 30 | blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \ |
| 31 | --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware |
| 32 | |
Darren Tucker | 6f6b27d | 2007-08-09 14:31:53 +1000 | [diff] [blame] | 33 | If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled |
| 34 | by default) then sshd checks that users are permitted via the |
| 35 | loginrestrictions() function, in particular that the user has the |
| 36 | "rlogin" attribute set. This check is not done for the root account, |
| 37 | instead the PermitRootLogin setting in sshd_config is used. |
| 38 | |
Darren Tucker | 72b061d | 2016-02-26 14:40:04 +1100 | [diff] [blame] | 39 | If you are using the IBM compiler you probably want to use CC=xlc rather |
| 40 | than the default of cc. |
| 41 | |
Darren Tucker | 5548e8c | 2007-03-13 21:00:45 +1100 | [diff] [blame] | 42 | |
Darren Tucker | 7749c51 | 2004-04-23 18:57:13 +1000 | [diff] [blame] | 43 | Cygwin |
| 44 | ------ |
| 45 | To build on Cygwin, OpenSSH requires the following packages: |
| 46 | gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl, |
| 47 | openssl-devel, zlib, minres, minires-devel. |
| 48 | |
| 49 | |
Darren Tucker | 3eb4834 | 2006-06-23 21:05:12 +1000 | [diff] [blame] | 50 | Darwin and MacOS X |
| 51 | ------------------ |
| 52 | Darwin does not provide a tun(4) driver required for OpenSSH-based |
| 53 | virtual private networks. The BSD manpage still exists, but the driver |
| 54 | has been removed in recent releases of Darwin and MacOS X. |
| 55 | |
| 56 | Nevertheless, tunnel support is known to work with Darwin 8 and |
| 57 | MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode |
| 58 | using a third party driver. More information is available at: |
| 59 | http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ |
| 60 | |
| 61 | |
Darren Tucker | 427adf1 | 2009-08-29 09:14:48 +1000 | [diff] [blame] | 62 | Linux |
| 63 | ----- |
| 64 | |
| 65 | Some Linux distributions (including Red Hat/Fedora/CentOS) include |
| 66 | headers and library links in the -devel RPMs rather than the main |
| 67 | binary RPMs. If you get an error about headers, or complaining about a |
| 68 | missing prerequisite then you may need to install the equivalent |
| 69 | development packages. On Redhat based distros these may be openssl-devel, |
| 70 | zlib-devel and pam-devel, on Debian based distros these may be |
| 71 | libssl-dev, libz-dev and libpam-dev. |
| 72 | |
| 73 | |
Darren Tucker | 149543e | 2004-02-24 16:14:41 +1100 | [diff] [blame] | 74 | Solaris |
| 75 | ------- |
Darren Tucker | d9f8891 | 2005-02-20 21:01:48 +1100 | [diff] [blame] | 76 | If you enable BSM auditing on Solaris, you need to update audit_event(4) |
| 77 | for praudit(1m) to give sensible output. The following line needs to be |
| 78 | added to /etc/security/audit_event: |
Darren Tucker | 149543e | 2004-02-24 16:14:41 +1100 | [diff] [blame] | 79 | |
Darren Tucker | d9f8891 | 2005-02-20 21:01:48 +1100 | [diff] [blame] | 80 | 32800:AUE_openssh:OpenSSH login:lo |
| 81 | |
| 82 | The BSM audit event range available for third party TCB applications is |
| 83 | 32768 - 65535. Event number 32800 has been choosen for AUE_openssh. |
| 84 | There is no official registry of 3rd party event numbers, so if this |
| 85 | number is already in use on your system, you may change it at build time |
| 86 | by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
| 87 | |
| 88 | |
Darren Tucker | 3a38c5a | 2005-11-05 16:28:35 +1100 | [diff] [blame] | 89 | Platforms using PAM |
| 90 | ------------------- |
| 91 | As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when |
| 92 | PAM is enabled. To maintain existing behaviour, pam_nologin should be |
| 93 | added to sshd's session stack which will prevent users from starting shell |
| 94 | sessions. Alternatively, pam_nologin can be added to either the auth or |
| 95 | account stacks which will prevent authentication entirely, but will still |
| 96 | return the output from pam_nologin to the client. |