blob: d0fa00e6cb933ce5020850d22a8389b845aea71e [file] [log] [blame]
Darren Tucker30eee7d2016-12-20 12:16:11 +110011. Prerequisites
Damien Millerb5f89271999-11-12 14:35:58 +11002----------------
3
Darren Tucker560c0062016-08-17 13:38:30 +10004A C compiler. Any C89 or better compiler should work. Where supported,
5configure will attempt to enable the compiler's run-time integrity checking
6options. Some notes about specific compilers:
7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
Darren Tucker9abf84c2016-08-17 14:25:43 +10008 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
Darren Tucker560c0062016-08-17 13:38:30 +10009
Damien Millerad013942014-08-26 09:27:28 +100010You will need working installations of Zlib and libcrypto (LibreSSL /
11OpenSSL)
Damien Millerb5f89271999-11-12 14:35:58 +110012
Darren Tucker976ba8a2016-08-17 15:33:10 +100013Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
Damien Millera8e06ce2003-11-21 23:48:55 +110014http://www.gzip.org/zlib/
Damien Millerb5f89271999-11-12 14:35:58 +110015
Darren Tucker6ab75ab2018-10-28 15:16:31 +110016libcrypto from either of:
Darren Tuckercd16ace2019-05-16 07:53:20 +100017 - LibreSSL (https://www.libressl.org/)
18 - OpenSSL (https://www.openssl.org) with any of the following versions:
19 - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
Damien Millerb5f89271999-11-12 14:35:58 +110020
Damien Millerad013942014-08-26 09:27:28 +100021LibreSSL/OpenSSL should be compiled as a position-independent library
22(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
23If you must use a non-position-independent libcrypto, then you may need
Darren Tucker6ab75ab2018-10-28 15:16:31 +110024to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit
25OpenSSL 1.1 versions prior to 1.1.0g can't be used.
Damien Millere71eb912000-04-13 12:19:32 +100026
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100027The remaining items are optional.
28
Damien Millera8e06ce2003-11-21 23:48:55 +110029NB. If you operating system supports /dev/random, you should configure
Damien Millerad013942014-08-26 09:27:28 +100030libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
Darren Tuckercd16ace2019-05-16 07:53:20 +100031direct support of /dev/random, or failing that, either prngd or egd.
Damien Miller780b3761999-12-26 13:36:11 +110032
Damien Miller0736c4d2001-01-25 10:51:46 +110033PRNGD:
34
Darren Tucker2a386852007-04-06 12:25:08 +100035If your system lacks kernel-based random collection, the use of Lutz
Darren Tuckercd16ace2019-05-16 07:53:20 +100036Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
37to support it.
Damien Miller0736c4d2001-01-25 10:51:46 +110038
Darren Tucker2a386852007-04-06 12:25:08 +100039http://prngd.sourceforge.net/
Damien Miller0736c4d2001-01-25 10:51:46 +110040
41EGD:
42
Darren Tuckercd16ace2019-05-16 07:53:20 +100043The Entropy Gathering Daemon (EGD) suppports the same interface as prngd.
44It also supported only if libcrypto is configured to support it.
Damien Millerb5f89271999-11-12 14:35:58 +110045
Darren Tuckerad7d23d2014-09-09 12:23:10 +100046http://egd.sourceforge.net/
Damien Millerb5f89271999-11-12 14:35:58 +110047
Darren Tucker8ea84562007-08-17 22:12:14 +100048PAM:
49
Darren Tucker1a329532007-08-17 22:03:09 +100050OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
51system supports it. PAM is standard most Linux distributions, Solaris,
52HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
53
54Information about the various PAM implementations are available:
55
56Solaris PAM: http://www.sun.com/software/solaris/pam/
57Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
58OpenPAM: http://www.openpam.org/
59
60If you wish to build the GNOME passphrase requester, you will need the GNOME
61libraries and headers.
62
63GNOME:
64http://www.gnome.org/
65
66Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
67passphrase requester. This is maintained separately at:
68
69http://www.jmknoble.net/software/x11-ssh-askpass/
70
Darren Tuckerad1e5e22005-04-19 15:31:49 +100071LibEdit:
Darren Tucker3eb48342006-06-23 21:05:12 +100072
73sftp supports command-line editing via NetBSD's libedit. If your platform
74has it available natively you can use that, alternatively you might try
75these multi-platform ports:
Darren Tuckerad1e5e22005-04-19 15:31:49 +100076
77http://www.thrysoee.dk/editline/
78http://sourceforge.net/projects/libedit/
79
Darren Tuckeraa3cbd12011-11-04 11:25:24 +110080LDNS:
81
82LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
83
84http://nlnetlabs.nl/projects/ldns/
85
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100086Autoconf:
87
Darren Tuckerf32f5522006-07-06 19:12:08 +100088If you modify configure.ac or configure doesn't exist (eg if you checked
Darren Tuckerc5bfe832017-12-09 10:12:23 +110089the code out of git yourself) then you will need autoconf-2.69 to rebuild
Darren Tuckeraef5bee2007-03-02 17:53:41 +110090the automatically generated files by running "autoreconf". Earlier
Darren Tucker637cc402007-08-17 21:40:22 +100091versions may also work but this is not guaranteed.
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100092
93http://www.gnu.org/software/autoconf/
94
Darren Tucker83bbb032006-09-17 22:55:52 +100095Basic Security Module (BSM):
96
Damien Millerff3507a2017-07-07 11:21:27 +100097Native BSM support is known to exist in Solaris from at least 2.5.1,
Darren Tucker83bbb032006-09-17 22:55:52 +100098FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
99implementation (http://www.openbsm.org).
100
Darren Tucker79c0e1d2017-12-11 14:38:33 +1100101makedepend:
102
103https://www.x.org/archive/individual/util/
104
105If you are making significant changes to the code you may need to rebuild
106the dependency (.depend) file using "make depend", which requires the
107"makedepend" tool from the X11 distribution.
Darren Tuckerdb4c54b2006-06-30 16:20:58 +1000108
Damien Millerb5f89271999-11-12 14:35:58 +11001092. Building / Installation
110--------------------------
111
112To install OpenSSH with default options:
113
114./configure
115make
116make install
117
118This will install the OpenSSH binaries in /usr/local/bin, configuration files
119in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
120installation prefix, use the --prefix option to configure:
121
122./configure --prefix=/opt
123make
124make install
125
Damien Millera8e06ce2003-11-21 23:48:55 +1100126Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
Damien Millerb5f89271999-11-12 14:35:58 +1100127specific paths, for example:
128
129./configure --prefix=/opt --sysconfdir=/etc/ssh
130make
131make install
132
133This will install the binaries in /opt/{bin,lib,sbin}, but will place the
134configuration files in /etc/ssh.
135
Darren Tuckerd9c88132005-04-19 12:21:21 +1000136If you are using Privilege Separation (which is enabled by default)
137then you will also need to create the user, group and directory used by
138sshd for privilege separation. See README.privsep for details.
139
Kevin Steves32c97c32001-04-20 20:56:21 +0000140If you are using PAM, you may need to manually install a PAM control
141file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
142them). Note that the service name used to start PAM is __progname,
143which is the basename of the path of your sshd (e.g., the service name
144for /usr/sbin/osshd will be osshd). If you have renamed your sshd
145executable, your PAM configuration may need to be modified.
146
147A generic PAM configuration is included as "contrib/sshd.pam.generic",
148you may need to edit it before using it on your system. If you are
149using a recent version of Red Hat Linux, the config file in
150contrib/redhat/sshd.pam should be more useful. Failure to install a
151valid PAM file may result in an inability to use password
152authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
153configuration will work with sshd (sshd will match the other service
Kevin Stevesdf4a7ae2000-11-07 14:47:51 +0000154name).
Damien Miller755c90c1999-11-22 16:12:31 +1100155
Damien Millerb5f89271999-11-12 14:35:58 +1100156There are a few other options to the configure script:
157
Darren Tucker83bbb032006-09-17 22:55:52 +1000158--with-audit=[module] enable additional auditing via the specified module.
159Currently, drivers for "debug" (additional info via syslog) and "bsm"
160(Sun's Basic Security Module) are supported.
161
Damien Miller5c3a5582003-09-23 22:12:38 +1000162--with-pam enables PAM support. If PAM support is compiled in, it must
163also be enabled in sshd_config (refer to the UsePAM directive).
Damien Millerb5f89271999-11-12 14:35:58 +1100164
Damien Millera8e06ce2003-11-21 23:48:55 +1100165--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
166support and to specify a PRNGd socket. Use this if your Unix lacks
Darren Tucker6d4e9802018-02-15 22:16:54 +1100167/dev/random.
Damien Millerd0ccb982001-03-04 00:29:20 +1100168
Damien Millera8e06ce2003-11-21 23:48:55 +1100169--with-prngd-port=portnum allows you to enable EGD or PRNGD support
170and to specify a EGD localhost TCP port. Use this if your Unix lacks
Darren Tucker6d4e9802018-02-15 22:16:54 +1100171/dev/random.
Damien Millerb5f89271999-11-12 14:35:58 +1100172
Damien Millera8e06ce2003-11-21 23:48:55 +1100173--with-lastlog=FILE will specify the location of the lastlog file.
Damien Miller8bdeee21999-12-30 15:50:54 +1100174./configure searches a few locations for lastlog, but may not find
175it if lastlog is installed in a different place.
176
177--without-lastlog will disable lastlog support entirely.
178
Damien Millera8e06ce2003-11-21 23:48:55 +1100179--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Ben Lindstrom72af2ef2001-05-08 20:42:28 +0000180Integration Architecture. The default for OSF1 machines is enable.
181
Damien Millerc0967271999-11-19 15:53:50 +1100182--with-md5-passwords will enable the use of MD5 passwords. Enable this
Darren Tucker0d37b5c2003-10-21 12:41:14 +1000183if your operating system uses MD5 passwords and the system crypt() does
184not support them directly (see the crypt(3/3c) man page). If enabled, the
185resulting binary will support both MD5 and traditional crypt passwords.
Damien Miller3d1b22c1999-11-12 15:46:08 +1100186
Damien Millera8e06ce2003-11-21 23:48:55 +1100187--with-utmpx enables utmpx support. utmpx support is automatic for
Damien Miller8bdeee21999-12-30 15:50:54 +1100188some platforms.
189
190--without-shadow disables shadow password support.
191
Damien Millera8e06ce2003-11-21 23:48:55 +1100192--with-ipaddr-display forces the use of a numeric IP address in the
Damien Miller8bdeee21999-12-30 15:50:54 +1100193$DISPLAY environment variable. Some broken systems need this.
194
195--with-default-path=PATH allows you to specify a default $PATH for sessions
Damien Miller29ea30d2000-03-17 10:54:15 +1100196started by sshd. This replaces the standard path entirely.
Damien Miller8bdeee21999-12-30 15:50:54 +1100197
Darren Tuckerea43c492007-08-17 22:10:10 +1000198--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
Damien Miller5eed6a22000-01-16 12:05:18 +1100199created.
200
201--with-xauth=PATH specifies the location of the xauth binary
202
Damien Millerad013942014-08-26 09:27:28 +1000203--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
Darren Tuckerf1ca4872018-02-15 22:18:37 +1100204libraries are installed.
Damien Miller0c0e4bf2000-02-03 13:58:51 +1100205
Damien Millerad013942014-08-26 09:27:28 +1000206--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
Darren Tuckerfabdb6c2006-02-20 20:17:35 +1100207
Damien Millerfd263682000-03-16 11:51:09 +1100208--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
209real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
210
Damien Millerbeb4ba51999-12-28 15:09:35 +1100211If you need to pass special options to the compiler or linker, you
Damien Miller615f9392000-05-17 22:53:33 +1000212can specify these as environment variables before running ./configure.
Damien Millerbeb4ba51999-12-28 15:09:35 +1100213For example:
214
Darren Tuckerf2c06ab2018-06-08 17:43:36 +1000215CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
Damien Millerb5f89271999-11-12 14:35:58 +1100216
2173. Configuration
218----------------
219
Damien Millera8e06ce2003-11-21 23:48:55 +1100220The runtime configuration files are installed by in ${prefix}/etc or
Damien Millerb5f89271999-11-12 14:35:58 +1100221whatever you specified as your --sysconfdir (/usr/local/etc by default).
222
Damien Millera8e06ce2003-11-21 23:48:55 +1100223The default configuration should be instantly usable, though you should
Damien Millerb5f89271999-11-12 14:35:58 +1100224review it to ensure that it matches your security requirements.
225
Damien Miller4095f892000-03-03 22:13:52 +1100226To generate a host key, run "make host-key". Alternately you can do so
Damien Millera8e06ce2003-11-21 23:48:55 +1100227manually using the following commands:
Damien Miller2a9d9f61999-11-15 23:34:11 +1100228
Darren Tuckerdd4e7212016-10-21 06:48:46 +1100229 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
230
Darren Tucker30eee7d2016-12-20 12:16:11 +1100231for each of the types you wish to generate (rsa, dsa or ecdsa) or
Darren Tuckerdd4e7212016-10-21 06:48:46 +1100232
233 ssh-keygen -A
234
235to generate keys for all supported types.
Damien Miller2a9d9f61999-11-15 23:34:11 +1100236
Damien Miller6ae00d61999-12-14 15:43:03 +1100237Replacing /etc/ssh with the correct path to the configuration directory.
Damien Millera8e06ce2003-11-21 23:48:55 +1100238(${prefix}/etc or whatever you specified with --sysconfdir during
Damien Miller6ae00d61999-12-14 15:43:03 +1100239configuration)
240
Damien Millerab8a4da1999-12-16 13:05:30 +1100241If you have configured OpenSSH with EGD support, ensure that EGD is
242running and has collected some Entropy.
243
Damien Millera8e06ce2003-11-21 23:48:55 +1100244For more information on configuration, please refer to the manual pages
Damien Millerb5f89271999-11-12 14:35:58 +1100245for sshd, ssh and ssh-agent.
246
Darren Tucker72c025d2005-01-18 12:05:18 +11002474. (Optional) Send survey
248-------------------------
249
250$ make survey
Darren Tucker3eb48342006-06-23 21:05:12 +1000251[check the contents of the file "survey" to ensure there's no information
252that you consider sensitive]
Darren Tucker72c025d2005-01-18 12:05:18 +1100253$ make send-survey
254
255This will send configuration information for the currently configured
256host to a survey address. This will help determine which configurations
257are actually in use, and what valid combinations of configure options
258exist. The raw data is available only to the OpenSSH developers, however
259summary data may be published.
260
2615. Problems?
Damien Miller6ae00d61999-12-14 15:43:03 +1100262------------
263
Damien Millera8e06ce2003-11-21 23:48:55 +1100264If you experience problems compiling, installing or running OpenSSH.
Damien Miller6ae00d61999-12-14 15:43:03 +1100265Please refer to the "reporting bugs" section of the webpage at
Darren Tucker461f50e2016-10-21 06:55:58 +1100266https://www.openssh.com/