blob: 3d7db1494777ba8848ee615ff74bb0d55e3e0646 [file] [log] [blame]
Darren Tucker149543e2004-02-24 16:14:41 +11001This file contains notes about OpenSSH on specific platforms.
2
3AIX
4---
5As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
6settings, where previously it did not. Because of this, it's possible for
7sites that have used OpenSSH's sshd exclusively to have accounts which
8have passwords expired longer than the inactive time (ie the "Weeks between
9password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
10chuser attribute).
11
12Accounts in this state must have their passwords reset manually by the
13administrator. As a precaution, it is recommended that the administrative
14passwords be reset before upgrading from OpenSSH <3.8.
15
Darren Tucker691d5232005-02-15 21:45:57 +110016As of OpenSSH 4.0, configure will attempt to detect if your version
17and maintenance level of AIX has a working getaddrinfo, and will use it
18if found. This will enable IPv6 support. If for some reason configure
19gets it wrong, or if you want to build binaries to work on earlier MLs
20than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
21to force the previous IPv4-only behaviour.
22
Darren Tuckere13eace2005-02-15 22:44:05 +110023IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
Darren Tucker691d5232005-02-15 21:45:57 +110024IPv6 known broken: 4.3.3ML11 5.1ML4
Darren Tucker7749c512004-04-23 18:57:13 +100025
Darren Tucker5548e8c2007-03-13 21:00:45 +110026If you wish to use dynamic libraries that aren't in the normal system
27locations (eg IBM's OpenSSL and zlib packages) then you will need to
28define the environment variable blibpath before running configure, eg
29
30blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
31 --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
32
Darren Tucker6f6b27d2007-08-09 14:31:53 +100033If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
34by default) then sshd checks that users are permitted via the
35loginrestrictions() function, in particular that the user has the
36"rlogin" attribute set. This check is not done for the root account,
37instead the PermitRootLogin setting in sshd_config is used.
38
Darren Tucker5548e8c2007-03-13 21:00:45 +110039
Darren Tucker7749c512004-04-23 18:57:13 +100040Cygwin
41------
42To build on Cygwin, OpenSSH requires the following packages:
43gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
44openssl-devel, zlib, minres, minires-devel.
45
46
Darren Tucker3eb48342006-06-23 21:05:12 +100047Darwin and MacOS X
48------------------
49Darwin does not provide a tun(4) driver required for OpenSSH-based
50virtual private networks. The BSD manpage still exists, but the driver
51has been removed in recent releases of Darwin and MacOS X.
52
53Nevertheless, tunnel support is known to work with Darwin 8 and
54MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
55using a third party driver. More information is available at:
56 http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
57
58
Darren Tucker149543e2004-02-24 16:14:41 +110059Solaris
60-------
Darren Tuckerd9f88912005-02-20 21:01:48 +110061If you enable BSM auditing on Solaris, you need to update audit_event(4)
62for praudit(1m) to give sensible output. The following line needs to be
63added to /etc/security/audit_event:
Darren Tucker149543e2004-02-24 16:14:41 +110064
Darren Tuckerd9f88912005-02-20 21:01:48 +110065 32800:AUE_openssh:OpenSSH login:lo
66
67The BSM audit event range available for third party TCB applications is
6832768 - 65535. Event number 32800 has been choosen for AUE_openssh.
69There is no official registry of 3rd party event numbers, so if this
70number is already in use on your system, you may change it at build time
71by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
72
73
Darren Tucker3a38c5a2005-11-05 16:28:35 +110074Platforms using PAM
75-------------------
76As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
77PAM is enabled. To maintain existing behaviour, pam_nologin should be
78added to sshd's session stack which will prevent users from starting shell
79sessions. Alternatively, pam_nologin can be added to either the auth or
80account stacks which will prevent authentication entirely, but will still
81return the output from pam_nologin to the client.
82
83
Darren Tucker6f6b27d2007-08-09 14:31:53 +100084$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $