blob: 6bc80b68f56444ce8fe3bfcea603188b952abb73 [file] [log] [blame]
Damien Millerb5f89271999-11-12 14:35:58 +11001----------------
2
Darren Tucker560c0062016-08-17 13:38:30 +10003A C compiler. Any C89 or better compiler should work. Where supported,
4configure will attempt to enable the compiler's run-time integrity checking
5options. Some notes about specific compilers:
6 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
Darren Tucker9abf84c2016-08-17 14:25:43 +10007 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
Darren Tucker560c0062016-08-17 13:38:30 +10008
Damien Millerad013942014-08-26 09:27:28 +10009You will need working installations of Zlib and libcrypto (LibreSSL /
10OpenSSL)
Damien Millerb5f89271999-11-12 14:35:58 +110011
Darren Tucker976ba8a2016-08-17 15:33:10 +100012Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
Damien Millera8e06ce2003-11-21 23:48:55 +110013http://www.gzip.org/zlib/
Damien Millerb5f89271999-11-12 14:35:58 +110014
Darren Tuckera162dd52016-07-14 21:19:59 +100015libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
Damien Millerad013942014-08-26 09:27:28 +100016LibreSSL http://www.libressl.org/ ; or
17OpenSSL http://www.openssl.org/
Damien Millerb5f89271999-11-12 14:35:58 +110018
Damien Millerad013942014-08-26 09:27:28 +100019LibreSSL/OpenSSL should be compiled as a position-independent library
20(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
21If you must use a non-position-independent libcrypto, then you may need
Darren Tuckera162dd52016-07-14 21:19:59 +100022to configure OpenSSH --without-pie. Note that because of API changes,
23OpenSSL 1.1.x is not currently supported.
Damien Millere71eb912000-04-13 12:19:32 +100024
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100025The remaining items are optional.
26
Damien Millera8e06ce2003-11-21 23:48:55 +110027NB. If you operating system supports /dev/random, you should configure
Damien Millerad013942014-08-26 09:27:28 +100028libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
29direct support of /dev/random, or failing that, either prngd or egd
Damien Miller780b3761999-12-26 13:36:11 +110030
Damien Miller0736c4d2001-01-25 10:51:46 +110031PRNGD:
32
Darren Tucker2a386852007-04-06 12:25:08 +100033If your system lacks kernel-based random collection, the use of Lutz
Damien Miller0736c4d2001-01-25 10:51:46 +110034Jaenicke's PRNGd is recommended.
35
Darren Tucker2a386852007-04-06 12:25:08 +100036http://prngd.sourceforge.net/
Damien Miller0736c4d2001-01-25 10:51:46 +110037
38EGD:
39
Darren Tuckerad7d23d2014-09-09 12:23:10 +100040If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
41supported only if libcrypto supports it.
Damien Millerb5f89271999-11-12 14:35:58 +110042
Darren Tuckerad7d23d2014-09-09 12:23:10 +100043http://egd.sourceforge.net/
Damien Millerb5f89271999-11-12 14:35:58 +110044
Darren Tucker8ea84562007-08-17 22:12:14 +100045PAM:
46
Darren Tucker1a329532007-08-17 22:03:09 +100047OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
48system supports it. PAM is standard most Linux distributions, Solaris,
49HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
50
51Information about the various PAM implementations are available:
52
53Solaris PAM: http://www.sun.com/software/solaris/pam/
54Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
55OpenPAM: http://www.openpam.org/
56
57If you wish to build the GNOME passphrase requester, you will need the GNOME
58libraries and headers.
59
60GNOME:
61http://www.gnome.org/
62
63Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
64passphrase requester. This is maintained separately at:
65
66http://www.jmknoble.net/software/x11-ssh-askpass/
67
Ben Lindstrom305fb002000-11-10 02:41:30 +000068S/Key Libraries:
Darren Tucker16bcc1c2004-11-07 20:14:34 +110069
Darren Tucker8d158c92005-04-19 15:40:51 +100070If you wish to use --with-skey then you will need the library below
71installed. No other S/Key library is currently known to be supported.
Ben Lindstromca1c2a02000-10-14 21:33:19 +000072
Darren Tuckerad1e5e22005-04-19 15:31:49 +100073http://www.sparc.spb.su/solaris/skey/
74
75LibEdit:
Darren Tucker3eb48342006-06-23 21:05:12 +100076
77sftp supports command-line editing via NetBSD's libedit. If your platform
78has it available natively you can use that, alternatively you might try
79these multi-platform ports:
Darren Tuckerad1e5e22005-04-19 15:31:49 +100080
81http://www.thrysoee.dk/editline/
82http://sourceforge.net/projects/libedit/
83
Darren Tuckeraa3cbd12011-11-04 11:25:24 +110084LDNS:
85
86LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
87
88http://nlnetlabs.nl/projects/ldns/
89
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100090Autoconf:
91
Darren Tuckerf32f5522006-07-06 19:12:08 +100092If you modify configure.ac or configure doesn't exist (eg if you checked
Damien Millerb0b48be2016-08-02 11:06:23 +100093the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
Darren Tuckeraef5bee2007-03-02 17:53:41 +110094the automatically generated files by running "autoreconf". Earlier
Darren Tucker637cc402007-08-17 21:40:22 +100095versions may also work but this is not guaranteed.
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100096
97http://www.gnu.org/software/autoconf/
98
Darren Tucker83bbb032006-09-17 22:55:52 +100099Basic Security Module (BSM):
100
101Native BSM support is know to exist in Solaris from at least 2.5.1,
102FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
103implementation (http://www.openbsm.org).
104
Darren Tuckerdb4c54b2006-06-30 16:20:58 +1000105
Damien Millerb5f89271999-11-12 14:35:58 +11001062. Building / Installation
107--------------------------
108
109To install OpenSSH with default options:
110
111./configure
112make
113make install
114
115This will install the OpenSSH binaries in /usr/local/bin, configuration files
116in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
117installation prefix, use the --prefix option to configure:
118
119./configure --prefix=/opt
120make
121make install
122
Damien Millera8e06ce2003-11-21 23:48:55 +1100123Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
Damien Millerb5f89271999-11-12 14:35:58 +1100124specific paths, for example:
125
126./configure --prefix=/opt --sysconfdir=/etc/ssh
127make
128make install
129
130This will install the binaries in /opt/{bin,lib,sbin}, but will place the
131configuration files in /etc/ssh.
132
Darren Tuckerd9c88132005-04-19 12:21:21 +1000133If you are using Privilege Separation (which is enabled by default)
134then you will also need to create the user, group and directory used by
135sshd for privilege separation. See README.privsep for details.
136
Kevin Steves32c97c32001-04-20 20:56:21 +0000137If you are using PAM, you may need to manually install a PAM control
138file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
139them). Note that the service name used to start PAM is __progname,
140which is the basename of the path of your sshd (e.g., the service name
141for /usr/sbin/osshd will be osshd). If you have renamed your sshd
142executable, your PAM configuration may need to be modified.
143
144A generic PAM configuration is included as "contrib/sshd.pam.generic",
145you may need to edit it before using it on your system. If you are
146using a recent version of Red Hat Linux, the config file in
147contrib/redhat/sshd.pam should be more useful. Failure to install a
148valid PAM file may result in an inability to use password
149authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
150configuration will work with sshd (sshd will match the other service
Kevin Stevesdf4a7ae2000-11-07 14:47:51 +0000151name).
Damien Miller755c90c1999-11-22 16:12:31 +1100152
Damien Millerb5f89271999-11-12 14:35:58 +1100153There are a few other options to the configure script:
154
Darren Tucker83bbb032006-09-17 22:55:52 +1000155--with-audit=[module] enable additional auditing via the specified module.
156Currently, drivers for "debug" (additional info via syslog) and "bsm"
157(Sun's Basic Security Module) are supported.
158
Damien Miller5c3a5582003-09-23 22:12:38 +1000159--with-pam enables PAM support. If PAM support is compiled in, it must
160also be enabled in sshd_config (refer to the UsePAM directive).
Damien Millerb5f89271999-11-12 14:35:58 +1100161
Damien Millera8e06ce2003-11-21 23:48:55 +1100162--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
163support and to specify a PRNGd socket. Use this if your Unix lacks
164/dev/random and you don't want to use OpenSSH's builtin entropy
Damien Millerd0ccb982001-03-04 00:29:20 +1100165collection support.
166
Damien Millera8e06ce2003-11-21 23:48:55 +1100167--with-prngd-port=portnum allows you to enable EGD or PRNGD support
168and to specify a EGD localhost TCP port. Use this if your Unix lacks
169/dev/random and you don't want to use OpenSSH's builtin entropy
Damien Miller0736c4d2001-01-25 10:51:46 +1100170collection support.
Damien Millerb5f89271999-11-12 14:35:58 +1100171
Damien Millera8e06ce2003-11-21 23:48:55 +1100172--with-lastlog=FILE will specify the location of the lastlog file.
Damien Miller8bdeee21999-12-30 15:50:54 +1100173./configure searches a few locations for lastlog, but may not find
174it if lastlog is installed in a different place.
175
176--without-lastlog will disable lastlog support entirely.
177
Damien Millera8e06ce2003-11-21 23:48:55 +1100178--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Ben Lindstrom72af2ef2001-05-08 20:42:28 +0000179Integration Architecture. The default for OSF1 machines is enable.
180
Damien Millera8e06ce2003-11-21 23:48:55 +1100181--with-skey=PATH will enable S/Key one time password support. You will
Ben Lindstrom305fb002000-11-10 02:41:30 +0000182need the S/Key libraries and header files installed for this to work.
Damien Millerc0967271999-11-19 15:53:50 +1100183
Damien Millerc0967271999-11-19 15:53:50 +1100184--with-md5-passwords will enable the use of MD5 passwords. Enable this
Darren Tucker0d37b5c2003-10-21 12:41:14 +1000185if your operating system uses MD5 passwords and the system crypt() does
186not support them directly (see the crypt(3/3c) man page). If enabled, the
187resulting binary will support both MD5 and traditional crypt passwords.
Damien Miller3d1b22c1999-11-12 15:46:08 +1100188
Damien Millera8e06ce2003-11-21 23:48:55 +1100189--with-utmpx enables utmpx support. utmpx support is automatic for
Damien Miller8bdeee21999-12-30 15:50:54 +1100190some platforms.
191
192--without-shadow disables shadow password support.
193
Damien Millera8e06ce2003-11-21 23:48:55 +1100194--with-ipaddr-display forces the use of a numeric IP address in the
Damien Miller8bdeee21999-12-30 15:50:54 +1100195$DISPLAY environment variable. Some broken systems need this.
196
197--with-default-path=PATH allows you to specify a default $PATH for sessions
Damien Miller29ea30d2000-03-17 10:54:15 +1100198started by sshd. This replaces the standard path entirely.
Damien Miller8bdeee21999-12-30 15:50:54 +1100199
Darren Tuckerea43c492007-08-17 22:10:10 +1000200--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
Damien Miller5eed6a22000-01-16 12:05:18 +1100201created.
202
203--with-xauth=PATH specifies the location of the xauth binary
204
Damien Millerad013942014-08-26 09:27:28 +1000205--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
206libraries
Damien Miller0c0e4bf2000-02-03 13:58:51 +1100207are installed.
208
Damien Millerad013942014-08-26 09:27:28 +1000209--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
Darren Tuckerfabdb6c2006-02-20 20:17:35 +1100210
Damien Millerfd263682000-03-16 11:51:09 +1100211--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
212real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
213
Damien Millerbeb4ba51999-12-28 15:09:35 +1100214If you need to pass special options to the compiler or linker, you
Damien Miller615f9392000-05-17 22:53:33 +1000215can specify these as environment variables before running ./configure.
Damien Millerbeb4ba51999-12-28 15:09:35 +1100216For example:
217
Damien Millerb5c42d92000-08-31 11:13:10 +1100218CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
Damien Millerb5f89271999-11-12 14:35:58 +1100219
2203. Configuration
221----------------
222
Damien Millera8e06ce2003-11-21 23:48:55 +1100223The runtime configuration files are installed by in ${prefix}/etc or
Damien Millerb5f89271999-11-12 14:35:58 +1100224whatever you specified as your --sysconfdir (/usr/local/etc by default).
225
Damien Millera8e06ce2003-11-21 23:48:55 +1100226The default configuration should be instantly usable, though you should
Damien Millerb5f89271999-11-12 14:35:58 +1100227review it to ensure that it matches your security requirements.
228
Damien Miller4095f892000-03-03 22:13:52 +1100229To generate a host key, run "make host-key". Alternately you can do so
Damien Millera8e06ce2003-11-21 23:48:55 +1100230manually using the following commands:
Damien Miller2a9d9f61999-11-15 23:34:11 +1100231
Darren Tuckerdd4e7212016-10-21 06:48:46 +1100232 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
233
234for each of the types you wish to generate (rsa, dsa or ecdsaa) or
235
236 ssh-keygen -A
237
238to generate keys for all supported types.
Damien Miller2a9d9f61999-11-15 23:34:11 +1100239
Damien Miller6ae00d61999-12-14 15:43:03 +1100240Replacing /etc/ssh with the correct path to the configuration directory.
Damien Millera8e06ce2003-11-21 23:48:55 +1100241(${prefix}/etc or whatever you specified with --sysconfdir during
Damien Miller6ae00d61999-12-14 15:43:03 +1100242configuration)
243
Damien Millerab8a4da1999-12-16 13:05:30 +1100244If you have configured OpenSSH with EGD support, ensure that EGD is
245running and has collected some Entropy.
246
Damien Millera8e06ce2003-11-21 23:48:55 +1100247For more information on configuration, please refer to the manual pages
Damien Millerb5f89271999-11-12 14:35:58 +1100248for sshd, ssh and ssh-agent.
249
Darren Tucker72c025d2005-01-18 12:05:18 +11002504. (Optional) Send survey
251-------------------------
252
253$ make survey
Darren Tucker3eb48342006-06-23 21:05:12 +1000254[check the contents of the file "survey" to ensure there's no information
255that you consider sensitive]
Darren Tucker72c025d2005-01-18 12:05:18 +1100256$ make send-survey
257
258This will send configuration information for the currently configured
259host to a survey address. This will help determine which configurations
260are actually in use, and what valid combinations of configure options
261exist. The raw data is available only to the OpenSSH developers, however
262summary data may be published.
263
2645. Problems?
Damien Miller6ae00d61999-12-14 15:43:03 +1100265------------
266
Damien Millera8e06ce2003-11-21 23:48:55 +1100267If you experience problems compiling, installing or running OpenSSH.
Damien Miller6ae00d61999-12-14 15:43:03 +1100268Please refer to the "reporting bugs" section of the webpage at
Darren Tucker461f50e2016-10-21 06:55:58 +1100269https://www.openssh.com/