blob: e4865bbb4d9ab6c3ab0d233c22f8d519ed4facdf [file] [log] [blame]
Darren Tucker30eee7d2016-12-20 12:16:11 +110011. Prerequisites
Damien Millerb5f89271999-11-12 14:35:58 +11002----------------
3
Darren Tucker560c0062016-08-17 13:38:30 +10004A C compiler. Any C89 or better compiler should work. Where supported,
5configure will attempt to enable the compiler's run-time integrity checking
6options. Some notes about specific compilers:
7 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
Darren Tucker9abf84c2016-08-17 14:25:43 +10008 (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
Darren Tucker560c0062016-08-17 13:38:30 +10009
Damien Millerad013942014-08-26 09:27:28 +100010You will need working installations of Zlib and libcrypto (LibreSSL /
11OpenSSL)
Damien Millerb5f89271999-11-12 14:35:58 +110012
Darren Tucker976ba8a2016-08-17 15:33:10 +100013Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
Damien Millera8e06ce2003-11-21 23:48:55 +110014http://www.gzip.org/zlib/
Damien Millerb5f89271999-11-12 14:35:58 +110015
Darren Tuckera162dd52016-07-14 21:19:59 +100016libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
Damien Millerad013942014-08-26 09:27:28 +100017LibreSSL http://www.libressl.org/ ; or
18OpenSSL http://www.openssl.org/
Damien Millerb5f89271999-11-12 14:35:58 +110019
Damien Millerad013942014-08-26 09:27:28 +100020LibreSSL/OpenSSL should be compiled as a position-independent library
21(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
22If you must use a non-position-independent libcrypto, then you may need
Darren Tuckera162dd52016-07-14 21:19:59 +100023to configure OpenSSH --without-pie. Note that because of API changes,
24OpenSSL 1.1.x is not currently supported.
Damien Millere71eb912000-04-13 12:19:32 +100025
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100026The remaining items are optional.
27
Damien Millera8e06ce2003-11-21 23:48:55 +110028NB. If you operating system supports /dev/random, you should configure
Damien Millerad013942014-08-26 09:27:28 +100029libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
30direct support of /dev/random, or failing that, either prngd or egd
Damien Miller780b3761999-12-26 13:36:11 +110031
Damien Miller0736c4d2001-01-25 10:51:46 +110032PRNGD:
33
Darren Tucker2a386852007-04-06 12:25:08 +100034If your system lacks kernel-based random collection, the use of Lutz
Damien Miller0736c4d2001-01-25 10:51:46 +110035Jaenicke's PRNGd is recommended.
36
Darren Tucker2a386852007-04-06 12:25:08 +100037http://prngd.sourceforge.net/
Damien Miller0736c4d2001-01-25 10:51:46 +110038
39EGD:
40
Darren Tuckerad7d23d2014-09-09 12:23:10 +100041If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
42supported only if libcrypto supports it.
Damien Millerb5f89271999-11-12 14:35:58 +110043
Darren Tuckerad7d23d2014-09-09 12:23:10 +100044http://egd.sourceforge.net/
Damien Millerb5f89271999-11-12 14:35:58 +110045
Darren Tucker8ea84562007-08-17 22:12:14 +100046PAM:
47
Darren Tucker1a329532007-08-17 22:03:09 +100048OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
49system supports it. PAM is standard most Linux distributions, Solaris,
50HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
51
52Information about the various PAM implementations are available:
53
54Solaris PAM: http://www.sun.com/software/solaris/pam/
55Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
56OpenPAM: http://www.openpam.org/
57
58If you wish to build the GNOME passphrase requester, you will need the GNOME
59libraries and headers.
60
61GNOME:
62http://www.gnome.org/
63
64Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
65passphrase requester. This is maintained separately at:
66
67http://www.jmknoble.net/software/x11-ssh-askpass/
68
Ben Lindstrom305fb002000-11-10 02:41:30 +000069S/Key Libraries:
Darren Tucker16bcc1c2004-11-07 20:14:34 +110070
Darren Tucker8d158c92005-04-19 15:40:51 +100071If you wish to use --with-skey then you will need the library below
72installed. No other S/Key library is currently known to be supported.
Ben Lindstromca1c2a02000-10-14 21:33:19 +000073
Darren Tuckerad1e5e22005-04-19 15:31:49 +100074http://www.sparc.spb.su/solaris/skey/
75
76LibEdit:
Darren Tucker3eb48342006-06-23 21:05:12 +100077
78sftp supports command-line editing via NetBSD's libedit. If your platform
79has it available natively you can use that, alternatively you might try
80these multi-platform ports:
Darren Tuckerad1e5e22005-04-19 15:31:49 +100081
82http://www.thrysoee.dk/editline/
83http://sourceforge.net/projects/libedit/
84
Darren Tuckeraa3cbd12011-11-04 11:25:24 +110085LDNS:
86
87LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
88
89http://nlnetlabs.nl/projects/ldns/
90
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100091Autoconf:
92
Darren Tuckerf32f5522006-07-06 19:12:08 +100093If you modify configure.ac or configure doesn't exist (eg if you checked
Damien Millerb0b48be2016-08-02 11:06:23 +100094the code out of CVS yourself) then you will need autoconf-2.69 to rebuild
Darren Tuckeraef5bee2007-03-02 17:53:41 +110095the automatically generated files by running "autoreconf". Earlier
Darren Tucker637cc402007-08-17 21:40:22 +100096versions may also work but this is not guaranteed.
Darren Tuckerdb4c54b2006-06-30 16:20:58 +100097
98http://www.gnu.org/software/autoconf/
99
Darren Tucker83bbb032006-09-17 22:55:52 +1000100Basic Security Module (BSM):
101
Damien Millerff3507a2017-07-07 11:21:27 +1000102Native BSM support is known to exist in Solaris from at least 2.5.1,
Darren Tucker83bbb032006-09-17 22:55:52 +1000103FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
104implementation (http://www.openbsm.org).
105
Darren Tuckerdb4c54b2006-06-30 16:20:58 +1000106
Damien Millerb5f89271999-11-12 14:35:58 +11001072. Building / Installation
108--------------------------
109
110To install OpenSSH with default options:
111
112./configure
113make
114make install
115
116This will install the OpenSSH binaries in /usr/local/bin, configuration files
117in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
118installation prefix, use the --prefix option to configure:
119
120./configure --prefix=/opt
121make
122make install
123
Damien Millera8e06ce2003-11-21 23:48:55 +1100124Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
Damien Millerb5f89271999-11-12 14:35:58 +1100125specific paths, for example:
126
127./configure --prefix=/opt --sysconfdir=/etc/ssh
128make
129make install
130
131This will install the binaries in /opt/{bin,lib,sbin}, but will place the
132configuration files in /etc/ssh.
133
Darren Tuckerd9c88132005-04-19 12:21:21 +1000134If you are using Privilege Separation (which is enabled by default)
135then you will also need to create the user, group and directory used by
136sshd for privilege separation. See README.privsep for details.
137
Kevin Steves32c97c32001-04-20 20:56:21 +0000138If you are using PAM, you may need to manually install a PAM control
139file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
140them). Note that the service name used to start PAM is __progname,
141which is the basename of the path of your sshd (e.g., the service name
142for /usr/sbin/osshd will be osshd). If you have renamed your sshd
143executable, your PAM configuration may need to be modified.
144
145A generic PAM configuration is included as "contrib/sshd.pam.generic",
146you may need to edit it before using it on your system. If you are
147using a recent version of Red Hat Linux, the config file in
148contrib/redhat/sshd.pam should be more useful. Failure to install a
149valid PAM file may result in an inability to use password
150authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
151configuration will work with sshd (sshd will match the other service
Kevin Stevesdf4a7ae2000-11-07 14:47:51 +0000152name).
Damien Miller755c90c1999-11-22 16:12:31 +1100153
Damien Millerb5f89271999-11-12 14:35:58 +1100154There are a few other options to the configure script:
155
Darren Tucker83bbb032006-09-17 22:55:52 +1000156--with-audit=[module] enable additional auditing via the specified module.
157Currently, drivers for "debug" (additional info via syslog) and "bsm"
158(Sun's Basic Security Module) are supported.
159
Damien Miller5c3a5582003-09-23 22:12:38 +1000160--with-pam enables PAM support. If PAM support is compiled in, it must
161also be enabled in sshd_config (refer to the UsePAM directive).
Damien Millerb5f89271999-11-12 14:35:58 +1100162
Damien Millera8e06ce2003-11-21 23:48:55 +1100163--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
164support and to specify a PRNGd socket. Use this if your Unix lacks
165/dev/random and you don't want to use OpenSSH's builtin entropy
Damien Millerd0ccb982001-03-04 00:29:20 +1100166collection support.
167
Damien Millera8e06ce2003-11-21 23:48:55 +1100168--with-prngd-port=portnum allows you to enable EGD or PRNGD support
169and to specify a EGD localhost TCP port. Use this if your Unix lacks
170/dev/random and you don't want to use OpenSSH's builtin entropy
Damien Miller0736c4d2001-01-25 10:51:46 +1100171collection support.
Damien Millerb5f89271999-11-12 14:35:58 +1100172
Damien Millera8e06ce2003-11-21 23:48:55 +1100173--with-lastlog=FILE will specify the location of the lastlog file.
Damien Miller8bdeee21999-12-30 15:50:54 +1100174./configure searches a few locations for lastlog, but may not find
175it if lastlog is installed in a different place.
176
177--without-lastlog will disable lastlog support entirely.
178
Damien Millera8e06ce2003-11-21 23:48:55 +1100179--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Ben Lindstrom72af2ef2001-05-08 20:42:28 +0000180Integration Architecture. The default for OSF1 machines is enable.
181
Damien Millera8e06ce2003-11-21 23:48:55 +1100182--with-skey=PATH will enable S/Key one time password support. You will
Ben Lindstrom305fb002000-11-10 02:41:30 +0000183need the S/Key libraries and header files installed for this to work.
Damien Millerc0967271999-11-19 15:53:50 +1100184
Damien Millerc0967271999-11-19 15:53:50 +1100185--with-md5-passwords will enable the use of MD5 passwords. Enable this
Darren Tucker0d37b5c2003-10-21 12:41:14 +1000186if your operating system uses MD5 passwords and the system crypt() does
187not support them directly (see the crypt(3/3c) man page). If enabled, the
188resulting binary will support both MD5 and traditional crypt passwords.
Damien Miller3d1b22c1999-11-12 15:46:08 +1100189
Damien Millera8e06ce2003-11-21 23:48:55 +1100190--with-utmpx enables utmpx support. utmpx support is automatic for
Damien Miller8bdeee21999-12-30 15:50:54 +1100191some platforms.
192
193--without-shadow disables shadow password support.
194
Damien Millera8e06ce2003-11-21 23:48:55 +1100195--with-ipaddr-display forces the use of a numeric IP address in the
Damien Miller8bdeee21999-12-30 15:50:54 +1100196$DISPLAY environment variable. Some broken systems need this.
197
198--with-default-path=PATH allows you to specify a default $PATH for sessions
Damien Miller29ea30d2000-03-17 10:54:15 +1100199started by sshd. This replaces the standard path entirely.
Damien Miller8bdeee21999-12-30 15:50:54 +1100200
Darren Tuckerea43c492007-08-17 22:10:10 +1000201--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
Damien Miller5eed6a22000-01-16 12:05:18 +1100202created.
203
204--with-xauth=PATH specifies the location of the xauth binary
205
Damien Millerad013942014-08-26 09:27:28 +1000206--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
207libraries
Damien Miller0c0e4bf2000-02-03 13:58:51 +1100208are installed.
209
Damien Millerad013942014-08-26 09:27:28 +1000210--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
Darren Tuckerfabdb6c2006-02-20 20:17:35 +1100211
Damien Millerfd263682000-03-16 11:51:09 +1100212--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
213real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
214
Damien Millerbeb4ba51999-12-28 15:09:35 +1100215If you need to pass special options to the compiler or linker, you
Damien Miller615f9392000-05-17 22:53:33 +1000216can specify these as environment variables before running ./configure.
Damien Millerbeb4ba51999-12-28 15:09:35 +1100217For example:
218
Damien Millerb5c42d92000-08-31 11:13:10 +1100219CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
Damien Millerb5f89271999-11-12 14:35:58 +1100220
2213. Configuration
222----------------
223
Damien Millera8e06ce2003-11-21 23:48:55 +1100224The runtime configuration files are installed by in ${prefix}/etc or
Damien Millerb5f89271999-11-12 14:35:58 +1100225whatever you specified as your --sysconfdir (/usr/local/etc by default).
226
Damien Millera8e06ce2003-11-21 23:48:55 +1100227The default configuration should be instantly usable, though you should
Damien Millerb5f89271999-11-12 14:35:58 +1100228review it to ensure that it matches your security requirements.
229
Damien Miller4095f892000-03-03 22:13:52 +1100230To generate a host key, run "make host-key". Alternately you can do so
Damien Millera8e06ce2003-11-21 23:48:55 +1100231manually using the following commands:
Damien Miller2a9d9f61999-11-15 23:34:11 +1100232
Darren Tuckerdd4e7212016-10-21 06:48:46 +1100233 ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
234
Darren Tucker30eee7d2016-12-20 12:16:11 +1100235for each of the types you wish to generate (rsa, dsa or ecdsa) or
Darren Tuckerdd4e7212016-10-21 06:48:46 +1100236
237 ssh-keygen -A
238
239to generate keys for all supported types.
Damien Miller2a9d9f61999-11-15 23:34:11 +1100240
Damien Miller6ae00d61999-12-14 15:43:03 +1100241Replacing /etc/ssh with the correct path to the configuration directory.
Damien Millera8e06ce2003-11-21 23:48:55 +1100242(${prefix}/etc or whatever you specified with --sysconfdir during
Damien Miller6ae00d61999-12-14 15:43:03 +1100243configuration)
244
Damien Millerab8a4da1999-12-16 13:05:30 +1100245If you have configured OpenSSH with EGD support, ensure that EGD is
246running and has collected some Entropy.
247
Damien Millera8e06ce2003-11-21 23:48:55 +1100248For more information on configuration, please refer to the manual pages
Damien Millerb5f89271999-11-12 14:35:58 +1100249for sshd, ssh and ssh-agent.
250
Darren Tucker72c025d2005-01-18 12:05:18 +11002514. (Optional) Send survey
252-------------------------
253
254$ make survey
Darren Tucker3eb48342006-06-23 21:05:12 +1000255[check the contents of the file "survey" to ensure there's no information
256that you consider sensitive]
Darren Tucker72c025d2005-01-18 12:05:18 +1100257$ make send-survey
258
259This will send configuration information for the currently configured
260host to a survey address. This will help determine which configurations
261are actually in use, and what valid combinations of configure options
262exist. The raw data is available only to the OpenSSH developers, however
263summary data may be published.
264
2655. Problems?
Damien Miller6ae00d61999-12-14 15:43:03 +1100266------------
267
Damien Millera8e06ce2003-11-21 23:48:55 +1100268If you experience problems compiling, installing or running OpenSSH.
Damien Miller6ae00d61999-12-14 15:43:03 +1100269Please refer to the "reporting bugs" section of the webpage at
Darren Tucker461f50e2016-10-21 06:55:58 +1100270https://www.openssh.com/