]>
Commit | Line | Data |
---|---|---|
bbf3a7a8 | 1 | This file contains notes about OpenSSH on specific platforms. |
2 | ||
3 | AIX | |
4 | --- | |
5 | As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry | |
6 | settings, where previously it did not. Because of this, it's possible for | |
7 | sites that have used OpenSSH's sshd exclusively to have accounts which | |
8 | have passwords expired longer than the inactive time (ie the "Weeks between | |
9 | password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired | |
10 | chuser attribute). | |
11 | ||
12 | Accounts in this state must have their passwords reset manually by the | |
13 | administrator. As a precaution, it is recommended that the administrative | |
14 | passwords be reset before upgrading from OpenSSH <3.8. | |
15 | ||
dfddba3d | 16 | As of OpenSSH 4.0, configure will attempt to detect if your version |
17 | and maintenance level of AIX has a working getaddrinfo, and will use it | |
18 | if found. This will enable IPv6 support. If for some reason configure | |
19 | gets it wrong, or if you want to build binaries to work on earlier MLs | |
20 | than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS | |
21 | to force the previous IPv4-only behaviour. | |
22 | ||
23 | IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5 | |
24 | IPv6 known broken: 4.3.3ML11 5.1ML4 | |
7e82606e | 25 | |
fa0f0f45 | 26 | If you wish to use dynamic libraries that aren't in the normal system |
27 | locations (eg IBM's OpenSSL and zlib packages) then you will need to | |
28 | define the environment variable blibpath before running configure, eg | |
29 | ||
30 | blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \ | |
31 | --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware | |
32 | ||
33 | If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled | |
34 | by default) then sshd checks that users are permitted via the | |
35 | loginrestrictions() function, in particular that the user has the | |
36 | "rlogin" attribute set. This check is not done for the root account, | |
37 | instead the PermitRootLogin setting in sshd_config is used. | |
38 | ||
39 | ||
7e82606e | 40 | Cygwin |
41 | ------ | |
42 | To build on Cygwin, OpenSSH requires the following packages: | |
43 | gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl, | |
44 | openssl-devel, zlib, minres, minires-devel. | |
45 | ||
46 | ||
30460aeb | 47 | Darwin and MacOS X |
48 | ------------------ | |
49 | Darwin does not provide a tun(4) driver required for OpenSSH-based | |
50 | virtual private networks. The BSD manpage still exists, but the driver | |
51 | has been removed in recent releases of Darwin and MacOS X. | |
52 | ||
53 | Nevertheless, tunnel support is known to work with Darwin 8 and | |
54 | MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode | |
55 | using a third party driver. More information is available at: | |
56 | http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ | |
57 | ||
58 | ||
b5afdff5 | 59 | Linux |
60 | ----- | |
61 | ||
62 | Some Linux distributions (including Red Hat/Fedora/CentOS) include | |
63 | headers and library links in the -devel RPMs rather than the main | |
64 | binary RPMs. If you get an error about headers, or complaining about a | |
65 | missing prerequisite then you may need to install the equivalent | |
66 | development packages. On Redhat based distros these may be openssl-devel, | |
67 | zlib-devel and pam-devel, on Debian based distros these may be | |
68 | libssl-dev, libz-dev and libpam-dev. | |
69 | ||
70 | ||
bbf3a7a8 | 71 | Solaris |
72 | ------- | |
dfddba3d | 73 | If you enable BSM auditing on Solaris, you need to update audit_event(4) |
74 | for praudit(1m) to give sensible output. The following line needs to be | |
75 | added to /etc/security/audit_event: | |
76 | ||
77 | 32800:AUE_openssh:OpenSSH login:lo | |
78 | ||
79 | The BSM audit event range available for third party TCB applications is | |
80 | 32768 - 65535. Event number 32800 has been choosen for AUE_openssh. | |
81 | There is no official registry of 3rd party event numbers, so if this | |
82 | number is already in use on your system, you may change it at build time | |
83 | by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. | |
84 | ||
bbf3a7a8 | 85 | |
08822d99 | 86 | Platforms using PAM |
87 | ------------------- | |
88 | As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when | |
89 | PAM is enabled. To maintain existing behaviour, pam_nologin should be | |
90 | added to sshd's session stack which will prevent users from starting shell | |
91 | sessions. Alternatively, pam_nologin can be added to either the auth or | |
92 | account stacks which will prevent authentication entirely, but will still | |
93 | return the output from pam_nologin to the client. | |
94 | ||
95 | ||
bbf3a7a8 | 96 | $Id$ |