[openssh.git] / README.platform

This file contains notes about OpenSSH on specific platforms.

AIX
---
As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
settings, where previously it did not.  Because of this, it's possible for
sites that have used OpenSSH's sshd exclusively to have accounts which
have passwords expired longer than the inactive time (ie the "Weeks between
password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
chuser attribute).

Accounts in this state must have their passwords reset manually by the
administrator.  As a precaution, it is recommended that the administrative
passwords be reset before upgrading from OpenSSH <3.8.

As of OpenSSH 4.0, configure will attempt to detect if your version
and maintenance level of AIX has a working getaddrinfo, and will use it
if found.  This will enable IPv6 support.  If for some reason configure
gets it wrong, or if you want to build binaries to work on earlier MLs
than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
to force the previous IPv4-only behaviour.

IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
IPv6 known broken: 4.3.3ML11 5.1ML4

Cygwin
------
To build on Cygwin, OpenSSH requires the following packages:
gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
openssl-devel, zlib, minres, minires-devel.


Darwin and MacOS X
------------------
Darwin does not provide a tun(4) driver required for OpenSSH-based
virtual private networks. The BSD manpage still exists, but the driver
has been removed in recent releases of Darwin and MacOS X.

Nevertheless, tunnel support is known to work with Darwin 8 and
MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
using a third party driver. More information is available at:
	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/


Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output.  The following line needs to be
added to /etc/security/audit_event:

	32800:AUE_openssh:OpenSSH login:lo

The BSM audit event range available for third party TCB applications is
32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.


Platforms using PAM
-------------------
As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
PAM is enabled.  To maintain existing behaviour, pam_nologin should be
added to sshd's session stack which will prevent users from starting shell
sessions.  Alternatively, pam_nologin can be added to either the auth or
account stacks which will prevent authentication entirely, but will still
return the output from pam_nologin to the client.


$Id$
Commit	Line	Data
510c0a8a	1	This file contains notes about OpenSSH on specific platforms.
	2
	3	AIX
	4	---
	5	As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
	6	settings, where previously it did not. Because of this, it's possible for
	7	sites that have used OpenSSH's sshd exclusively to have accounts which
	8	have passwords expired longer than the inactive time (ie the "Weeks between
	9	password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
	10	chuser attribute).
	11
	12	Accounts in this state must have their passwords reset manually by the
	13	administrator. As a precaution, it is recommended that the administrative
	14	passwords be reset before upgrading from OpenSSH <3.8.
	15
5ccf88cb	16	As of OpenSSH 4.0, configure will attempt to detect if your version
	17	and maintenance level of AIX has a working getaddrinfo, and will use it
	18	if found. This will enable IPv6 support. If for some reason configure
	19	gets it wrong, or if you want to build binaries to work on earlier MLs
	20	than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
	21	to force the previous IPv4-only behaviour.
	22
c6b2ec35	23	IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
5ccf88cb	24	IPv6 known broken: 4.3.3ML11 5.1ML4
3daa912a	25
	26	Cygwin
	27	------
	28	To build on Cygwin, OpenSSH requires the following packages:
	29	gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
	30	openssl-devel, zlib, minres, minires-devel.
	31
	32
e02505e2	33	Darwin and MacOS X
	34	------------------
	35	Darwin does not provide a tun(4) driver required for OpenSSH-based
	36	virtual private networks. The BSD manpage still exists, but the driver
	37	has been removed in recent releases of Darwin and MacOS X.
	38
	39	Nevertheless, tunnel support is known to work with Darwin 8 and
	40	MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
	41	using a third party driver. More information is available at:
	42	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
	43
	44
510c0a8a	45	Solaris
510c0a8a	46	-------
7b578f7d	47	If you enable BSM auditing on Solaris, you need to update audit_event(4)
	48	for praudit(1m) to give sensible output. The following line needs to be
	49	added to /etc/security/audit_event:
	50
	51	32800:AUE_openssh:OpenSSH login:lo
	52
	53	The BSM audit event range available for third party TCB applications is
	54	32768 - 65535. Event number 32800 has been choosen for AUE_openssh.
	55	There is no official registry of 3rd party event numbers, so if this
	56	number is already in use on your system, you may change it at build time
	57	by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
	58
510c0a8a	59
e557f3b5	60	Platforms using PAM
	61	-------------------
	62	As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
	63	PAM is enabled. To maintain existing behaviour, pam_nologin should be
	64	added to sshd's session stack which will prevent users from starting shell
	65	sessions. Alternatively, pam_nologin can be added to either the auth or
	66	account stacks which will prevent authentication entirely, but will still
	67	return the output from pam_nologin to the client.
	68
	69
510c0a8a	70	$Id$