- djm@cvs.openbsd.org 2010/01/09 05:04:24

[openssh.git] / INSTALL

diff --git a/INSTALL b/INSTALL
index 78f3a7052c282d0e63846cb74196c2688497b468..a35c6747d1de78ed4fddaf273e68a0973f784a37 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -12,17 +12,39 @@ http://www.openssl.org/
 (OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
 Blowfish) do not work correctly.)
 
 (OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
 Blowfish) do not work correctly.)
 

-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
-supports it. PAM is standard on Redhat and Debian Linux, Solaris and
-HP-UX 11.
+The remaining items are optional.

 
 NB. If you operating system supports /dev/random, you should configure
 OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
 
 NB. If you operating system supports /dev/random, you should configure
 OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of

-/dev/random. If you don't you will have to rely on ssh-rand-helper, which
-is inferior to a good kernel-based solution.
+/dev/random, or failing that, either prngd or egd.  If you don't have
+any of these you will have to rely on ssh-rand-helper, which is inferior
+to a good kernel-based solution or prngd.
+
+PRNGD:
+
+If your system lacks kernel-based random collection, the use of Lutz
+Jaenicke's PRNGd is recommended.
+
+http://prngd.sourceforge.net/
+
+EGD:
+
+The Entropy Gathering Daemon (EGD) is supported if you have a system which
+lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
+
+http://www.lothar.com/tech/crypto/

 
 PAM:
 
 PAM:

-http://www.kernel.org/pub/linux/libs/pam/
+
+OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
+system supports it. PAM is standard most Linux distributions, Solaris,
+HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
+
+Information about the various PAM implementations are available:
+
+Solaris PAM:   http://www.sun.com/software/solaris/pam/
+Linux PAM:     http://www.kernel.org/pub/linux/libs/pam/
+OpenPAM:       http://www.openpam.org/

 
 If you wish to build the GNOME passphrase requester, you will need the GNOME
 libraries and headers.
 
 If you wish to build the GNOME passphrase requester, you will need the GNOME
 libraries and headers.


@@ -35,19 +57,14 @@ passphrase requester. This is maintained separately at:
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 

-PRNGD:
+TCP Wrappers:

 
 

-If your system lacks Kernel based random collection, the use of Lutz
-Jaenicke's PRNGd is recommended.
-
-http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-
-EGD:
+If you wish to use the TCP wrappers functionality you will need at least
+tcpd.h and libwrap.a, either in the standard include and library paths,
+or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
+known to work.

 
 

-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
-
-http://www.lothar.com/tech/crypto/
+http://ftp.porcupine.org/pub/security/index.html

 
 S/Key Libraries:
 
 
 S/Key Libraries:
 


@@ -65,6 +82,22 @@ these multi-platform ports:
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
 
 http://www.thrysoee.dk/editline/
 http://sourceforge.net/projects/libedit/
 

+Autoconf:
+
+If you modify configure.ac or configure doesn't exist (eg if you checked
+the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
+the automatically generated files by running "autoreconf".  Earlier
+versions may also work but this is not guaranteed.
+
+http://www.gnu.org/software/autoconf/
+
+Basic Security Module (BSM):
+
+Native BSM support is know to exist in Solaris from at least 2.5.1,
+FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
+implementation (http://www.openbsm.org).
+
+

 2. Building / Installation
 --------------------------
 
 2. Building / Installation
 --------------------------
 


@@ -114,6 +147,10 @@ name).
 
 There are a few other options to the configure script:
 
 
 There are a few other options to the configure script:
 

+--with-audit=[module] enable additional auditing via the specified module.
+Currently, drivers for "debug" (additional info via syslog) and "bsm"
+(Sun's Basic Security Module) are supported.
+

 --with-pam enables PAM support. If PAM support is compiled in, it must
 also be enabled in sshd_config (refer to the UsePAM directive).
 
 --with-pam enables PAM support. If PAM support is compiled in, it must
 also be enabled in sshd_config (refer to the UsePAM directive).
 


@@ -140,7 +177,7 @@ Integration Architecture.  The default for OSF1 machines is enable.
 need the S/Key libraries and header files installed for this to work.
 
 --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
 need the S/Key libraries and header files installed for this to work.
 
 --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)

-support. You will need libwrap.a and tcpd.h installed.
+support.

 
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
 
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does


@@ -158,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this.
 --with-default-path=PATH allows you to specify a default $PATH for sessions
 started by sshd. This replaces the standard path entirely.
 
 --with-default-path=PATH allows you to specify a default $PATH for sessions
 started by sshd. This replaces the standard path entirely.
 

---with-pid-dir=PATH specifies the directory in which the ssh.pid file is
+--with-pid-dir=PATH specifies the directory in which the sshd.pid file is

 created.
 
 --with-xauth=PATH specifies the location of the xauth binary
 created.
 
 --with-xauth=PATH specifies the location of the xauth binary