X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/590317730f085ef1cc6e7ab892a7b09f038332b0..d03186af8de9b660564ccc1804d2a9c2e93b2e58:/INSTALL diff --git a/INSTALL b/INSTALL index 692baade..a35c6747 100644 --- a/INSTALL +++ b/INSTALL @@ -3,7 +3,7 @@ You will need working installations of Zlib and OpenSSL. -Zlib 1.1.4 or greater: +Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems): http://www.gzip.org/zlib/ OpenSSL 0.9.6 or greater: @@ -12,17 +12,39 @@ http://www.openssl.org/ (OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 Blowfish) do not work correctly.) -OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system -supports it. PAM is standard on Redhat and Debian Linux, Solaris and -HP-UX 11. +The remaining items are optional. NB. If you operating system supports /dev/random, you should configure OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of -/dev/random. If you don't you will have to rely on ssh-rand-helper, which -is inferior to a good kernel-based solution. +/dev/random, or failing that, either prngd or egd. If you don't have +any of these you will have to rely on ssh-rand-helper, which is inferior +to a good kernel-based solution or prngd. + +PRNGD: + +If your system lacks kernel-based random collection, the use of Lutz +Jaenicke's PRNGd is recommended. + +http://prngd.sourceforge.net/ + +EGD: + +The Entropy Gathering Daemon (EGD) is supported if you have a system which +lacks /dev/random and don't want to use OpenSSH's internal entropy collection. + +http://www.lothar.com/tech/crypto/ PAM: -http://www.kernel.org/pub/linux/libs/pam/ + +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your +system supports it. PAM is standard most Linux distributions, Solaris, +HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. + +Information about the various PAM implementations are available: + +Solaris PAM: http://www.sun.com/software/solaris/pam/ +Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ +OpenPAM: http://www.openpam.org/ If you wish to build the GNOME passphrase requester, you will need the GNOME libraries and headers. @@ -35,34 +57,46 @@ passphrase requester. This is maintained separately at: http://www.jmknoble.net/software/x11-ssh-askpass/ -PRNGD: - -If your system lacks Kernel based random collection, the use of Lutz -Jaenicke's PRNGd is recommended. +TCP Wrappers: -http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html +If you wish to use the TCP wrappers functionality you will need at least +tcpd.h and libwrap.a, either in the standard include and library paths, +or in the directory specified by --with-tcp-wrappers. Version 7.6 is +known to work. -EGD: +http://ftp.porcupine.org/pub/security/index.html -The Entropy Gathering Daemon (EGD) is supported if you have a system which -lacks /dev/random and don't want to use OpenSSH's internal entropy collection. +S/Key Libraries: -http://www.lothar.com/tech/crypto/ +If you wish to use --with-skey then you will need the library below +installed. No other S/Key library is currently known to be supported. -S/Key Libraries: http://www.sparc.spb.su/solaris/skey/ LibEdit: -sftp now supports command-line editing via NetBSD's libedit. If your -platform has it available natively you can use that, alternatively -you might try these multi-platform ports: +sftp supports command-line editing via NetBSD's libedit. If your platform +has it available natively you can use that, alternatively you might try +these multi-platform ports: + http://www.thrysoee.dk/editline/ http://sourceforge.net/projects/libedit/ -If you wish to use --with-skey then you will need the above library -installed. No other current S/Key library is currently known to be -supported. +Autoconf: + +If you modify configure.ac or configure doesn't exist (eg if you checked +the code out of CVS yourself) then you will need autoconf-2.61 to rebuild +the automatically generated files by running "autoreconf". Earlier +versions may also work but this is not guaranteed. + +http://www.gnu.org/software/autoconf/ + +Basic Security Module (BSM): + +Native BSM support is know to exist in Solaris from at least 2.5.1, +FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM +implementation (http://www.openbsm.org). + 2. Building / Installation -------------------------- @@ -91,6 +125,10 @@ make install This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. +If you are using Privilege Separation (which is enabled by default) +then you will also need to create the user, group and directory used by +sshd for privilege separation. See README.privsep for details. + If you are using PAM, you may need to manually install a PAM control file as "/etc/pam.d/sshd" (or wherever your system prefers to keep them). Note that the service name used to start PAM is __progname, @@ -109,6 +147,10 @@ name). There are a few other options to the configure script: +--with-audit=[module] enable additional auditing via the specified module. +Currently, drivers for "debug" (additional info via syslog) and "bsm" +(Sun's Basic Security Module) are supported. + --with-pam enables PAM support. If PAM support is compiled in, it must also be enabled in sshd_config (refer to the UsePAM directive). @@ -135,7 +177,7 @@ Integration Architecture. The default for OSF1 machines is enable. need the S/Key libraries and header files installed for this to work. --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) -support. You will need libwrap.a and tcpd.h installed. +support. --with-md5-passwords will enable the use of MD5 passwords. Enable this if your operating system uses MD5 passwords and the system crypt() does @@ -153,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this. --with-default-path=PATH allows you to specify a default $PATH for sessions started by sshd. This replaces the standard path entirely. ---with-pid-dir=PATH specifies the directory in which the ssh.pid file is +--with-pid-dir=PATH specifies the directory in which the sshd.pid file is created. --with-xauth=PATH specifies the location of the xauth binary @@ -161,6 +203,8 @@ created. --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries are installed. +--with-ssl-engine enables OpenSSL's (hardware) ENGINE support + --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to real (AF_INET) IPv4 addresses. Works around some quirks on Linux. @@ -200,7 +244,21 @@ running and has collected some Entropy. For more information on configuration, please refer to the manual pages for sshd, ssh and ssh-agent. -4. Problems? +4. (Optional) Send survey +------------------------- + +$ make survey +[check the contents of the file "survey" to ensure there's no information +that you consider sensitive] +$ make send-survey + +This will send configuration information for the currently configured +host to a survey address. This will help determine which configurations +are actually in use, and what valid combinations of configure options +exist. The raw data is available only to the OpenSSH developers, however +summary data may be published. + +5. Problems? ------------ If you experience problems compiling, installing or running OpenSSH.