INSTALL
1. Prerequisites | 1. Prerequisites | ||||
---------------- | ---------------- | ||||
A C compiler. Any C89 or better compiler should work. Where supported, | A C compiler. Any C89 or better compiler should work. Where supported, | ||||
configure will attempt to enable the compiler's run-time integrity checking | configure will attempt to enable the compiler's run-time integrity checking | ||||
options. Some notes about specific compilers: | options. Some notes about specific compilers: | ||||
- clang: -ftrapv and -sanitize=integer require the compiler-rt runtime | - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime | ||||
(CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) | (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure) | ||||
You will need working installations of Zlib and libcrypto (LibreSSL / | You will need working installations of Zlib and libcrypto (LibreSSL / | ||||
OpenSSL) | OpenSSL) | ||||
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): | Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems): | ||||
http://www.gzip.org/zlib/ | http://www.gzip.org/zlib/ | ||||
libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0) | libcrypto from either of: | ||||
LibreSSL http://www.libressl.org/ ; or | - LibreSSL (https://www.libressl.org/) | ||||
OpenSSL http://www.openssl.org/ | - OpenSSL (https://www.openssl.org) with any of the following versions: | ||||
- 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 | |||||
LibreSSL/OpenSSL should be compiled as a position-independent library | LibreSSL/OpenSSL should be compiled as a position-independent library | ||||
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. | (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. | ||||
If you must use a non-position-independent libcrypto, then you may need | If you must use a non-position-independent libcrypto, then you may need | ||||
to configure OpenSSH --without-pie. Note that because of API changes, | to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit | ||||
OpenSSL 1.1.x is not currently supported. | OpenSSL 1.1 versions prior to 1.1.0g can't be used. | ||||
To support Privilege Separation (which is now required) you will need | |||||
to create the user, group and directory used by sshd for privilege | |||||
separation. See README.privsep for details. | |||||
The remaining items are optional. | The remaining items are optional. | ||||
NB. If you operating system supports /dev/random, you should configure | NB. If you operating system supports /dev/random, you should configure | ||||
libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's | libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's | ||||
direct support of /dev/random, or failing that, either prngd or egd | direct support of /dev/random, or failing that, either prngd or egd. | ||||
PRNGD: | PRNGD: | ||||
If your system lacks kernel-based random collection, the use of Lutz | If your system lacks kernel-based random collection, the use of Lutz | ||||
Jaenicke's PRNGd is recommended. | Jaenicke's PRNGd is recommended. It requires that libcrypto be configured | ||||
to support it. | |||||
http://prngd.sourceforge.net/ | http://prngd.sourceforge.net/ | ||||
EGD: | EGD: | ||||
If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is | The Entropy Gathering Daemon (EGD) suppports the same interface as prngd. | ||||
supported only if libcrypto supports it. | It also supported only if libcrypto is configured to support it. | ||||
http://egd.sourceforge.net/ | http://egd.sourceforge.net/ | ||||
PAM: | PAM: | ||||
OpenSSH can utilise Pluggable Authentication Modules (PAM) if your | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your | ||||
system supports it. PAM is standard most Linux distributions, Solaris, | system supports it. PAM is standard most Linux distributions, Solaris, | ||||
HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. | HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. | ||||
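Review bot: The rewritten EGD paragraph in the right-hand column has two wording slips: "suppports" should be "supports", and "It also supported only if libcrypto is configured" is missing a verb ("It is also supported only if ..."). In the same hunk the new version bullet "1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1" packs three ranges onto one line; one sub-bullet per release series would be easier to check against an installed libcrypto. The LibreSSL and OpenSSL links move to https here while the zlib, prngd and egd links stay on http, so consider updating those too wherever the sites support it. The unchanged "NB. If you operating system" line could be corrected to "your" in passing.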
▲ Show 20 Lines • Show All 74 Lines • ▼ Show 20 Lines | |||||
specific paths, for example: | specific paths, for example: | ||||
./configure --prefix=/opt --sysconfdir=/etc/ssh | ./configure --prefix=/opt --sysconfdir=/etc/ssh | ||||
make | make | ||||
make install | make install | ||||
This will install the binaries in /opt/{bin,lib,sbin}, but will place the | This will install the binaries in /opt/{bin,lib,sbin}, but will place the | ||||
configuration files in /etc/ssh. | configuration files in /etc/ssh. | ||||
If you are using Privilege Separation (which is enabled by default) | |||||
then you will also need to create the user, group and directory used by | |||||
sshd for privilege separation. See README.privsep for details. | |||||
If you are using PAM, you may need to manually install a PAM control | If you are using PAM, you may need to manually install a PAM control | ||||
file as "/etc/pam.d/sshd" (or wherever your system prefers to keep | file as "/etc/pam.d/sshd" (or wherever your system prefers to keep | ||||
them). Note that the service name used to start PAM is __progname, | them). Note that the service name used to start PAM is __progname, | ||||
which is the basename of the path of your sshd (e.g., the service name | which is the basename of the path of your sshd (e.g., the service name | ||||
for /usr/sbin/osshd will be osshd). If you have renamed your sshd | for /usr/sbin/osshd will be osshd). If you have renamed your sshd | ||||
executable, your PAM configuration may need to be modified. | executable, your PAM configuration may need to be modified. | ||||
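Review bot: The Privilege Separation paragraph in this hunk says privsep "is enabled by default", while the one-sided paragraph in the Prerequisites hunk says it "is now required", and each appears in only one column of the diff. If the intent is to move the requirement up into Prerequisites, confirm that the "enabled by default" copy here is the one being dropped, so the resulting file does not describe privilege separation as both optional and mandatory. Both wordings point at README.privsep, so it is worth checking that file still matches the "required" statement.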