r8902 - in trunk/BOOK: basicnet/netprogs postlfs/security

bdubbs at linuxfromscratch.org bdubbs at linuxfromscratch.org
Wed Oct 19 16:52:04 PDT 2011


Author: bdubbs
Date: 2011-10-19 17:51:59 -0600 (Wed, 19 Oct 2011)
New Revision: 8902

Added:
   trunk/BOOK/postlfs/security/openssh.xml
Removed:
   trunk/BOOK/basicnet/netprogs/openssh.xml
Modified:
   trunk/BOOK/basicnet/netprogs/netprogs.xml
   trunk/BOOK/postlfs/security/security.xml
Log:
Move openssh to security chapter

Modified: trunk/BOOK/basicnet/netprogs/netprogs.xml
===================================================================
--- trunk/BOOK/basicnet/netprogs/netprogs.xml	2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/basicnet/netprogs/netprogs.xml	2011-10-19 23:51:59 UTC (rev 8902)
@@ -27,7 +27,6 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="net-tools.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nfs-utils-client.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ntp.xml"/>
-  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="portmap.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="rsync-client.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="samba3-client.xml"/>

Deleted: trunk/BOOK/basicnet/netprogs/openssh.xml
===================================================================
--- trunk/BOOK/basicnet/netprogs/openssh.xml	2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/basicnet/netprogs/openssh.xml	2011-10-19 23:51:59 UTC (rev 8902)
@@ -1,412 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
-   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-  <!ENTITY % general-entities SYSTEM "../../general.ent">
-  %general-entities;
-
-  <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
-  <!ENTITY openssh-download-ftp  "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
-  <!ENTITY openssh-md5sum        "afe17eee7e98d3b8550cc349834a85d0">
-  <!ENTITY openssh-size          "1.1 MB">
-  <!ENTITY openssh-buildsize     "44 MB">
-  <!ENTITY openssh-time          "3.5 SBU (including the test suite)">
-]>
-
-<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
-  <?dbhtml filename="openssh.html"?>
-
-  <sect1info>
-    <othername>$LastChangedBy$</othername>
-    <date>$Date$</date>
-  </sect1info>
-
-  <title>OpenSSH-&openssh-version;</title>
-
-  <para>The <application>OpenSSH</application> package contains
-  <command>ssh</command> clients and the <command>sshd</command> daemon.
-  This is useful for encrypting authentication and subsequent traffic
-  over a network. The <command>ssh</command> and <command>scp</command>
-  commands are secure implementions of <command>telnet</command> and 
-  <command>rcp</command> respectively.</para>
-
-  &lfs70_checked;
-
-  <indexterm zone="openssh">
-    <primary sortas="a-OpenSSH">OpenSSH</primary>
-  </indexterm>
-
-  <sect2 role="package">
-    <title>Introduction to OpenSSH</title>
-
-    <bridgehead renderas="sect3">Package Information</bridgehead>
-    <itemizedlist spacing="compact">
-      <listitem>
-        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 sum: &openssh-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Download size: &openssh-size;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &openssh-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &openssh-time;</para>
-      </listitem>
-    </itemizedlist>
-
-    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
-
-    <bridgehead renderas="sect4">Required</bridgehead>
-    <para role="required"><xref linkend="openssl"/></para>
-
-    <bridgehead renderas="sect4">Optional</bridgehead>
-    <para role="optional"><xref linkend="linux-pam"/>,
-    <xref linkend="tcpwrappers"/>,
-    <xref linkend="x-window-system"/>,
-    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
-    <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
-    (provides a command-line history feature to <command>sftp</command>),
-    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
-    <ulink
-    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
-
-    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
-    <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
-    <xref linkend="net-tools"/>, and
-    <xref linkend="sysstat"/>.</para>
-
-    <para condition="html" role="usernotes">User Notes:
-    <ulink url='&blfs-wiki;/OpenSSH'/></para>
-
-  </sect2>
-
-  <sect2 role="installation">
-    <title>Installation of OpenSSH</title>
-
-    <para><application>OpenSSH</application> runs as two processes when
-    connecting to other computers. The first process is a privileged process
-    and controls the issuance of privileges as necessary. The second process
-    communicates with the network. Additional installation steps are necessary
-    to set up the proper environment, which are performed by issuing the
-    following commands as the <systemitem class="username">root</systemitem>
-    user:</para>
-
-<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
-chown -v root:sys /var/lib/sshd &&
-groupadd -g 50 sshd &&
-useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
-    -s /bin/false -u 50 sshd</userinput></screen>
-
-    <para><application>OpenSSH</application> is very sensitive to changes in
-    the linked <application>OpenSSL</application> libraries. If you recompile
-    <application>OpenSSL</application>, <application>OpenSSH</application> may
-    fail to start up. An alternative is to link against the static
-    <application>OpenSSL</application> library. To link against the static
-    library, execute the following command:</para>
-
-<screen><userinput>sed -i 's at -lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
-
-    <para>Install <application>OpenSSH</application> by running
-    the following commands:</para>
-
-<screen><userinput>sed -i.bak 's/ -ldes//' configure &&
-./configure --prefix=/usr \
-            --sysconfdir=/etc/ssh \
-            --datadir=/usr/share/sshd \
-            --libexecdir=/usr/lib/openssh \
-            --with-md5-passwords \
-            --with-privsep-path=/var/lib/sshd &&
-make</userinput></screen>
-
-    <para>If you linked <application>tcp_wrappers</application> into the
-    build using the <option>--with-tcp-wrappers</option> parameter, ensure
-    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
-    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
-    test suite will fail. Additionally, the testsuite requires an installed
-    copy of <command>scp</command> to complete the multiplexing tests.  To
-    run the test suite, first copy the scp program to
-    <filename class="directory">/usr/bin</filename>, making sure that you
-    back up any existing copy first.</para>
-
-    <para>To run the test suite, issue the following commands:</para>
-
-<screen role="root"><userinput>make tests 2>&1 | tee check.log
-grep FATAL check.log</userinput></screen>
-
-    <para>If the above command produces no 'FATAL' errors, then proceed
-    with the installation, as the
-    <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="root"><userinput>make install &&
-install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
-install -v -m644 INSTALL LICENCE OVERVIEW README* \
-    /usr/share/doc/openssh-&openssh-version;</userinput></screen>
-
-  </sect2>
-
-  <sect2 role="commands">
-    <title>Command Explanations</title>
-
-    <para><command>sed -i.bak 's/ -ldes//' configure</command>:
-    This command fixes a build crash if you used the
-    <option>--with-kerberos5</option> parameter and you built the
-    <application>Heimdal</application> package in accordance with the BLFS
-    instructions. The command is harmless in all other instances.</para>
-
-    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
-    the configuration files from being installed in
-    <filename class="directory">/usr/etc</filename>.</para>
-
-    <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
-    puts the Ssh.bin file (used for SmartCard authentication) in
-    <filename class="directory">/usr/share/sshd</filename>.</para>
-
-    <para><parameter>--with-md5-passwords</parameter>: This is required
-    with the default configuration of Shadow password suite in LFS.</para>
-
-    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
-    changes the installation path of some programs to
-    <filename class="directory">/usr/lib/openssh</filename> instead of
-    <filename class="directory">/usr/libexec</filename>.</para>
-
-    <para><parameter>--with-pam</parameter>: This parameter enables
-    <application>Linux-PAM</application> support in the build.</para>
-
-    <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
-    default location for the <command>xauth</command> binary for X
-    authentication. Change the location if <command>xauth</command> will
-    be installed to a different path. This can also be controlled from
-    <filename>sshd_config</filename> with the XAuthLocation keyword.
-    You can omit this switch if <application>Xorg</application> is already
-    installed.
-    </para>
-
-    <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
-    include Heimdal support in the build.</para>
-
-  </sect2>
-
-  <sect2 role="configuration">
-    <title>Configuring OpenSSH</title>
-
-    <para>If you are only going to use the <command>ssh</command> or
-    <command>scp</command> clients, no configuration or boot scripts are
-    required.</para>
-
-    <sect3 id="openssh-config">
-      <title>Config Files</title>
-
-      <para><filename>~/.ssh/*</filename>,
-      <filename>/etc/ssh/ssh_config</filename>, and
-      <filename>/etc/ssh/sshd_config</filename></para>
-
-      <indexterm zone="openssh openssh-config">
-        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
-      </indexterm>
-
-      <indexterm zone="openssh openssh-config">
-        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
-      </indexterm>
-
-      <indexterm zone="openssh openssh-config">
-        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
-      </indexterm>
-
-      <para>There are no required changes to any of these files. However,
-      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
-      files and make any changes appropriate for the security of your system.
-      One recommended change is that you disable
-      <systemitem class='username'>root</systemitem> login via
-      <command>ssh</command>. Execute the following command as the
-      <systemitem class='username'>root</systemitem> user to disable
-      <systemitem class='username'>root</systemitem> login via
-      <command>ssh</command>:</para>
-
-<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
-
-      <para>If you added <application>LinuxPAM</application> support, then you
-      will need to add a configuration file for
-      <application>sshd</application> and enable use of
-      <application>LinuxPAM</application>.  Issue the following commands as the
-      <systemitem class='username'>root</systemitem> user:</para>
-
-<screen role="root"><userinput>sed 's at d/login at d/sshd at g' /etc/pam.d/login > /etc/pam.d/sshd &&
-chmod 644 /etc/pam.d/sshd &&
-echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen>
-
-      <para>Additional configuration information can be found in the man
-      pages for <command>sshd</command>, <command>ssh</command> and
-      <command>ssh-agent</command>.</para>
-
-    </sect3>
-
-    <sect3  id="openssh-init">
-      <title>Boot Script</title>
-
-      <para>To start the SSH server at system boot, install the
-      <filename>/etc/rc.d/init.d/sshd</filename> init script included
-      in the <xref linkend="bootscripts"/> package.</para>
-
-      <indexterm zone="openssh openssh-init">
-        <primary sortas="f-sshd">sshd</primary>
-      </indexterm>
-
-<screen role="root"><userinput>make install-sshd</userinput></screen>
-
-    </sect3>
-
-  </sect2>
-
-  <sect2 role="content">
-    <title>Contents</title>
-
-    <segmentedlist>
-      <segtitle>Installed Programs</segtitle>
-      <segtitle>Installed Libraries</segtitle>
-      <segtitle>Installed Directories</segtitle>
-
-      <seglistitem>
-        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
-        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
-        <seg>None</seg>
-        <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
-        /usr/share/doc/openssh-&openssh-version;</seg>
-      </seglistitem>
-    </segmentedlist>
-
-    <variablelist>
-      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
-      <?dbfo list-presentation="list"?>
-      <?dbhtml list-presentation="table"?>
-
-      <varlistentry id="scp">
-        <term><command>scp</command></term>
-        <listitem>
-          <para>is a file copy program that acts like <command>rcp</command>
-          except it uses an encrypted protocol.</para>
-          <indexterm zone="openssh scp">
-            <primary sortas="b-scp">scp</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="sftp">
-        <term><command>sftp</command></term>
-        <listitem>
-          <para>is an FTP-like program that works over
-          SSH1 and SSH2 protocols.</para>
-          <indexterm zone="openssh sftp">
-            <primary sortas="b-sftp">sftp</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="sftp-server">
-        <term><command>sftp-server</command></term>
-        <listitem>
-          <para>is an SFTP server subsystem. This program is not normally
-          called directly by the user.</para>
-          <indexterm zone="openssh sftp-server">
-            <primary sortas="b-sftp-server">sftp-server</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="slogin">
-        <term><command>slogin</command></term>
-        <listitem>
-          <para>is a symlink to <command>ssh</command>.</para>
-          <indexterm zone="openssh slogin">
-            <primary sortas="g-slogin">slogin</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh">
-        <term><command>ssh</command></term>
-        <listitem>
-          <para>is an <command>rlogin</command>/<command>rsh</command>-like
-          client program except it uses an encrypted protocol.</para>
-          <indexterm zone="openssh ssh">
-            <primary sortas="b-ssh">ssh</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="sshd">
-        <term><command>sshd</command></term>
-        <listitem>
-          <para>is a daemon that listens for <command>ssh</command> login
-          requests.</para>
-          <indexterm zone="openssh sshd">
-            <primary sortas="b-sshd">sshd</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh-add">
-        <term><command>ssh-add</command></term>
-        <listitem>
-          <para>is a tool which adds keys to the
-          <command>ssh-agent</command>.</para>
-          <indexterm zone="openssh ssh-add">
-            <primary sortas="b-ssh-add">ssh-add</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh-agent">
-        <term><command>ssh-agent</command></term>
-        <listitem>
-          <para>is an authentication agent that can store private keys.</para>
-          <indexterm zone="openssh ssh-agent">
-            <primary sortas="b-ssh-agent">ssh-agent</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh-keygen">
-        <term><command>ssh-keygen</command></term>
-        <listitem>
-          <para>is a key generation tool.</para>
-          <indexterm zone="openssh ssh-keygen">
-            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh-keyscan">
-        <term><command>ssh-keyscan</command></term>
-        <listitem>
-          <para>is a utility for gathering public host keys from a
-          number of hosts.</para>
-          <indexterm zone="openssh ssh-keyscan">
-            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="ssh-keysign">
-        <term><command>ssh-keysign</command></term>
-        <listitem>
-          <para>is used by <command>ssh</command> to access the local host
-          keys and generate the digital signature required during hostbased
-          authentication with SSH protocol version 2. This program is not normally
-          called directly by the user.</para>
-          <indexterm zone="openssh ssh-keysign">
-            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-  </sect2>
-
-</sect1>

Copied: trunk/BOOK/postlfs/security/openssh.xml (from rev 8901, trunk/BOOK/basicnet/netprogs/openssh.xml)
===================================================================
--- trunk/BOOK/postlfs/security/openssh.xml	                        (rev 0)
+++ trunk/BOOK/postlfs/security/openssh.xml	2011-10-19 23:51:59 UTC (rev 8902)
@@ -0,0 +1,412 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+
+  <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+  <!ENTITY openssh-download-ftp  "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+  <!ENTITY openssh-md5sum        "afe17eee7e98d3b8550cc349834a85d0">
+  <!ENTITY openssh-size          "1.1 MB">
+  <!ENTITY openssh-buildsize     "44 MB">
+  <!ENTITY openssh-time          "3.5 SBU (including the test suite)">
+]>
+
+<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
+  <?dbhtml filename="openssh.html"?>
+
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
+
+  <title>OpenSSH-&openssh-version;</title>
+
+  <para>The <application>OpenSSH</application> package contains
+  <command>ssh</command> clients and the <command>sshd</command> daemon.
+  This is useful for encrypting authentication and subsequent traffic
+  over a network. The <command>ssh</command> and <command>scp</command>
+  commands are secure implementions of <command>telnet</command> and 
+  <command>rcp</command> respectively.</para>
+
+  &lfs70_checked;
+
+  <indexterm zone="openssh">
+    <primary sortas="a-OpenSSH">OpenSSH</primary>
+  </indexterm>
+
+  <sect2 role="package">
+    <title>Introduction to OpenSSH</title>
+
+    <bridgehead renderas="sect3">Package Information</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download MD5 sum: &openssh-md5sum;</para>
+      </listitem>
+      <listitem>
+        <para>Download size: &openssh-size;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &openssh-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &openssh-time;</para>
+      </listitem>
+    </itemizedlist>
+
+    <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
+
+    <bridgehead renderas="sect4">Required</bridgehead>
+    <para role="required"><xref linkend="openssl"/></para>
+
+    <bridgehead renderas="sect4">Optional</bridgehead>
+    <para role="optional"><xref linkend="linux-pam"/>,
+    <xref linkend="tcpwrappers"/>,
+    <xref linkend="x-window-system"/>,
+    <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
+    <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
+    (provides a command-line history feature to <command>sftp</command>),
+    <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
+    <ulink
+    url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
+
+    <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
+    <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
+    <xref linkend="net-tools"/>, and
+    <xref linkend="sysstat"/>.</para>
+
+    <para condition="html" role="usernotes">User Notes:
+    <ulink url='&blfs-wiki;/OpenSSH'/></para>
+
+  </sect2>
+
+  <sect2 role="installation">
+    <title>Installation of OpenSSH</title>
+
+    <para><application>OpenSSH</application> runs as two processes when
+    connecting to other computers. The first process is a privileged process
+    and controls the issuance of privileges as necessary. The second process
+    communicates with the network. Additional installation steps are necessary
+    to set up the proper environment, which are performed by issuing the
+    following commands as the <systemitem class="username">root</systemitem>
+    user:</para>
+
+<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
+chown -v root:sys /var/lib/sshd &&
+groupadd -g 50 sshd &&
+useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
+    -s /bin/false -u 50 sshd</userinput></screen>
+
+    <para><application>OpenSSH</application> is very sensitive to changes in
+    the linked <application>OpenSSL</application> libraries. If you recompile
+    <application>OpenSSL</application>, <application>OpenSSH</application> may
+    fail to start up. An alternative is to link against the static
+    <application>OpenSSL</application> library. To link against the static
+    library, execute the following command:</para>
+
+<screen><userinput>sed -i 's at -lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
+
+    <para>Install <application>OpenSSH</application> by running
+    the following commands:</para>
+
+<screen><userinput>sed -i.bak 's/ -ldes//' configure &&
+./configure --prefix=/usr \
+            --sysconfdir=/etc/ssh \
+            --datadir=/usr/share/sshd \
+            --libexecdir=/usr/lib/openssh \
+            --with-md5-passwords \
+            --with-privsep-path=/var/lib/sshd &&
+make</userinput></screen>
+
+    <para>If you linked <application>tcp_wrappers</application> into the
+    build using the <option>--with-tcp-wrappers</option> parameter, ensure
+    you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
+    if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
+    test suite will fail. Additionally, the testsuite requires an installed
+    copy of <command>scp</command> to complete the multiplexing tests.  To
+    run the test suite, first copy the scp program to
+    <filename class="directory">/usr/bin</filename>, making sure that you
+    back up any existing copy first.</para>
+
+    <para>To run the test suite, issue the following commands:</para>
+
+<screen role="root"><userinput>make tests 2>&1 | tee check.log
+grep FATAL check.log</userinput></screen>
+
+    <para>If the above command produces no 'FATAL' errors, then proceed
+    with the installation, as the
+    <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>make install &&
+install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
+install -v -m644 INSTALL LICENCE OVERVIEW README* \
+    /usr/share/doc/openssh-&openssh-version;</userinput></screen>
+
+  </sect2>
+
+  <sect2 role="commands">
+    <title>Command Explanations</title>
+
+    <para><command>sed -i.bak 's/ -ldes//' configure</command>:
+    This command fixes a build crash if you used the
+    <option>--with-kerberos5</option> parameter and you built the
+    <application>Heimdal</application> package in accordance with the BLFS
+    instructions. The command is harmless in all other instances.</para>
+
+    <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
+    the configuration files from being installed in
+    <filename class="directory">/usr/etc</filename>.</para>
+
+    <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
+    puts the Ssh.bin file (used for SmartCard authentication) in
+    <filename class="directory">/usr/share/sshd</filename>.</para>
+
+    <para><parameter>--with-md5-passwords</parameter>: This is required
+    with the default configuration of Shadow password suite in LFS.</para>
+
+    <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
+    changes the installation path of some programs to
+    <filename class="directory">/usr/lib/openssh</filename> instead of
+    <filename class="directory">/usr/libexec</filename>.</para>
+
+    <para><parameter>--with-pam</parameter>: This parameter enables
+    <application>Linux-PAM</application> support in the build.</para>
+
+    <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
+    default location for the <command>xauth</command> binary for X
+    authentication. Change the location if <command>xauth</command> will
+    be installed to a different path. This can also be controlled from
+    <filename>sshd_config</filename> with the XAuthLocation keyword.
+    You can omit this switch if <application>Xorg</application> is already
+    installed.
+    </para>
+
+    <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
+    include Heimdal support in the build.</para>
+
+  </sect2>
+
+  <sect2 role="configuration">
+    <title>Configuring OpenSSH</title>
+
+    <para>If you are only going to use the <command>ssh</command> or
+    <command>scp</command> clients, no configuration or boot scripts are
+    required.</para>
+
+    <sect3 id="openssh-config">
+      <title>Config Files</title>
+
+      <para><filename>~/.ssh/*</filename>,
+      <filename>/etc/ssh/ssh_config</filename>, and
+      <filename>/etc/ssh/sshd_config</filename></para>
+
+      <indexterm zone="openssh openssh-config">
+        <primary sortas="e-AA.ssh">~/.ssh/*</primary>
+      </indexterm>
+
+      <indexterm zone="openssh openssh-config">
+        <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
+      </indexterm>
+
+      <indexterm zone="openssh openssh-config">
+        <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
+      </indexterm>
+
+      <para>There are no required changes to any of these files. However,
+      you may wish to view the <filename class='directory'>/etc/ssh/</filename>
+      files and make any changes appropriate for the security of your system.
+      One recommended change is that you disable
+      <systemitem class='username'>root</systemitem> login via
+      <command>ssh</command>. Execute the following command as the
+      <systemitem class='username'>root</systemitem> user to disable
+      <systemitem class='username'>root</systemitem> login via
+      <command>ssh</command>:</para>
+
+<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
+
+      <para>If you added <application>LinuxPAM</application> support, then you
+      will need to add a configuration file for
+      <application>sshd</application> and enable use of
+      <application>LinuxPAM</application>.  Issue the following commands as the
+      <systemitem class='username'>root</systemitem> user:</para>
+
+<screen role="root"><userinput>sed 's at d/login at d/sshd at g' /etc/pam.d/login > /etc/pam.d/sshd &&
+chmod 644 /etc/pam.d/sshd &&
+echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen>
+
+      <para>Additional configuration information can be found in the man
+      pages for <command>sshd</command>, <command>ssh</command> and
+      <command>ssh-agent</command>.</para>
+
+    </sect3>
+
+    <sect3  id="openssh-init">
+      <title>Boot Script</title>
+
+      <para>To start the SSH server at system boot, install the
+      <filename>/etc/rc.d/init.d/sshd</filename> init script included
+      in the <xref linkend="bootscripts"/> package.</para>
+
+      <indexterm zone="openssh openssh-init">
+        <primary sortas="f-sshd">sshd</primary>
+      </indexterm>
+
+<screen role="root"><userinput>make install-sshd</userinput></screen>
+
+    </sect3>
+
+  </sect2>
+
+  <sect2 role="content">
+    <title>Contents</title>
+
+    <segmentedlist>
+      <segtitle>Installed Programs</segtitle>
+      <segtitle>Installed Libraries</segtitle>
+      <segtitle>Installed Directories</segtitle>
+
+      <seglistitem>
+        <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
+        ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
+        <seg>None</seg>
+        <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
+        /usr/share/doc/openssh-&openssh-version;</seg>
+      </seglistitem>
+    </segmentedlist>
+
+    <variablelist>
+      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+      <?dbfo list-presentation="list"?>
+      <?dbhtml list-presentation="table"?>
+
+      <varlistentry id="scp">
+        <term><command>scp</command></term>
+        <listitem>
+          <para>is a file copy program that acts like <command>rcp</command>
+          except it uses an encrypted protocol.</para>
+          <indexterm zone="openssh scp">
+            <primary sortas="b-scp">scp</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="sftp">
+        <term><command>sftp</command></term>
+        <listitem>
+          <para>is an FTP-like program that works over
+          SSH1 and SSH2 protocols.</para>
+          <indexterm zone="openssh sftp">
+            <primary sortas="b-sftp">sftp</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="sftp-server">
+        <term><command>sftp-server</command></term>
+        <listitem>
+          <para>is an SFTP server subsystem. This program is not normally
+          called directly by the user.</para>
+          <indexterm zone="openssh sftp-server">
+            <primary sortas="b-sftp-server">sftp-server</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="slogin">
+        <term><command>slogin</command></term>
+        <listitem>
+          <para>is a symlink to <command>ssh</command>.</para>
+          <indexterm zone="openssh slogin">
+            <primary sortas="g-slogin">slogin</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh">
+        <term><command>ssh</command></term>
+        <listitem>
+          <para>is an <command>rlogin</command>/<command>rsh</command>-like
+          client program except it uses an encrypted protocol.</para>
+          <indexterm zone="openssh ssh">
+            <primary sortas="b-ssh">ssh</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="sshd">
+        <term><command>sshd</command></term>
+        <listitem>
+          <para>is a daemon that listens for <command>ssh</command> login
+          requests.</para>
+          <indexterm zone="openssh sshd">
+            <primary sortas="b-sshd">sshd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh-add">
+        <term><command>ssh-add</command></term>
+        <listitem>
+          <para>is a tool which adds keys to the
+          <command>ssh-agent</command>.</para>
+          <indexterm zone="openssh ssh-add">
+            <primary sortas="b-ssh-add">ssh-add</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh-agent">
+        <term><command>ssh-agent</command></term>
+        <listitem>
+          <para>is an authentication agent that can store private keys.</para>
+          <indexterm zone="openssh ssh-agent">
+            <primary sortas="b-ssh-agent">ssh-agent</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh-keygen">
+        <term><command>ssh-keygen</command></term>
+        <listitem>
+          <para>is a key generation tool.</para>
+          <indexterm zone="openssh ssh-keygen">
+            <primary sortas="b-ssh-keygen">ssh-keygen</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh-keyscan">
+        <term><command>ssh-keyscan</command></term>
+        <listitem>
+          <para>is a utility for gathering public host keys from a
+          number of hosts.</para>
+          <indexterm zone="openssh ssh-keyscan">
+            <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="ssh-keysign">
+        <term><command>ssh-keysign</command></term>
+        <listitem>
+          <para>is used by <command>ssh</command> to access the local host
+          keys and generate the digital signature required during hostbased
+          authentication with SSH protocol version 2. This program is not normally
+          called directly by the user.</para>
+          <indexterm zone="openssh ssh-keysign">
+            <primary sortas="b-ssh-keysign">ssh-keysign</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </sect2>
+
+</sect1>

Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml	2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/postlfs/security/security.xml	2011-10-19 23:51:59 UTC (rev 8902)
@@ -42,6 +42,7 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cacerts.xml"/> 
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>
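Review bot: The added `<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>` is placed before `linux-pam.xml` and `shadow.xml`, while the moved OpenSSH page lists Linux-PAM as an optional dependency and its configuration section walks through enabling PAM for sshd; if this chapter is meant to be read in build order, a reader following it top to bottom meets those PAM instructions before the Linux-PAM page. If the ordering is instead driven only by required dependencies (OpenSSL already precedes it), the placement is fine and a short comment beside the include, such as `<!-- openssh: requires openssl above; linux-pam below is optional -->`, would make that intent explicit. The relative `href` itself is correct for the new location, since the copied openssh.xml now sits in the same directory as security.xml.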



