Installation of OpenSSH
        
        
          OpenSSH runs as two processes when
          connecting to other computers. The first process is a privileged
          process and controls the issuance of privileges as necessary. The
          second process communicates with the network. Additional
          installation steps are necessary to set up the proper environment,
          which are performed by issuing the following commands as the
          root user:
        
        
install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
    -s /bin/false -u 50 sshd
        
          OpenSSH is very sensitive to
          changes in the linked OpenSSL
          libraries. If you recompile OpenSSL, OpenSSH may fail to start up. An alternative is
          to link against the static OpenSSL
          library. To link against the static library, execute the following
          command:
        
        
sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure
        
          Install OpenSSH by running the
          following commands:
        
        
sed -i 's@ -ldes@@' configure &&
./configure --prefix=/usr --sysconfdir=/etc/ssh --datadir=/usr/share/sshd \
    --libexecdir=/usr/lib/openssh --with-md5-passwords \
    --with-privsep-path=/var/lib/sshd \
    --with-xauth=/usr/bin/xauth &&
make
        
          If you linked tcp_wrappers into
          the build using the --with-tcp-wrappers
          parameter, ensure you add 127.0.0.1 to the sshd line in
          /etc/hosts.allow if you have a
          restrictive /etc/hosts.deny file, or
          the test suite will fail. Additionally, the test suite requires an
          installed copy of scp
          to complete the multiplexing tests. To run the test suite, issue
          the following commands as the root
          user:
        
        
if test -f /usr/bin/scp
then
    mv /usr/bin/scp /usr/bin/scp-bak
fi &&
cp scp /usr/bin/scp &&
make tests 2>&1 | tee check.log
grep "FATAL" check.log
        
          If the above command produces no 'FATAL' errors, then proceed with
          the installation, again as the root
          user:
        
        
rm /usr/bin/scp &&
if test -f /usr/bin/scp-bak
then
    rm /usr/bin/scp-bak
fi &&
make install &&
install -v -m755 -d /usr/share/doc/openssh-4.7p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \
    /usr/share/doc/openssh-4.7p1
       
      
        
          Command Explanations
        
        
          sed -i 's@ -ldes@@'
          configure: This command fixes a build crash if you
          used the --with-kerberos5 parameter and
          you built the Heimdal package in
          accordance with the BLFS instructions. The command is harmless in
          all other instances.
        
        
          --sysconfdir=/etc/ssh: This
          prevents the configuration files from being installed in
          /usr/etc.
        
        
          --datadir=/usr/share/sshd:
          This switch puts the Ssh.bin file (used for SmartCard
          authentication) in /usr/share/sshd.
        
        
          --with-md5-passwords: This
          is required with the default configuration of Shadow password suite
          in LFS.
        
        
          --libexecdir=/usr/lib/openssh: This
          parameter changes the installation path of some programs to
          /usr/lib/openssh instead of
          /usr/libexec.
        
        
          --with-pam: This parameter
          enables Linux-PAM support in the
          build.
        
        
          --with-xauth=/usr/bin/xauth: Set the
          default location for the xauth binary for X
          authentication. Change the location if xauth will be installed to a
          different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You
          can omit this switch if Xorg is
          already installed.
        
       
      
        
          Configuring OpenSSH
        
        
          
            Config Files
          
          
            ~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config
          
          
            There are no required changes to any of these files. However, you
            may wish to view the /etc/ssh/
            files and make any changes appropriate for the security of your
            system. One recommended change is that you disable root login via ssh. Execute the following
            command as the root user to
            disable root login via
            ssh:
          
          
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
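            sshd takes the first value it reads for a keyword, and a line placed after a Match block applies only inside that block, so the append above takes effect only on a file with no earlier uncommented PermitRootLogin line and no Match block. The following is an added example, not part of the BLFS instructions, that covers those other cases as well; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: function names and the sample file are hypothetical.

# Print the value sshd takes for keyword $2 from the global section of
# file $1: the first uncommented occurrence ahead of any Match block.
effective_value() {
    awk -v kw="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Set keyword $2 to value $3 in file $1: drop uncommented global
# occurrences and write one line ahead of the first Match block,
# or at the end of the file when there is none.
set_directive() {
    tmp=$(mktemp) || return 1
    awk -v kw="$2" -v val="$3" '
        !m && tolower($1) == "match"     { print kw, val; m = 1 }
        !m && tolower($1) == tolower(kw) { next }
        { print }
        END { if (!m) print kw, val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: commented default, a live setting, a Match block.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin yes' \
        'Match User backup' '    X11Forwarding no' > "$f"
    echo 'PermitRootLogin no' >> "$f"      # plain append, as on the page
    before=$(effective_value "$f" PermitRootLogin)
    set_directive "$f" PermitRootLogin no
    after=$(effective_value "$f" PermitRootLogin)
    rm -f "$f"
    echo "$before -> $after"
}

demo
```

            After changing the real file, running sshd -t checks that it still parses before the daemon is restarted.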
          
            If you added Linux-PAM support,
            then you will need to add a configuration file for sshd. Issue the following commands as the
            root user:
          
          
sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd
          
            Additional configuration information can be found in the man
            pages for sshd,
            ssh and
            ssh-agent.
          
         
        
          
            Boot Script
          
          
            To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in
            the blfs-bootscripts-20080816 package.
          
          
make install-sshd