Author: bdubbs Date: 2011-10-19 17:44:14 -0600 (Wed, 19 Oct 2011) New Revision: 8901
Added: trunk/BOOK/basicnet/netprogs/openssh.xml
Removed: trunk/BOOK/server/major/openssh.xml
Modified: trunk/BOOK/basicnet/netprogs/netprogs.xml trunk/BOOK/general.ent trunk/BOOK/general/sysutils/which.xml trunk/BOOK/introduction/welcome/changelog.xml trunk/BOOK/server/major/major.xml trunk/bootscripts/blfs/init.d/sshd
Log: Update to openssh-5.9p1
Modified: trunk/BOOK/basicnet/netprogs/netprogs.xml
===================================================================
--- trunk/BOOK/basicnet/netprogs/netprogs.xml 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/basicnet/netprogs/netprogs.xml 2011-10-19 23:44:14 UTC (rev 8901)
@@ -27,7 +27,7 @@
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="net-tools.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nfs-utils-client.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ntp.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh-client.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="portmap.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="rsync-client.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="samba3-client.xml"/>
Copied: trunk/BOOK/basicnet/netprogs/openssh.xml (from rev 8899, trunk/BOOK/server/major/openssh.xml)
===================================================================
--- trunk/BOOK/basicnet/netprogs/openssh.xml (rev 0)
+++ trunk/BOOK/basicnet/netprogs/openssh.xml 2011-10-19 23:44:14 UTC (rev 8901)
@@ -0,0 +1,412 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+ <!ENTITY % general-entities SYSTEM "../../general.ent">
+ %general-entities;
+
+ <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+ <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+ <!ENTITY openssh-md5sum "afe17eee7e98d3b8550cc349834a85d0">
+ <!ENTITY openssh-size "1.1 MB">
+ <!ENTITY openssh-buildsize "44 MB">
+ <!ENTITY openssh-time "3.5 SBU (including the test suite)">
+]>
+
+<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
+ <?dbhtml filename="openssh.html"?>
+
+ <sect1info>
+ <othername>$LastChangedBy$</othername>
+ <date>$Date$</date>
+ </sect1info>
+
+ <title>OpenSSH-&openssh-version;</title>
+
+ <para>The <application>OpenSSH</application> package contains
+ <command>ssh</command> clients and the <command>sshd</command> daemon.
+ This is useful for encrypting authentication and subsequent traffic
+ over a network. The <command>ssh</command> and <command>scp</command>
+ commands are secure implementions of <command>telnet</command> and
+ <command>rcp</command> respectively.</para>
+
+ &lfs70_checked;
+
+ <indexterm zone="openssh">
+ <primary sortas="a-OpenSSH">OpenSSH</primary>
+ </indexterm>
+
+ <sect2 role="package">
+ <title>Introduction to OpenSSH</title>
+
+ <bridgehead renderas="sect3">Package Information</bridgehead>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
+ </listitem>
+ <listitem>
+ <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
+ </listitem>
+ <listitem>
+ <para>Download MD5 sum: &openssh-md5sum;</para>
+ </listitem>
+ <listitem>
+ <para>Download size: &openssh-size;</para>
+ </listitem>
+ <listitem>
+ <para>Estimated disk space required: &openssh-buildsize;</para>
+ </listitem>
+ <listitem>
+ <para>Estimated build time: &openssh-time;</para>
+ </listitem>
+ </itemizedlist>
+
+ <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
+
+ <bridgehead renderas="sect4">Required</bridgehead>
+ <para role="required"><xref linkend="openssl"/></para>
+
+ <bridgehead renderas="sect4">Optional</bridgehead>
+ <para role="optional"><xref linkend="linux-pam"/>,
+ <xref linkend="tcpwrappers"/>,
+ <xref linkend="x-window-system"/>,
+ <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
+ <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
+ (provides a command-line history feature to <command>sftp</command>),
+ <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
+ <ulink
+ url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
+
+ <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
+ <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
+ <xref linkend="net-tools"/>, and
+ <xref linkend="sysstat"/>.</para>
+
+ <para condition="html" role="usernotes">User Notes:
+ <ulink url='&blfs-wiki;/OpenSSH'/></para>
+
+ </sect2>
+
+ <sect2 role="installation">
+ <title>Installation of OpenSSH</title>
+
+ <para><application>OpenSSH</application> runs as two processes when
+ connecting to other computers. The first process is a privileged process
+ and controls the issuance of privileges as necessary. The second process
+ communicates with the network. Additional installation steps are necessary
+ to set up the proper environment, which are performed by issuing the
+ following commands as the <systemitem class="username">root</systemitem>
+ user:</para>
+
+<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
+chown -v root:sys /var/lib/sshd &&
+groupadd -g 50 sshd &&
+useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
+ -s /bin/false -u 50 sshd</userinput></screen>
+
+ <para><application>OpenSSH</application> is very sensitive to changes in
+ the linked <application>OpenSSL</application> libraries. If you recompile
+ <application>OpenSSL</application>, <application>OpenSSH</application> may
+ fail to start up. An alternative is to link against the static
+ <application>OpenSSL</application> library. To link against the static
+ library, execute the following command:</para>
+
+<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
+
+ <para>Install <application>OpenSSH</application> by running
+ the following commands:</para>
+
+<screen><userinput>sed -i.bak 's/ -ldes//' configure &&
+./configure --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --datadir=/usr/share/sshd \
+ --libexecdir=/usr/lib/openssh \
+ --with-md5-passwords \
+ --with-privsep-path=/var/lib/sshd &&
+make</userinput></screen>
+
+ <para>If you linked <application>tcp_wrappers</application> into the
+ build using the <option>--with-tcp-wrappers</option> parameter, ensure
+ you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
+ if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
+ test suite will fail. Additionally, the testsuite requires an installed
+ copy of <command>scp</command> to complete the multiplexing tests. To
+ run the test suite, first copy the scp program to
+ <filename class="directory">/usr/bin</filename>, making sure that you
+ back up any existing copy first.</para>
+
+ <para>To run the test suite, issue the following commands:</para>
+
+<screen role="root"><userinput>make tests 2>&1 | tee check.log
+grep FATAL check.log</userinput></screen>
+
+ <para>If the above command produces no 'FATAL' errors, then proceed
+ with the installation, as the
+ <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>make install &&
+install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
+install -v -m644 INSTALL LICENCE OVERVIEW README* \
+ /usr/share/doc/openssh-&openssh-version;</userinput></screen>
+
+ </sect2>
+
+ <sect2 role="commands">
+ <title>Command Explanations</title>
+
+ <para><command>sed -i.bak 's/ -ldes//' configure</command>:
+ This command fixes a build crash if you used the
+ <option>--with-kerberos5</option> parameter and you built the
+ <application>Heimdal</application> package in accordance with the BLFS
+ instructions. The command is harmless in all other instances.</para>
+
+ <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
+ the configuration files from being installed in
+ <filename class="directory">/usr/etc</filename>.</para>
+
+ <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
+ puts the Ssh.bin file (used for SmartCard authentication) in
+ <filename class="directory">/usr/share/sshd</filename>.</para>
+
+ <para><parameter>--with-md5-passwords</parameter>: This is required
+ with the default configuration of Shadow password suite in LFS.</para>
+
+ <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
+ changes the installation path of some programs to
+ <filename class="directory">/usr/lib/openssh</filename> instead of
+ <filename class="directory">/usr/libexec</filename>.</para>
+
+ <para><parameter>--with-pam</parameter>: This parameter enables
+ <application>Linux-PAM</application> support in the build.</para>
+
+ <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
+ default location for the <command>xauth</command> binary for X
+ authentication. Change the location if <command>xauth</command> will
+ be installed to a different path. This can also be controlled from
+ <filename>sshd_config</filename> with the XAuthLocation keyword.
+ You can omit this switch if <application>Xorg</application> is already
+ installed.
+ </para>
+
+ <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
+ include Heimdal support in the build.</para>
+
+ </sect2>
+
+ <sect2 role="configuration">
+ <title>Configuring OpenSSH</title>
+
+ <para>If you are only going to use the <command>ssh</command> or
+ <command>scp</command> clients, no configuration or boot scripts are
+ required.</para>
+
+ <sect3 id="openssh-config">
+ <title>Config Files</title>
+
+ <para><filename>~/.ssh/*</filename>,
+ <filename>/etc/ssh/ssh_config</filename>, and
+ <filename>/etc/ssh/sshd_config</filename></para>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-AA.ssh">~/.ssh/*</primary>
+ </indexterm>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
+ </indexterm>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
+ </indexterm>
+
+ <para>There are no required changes to any of these files. However,
+ you may wish to view the <filename class='directory'>/etc/ssh/</filename>
+ files and make any changes appropriate for the security of your system.
+ One recommended change is that you disable
+ <systemitem class='username'>root</systemitem> login via
+ <command>ssh</command>. Execute the following command as the
+ <systemitem class='username'>root</systemitem> user to disable
+ <systemitem class='username'>root</systemitem> login via
+ <command>ssh</command>:</para>
+
+<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
+
+ <para>If you added <application>LinuxPAM</application> support, then you
+ will need to add a configuration file for
+ <application>sshd</application> and enable use of
+ <application>LinuxPAM</application>. Issue the following commands as the
+ <systemitem class='username'>root</systemitem> user:</para>
+
+<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
+chmod 644 /etc/pam.d/sshd &&
+echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen>
+
+ <para>Additional configuration information can be found in the man
+ pages for <command>sshd</command>, <command>ssh</command> and
+ <command>ssh-agent</command>.</para>
+
+ </sect3>
+
+ <sect3 id="openssh-init">
+ <title>Boot Script</title>
+
+ <para>To start the SSH server at system boot, install the
+ <filename>/etc/rc.d/init.d/sshd</filename> init script included
+ in the <xref linkend="bootscripts"/> package.</para>
+
+ <indexterm zone="openssh openssh-init">
+ <primary sortas="f-sshd">sshd</primary>
+ </indexterm>
+
+<screen role="root"><userinput>make install-sshd</userinput></screen>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 role="content">
+ <title>Contents</title>
+
+ <segmentedlist>
+ <segtitle>Installed Programs</segtitle>
+ <segtitle>Installed Libraries</segtitle>
+ <segtitle>Installed Directories</segtitle>
+
+ <seglistitem>
+ <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
+ ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
+ <seg>None</seg>
+ <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
+ /usr/share/doc/openssh-&openssh-version;</seg>
+ </seglistitem>
+ </segmentedlist>
+
+ <variablelist>
+ <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+ <?dbfo list-presentation="list"?>
+ <?dbhtml list-presentation="table"?>
+
+ <varlistentry id="scp">
+ <term><command>scp</command></term>
+ <listitem>
+ <para>is a file copy program that acts like <command>rcp</command>
+ except it uses an encrypted protocol.</para>
+ <indexterm zone="openssh scp">
+ <primary sortas="b-scp">scp</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sftp">
+ <term><command>sftp</command></term>
+ <listitem>
+ <para>is an FTP-like program that works over
+ SSH1 and SSH2 protocols.</para>
+ <indexterm zone="openssh sftp">
+ <primary sortas="b-sftp">sftp</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sftp-server">
+ <term><command>sftp-server</command></term>
+ <listitem>
+ <para>is an SFTP server subsystem. This program is not normally
+ called directly by the user.</para>
+ <indexterm zone="openssh sftp-server">
+ <primary sortas="b-sftp-server">sftp-server</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="slogin">
+ <term><command>slogin</command></term>
+ <listitem>
+ <para>is a symlink to <command>ssh</command>.</para>
+ <indexterm zone="openssh slogin">
+ <primary sortas="g-slogin">slogin</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh">
+ <term><command>ssh</command></term>
+ <listitem>
+ <para>is an <command>rlogin</command>/<command>rsh</command>-like
+ client program except it uses an encrypted protocol.</para>
+ <indexterm zone="openssh ssh">
+ <primary sortas="b-ssh">ssh</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sshd">
+ <term><command>sshd</command></term>
+ <listitem>
+ <para>is a daemon that listens for <command>ssh</command> login
+ requests.</para>
+ <indexterm zone="openssh sshd">
+ <primary sortas="b-sshd">sshd</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-add">
+ <term><command>ssh-add</command></term>
+ <listitem>
+ <para>is a tool which adds keys to the
+ <command>ssh-agent</command>.</para>
+ <indexterm zone="openssh ssh-add">
+ <primary sortas="b-ssh-add">ssh-add</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-agent">
+ <term><command>ssh-agent</command></term>
+ <listitem>
+ <para>is an authentication agent that can store private keys.</para>
+ <indexterm zone="openssh ssh-agent">
+ <primary sortas="b-ssh-agent">ssh-agent</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keygen">
+ <term><command>ssh-keygen</command></term>
+ <listitem>
+ <para>is a key generation tool.</para>
+ <indexterm zone="openssh ssh-keygen">
+ <primary sortas="b-ssh-keygen">ssh-keygen</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keyscan">
+ <term><command>ssh-keyscan</command></term>
+ <listitem>
+ <para>is a utility for gathering public host keys from a
+ number of hosts.</para>
+ <indexterm zone="openssh ssh-keyscan">
+ <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keysign">
+ <term><command>ssh-keysign</command></term>
+ <listitem>
+ <para>is used by <command>ssh</command> to access the local host
+ keys and generate the digital signature required during hostbased
+ authentication with SSH protocol version 2. This program is not normally
+ called directly by the user.</para>
+ <indexterm zone="openssh ssh-keysign">
+ <primary sortas="b-ssh-keysign">ssh-keysign</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect2>
+
+</sect1>
Modified: trunk/BOOK/general/sysutils/which.xml
===================================================================
--- trunk/BOOK/general/sysutils/which.xml 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/general/sysutils/which.xml 2011-10-19 23:44:14 UTC (rev 8901)
@@ -36,6 +36,8 @@
 <para>The first option is to install the actual GNU <application>which</application> package.</para>
+ &lfs70_checked;
+
 <sect2 role="package">
 <title>Introduction to Which</title>
Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/general.ent 2011-10-19 23:44:14 UTC (rev 8901)
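Review bot: The static-OpenSSL alternative in the installation section (`sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure`) is presented only as a way to survive an OpenSSL rebuild; it also means sshd carries its own copy of libcrypto and will not receive OpenSSL security fixes until OpenSSH itself is rebuilt, and the paragraph should say so. Suggest appending to that paragraph: `Note that a statically linked sshd must be rebuilt after every OpenSSL update in order to pick up its security fixes.` The only download check offered is the MD5 sum entity, which detects a corrupted transfer but is not a meaningful integrity check on its own; a sentence pointing readers at the upstream release signature would be worth adding next to the "Download MD5 sum" item. The `USEPAM yes` line works because sshd_config keywords are matched case-insensitively, but the documented spelling is `UsePAM`, which is what readers will find in the man page.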
@@ -55,7 +55,7 @@
 <!ENTITY lfs-vim-version "7.3">
 <!-- End LFS versions -->
-<!ENTITY blfs-bootscripts-version "20100825">
+<!ENTITY blfs-bootscripts-version "20111019">
 <!ENTITY blfs-bootscripts-download "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">
 <!ENTITY blfs-wiki "http://wiki.&lfs-domainname;/blfs/wiki">
@@ -440,7 +440,7 @@
 <!ENTITY net-tools-version "1.60">
 <!ENTITY wireless-tools-version "28">
 <!ENTITY ntp-version "4.2.4p7">
-<!ENTITY openssh-version "5.6p1">
+<!ENTITY openssh-version "5.9p1">
 <!ENTITY portmap-version "6.0">
 <!ENTITY rsync-version "3.0.7">
 <!ENTITY samba3-version "3.5.6">
Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/introduction/welcome/changelog.xml 2011-10-19 23:44:14 UTC (rev 8901)
@@ -45,6 +45,9 @@
 <para>October 19th, 2011</para>
 <itemizedlist>
 <listitem>
+ <para>[bdubbs] - Updated to openssh-5.9p1.</para>
+ </listitem>
+ <listitem>
 <para>[bdubbs] - Added separate page to generate CA certificates.</para>
 </listitem>
 <listitem>
Modified: trunk/BOOK/server/major/major.xml
===================================================================
--- trunk/BOOK/server/major/major.xml 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/server/major/major.xml 2011-10-19 23:44:14 UTC (rev 8901)
@@ -21,7 +21,7 @@
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="apache.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="bind.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nfs-utils.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
+<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>-->
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="proftpd.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="samba3.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vsftpd.xml"/>
Deleted: trunk/BOOK/server/major/openssh.xml
===================================================================
--- trunk/BOOK/server/major/openssh.xml 2011-10-19 20:18:40 UTC (rev 8900)
+++ trunk/BOOK/server/major/openssh.xml 2011-10-19 23:44:14 UTC (rev 8901)
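Review bot: The `xi:include` for `openssh.xml` is commented out rather than removed, which leaves a reference to a file this same commit deletes from `server/major/`. A commented-out XInclude is harmless to the build, but the stale pointer will mislead the next editor into thinking the page still lives here; dropping the line outright is the clearer change.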
@@ -1,404 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" - "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - <!ENTITY % general-entities SYSTEM "../../general.ent"> - %general-entities; - - <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> - <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz"> - <!ENTITY openssh-md5sum "e6ee52e47c768bf0ec42a232b5d18fb0"> - <!ENTITY openssh-size "1.1 MB"> - <!ENTITY openssh-buildsize "22 MB"> - <!ENTITY openssh-time "0.5 SBU (additional 1.5 SBU to run the test suite)"> -]> - -<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;"> - <?dbhtml filename="openssh.html"?> - - <sect1info> - <othername>$LastChangedBy$</othername> - <date>$Date$</date> - </sect1info> - - <title>OpenSSH-&openssh-version;</title> - - <indexterm zone="openssh"> - <primary sortas="a-OpenSSH">OpenSSH</primary> - </indexterm> - - <sect2 role="package"> - <title>Introduction to OpenSSH</title> - - <para>The <application>OpenSSH</application> package contains - <command>ssh</command> clients and the <command>sshd</command> daemon. 
- This is useful for encrypting authentication and subsequent traffic - over a network.</para> - - <bridgehead renderas="sect3">Package Information</bridgehead> - <itemizedlist spacing="compact"> - <listitem> - <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para> - </listitem> - <listitem> - <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para> - </listitem> - <listitem> - <para>Download MD5 sum: &openssh-md5sum;</para> - </listitem> - <listitem> - <para>Download size: &openssh-size;</para> - </listitem> - <listitem> - <para>Estimated disk space required: &openssh-buildsize;</para> - </listitem> - <listitem> - <para>Estimated build time: &openssh-time;</para> - </listitem> - </itemizedlist> - - <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead> - - <bridgehead renderas="sect4">Required</bridgehead> - <para role="required"><xref linkend="openssl"/></para> - - <bridgehead renderas="sect4">Optional</bridgehead> - <para role="optional"><xref linkend="linux-pam"/>, - <xref linkend="tcpwrappers"/>, - <xref linkend="x-window-system"/>, - <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>, - <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink> - (provides a command-line history feature to <command>sftp</command>), - <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and - <ulink - url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para> - - <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead> - <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>, - <xref linkend="net-tools"/>, and - <xref linkend="sysstat"/>.</para> - - <para condition="html" role="usernotes">User Notes: - <ulink url='&blfs-wiki;/OpenSSH'/></para> - - </sect2> - - <sect2 role="installation"> - <title>Installation of OpenSSH</title> - - <para><application>OpenSSH</application> runs as two processes when - connecting to other computers. 
The first process is a privileged process - and controls the issuance of privileges as necessary. The second process - communicates with the network. Additional installation steps are necessary - to set up the proper environment, which are performed by issuing the - following commands as the <systemitem class="username">root</systemitem> - user:</para> - -<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd && -chown -v root:sys /var/lib/sshd && -groupadd -g 50 sshd && -useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \ - -s /bin/false -u 50 sshd</userinput></screen> - - <para><application>OpenSSH</application> is very sensitive to changes in - the linked <application>OpenSSL</application> libraries. If you recompile - <application>OpenSSL</application>, <application>OpenSSH</application> may - fail to start up. An alternative is to link against the static - <application>OpenSSL</application> library. To link against the static - library, execute the following command:</para> - -<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen> - - <para>Install <application>OpenSSH</application> by running - the following commands:</para> - -<screen><userinput>sed -i.bak 's/ -ldes//' configure && -./configure --prefix=/usr \ - --sysconfdir=/etc/ssh \ - --datadir=/usr/share/sshd \ - --libexecdir=/usr/lib/openssh \ - --with-md5-passwords \ - --with-privsep-path=/var/lib/sshd && -make</userinput></screen> - - <para>If you linked <application>tcp_wrappers</application> into the - build using the <option>--with-tcp-wrappers</option> parameter, ensure - you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename> - if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the - test suite will fail. Additionally, the testsuite requires an installed - copy of <command>scp</command> to complete the multiplexing tests. 
To - run the test suite, first copy the scp program to - <filename class="directory">/usr/bin</filename>, making sure that you - back up any existing copy first.</para> - - <para>To run the test suite, issue the following commands:</para> - -<screen role="root"><userinput>make tests 2>&1 | tee check.log -grep FATAL check.log</userinput></screen> - - <para>If the above command produces no 'FATAL' errors, then proceed - with the installation, as the - <systemitem class="username">root</systemitem> user:</para> - -<screen role="root"><userinput>make install && -install -v -m755 -d /usr/share/doc/openssh-&openssh-version; && -install -v -m644 INSTALL LICENCE OVERVIEW README* WARNING.RNG \ - /usr/share/doc/openssh-&openssh-version;</userinput></screen> - - </sect2> - - <sect2 role="commands"> - <title>Command Explanations</title> - - <para><command>sed -i.bak 's/ -ldes//' configure</command>: - This command fixes a build crash if you used the - <option>--with-kerberos5</option> parameter and you built the - <application>Heimdal</application> package in accordance with the BLFS - instructions. 
The command is harmless in all other instances.</para> - - <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents - the configuration files from being installed in - <filename class="directory">/usr/etc</filename>.</para> - - <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch - puts the Ssh.bin file (used for SmartCard authentication) in - <filename class="directory">/usr/share/sshd</filename>.</para> - - <para><parameter>--with-md5-passwords</parameter>: This is required - with the default configuration of Shadow password suite in LFS.</para> - - <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter - changes the installation path of some programs to - <filename class="directory">/usr/lib/openssh</filename> instead of - <filename class="directory">/usr/libexec</filename>.</para> - - <para><parameter>--with-pam</parameter>: This parameter enables - <application>Linux-PAM</application> support in the build.</para> - - <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the - default location for the <command>xauth</command> binary for X - authentication. Change the location if <command>xauth</command> will - be installed to a different path. This can also be controlled from - <filename>sshd_config</filename> with the XAuthLocation keyword. - You can omit this switch if <application>Xorg</application> is already - installed. 
- </para> - - <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to - include Heimdal support in the build.</para> - - </sect2> - - <sect2 role="configuration"> - <title>Configuring OpenSSH</title> - - <sect3 id="openssh-config"> - <title>Config Files</title> - - <para><filename>~/.ssh/*</filename>, - <filename>/etc/ssh/ssh_config</filename>, and - <filename>/etc/ssh/sshd_config</filename></para> - - <indexterm zone="openssh openssh-config"> - <primary sortas="e-AA.ssh">~/.ssh/*</primary> - </indexterm> - - <indexterm zone="openssh openssh-config"> - <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary> - </indexterm> - - <indexterm zone="openssh openssh-config"> - <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary> - </indexterm> - - <para>There are no required changes to any of these files. However, - you may wish to view the <filename class='directory'>/etc/ssh/</filename> - files and make any changes appropriate for the security of your system. - One recommended change is that you disable - <systemitem class='username'>root</systemitem> login via - <command>ssh</command>. Execute the following command as the - <systemitem class='username'>root</systemitem> user to disable - <systemitem class='username'>root</systemitem> login via - <command>ssh</command>:</para> - -<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen> - - <para>If you added <application>LinuxPAM</application> support, then you - will need to add a configuration file for - <application>sshd</application> and enable use of - <application>LinuxPAM</application>. 
Issue the following commands as the - <systemitem class='username'>root</systemitem> user:</para> - -<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd && -chmod 644 /etc/pam.d/sshd && -echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen> - - <para>Additional configuration information can be found in the man - pages for <command>sshd</command>, <command>ssh</command> and - <command>ssh-agent</command>.</para> - - </sect3> - - <sect3 id="openssh-init"> - <title>Boot Script</title> - - <para>To start the SSH server at system boot, install the - <filename>/etc/rc.d/init.d/sshd</filename> init script included - in the <xref linkend="bootscripts"/> package.</para> - - <indexterm zone="openssh openssh-init"> - <primary sortas="f-sshd">sshd</primary> - </indexterm> - -<screen role="root"><userinput>make install-sshd</userinput></screen> - - </sect3> - - </sect2> - - <sect2 role="content"> - <title>Contents</title> - - <segmentedlist> - <segtitle>Installed Programs</segtitle> - <segtitle>Installed Libraries</segtitle> - <segtitle>Installed Directories</segtitle> - - <seglistitem> - <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent, - ssh-keygen, ssh-keyscan, and ssh-keysign</seg> - <seg>None</seg> - <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and - /usr/share/doc/openssh-&openssh-version;</seg> - </seglistitem> - </segmentedlist> - - <variablelist> - <bridgehead renderas="sect3">Short Descriptions</bridgehead> - <?dbfo list-presentation="list"?> - <?dbhtml list-presentation="table"?> - - <varlistentry id="scp"> - <term><command>scp</command></term> - <listitem> - <para>is a file copy program that acts like <command>rcp</command> - except it uses an encrypted protocol.</para> - <indexterm zone="openssh scp"> - <primary sortas="b-scp">scp</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="sftp"> - <term><command>sftp</command></term> - <listitem> - <para>is an FTP-like program 
that works over - SSH1 and SSH2 protocols.</para> - <indexterm zone="openssh sftp"> - <primary sortas="b-sftp">sftp</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="sftp-server"> - <term><command>sftp-server</command></term> - <listitem> - <para>is an SFTP server subsystem. This program is not normally - called directly by the user.</para> - <indexterm zone="openssh sftp-server"> - <primary sortas="b-sftp-server">sftp-server</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="slogin"> - <term><command>slogin</command></term> - <listitem> - <para>is a symlink to <command>ssh</command>.</para> - <indexterm zone="openssh slogin"> - <primary sortas="g-slogin">slogin</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="ssh"> - <term><command>ssh</command></term> - <listitem> - <para>is an <command>rlogin</command>/<command>rsh</command>-like - client program except it uses an encrypted protocol.</para> - <indexterm zone="openssh ssh"> - <primary sortas="b-ssh">ssh</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="sshd"> - <term><command>sshd</command></term> - <listitem> - <para>is a daemon that listens for <command>ssh</command> login - requests.</para> - <indexterm zone="openssh sshd"> - <primary sortas="b-sshd">sshd</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="ssh-add"> - <term><command>ssh-add</command></term> - <listitem> - <para>is a tool which adds keys to the - <command>ssh-agent</command>.</para> - <indexterm zone="openssh ssh-add"> - <primary sortas="b-ssh-add">ssh-add</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="ssh-agent"> - <term><command>ssh-agent</command></term> - <listitem> - <para>is an authentication agent that can store private keys.</para> - <indexterm zone="openssh ssh-agent"> - <primary sortas="b-ssh-agent">ssh-agent</primary> - </indexterm> - </listitem> - 
</varlistentry> - - <varlistentry id="ssh-keygen"> - <term><command>ssh-keygen</command></term> - <listitem> - <para>is a key generation tool.</para> - <indexterm zone="openssh ssh-keygen"> - <primary sortas="b-ssh-keygen">ssh-keygen</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="ssh-keyscan"> - <term><command>ssh-keyscan</command></term> - <listitem> - <para>is a utility for gathering public host keys from a - number of hosts.</para> - <indexterm zone="openssh ssh-keyscan"> - <primary sortas="b-ssh-keyscan">ssh-keyscan</primary> - </indexterm> - </listitem> - </varlistentry> - - <varlistentry id="ssh-keysign"> - <term><command>ssh-keysign</command></term> - <listitem> - <para>is used by <command>ssh</command> to access the local host - keys and generate the digital signature required during hostbased - authentication with SSH protocol version 2. This program is not normally - called directly by the user.</para> - <indexterm zone="openssh ssh-keysign"> - <primary sortas="b-ssh-keysign">ssh-keysign</primary> - </indexterm> - </listitem> - </varlistentry> - - </variablelist> - - </sect2> - -</sect1> Modified: trunk/bootscripts/blfs/init.d/sshd =================================================================== --- trunk/bootscripts/blfs/init.d/sshd 2011-10-19 20:18:40 UTC (rev 8900) +++ trunk/bootscripts/blfs/init.d/sshd 2011-10-19 23:44:14 UTC (rev 8901) 
@@ -1,34 +1,67 @@
 #!/bin/sh
-# Begin $rc_base/init.d/sshd
+########################################################################
+# Begin sshd
+#
+# Description : Start sshd daemon
+#
+# Author : Bruce Dubbs - [email protected]
+#
+# Version : LFS 7.0
+#
+########################################################################
-# Based on sysklogd script from LFS-3.1 and earlier.
-# Rewritten by Gerard Beekmans - [email protected]
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: network
+# Should-Start:
+# Required-Stop: sendsignals
+# Should-Stop:
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# Short-Description: Starts sshd daemon.
+# Description: Starts sshd daemon.
+# X-LFS-Provided-By: LFS
+### END INIT INFO
+. /lib/lsb/init-functions
+
 #$LastChangedBy$
 #$Date$
-. /etc/sysconfig/rc
-. $rc_functions
-
-pidfile=/var/run/sshd.pid
-
 case "$1" in
 start)
- boot_mesg "Starting SSH Server..."
+ log_info_msg "Starting SSH Server..."
+ start_daemon -f /usr/sbin/sshd
+ evaluate_retval
 # Also prevent ssh from being killed by out of memory conditions
- loadproc /usr/sbin/sshd
 sleep 1
- echo "-16" >/proc/`cat $pidfile`/oom_adj
+ pid=`cat /run/sshd.pid 2>/dev/null`
+ echo "-16" >/proc/${pid}/oom_score_adj
 ;;
 stop)
- boot_mesg "Stopping SSH Server..."
- killproc /usr/sbin/sshd
+ log_info_msg "Stopping SSH Server..."
+
+ if [ -e "/run/sshd.pid" ]; then
+ killproc -p "/run/sshd.pid" /usr/sbin/sshd
+ else
+ (exit 1)
+ fi
+
+ evaluate_retval
 ;;
 reload)
- boot_mesg "Reloading SSH Server..."
- reloadproc /usr/sbin/sshd
+ log_info_msg "Reloading SSH Server..."
+ pid=`cat /run/sshd.pid 2>/dev/null`
+
+ if [ -n "${pid}" ]; then
+ kill -HUP "${pid}"
+ else
+ (exit 1)
+ fi
+
+ evaluate_retval
 ;;
 restart)
@@ -47,4 +80,4 @@
 ;;
 esac
-# End $rc_base/init.d/sshd
+# End sshd bootscript
-- http://linuxfromscratch.org/mailman/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
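Review bot: In the `start)` branch the OOM write runs with whatever `pid` holds, so if `/run/sshd.pid` is missing or still empty after the one-second sleep (sshd failed to start, or was slow to write its pidfile) the redirect targets `/proc//oom_score_adj` and the boot console gets a shell error; the `reload)` branch already guards the same lookup, and `start)` should too: `if [ -n "${pid}" ]; then echo "-16" >/proc/${pid}/oom_score_adj; fi`. The value `-16` was carried over unchanged from the old `oom_adj` interface (range -17..15), but `oom_score_adj` ranges -1000..1000, so `-16` is now only a slight adjustment and the comment's stated intent of keeping sshd alive under memory pressure is much weaker than before; a value around `-941` (the kernel's own mapping of oom_adj -16) preserves the previous behaviour. The hard-coded `/run/sshd.pid` presumably relies on sshd's default `/var/run/sshd.pid` resolving there through a `/var/run` symlink on LFS 7.0 — confirm that, or set `PidFile` explicitly in sshd_config so the `stop)` and `reload)` branches cannot silently fail with `(exit 1)`. The case statement continues past this hunk; the `restart)` body and `esac` are outside it.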
