Author: bdubbs Date: 2011-10-19 17:51:59 -0600 (Wed, 19 Oct 2011) New Revision: 8902
Added: trunk/BOOK/postlfs/security/openssh.xml
Removed: trunk/BOOK/basicnet/netprogs/openssh.xml
Modified: trunk/BOOK/basicnet/netprogs/netprogs.xml trunk/BOOK/postlfs/security/security.xml
Log: Move openssh to security chapter
Modified: trunk/BOOK/basicnet/netprogs/netprogs.xml
===================================================================
--- trunk/BOOK/basicnet/netprogs/netprogs.xml 2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/basicnet/netprogs/netprogs.xml 2011-10-19 23:51:59 UTC (rev 8902)
@@ -27,7 +27,6 @@
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="net-tools.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nfs-utils-client.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ntp.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="portmap.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="rsync-client.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="samba3-client.xml"/>
Deleted: trunk/BOOK/basicnet/netprogs/openssh.xml
===================================================================
--- trunk/BOOK/basicnet/netprogs/openssh.xml 2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/basicnet/netprogs/openssh.xml 2011-10-19 23:51:59 UTC (rev 8902)
@@ -1,412 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
- <!ENTITY % general-entities SYSTEM "../../general.ent">
- %general-entities;
-
- <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
- <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
- <!ENTITY openssh-md5sum "afe17eee7e98d3b8550cc349834a85d0">
- <!ENTITY openssh-size "1.1 MB">
- <!ENTITY openssh-buildsize "44 MB">
- <!ENTITY openssh-time "3.5 SBU (including the test suite)">
-]>
-
-<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
- <?dbhtml filename="openssh.html"?>
-
- <sect1info>
- <othername>$LastChangedBy$</othername>
- <date>$Date$</date>
- </sect1info>
-
- <title>OpenSSH-&openssh-version;</title>
-
- <para>The <application>OpenSSH</application> package contains
- <command>ssh</command> clients and the <command>sshd</command> daemon.
- This is useful for encrypting authentication and subsequent traffic
- over a network. The <command>ssh</command> and <command>scp</command>
- commands are secure implementions of <command>telnet</command> and
- <command>rcp</command> respectively.</para>
-
- &lfs70_checked;
-
- <indexterm zone="openssh">
- <primary sortas="a-OpenSSH">OpenSSH</primary>
- </indexterm>
-
- <sect2 role="package">
- <title>Introduction to OpenSSH</title>
-
- <bridgehead renderas="sect3">Package Information</bridgehead>
- <itemizedlist spacing="compact">
- <listitem>
- <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
- </listitem>
- <listitem>
- <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
- </listitem>
- <listitem>
- <para>Download MD5 sum: &openssh-md5sum;</para>
- </listitem>
- <listitem>
- <para>Download size: &openssh-size;</para>
- </listitem>
- <listitem>
- <para>Estimated disk space required: &openssh-buildsize;</para>
- </listitem>
- <listitem>
- <para>Estimated build time: &openssh-time;</para>
- </listitem>
- </itemizedlist>
-
- <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
-
- <bridgehead renderas="sect4">Required</bridgehead>
- <para role="required"><xref linkend="openssl"/></para>
-
- <bridgehead renderas="sect4">Optional</bridgehead>
- <para role="optional"><xref linkend="linux-pam"/>,
- <xref linkend="tcpwrappers"/>,
- <xref linkend="x-window-system"/>,
- <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
- <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
- (provides a command-line history feature to <command>sftp</command>),
- <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
- <ulink
- url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
-
- <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
- <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
- <xref linkend="net-tools"/>, and
- <xref linkend="sysstat"/>.</para>
-
- <para condition="html" role="usernotes">User Notes:
- <ulink url='&blfs-wiki;/OpenSSH'/></para>
-
- </sect2>
-
- <sect2 role="installation">
- <title>Installation of OpenSSH</title>
-
- <para><application>OpenSSH</application> runs as two processes when
- connecting to other computers. The first process is a privileged process
- and controls the issuance of privileges as necessary. The second process
- communicates with the network. Additional installation steps are necessary
- to set up the proper environment, which are performed by issuing the
- following commands as the <systemitem class="username">root</systemitem>
- user:</para>
-
-<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
-chown -v root:sys /var/lib/sshd &&
-groupadd -g 50 sshd &&
-useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
- -s /bin/false -u 50 sshd</userinput></screen>
-
- <para><application>OpenSSH</application> is very sensitive to changes in
- the linked <application>OpenSSL</application> libraries. If you recompile
- <application>OpenSSL</application>, <application>OpenSSH</application> may
- fail to start up. An alternative is to link against the static
- <application>OpenSSL</application> library. To link against the static
- library, execute the following command:</para>
-
-<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
-
- <para>Install <application>OpenSSH</application> by running
- the following commands:</para>
-
-<screen><userinput>sed -i.bak 's/ -ldes//' configure &&
-./configure --prefix=/usr \
- --sysconfdir=/etc/ssh \
- --datadir=/usr/share/sshd \
- --libexecdir=/usr/lib/openssh \
- --with-md5-passwords \
- --with-privsep-path=/var/lib/sshd &&
-make</userinput></screen>
-
- <para>If you linked <application>tcp_wrappers</application> into the
- build using the <option>--with-tcp-wrappers</option> parameter, ensure
- you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
- if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
- test suite will fail. Additionally, the testsuite requires an installed
- copy of <command>scp</command> to complete the multiplexing tests. To
- run the test suite, first copy the scp program to
- <filename class="directory">/usr/bin</filename>, making sure that you
- back up any existing copy first.</para>
-
- <para>To run the test suite, issue the following commands:</para>
-
-<screen role="root"><userinput>make tests 2>&1 | tee check.log
-grep FATAL check.log</userinput></screen>
-
- <para>If the above command produces no 'FATAL' errors, then proceed
- with the installation, as the
- <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="root"><userinput>make install &&
-install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
-install -v -m644 INSTALL LICENCE OVERVIEW README* \
- /usr/share/doc/openssh-&openssh-version;</userinput></screen>
-
- </sect2>
-
- <sect2 role="commands">
- <title>Command Explanations</title>
-
- <para><command>sed -i.bak 's/ -ldes//' configure</command>:
- This command fixes a build crash if you used the
- <option>--with-kerberos5</option> parameter and you built the
- <application>Heimdal</application> package in accordance with the BLFS
- instructions. The command is harmless in all other instances.</para>
-
- <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
- the configuration files from being installed in
- <filename class="directory">/usr/etc</filename>.</para>
-
- <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
- puts the Ssh.bin file (used for SmartCard authentication) in
- <filename class="directory">/usr/share/sshd</filename>.</para>
-
- <para><parameter>--with-md5-passwords</parameter>: This is required
- with the default configuration of Shadow password suite in LFS.</para>
-
- <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
- changes the installation path of some programs to
- <filename class="directory">/usr/lib/openssh</filename> instead of
- <filename class="directory">/usr/libexec</filename>.</para>
-
- <para><parameter>--with-pam</parameter>: This parameter enables
- <application>Linux-PAM</application> support in the build.</para>
-
- <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
- default location for the <command>xauth</command> binary for X
- authentication. Change the location if <command>xauth</command> will
- be installed to a different path. This can also be controlled from
- <filename>sshd_config</filename> with the XAuthLocation keyword.
- You can omit this switch if <application>Xorg</application> is already
- installed.
- </para>
-
- <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
- include Heimdal support in the build.</para>
-
- </sect2>
-
- <sect2 role="configuration">
- <title>Configuring OpenSSH</title>
-
- <para>If you are only going to use the <command>ssh</command> or
- <command>scp</command> clients, no configuration or boot scripts are
- required.</para>
-
- <sect3 id="openssh-config">
- <title>Config Files</title>
-
- <para><filename>~/.ssh/*</filename>,
- <filename>/etc/ssh/ssh_config</filename>, and
- <filename>/etc/ssh/sshd_config</filename></para>
-
- <indexterm zone="openssh openssh-config">
- <primary sortas="e-AA.ssh">~/.ssh/*</primary>
- </indexterm>
-
- <indexterm zone="openssh openssh-config">
- <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
- </indexterm>
-
- <indexterm zone="openssh openssh-config">
- <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
- </indexterm>
-
- <para>There are no required changes to any of these files. However,
- you may wish to view the <filename class='directory'>/etc/ssh/</filename>
- files and make any changes appropriate for the security of your system.
- One recommended change is that you disable
- <systemitem class='username'>root</systemitem> login via
- <command>ssh</command>. Execute the following command as the
- <systemitem class='username'>root</systemitem> user to disable
- <systemitem class='username'>root</systemitem> login via
- <command>ssh</command>:</para>
-
-<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
-
- <para>If you added <application>LinuxPAM</application> support, then you
- will need to add a configuration file for
- <application>sshd</application> and enable use of
- <application>LinuxPAM</application>. Issue the following commands as the
- <systemitem class='username'>root</systemitem> user:</para>
-
-<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
-chmod 644 /etc/pam.d/sshd &&
-echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen>
-
- <para>Additional configuration information can be found in the man
- pages for <command>sshd</command>, <command>ssh</command> and
- <command>ssh-agent</command>.</para>
-
- </sect3>
-
- <sect3 id="openssh-init">
- <title>Boot Script</title>
-
- <para>To start the SSH server at system boot, install the
- <filename>/etc/rc.d/init.d/sshd</filename> init script included
- in the <xref linkend="bootscripts"/> package.</para>
-
- <indexterm zone="openssh openssh-init">
- <primary sortas="f-sshd">sshd</primary>
- </indexterm>
-
-<screen role="root"><userinput>make install-sshd</userinput></screen>
-
- </sect3>
-
- </sect2>
-
- <sect2 role="content">
- <title>Contents</title>
-
- <segmentedlist>
- <segtitle>Installed Programs</segtitle>
- <segtitle>Installed Libraries</segtitle>
- <segtitle>Installed Directories</segtitle>
-
- <seglistitem>
- <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
- ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
- <seg>None</seg>
- <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
- /usr/share/doc/openssh-&openssh-version;</seg>
- </seglistitem>
- </segmentedlist>
-
- <variablelist>
- <bridgehead renderas="sect3">Short Descriptions</bridgehead>
- <?dbfo list-presentation="list"?>
- <?dbhtml list-presentation="table"?>
-
- <varlistentry id="scp">
- <term><command>scp</command></term>
- <listitem>
- <para>is a file copy program that acts like <command>rcp</command>
- except it uses an encrypted protocol.</para>
- <indexterm zone="openssh scp">
- <primary sortas="b-scp">scp</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="sftp">
- <term><command>sftp</command></term>
- <listitem>
- <para>is an FTP-like program that works over
- SSH1 and SSH2 protocols.</para>
- <indexterm zone="openssh sftp">
- <primary sortas="b-sftp">sftp</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="sftp-server">
- <term><command>sftp-server</command></term>
- <listitem>
- <para>is an SFTP server subsystem. This program is not normally
- called directly by the user.</para>
- <indexterm zone="openssh sftp-server">
- <primary sortas="b-sftp-server">sftp-server</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="slogin">
- <term><command>slogin</command></term>
- <listitem>
- <para>is a symlink to <command>ssh</command>.</para>
- <indexterm zone="openssh slogin">
- <primary sortas="g-slogin">slogin</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh">
- <term><command>ssh</command></term>
- <listitem>
- <para>is an <command>rlogin</command>/<command>rsh</command>-like
- client program except it uses an encrypted protocol.</para>
- <indexterm zone="openssh ssh">
- <primary sortas="b-ssh">ssh</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="sshd">
- <term><command>sshd</command></term>
- <listitem>
- <para>is a daemon that listens for <command>ssh</command> login
- requests.</para>
- <indexterm zone="openssh sshd">
- <primary sortas="b-sshd">sshd</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh-add">
- <term><command>ssh-add</command></term>
- <listitem>
- <para>is a tool which adds keys to the
- <command>ssh-agent</command>.</para>
- <indexterm zone="openssh ssh-add">
- <primary sortas="b-ssh-add">ssh-add</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh-agent">
- <term><command>ssh-agent</command></term>
- <listitem>
- <para>is an authentication agent that can store private keys.</para>
- <indexterm zone="openssh ssh-agent">
- <primary sortas="b-ssh-agent">ssh-agent</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh-keygen">
- <term><command>ssh-keygen</command></term>
- <listitem>
- <para>is a key generation tool.</para>
- <indexterm zone="openssh ssh-keygen">
- <primary sortas="b-ssh-keygen">ssh-keygen</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh-keyscan">
- <term><command>ssh-keyscan</command></term>
- <listitem>
- <para>is a utility for gathering public host keys from a
- number of hosts.</para>
- <indexterm zone="openssh ssh-keyscan">
- <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- <varlistentry id="ssh-keysign">
- <term><command>ssh-keysign</command></term>
- <listitem>
- <para>is used by <command>ssh</command> to access the local host
- keys and generate the digital signature required during hostbased
- authentication with SSH protocol version 2. This program is not normally
- called directly by the user.</para>
- <indexterm zone="openssh ssh-keysign">
- <primary sortas="b-ssh-keysign">ssh-keysign</primary>
- </indexterm>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </sect2>
-
-</sect1>
Copied: trunk/BOOK/postlfs/security/openssh.xml (from rev 8901, trunk/BOOK/basicnet/netprogs/openssh.xml)
===================================================================
--- trunk/BOOK/postlfs/security/openssh.xml (rev 0)
+++ trunk/BOOK/postlfs/security/openssh.xml 2011-10-19 23:51:59 UTC (rev 8902)
@@ -0,0 +1,412 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+ <!ENTITY % general-entities SYSTEM "../../general.ent">
+ %general-entities;
+
+ <!ENTITY openssh-download-http "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+ <!ENTITY openssh-download-ftp "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-&openssh-version;.tar.gz">
+ <!ENTITY openssh-md5sum "afe17eee7e98d3b8550cc349834a85d0">
+ <!ENTITY openssh-size "1.1 MB">
+ <!ENTITY openssh-buildsize "44 MB">
+ <!ENTITY openssh-time "3.5 SBU (including the test suite)">
+]>
+
+<sect1 id="openssh" xreflabel="OpenSSH-&openssh-version;">
+ <?dbhtml filename="openssh.html"?>
+
+ <sect1info>
+ <othername>$LastChangedBy$</othername>
+ <date>$Date$</date>
+ </sect1info>
+
+ <title>OpenSSH-&openssh-version;</title>
+
+ <para>The <application>OpenSSH</application> package contains
+ <command>ssh</command> clients and the <command>sshd</command> daemon.
+ This is useful for encrypting authentication and subsequent traffic
+ over a network. The <command>ssh</command> and <command>scp</command>
+ commands are secure implementions of <command>telnet</command> and
+ <command>rcp</command> respectively.</para>
+
+ &lfs70_checked;
+
+ <indexterm zone="openssh">
+ <primary sortas="a-OpenSSH">OpenSSH</primary>
+ </indexterm>
+
+ <sect2 role="package">
+ <title>Introduction to OpenSSH</title>
+
+ <bridgehead renderas="sect3">Package Information</bridgehead>
+ <itemizedlist spacing="compact">
+ <listitem>
+ <para>Download (HTTP): <ulink url="&openssh-download-http;"/></para>
+ </listitem>
+ <listitem>
+ <para>Download (FTP): <ulink url="&openssh-download-ftp;"/></para>
+ </listitem>
+ <listitem>
+ <para>Download MD5 sum: &openssh-md5sum;</para>
+ </listitem>
+ <listitem>
+ <para>Download size: &openssh-size;</para>
+ </listitem>
+ <listitem>
+ <para>Estimated disk space required: &openssh-buildsize;</para>
+ </listitem>
+ <listitem>
+ <para>Estimated build time: &openssh-time;</para>
+ </listitem>
+ </itemizedlist>
+
+ <bridgehead renderas="sect3">OpenSSH Dependencies</bridgehead>
+
+ <bridgehead renderas="sect4">Required</bridgehead>
+ <para role="required"><xref linkend="openssl"/></para>
+
+ <bridgehead renderas="sect4">Optional</bridgehead>
+ <para role="optional"><xref linkend="linux-pam"/>,
+ <xref linkend="tcpwrappers"/>,
+ <xref linkend="x-window-system"/>,
+ <xref linkend="mitkrb"/> or <xref linkend="heimdal"/>,
+ <ulink url="http://www.thrysoee.dk/editline/">libedit</ulink>
+ (provides a command-line history feature to <command>sftp</command>),
+ <ulink url="http://www.opensc-project.org/">OpenSC</ulink>, and
+ <ulink
+ url="http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</ulink></para>
+
+ <bridgehead renderas="sect4">Optional Runtime (Used only to gather entropy)</bridgehead>
+ <para role="optional"><xref linkend="icedtea6"/> or <xref linkend="jdk"/>,
+ <xref linkend="net-tools"/>, and
+ <xref linkend="sysstat"/>.</para>
+
+ <para condition="html" role="usernotes">User Notes:
+ <ulink url='&blfs-wiki;/OpenSSH'/></para>
+
+ </sect2>
+
+ <sect2 role="installation">
+ <title>Installation of OpenSSH</title>
+
+ <para><application>OpenSSH</application> runs as two processes when
+ connecting to other computers. The first process is a privileged process
+ and controls the issuance of privileges as necessary. The second process
+ communicates with the network. Additional installation steps are necessary
+ to set up the proper environment, which are performed by issuing the
+ following commands as the <systemitem class="username">root</systemitem>
+ user:</para>
+
+<screen role="root"><userinput>install -v -m700 -d /var/lib/sshd &&
+chown -v root:sys /var/lib/sshd &&
+groupadd -g 50 sshd &&
+useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd \
+ -s /bin/false -u 50 sshd</userinput></screen>
+
+ <para><application>OpenSSH</application> is very sensitive to changes in
+ the linked <application>OpenSSL</application> libraries. If you recompile
+ <application>OpenSSL</application>, <application>OpenSSH</application> may
+ fail to start up. An alternative is to link against the static
+ <application>OpenSSL</application> library. To link against the static
+ library, execute the following command:</para>
+
+<screen><userinput>sed -i 's@-lcrypto@/usr/lib/libcrypto.a -ldl@' configure</userinput></screen>
+
+ <para>Install <application>OpenSSH</application> by running
+ the following commands:</para>
+
+<screen><userinput>sed -i.bak 's/ -ldes//' configure &&
+./configure --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --datadir=/usr/share/sshd \
+ --libexecdir=/usr/lib/openssh \
+ --with-md5-passwords \
+ --with-privsep-path=/var/lib/sshd &&
+make</userinput></screen>
+
+ <para>If you linked <application>tcp_wrappers</application> into the
+ build using the <option>--with-tcp-wrappers</option> parameter, ensure
+ you add 127.0.0.1 to the sshd line in <filename>/etc/hosts.allow</filename>
+ if you have a restrictive <filename>/etc/hosts.deny</filename> file, or the
+ test suite will fail. Additionally, the testsuite requires an installed
+ copy of <command>scp</command> to complete the multiplexing tests. To
+ run the test suite, first copy the scp program to
+ <filename class="directory">/usr/bin</filename>, making sure that you
+ back up any existing copy first.</para>
+
+ <para>To run the test suite, issue the following commands:</para>
+
+<screen role="root"><userinput>make tests 2>&1 | tee check.log
+grep FATAL check.log</userinput></screen>
+
+ <para>If the above command produces no 'FATAL' errors, then proceed
+ with the installation, as the
+ <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>make install &&
+install -v -m755 -d /usr/share/doc/openssh-&openssh-version; &&
+install -v -m644 INSTALL LICENCE OVERVIEW README* \
+ /usr/share/doc/openssh-&openssh-version;</userinput></screen>
+
+ </sect2>
+
+ <sect2 role="commands">
+ <title>Command Explanations</title>
+
+ <para><command>sed -i.bak 's/ -ldes//' configure</command>:
+ This command fixes a build crash if you used the
+ <option>--with-kerberos5</option> parameter and you built the
+ <application>Heimdal</application> package in accordance with the BLFS
+ instructions. The command is harmless in all other instances.</para>
+
+ <para><parameter>--sysconfdir=/etc/ssh</parameter>: This prevents
+ the configuration files from being installed in
+ <filename class="directory">/usr/etc</filename>.</para>
+
+ <para><parameter>--datadir=/usr/share/sshd</parameter>: This switch
+ puts the Ssh.bin file (used for SmartCard authentication) in
+ <filename class="directory">/usr/share/sshd</filename>.</para>
+
+ <para><parameter>--with-md5-passwords</parameter>: This is required
+ with the default configuration of Shadow password suite in LFS.</para>
+
+ <para><parameter>--libexecdir=/usr/lib/openssh</parameter>: This parameter
+ changes the installation path of some programs to
+ <filename class="directory">/usr/lib/openssh</filename> instead of
+ <filename class="directory">/usr/libexec</filename>.</para>
+
+ <para><parameter>--with-pam</parameter>: This parameter enables
+ <application>Linux-PAM</application> support in the build.</para>
+
+ <para><parameter>--with-xauth=/usr/bin/xauth</parameter>: Set the
+ default location for the <command>xauth</command> binary for X
+ authentication. Change the location if <command>xauth</command> will
+ be installed to a different path. This can also be controlled from
+ <filename>sshd_config</filename> with the XAuthLocation keyword.
+ You can omit this switch if <application>Xorg</application> is already
+ installed.
+ </para>
+
+ <para><parameter>--with-kerberos5=/usr</parameter>: This option is used to
+ include Heimdal support in the build.</para>
+
+ </sect2>
+
+ <sect2 role="configuration">
+ <title>Configuring OpenSSH</title>
+
+ <para>If you are only going to use the <command>ssh</command> or
+ <command>scp</command> clients, no configuration or boot scripts are
+ required.</para>
+
+ <sect3 id="openssh-config">
+ <title>Config Files</title>
+
+ <para><filename>~/.ssh/*</filename>,
+ <filename>/etc/ssh/ssh_config</filename>, and
+ <filename>/etc/ssh/sshd_config</filename></para>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-AA.ssh">~/.ssh/*</primary>
+ </indexterm>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-etc-ssh-ssh_config">/etc/ssh/ssh_config</primary>
+ </indexterm>
+
+ <indexterm zone="openssh openssh-config">
+ <primary sortas="e-etc-ssh-sshd_config">/etc/ssh/sshd_config</primary>
+ </indexterm>
+
+ <para>There are no required changes to any of these files. However,
+ you may wish to view the <filename class='directory'>/etc/ssh/</filename>
+ files and make any changes appropriate for the security of your system.
+ One recommended change is that you disable
+ <systemitem class='username'>root</systemitem> login via
+ <command>ssh</command>. Execute the following command as the
+ <systemitem class='username'>root</systemitem> user to disable
+ <systemitem class='username'>root</systemitem> login via
+ <command>ssh</command>:</para>
+
+<screen role="root"><userinput>echo "PermitRootLogin no" >> /etc/ssh/sshd_config</userinput></screen>
+
+ <para>If you added <application>LinuxPAM</application> support, then you
+ will need to add a configuration file for
+ <application>sshd</application> and enable use of
+ <application>LinuxPAM</application>. Issue the following commands as the
+ <systemitem class='username'>root</systemitem> user:</para>
+
+<screen role="root"><userinput>sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
+chmod 644 /etc/pam.d/sshd &&
+echo "USEPAM yes" >> /etc/ssh/sshd_config</userinput></screen>
+
+ <para>Additional configuration information can be found in the man
+ pages for <command>sshd</command>, <command>ssh</command> and
+ <command>ssh-agent</command>.</para>
+
+ </sect3>
+
+ <sect3 id="openssh-init">
+ <title>Boot Script</title>
+
+ <para>To start the SSH server at system boot, install the
+ <filename>/etc/rc.d/init.d/sshd</filename> init script included
+ in the <xref linkend="bootscripts"/> package.</para>
+
+ <indexterm zone="openssh openssh-init">
+ <primary sortas="f-sshd">sshd</primary>
+ </indexterm>
+
+<screen role="root"><userinput>make install-sshd</userinput></screen>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 role="content">
+ <title>Contents</title>
+
+ <segmentedlist>
+ <segtitle>Installed Programs</segtitle>
+ <segtitle>Installed Libraries</segtitle>
+ <segtitle>Installed Directories</segtitle>
+
+ <seglistitem>
+ <seg>scp, sftp, sftp-server, slogin, ssh, sshd, ssh-add, ssh-agent,
+ ssh-keygen, ssh-keyscan, and ssh-keysign</seg>
+ <seg>None</seg>
+ <seg>/etc/ssh, /var/lib/sshd, /usr/lib/openssh, and
+ /usr/share/doc/openssh-&openssh-version;</seg>
+ </seglistitem>
+ </segmentedlist>
+
+ <variablelist>
+ <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+ <?dbfo list-presentation="list"?>
+ <?dbhtml list-presentation="table"?>
+
+ <varlistentry id="scp">
+ <term><command>scp</command></term>
+ <listitem>
+ <para>is a file copy program that acts like <command>rcp</command>
+ except it uses an encrypted protocol.</para>
+ <indexterm zone="openssh scp">
+ <primary sortas="b-scp">scp</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sftp">
+ <term><command>sftp</command></term>
+ <listitem>
+ <para>is an FTP-like program that works over
+ SSH1 and SSH2 protocols.</para>
+ <indexterm zone="openssh sftp">
+ <primary sortas="b-sftp">sftp</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sftp-server">
+ <term><command>sftp-server</command></term>
+ <listitem>
+ <para>is an SFTP server subsystem. This program is not normally
+ called directly by the user.</para>
+ <indexterm zone="openssh sftp-server">
+ <primary sortas="b-sftp-server">sftp-server</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="slogin">
+ <term><command>slogin</command></term>
+ <listitem>
+ <para>is a symlink to <command>ssh</command>.</para>
+ <indexterm zone="openssh slogin">
+ <primary sortas="g-slogin">slogin</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh">
+ <term><command>ssh</command></term>
+ <listitem>
+ <para>is an <command>rlogin</command>/<command>rsh</command>-like
+ client program except it uses an encrypted protocol.</para>
+ <indexterm zone="openssh ssh">
+ <primary sortas="b-ssh">ssh</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="sshd">
+ <term><command>sshd</command></term>
+ <listitem>
+ <para>is a daemon that listens for <command>ssh</command> login
+ requests.</para>
+ <indexterm zone="openssh sshd">
+ <primary sortas="b-sshd">sshd</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-add">
+ <term><command>ssh-add</command></term>
+ <listitem>
+ <para>is a tool which adds keys to the
+ <command>ssh-agent</command>.</para>
+ <indexterm zone="openssh ssh-add">
+ <primary sortas="b-ssh-add">ssh-add</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-agent">
+ <term><command>ssh-agent</command></term>
+ <listitem>
+ <para>is an authentication agent that can store private keys.</para>
+ <indexterm zone="openssh ssh-agent">
+ <primary sortas="b-ssh-agent">ssh-agent</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keygen">
+ <term><command>ssh-keygen</command></term>
+ <listitem>
+ <para>is a key generation tool.</para>
+ <indexterm zone="openssh ssh-keygen">
+ <primary sortas="b-ssh-keygen">ssh-keygen</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keyscan">
+ <term><command>ssh-keyscan</command></term>
+ <listitem>
+ <para>is a utility for gathering public host keys from a
+ number of hosts.</para>
+ <indexterm zone="openssh ssh-keyscan">
+ <primary sortas="b-ssh-keyscan">ssh-keyscan</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="ssh-keysign">
+ <term><command>ssh-keysign</command></term>
+ <listitem>
+ <para>is used by <command>ssh</command> to access the local host
+ keys and generate the digital signature required during hostbased
+ authentication with SSH protocol version 2. This program is not normally
+ called directly by the user.</para>
+ <indexterm zone="openssh ssh-keysign">
+ <primary sortas="b-ssh-keysign">ssh-keysign</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </sect2>
+
+</sect1>
Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml 2011-10-19 23:44:14 UTC (rev 8901)
+++ trunk/BOOK/postlfs/security/security.xml 2011-10-19 23:51:59 UTC (rev 8902)
@@ -42,6 +42,7 @@
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cacerts.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>
--
http://linuxfromscratch.org/mailman/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
