4.3. OpenSSH
OpenSSH
is a free implementation of SSH-1 and SSH-2, obtained from the
OpenSSH web site:
http://www.openssh.com/
Since it is developed by the OpenBSD Project, the main version of
OpenSSH is specifically for the OpenBSD Unix operating system, and is
in fact included in the base OpenBSD installation. As a separate but
related effort, another team maintains a "portable"
version that compiles on a variety of Unix flavors and tracks the
main development effort. The supported platforms include Linux,
Solaris, AIX, IRIX, HP/UX, FreeBSD, and NetBSD (OpenSSH is included in
FreeBSD as well). The portable version carries a "p"
suffix. For example, 2.1.1p4 is the fourth release of the portable
version of OpenSSH 2.1.1.
4.3.1. Prerequisites
OpenSSH depends on two other software packages:
OpenSSL
and zlib. OpenSSL is a
cryptographic library available at http://www.openssl.com/; all the cryptography
used in OpenSSH is pulled from OpenSSL. zlib is a library of
data-compression routines, available at http://www.info-zip.org/pub/infozip/zlib/.
Before compiling OpenSSH, you must obtain and install these packages.
4.3.2. Building
Building OpenSSH is similar to building SSH1 and SSH2, with the same
configure; make; make install
sequence. In some versions of OpenSSH prior to 2.2.0, though,
make install didn't generate and install the
host keys automatically. If your host keys are missing, you can
install them with make host-key.
4.3.3. PAM
By default, OpenSSH uses
PAM for password
authentication. PAM, the Pluggable Authentication Modules system, is
a generic framework for authentication,
authorization, and accounting (AAA). The idea is that programs call
PAM to perform AAA functions, leaving the sysadmin free to configure
individual programs to use various kinds of authentication, via
dynamically loaded libraries. Visit http://www.kernel.org/pub/linux/libs/pam/ for
more information on PAM.
Generally, if a program uses PAM, some host configuration is
necessary to describe how PAM should behave for that program. The PAM
configuration files are usually in the directory /etc/pam.d.
WARNING: On many operating systems that use PAM, including RedHat Linux,
OpenSSH builds with PAM support by default (you can turn this off
using configure --without-pam). If you keep PAM support, however,
you must configure PAM on the host to know about
sshd, or password authentication will not work. By
default, PAM denies authentication for any program that is not
specifically configured to use it.
PAM configuration for SSH is usually just a matter of copying the
appropriate sshd.pam file from the
distribution's contrib directory into
place as /etc/pam.d/sshd. Sample files are
included for various flavors of Unix.
Note that you don't need to restart sshd
when you change the PAM configuration; the configuration files are
checked on every use of PAM.
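A PAM service file for sshd, as an added example (not from the book and not the sshd.pam shipped in the OpenSSH contrib directory): it installs the file only when none exists and then checks that the auth and account stacks are declared, since an unconfigured PAM denies the service outright. The module names pam_unix and pam_nologin, and the sample path contrib/redhat/sshd.pam, are assumptions about a typical Linux-PAM host.

```shell
#!/bin/sh
# Added example, not from the book or the OpenSSH distribution: put a PAM
# service file for sshd in place so a PAM-enabled sshd can authenticate
# passwords.  Module names are assumptions about a Linux-PAM host; the
# book's advice is to copy the matching sshd.pam from contrib instead.

# install_sshd_pam PAMDIR [SAMPLE]
# Copy SAMPLE (e.g. contrib/redhat/sshd.pam) to PAMDIR/sshd, or write a
# minimal generic service file when no sample is given.  Never overwrites
# an existing file: exit status 2 means "already configured, nothing done".
install_sshd_pam() {
    pamdir=$1; sample=${2:-}
    target="$pamdir/sshd"
    [ -f "$target" ] && return 2
    mkdir -p "$pamdir"
    if [ -n "$sample" ]; then
        cp "$sample" "$target"
    else
        cat >"$target" <<'EOF'
#%PAM-1.0
# Minimal sshd service file (constructed example, pam_unix/pam_nologin assumed).
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
EOF
    fi
    chmod 644 "$target"
}

# sshd_pam_ok PAMDIR
# PAM denies services it has no configuration for, so make sure the sshd
# file exists and declares at least the auth and account stacks.
sshd_pam_ok() {
    f="$1/sshd"
    [ -f "$f" ] || { echo "missing $f: password auth will fail" >&2; return 1; }
    for stack in auth account; do
        grep -q "^[[:space:]]*$stack[[:space:]]" "$f" \
            || { echo "no $stack line in $f" >&2; return 1; }
    done
    echo "PAM configured for sshd"
}

# Usage on a real host, as root:
#   install_sshd_pam /etc/pam.d contrib/redhat/sshd.pam; sshd_pam_ok /etc/pam.d
```

Because PAM re-reads its configuration on every use, there is nothing to restart after the file is in place; the next password login through sshd picks it up.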
4.3.4. Randomness
The main OpenSSH code base relies on the host operating system to
provide a source of entropy, or randomness,
via a device driver accessed through
/dev/urandom. This is because the OpenBSD
operating system has this device. If you build OpenSSH on a platform
lacking such a device, such as Solaris, it needs an alternative
source of randomness. There are two choices: the internal
entropy-gathering system that comes with the portable OpenSSH
distribution, or EGD, the Entropy Gathering Daemon, a separate program
that collects entropy and hands it out through a Unix-domain socket
(its "pool").
OpenSSH defaults to the first choice, the internal system, unless you
configure it with EGD. The internal system uses a configurable set of
commands that monitor changing aspects of the system operation,
mixing their output together. You can control which commands are used
and how, with the file
/etc/ssh_prng_cmds.
4.3.5. Compilation Flags
As with the other SSH implementations,
OpenSSH has a number of
compilation flags, many the same, some different. Here are the most
important ones to know:
--without-pam   Disable PAM support
Omit PAM support from OpenSSH. This flag isn't normally
necessary, since the configure process detects
whether the host has PAM, and if so, you probably want to use it.

--with-md5-passwords   Enable use of MD5 passwords
--without-shadow   Disable shadow password support
These options control OpenSSH's treatment of the Unix account
database (passwd map). They are relevant only if OpenSSH isn't
using PAM, since otherwise PAM deals with reading the account
information, not the OpenSSH code proper.
Enable --with-md5-passwords if
your system uses MD5 instead of the traditional
crypt function to hash passwords, and you are
not using PAM.
"Shadow passwords" refers to the practice of keeping the
hashed password in a restricted file
/etc/shadow (/etc/passwd must be
world-readable). Use
--without-shadow to suppress
reading of the /etc/shadow file, should it be
necessary.

--with-ssl-dir=PATH   Set path to OpenSSL installation
If OpenSSL isn't installed
in the usual place, /usr/local/ssl, use this
flag to indicate its location.

--with-xauth=PATH   Set path to xauth program
In OpenSSH, the default location of the
xauth
program is a compile-time parameter.

--with-random=FILE   Read randomness from given file
Specify the character device file providing a source of random bits,
normally /dev/urandom.

--with-egd-pool=FILE   Read randomness from EGD pool FILE (default none)
If you install EGD as described earlier, use this flag to have
OpenSSH use EGD as its randomness source.

--with-kerberos4=PATH   Enable Kerberos-4 support
--with-afs=PATH   Enable AFS support
These flags apply to
Kerberos-4 and
AFS. [Section 3.4.2.4, "Kerberos authentication"] Note that
there's no Kerberos-5 support in OpenSSH.

--with-skey   Enable S/Key support
Enable support for the
S/Key
one-time password system for password
authentication. [Section 3.4.2.5, "One-time passwords"]

--with-tcp-wrappers   Enable TCP-wrappers support
Equivalent to the SSH1 configure flag
--with-libwrap. [Section 4.1.5.3, "TCP/IP support"]

--with-ipaddr-display   Use IP address instead of hostname in $DISPLAY
In X forwarding, use
DISPLAY values of the form
192.168.10.1:10.0 instead of hostname:10.0. This flag works around
certain buggy X libraries that do weird things with the hostname
version, using some sort of IPC mechanism for talking to the X server
rather than TCP.

--with-default-path=PATH   Default server PATH
The default path OpenSSH uses when attempting to run a subprogram.

--with-ipv4-default   Use IPv4 unless "-6" is given
--with-4in6   Check for and convert IPv4 in IPv6 mapped addresses
OpenSSH supports IPv6, the next-generation TCP/IP protocol suite that
is still in the development and very early deployment stages in the
Internet (the current version of IP is IPv4). The default
configuration of OpenSSH attempts to use IPv6 where possible, and
sometimes this results in problems. If you encounter errors
mentioning "af=10" or "address family 10,"
that's IPv6, and you should try the -4 runtime
option, or compiling
--with-ipv4-default.

--with-pid-dir=PATH   Specify location of ssh.pid file
Location of the OpenSSH pid file,
where it stores the pid of the currently running daemon. The default
is /var/run/sshd.pid.
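The build sequence of 4.3.2, the randomness decision of 4.3.4 and the flags listed above, put together as one script. This is an added example, not code from the book or from the OpenSSH distribution; the detection heuristics (no /etc/pam.d means PAM is not set up, a "$1$" prefix in /etc/shadow means MD5 hashes, libwrap under /usr/lib, an EGD socket at /var/run/egd-pool) and the host key file names are assumptions to adapt to your host.

```shell
#!/bin/sh
# Added example (not from the book or the OpenSSH project): choose configure
# flags for portable OpenSSH from what the build host actually provides, run
# configure; make; make install, and make sure host keys exist afterwards.
# Paths and heuristics are assumptions.  SYSCONFDIR=/etc matches the book's
# /etc/ssh_prng_cmds.
SYSCONFDIR=${SYSCONFDIR:-/etc}

# pick_configure_flags ROOT
# Inspect the host rooted at ROOT ("/" normally, a scratch tree in tests)
# and print the configure flags the findings call for.
pick_configure_flags() {
    root=${1:-/}; root=${root%/}
    flags=""
    # PAM: configure enables it whenever the library is found, but an
    # unconfigured PAM denies sshd.  Assumption: no /etc/pam.d, no PAM.
    if [ ! -d "$root/etc/pam.d" ]; then
        flags="$flags --without-pam"
        # Without PAM, OpenSSH reads the hashes itself; "$1$" marks
        # MD5-crypt hashes, which need --with-md5-passwords.
        if [ -r "$root/etc/shadow" ] && grep -q ':\$1\$' "$root/etc/shadow"; then
            flags="$flags --with-md5-passwords"
        fi
    fi
    # Randomness: kernel device if present, else an EGD pool socket.
    # (-e rather than -c so the check also works on a scratch tree.)
    if [ -e "$root/dev/urandom" ]; then
        flags="$flags --with-random=/dev/urandom"
    elif [ -e "$root/var/run/egd-pool" ]; then
        flags="$flags --with-egd-pool=/var/run/egd-pool"
    else
        echo "no /dev/urandom and no EGD pool: install EGD first" >&2
        return 1
    fi
    # TCP wrappers only help if libwrap is installed (assumed in /usr/lib).
    if [ -e "$root/usr/lib/libwrap.a" ] || [ -e "$root/usr/lib/libwrap.so" ]; then
        flags="$flags --with-tcp-wrappers"
    fi
    # "af=10" errors mean IPv6 trouble; set PREFER_IPV4=1 to default to IPv4.
    if [ -n "${PREFER_IPV4:-}" ]; then
        flags="$flags --with-ipv4-default"
    fi
    echo "${flags# }"
}

# missing_host_keys ETCDIR
# Print the host key files that make install (before 2.2.0) may not have
# created; exit status 1 if any are missing.  Names are those of current
# OpenSSH; 2.x also generated the SSH-1 key ssh_host_key (type rsa1).
missing_host_keys() {
    rc=0
    for k in ssh_host_rsa_key ssh_host_dsa_key; do
        if [ ! -f "$1/$k" ]; then
            echo "$k"
            rc=1
        fi
    done
    return $rc
}

# generate_host_keys ETCDIR
# What "make host-key" does: create each missing key with ssh-keygen.
generate_host_keys() {
    [ -f "$1/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f "$1/ssh_host_rsa_key" -N ""
    [ -f "$1/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f "$1/ssh_host_dsa_key" -N ""
}

# build_openssh SRCDIR FLAGS...
build_openssh() {
    src=$1; shift
    (cd "$src" && ./configure --sysconfdir="$SYSCONFDIR" "$@" && make && make install) || return 1
    missing_host_keys "$SYSCONFDIR" >/dev/null || generate_host_keys "$SYSCONFDIR"
}

# Usage, as root, on an unpacked portable tree:
#   sh build-openssh.sh /usr/local/src/openssh-2.1.1p4
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    flags=$(pick_configure_flags /) || exit 1
    build_openssh "$1" $flags
fi
```

On a host with PAM, the script adds no PAM flag at all, because configure detects PAM itself; the only thing left to do is the /etc/pam.d/sshd file from 4.3.3. On a host with neither /dev/urandom nor an EGD socket it stops before running configure, since sshd built that way would have no entropy source.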