is a free implementation of SSH-1 and SSH-2, obtained from the
OpenSSH web site:
Since it is developed by the OpenBSD Project, the main version of
OpenSSH is specifically for the OpenBSD Unix operating system, and is
in fact included in the base OpenBSD installation. As a separate but
related effort, another team maintains a "portable"
version that compiles on a variety of Unix flavors and tracks the
main development effort. The supported platforms include Linux,
Solaris AIX, IRIX, HP/UX, FreeBSD, and NetBSD (OpenSSH is included in
FreeBSD as well). The portable version carries a "p"
suffix. For example, 2.1.1p4 is the fourth release of the portable
version of OpenSSH 2.1.1.
OpenSSH depends on two other software packages:
and zlib. OpenSSL is a
cryptographic library available at http://www.openssl.com/; all the cryptography
used in OpenSSH is pulled from OpenSSL. zlib is a library of
data-compression routines, available at http://www.info-zip.org/pub/infozip/zlib/.
Before compiling OpenSSH, you must obtain and install these packages.
Building OpenSSH is similar to building SSH1 and SSH2, with the same
configure; make; make install
sequence. In some versions of OpenSSH prior to 2.2.0, though,
make install didn't generate and install the
host keys automatically. If your host keys are missing, you can
install them with make host-key.
By default, OpenSSH uses
PAM for password
authentication. PAM, the Pluggable Authentication Modules system, is
a generic framework for authentication,
authorization, and accounting (AAA). The idea is that programs call
PAM to perform AAA functions, leaving the sysadmin free to configure
individual programs to use various kinds of authentication, via
dynamically loaded libraries. Visit http://www.kernel.org/pub/linux/libs/pam/ for
more information on PAM.
Generally, if a program uses PAM, some host configuration is
necessary to describe how PAM should behave for that program. The PAM
configuration files are usually in the directory /etc/pam.d.
WARNING: On many operating systems that use PAM, including RedHat Linux,
OpenSSH builds with PAM support by default (you can turn this off
using configure -- without-pam
you must then configure PAM on the host to know about
sshd, or password authentication will not work. By
default, PAM normally denies authentication for programs not
specifically configured to use it.
PAM configuration for SSH is usually just a matter of copying the
appropriate sshd.pam file from the
distribution's contrib directory into
place as /etc/pam.d/sshd. Sample files are
included for various flavors of Unix.
Note that you don't need to restart sshd
when you change the PAM configuration; the configuration files are
checked on every use of PAM.
The main OpenSSH code base relies on the host operating system to
provide a source of entropy, or randomness,
via a device driver accessed through
/dev/urandom. This is because the OpenBSD
operating system has this device. If you build OpenSSH on a platform
lacking such a device, such as Solaris, it needs an alternative
source of randomness. There are two choices:
OpenSSH defaults to the first choice, the internal system, unless you
configure it with EGD. The internal system uses a configurable set of
commands that monitor changing aspects of the system operation,
mixing their output together. You can control which commands are used
and how, with the file
4.3.5. Compilation Flags
As with the other SSH implementations,
OpenSSH has a number of
compilation flags, many the same, some different. Here are the most
important ones to know:
-- without-pam Disable PAM support
Omit PAM support from OpenSSH. This flag isn't normally
necessary, since the configure process detects
whether the host has PAM, and if so, you probably want to use it.
-- with-md5-passwords Enable use of MD5 passwords
-- without-shadow Disable shadow password support
These options control OpenSSH's treatment of the Unix account
database (passwd map). They are relevant only if OpenSSH isn't
using PAM, since otherwise PAM deals with reading the account
information, not the OpenSSH code proper.
Enable -- with-md5-passwords if
your system uses MD5 instead of the traditional
crypt function to hash passwords, and you are
not using PAM.
"Shadow passwords" refers to the practice of keeping the
hashed password in a restricted file
/etc/shadow (/etc/passwd must be
-- without-shadow to suppress
reading of the /etc/shadow file, should it be
-- with-ssl-dir= PATH Set path to OpenSSL installation
If OpenSSL isn't installed
in the usual place, /usr/local/ssl, use this
flag to indicate its location.
-- with-xauth=PATH Set path to xauth program
In OpenSSH, the default location of the
program is a compile-time parameter.
-- with-random=FILE Read randomness from given file
Specify the character device file providing a source of random bits,
Read randomness from EGD pool FILE (default none)
If you install EGD as described earlier, use this flag to have
OpenSSH use EGD as its randomness source.
Enable Kerberos-4 support
-- with-afs=PATH Enable AFS support
These flags apply to
AFS. [Section 22.214.171.124, "Kerberos authentication"] Note that
there's no Kerberos-5 support in OpenSSH.
-- with-skey Enable S/Key support
Enable support for the
one-time password system for password
authentication. [Section 126.96.36.199, "One-time passwords"]
-- with-tcp-wrappers Enable TCP-wrappers support
Equivalent to the SSH1 configure flag
. [Section 188.8.131.52, "TCP/IP support"]
-- with-ipaddr-display Use IP address instead of hostname in $DISPLAY
In X forwarding, use
DISPLAY values of the form
192.168.10.1:10.0 instead of hostname:10.0. This flag works around
certain buggy X libraries that do weird things with the hostname
version, using some sort of IPC mechanism for talking to the X server
rather than TCP.
Default server PATH
The default path OpenSSH uses when attempting to run a subprogram.
-- with-ipv4-default Use IPv4 unless "-6" is given
-- with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
OpenSSH supports IPv6, the next-generation TCP/IP protocol suite that
is still in the development and very early deployment stages in the
Internet (the current version of IP is IPv4). The default
configuration of OpenSSH attempts to use IPv6 where possible, and
sometimes this results in problems. If you encounter errors
mentioning "af=10" or "address family 10,"
that's IPv6, and you should try the -4 runtime
option, or compiling
-- with-pid-dir=PATH Specify location of ssh.pid file
Location of the OpenSSH pid file,
where it stores the pid of the currently running daemon. The default
|4.2. F-Secure SSH Server||4.4. Software Inventory||