INSTALL - security/openssh-library - Rivoreo Source Code Repositories

 1. Prerequisites
 ----------------

 You will need working installations of Zlib and OpenSSL.

 Zlib:
 http://www.cdrom.com/pub/infozip/zlib/

 OpenSSL:
 http://www.openssl.org/

 RPMs of OpenSSL are available in the support/ directory of the OpenSSH
 mirror site. OpenSSH requires OpenSSL version 0.9.5 or later.

 OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
 supports it. PAM is standard on Redhat and Debian Linux and on Solaris.

 PAM:
 http://www.kernel.org/pub/linux/libs/pam/

 If you wish to build the GNOME passphrase requester, you will need the GNOME
 libraries and headers.

 GNOME:
 http://www.gnome.org/

 Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
 passphrase requester. This is maintained separately at:

 http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html

 If you are planning to use OpenSSH on a Unix which lacks a Kernel random
 number generator (/dev/urandom), you will need to install the Entropy
 Gathering Daemon (or similar). You will also need to specify the
 --with-egd-pool option to ./configure.

 EGD:
 http://www.lothar.com/tech/crypto/

 GNU Make:
 ftp://ftp.gnu.org/gnu/make/

 OpenSSH has only been tested with GNU make. It may work with other
 'make' programs, but you are on your own.

 2. Building / Installation
 --------------------------

 To install OpenSSH with default options:

 ./configure
 make
 make install

 This will install the OpenSSH binaries in /usr/local/bin, configuration files
 in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
 installation prefix, use the --prefix option to configure:

 ./configure --prefix=/opt
 make
 make install

 Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
 specific paths, for example:

 ./configure --prefix=/opt --sysconfdir=/etc/ssh
 make
 make install

 This will install the binaries in /opt/{bin,lib,sbin}, but will place the
 configuration files in /etc/ssh.

 If you are using PAM, you will need to manually install a PAM
 control file as "/etc/pam.d/sshd" (or wherever your system
 prefers to keep them). A generic PAM configuration is included as
 "contrib/sshd.pam.generic", you may need to edit it before using it on
 your system. If you are using a recent version of Redhat Linux, the
 config file in contrib/redhat/sshd.pam should be more useful.

 There are a few other options to the configure script:

 --with-rsh=PATH allows you to specify the path to your rsh program.
 Normally ./configure will search the current $PATH for 'rsh'. You
 may need to specify this option if rsh is not in your path or has a
 different name.

 --without-pam will disable PAM support. PAM is automatically detected
 and switched on if found.

 --enable-gnome-askpass will build the GNOME passphrase dialog. You
 need a working installation of GNOME, including the development
 headers, for this to work.

 --with-random=/some/file allows you to specify an alternate source of
 random numbers (the default is /dev/urandom). Unless you are absolutly
 sure of what you are doing, it is best to leave this alone.

 --with-egd-pool=/some/file allows you to enable Entropy Gathering
 Daemon support and to specify a EGD pool socket. You will need to
 use this if your Unix does not support the /dev/urandom device (or
 similar). The file argument refers to the EGD pool file, not the
 EGD program itself. Please refer to the EGD documentation.

 --with-lastlog=FILE will specify the location of the lastlog file.
 ./configure searches a few locations for lastlog, but may not find
 it if lastlog is installed in a different place.

 --without-lastlog will disable lastlog support entirely.

 --with-kerberos4=PATH will enable Kerberos IV support. You will need
 to have the Kerberos libraries and header files installed for this
 to work. Use the optional PATH argument to specify the root of your
 Kerberos installation.

 --with-afs=PATH will enable AFS support. You will need to have the
 Kerberos IV and the AFS libraries and header files installed for this
 to work.  Use the optional PATH argument to specify the root of your
 AFS installation. AFS requires Kerberos support to be enabled.

 --with-skey will enable S/Key one time password support. You will need
 the S/Key libraries and header files installed for this to work.

 --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
 support. You will need libwrap.a and tcpd.h installed.

 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords without using PAM.

 --with-utmpx enables utmpx support. utmpx support is automatic for
 some platforms.

 --without-shadow disables shadow password support.

 --with-ipaddr-display forces the use of a numeric IP address in the
 $DISPLAY environment variable. Some broken systems need this.

 --with-default-path=PATH allows you to specify a default $PATH for sessions
 started by sshd. This replaces the standard path entirely.

 --with-pid-dir=PATH specifies the directory in which the ssh.pid file is
 created.

 --with-xauth=PATH specifies the location of the xauth binary

 --with-ipv4-default instructs OpenSSH to use IPv4 by default for new
 connections. Normally OpenSSH will try attempt to lookup both IPv6 and
 IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name
 resolution. If this option is specified, you can still attempt to
 connect to IPv6 addresses using the command line option '-6'.

 --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
 are installed.

 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

 If you need to pass special options to the compiler or linker, you
 can specify these as enviornment variables before running ./configure.
 For example:

 CFLAGS="-O -m486" LFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

 3. Configuration
 ----------------

 The runtime configuration files are installed by in ${prefix}/etc or
 whatever you specified as your --sysconfdir (/usr/local/etc by default).

 The default configuration should be instantly usable, though you should
 review it to ensure that it matches your security requirements.

 To generate a host key, run "make host-key". Alternately you can do so
 manually using the following command:

 /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''

 Replacing /etc/ssh with the correct path to the configuration directory.
 (${prefix}/etc or whatever you specified with --sysconfdir during
 configuration)

 If you have configured OpenSSH with EGD support, ensure that EGD is
 running and has collected some Entropy.

 For more information on configuration, please refer to the manual pages
 for sshd, ssh and ssh-agent.

 4. Problems?
 ------------

 If you experience problems compiling, installing or running OpenSSH.
 Please refer to the "reporting bugs" section of the webpage at
 http://violet.ibs.com.au/openssh/
	1. Prerequisites
	----------------

	You will need working installations of Zlib and OpenSSL.

	Zlib:
	http://www.cdrom.com/pub/infozip/zlib/

	OpenSSL:
	http://www.openssl.org/

	RPMs of OpenSSL are available in the support/ directory of the OpenSSH
	mirror site. OpenSSH requires OpenSSL version 0.9.5 or later.

	OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
	supports it. PAM is standard on Redhat and Debian Linux and on Solaris.

	PAM:
	http://www.kernel.org/pub/linux/libs/pam/

	If you wish to build the GNOME passphrase requester, you will need the GNOME
	libraries and headers.

	GNOME:
	http://www.gnome.org/

	Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
	passphrase requester. This is maintained separately at:

	http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html

	If you are planning to use OpenSSH on a Unix which lacks a Kernel random
	number generator (/dev/urandom), you will need to install the Entropy
	Gathering Daemon (or similar). You will also need to specify the
	--with-egd-pool option to ./configure.

	EGD:
	http://www.lothar.com/tech/crypto/

	GNU Make:
	ftp://ftp.gnu.org/gnu/make/

	OpenSSH has only been tested with GNU make. It may work with other
	'make' programs, but you are on your own.

	2. Building / Installation
	--------------------------

	To install OpenSSH with default options:

	./configure
	make
	make install

	This will install the OpenSSH binaries in /usr/local/bin, configuration files
	in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
	installation prefix, use the --prefix option to configure:

	./configure --prefix=/opt
	make
	make install

	Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
	specific paths, for example:

	./configure --prefix=/opt --sysconfdir=/etc/ssh
	make
	make install

	This will install the binaries in /opt/{bin,lib,sbin}, but will place the
	configuration files in /etc/ssh.

	If you are using PAM, you will need to manually install a PAM
	control file as "/etc/pam.d/sshd" (or wherever your system
	prefers to keep them). A generic PAM configuration is included as
	"contrib/sshd.pam.generic", you may need to edit it before using it on
	your system. If you are using a recent version of Redhat Linux, the
	config file in contrib/redhat/sshd.pam should be more useful.

	There are a few other options to the configure script:

	--with-rsh=PATH allows you to specify the path to your rsh program.
	Normally ./configure will search the current $PATH for 'rsh'. You
	may need to specify this option if rsh is not in your path or has a
	different name.

	--without-pam will disable PAM support. PAM is automatically detected
	and switched on if found.

	--enable-gnome-askpass will build the GNOME passphrase dialog. You
	need a working installation of GNOME, including the development
	headers, for this to work.

	--with-random=/some/file allows you to specify an alternate source of
	random numbers (the default is /dev/urandom). Unless you are absolutly
	sure of what you are doing, it is best to leave this alone.

	--with-egd-pool=/some/file allows you to enable Entropy Gathering
	Daemon support and to specify a EGD pool socket. You will need to
	use this if your Unix does not support the /dev/urandom device (or
	similar). The file argument refers to the EGD pool file, not the
	EGD program itself. Please refer to the EGD documentation.

	--with-lastlog=FILE will specify the location of the lastlog file.
	./configure searches a few locations for lastlog, but may not find
	it if lastlog is installed in a different place.

	--without-lastlog will disable lastlog support entirely.

	--with-kerberos4=PATH will enable Kerberos IV support. You will need
	to have the Kerberos libraries and header files installed for this
	to work. Use the optional PATH argument to specify the root of your
	Kerberos installation.

	--with-afs=PATH will enable AFS support. You will need to have the
	Kerberos IV and the AFS libraries and header files installed for this
	to work. Use the optional PATH argument to specify the root of your
	AFS installation. AFS requires Kerberos support to be enabled.

	--with-skey will enable S/Key one time password support. You will need
	the S/Key libraries and header files installed for this to work.

	--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow\|deny)
	support. You will need libwrap.a and tcpd.h installed.

	--with-md5-passwords will enable the use of MD5 passwords. Enable this
	if your operating system uses MD5 passwords without using PAM.

	--with-utmpx enables utmpx support. utmpx support is automatic for
	some platforms.

	--without-shadow disables shadow password support.

	--with-ipaddr-display forces the use of a numeric IP address in the
	$DISPLAY environment variable. Some broken systems need this.

	--with-default-path=PATH allows you to specify a default $PATH for sessions
	started by sshd. This replaces the standard path entirely.

	--with-pid-dir=PATH specifies the directory in which the ssh.pid file is
	created.

	--with-xauth=PATH specifies the location of the xauth binary

	--with-ipv4-default instructs OpenSSH to use IPv4 by default for new
	connections. Normally OpenSSH will try attempt to lookup both IPv6 and
	IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name
	resolution. If this option is specified, you can still attempt to
	connect to IPv6 addresses using the command line option '-6'.

	--with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
	are installed.

	--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
	real (AF_INET) IPv4 addresses. Works around some quirks on Linux.

	If you need to pass special options to the compiler or linker, you
	can specify these as enviornment variables before running ./configure.
	For example:

	CFLAGS="-O -m486" LFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure

	3. Configuration
	----------------

	The runtime configuration files are installed by in ${prefix}/etc or
	whatever you specified as your --sysconfdir (/usr/local/etc by default).

	The default configuration should be instantly usable, though you should
	review it to ensure that it matches your security requirements.

	To generate a host key, run "make host-key". Alternately you can do so
	manually using the following command:

	/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''

	Replacing /etc/ssh with the correct path to the configuration directory.
	(${prefix}/etc or whatever you specified with --sysconfdir during
	configuration)

	If you have configured OpenSSH with EGD support, ensure that EGD is
	running and has collected some Entropy.

	For more information on configuration, please refer to the manual pages
	for sshd, ssh and ssh-agent.

	4. Problems?
	------------

	If you experience problems compiling, installing or running OpenSSH.
	Please refer to the "reporting bugs" section of the webpage at
	http://violet.ibs.com.au/openssh/