9.23. OpenSSH-10.2p1

9.23.1. Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

Approximate build time: 0.3 SBU (running the tests takes about 11 minutes)
Required disk space: 50 MB

OpenSSH Dependencies

Optional

Section 9.11, “Which-2.23 and Alternatives” (for tests), libedit, LibreSSL Portable, OpenSC, and libsectok

9.23.2. Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands:

install -v -g sys -m700 -d /var/lib/sshd

groupadd -g 50 sshd

useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Prepare OpenSSH by running the following commands:

./configure --prefix=/usr                            \
            --sysconfdir=/etc/ssh                    \
            --with-privsep-path=/var/lib/sshd        \
            --with-default-path=/usr/bin             \
            --with-superuser-path=/usr/sbin:/usr/bin \
            --with-pid-dir=/run

Compile the package:

make

To test the results, issue:

make -j1 tests

Now install the package:

make install

install -v -m755    contrib/ssh-copy-id /usr/bin

install -v -m644    contrib/ssh-copy-id.1 /usr/share/man/man1

install -v -m755 -d /usr/share/doc/openssh-10.2p1

install -v -m644    INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-10.2p1

9.23.3. Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-default-path=/usr/bin and --with-superuser-path=/usr/sbin:/usr/bin: These set PATH consistently with the LFS and BLFS Shadow package.

--with-pid-dir=/run: This prevents OpenSSH from referring to deprecated /var/run.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

9.23.4. Configuring OpenSSH

9.23.4.1. Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub with ssh-keygen and then copy ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to replace REMOTE_USERNAME and REMOTE_HOSTNAME with the username and hostname of the remote computer, and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen
ssh-copy-id -i ~/.ssh/id_ed25519.pub REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working, it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would now like to disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "KbdInteractiveAuthentication no" >> /etc/ssh/sshd_config
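The three echo commands above append directives to the end of sshd_config. sshd applies the first occurrence of a keyword and ignores later ones, so if the file (or a file pulled in by an Include line) already sets PermitRootLogin or PasswordAuthentication earlier, the appended line has no effect and the intended hardening silently does not happen. The following added example (not part of the BLFS book) reads a config file the way sshd does for the global section, reporting the value that wins and any keyword set more than once; it assumes only POSIX sh, tr and mktemp, does not follow Include directives, and stops at the first Match line because everything after it is conditional rather than global. The sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not BLFS or OpenSSH code: sshd_config keywords take effect on
# their FIRST occurrence, so "echo ... >> sshd_config" is ignored whenever an
# earlier line already sets the keyword. These helpers surface that case.
# Assumptions: POSIX sh, tr and mktemp only; Include lines are not followed.

# Usage: sshd_effective KEYWORD FILE
# Prints the first global value of KEYWORD (case-insensitive) and returns 0,
# or prints "(default)" and returns 1 if the global section never sets it.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS="$(printf ' \t')" read -r k v _ || [ -n "$k" ]; do
        case $k in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
        # Everything after the first Match line is conditional, not global.
        [ "$k" = match ] && break
        if [ "$k" = "$key" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done < "$2"
    printf '(default)\n'
    return 1
}

# Usage: sshd_shadowed FILE
# Prints each keyword that appears more than once in the global section;
# every occurrence after the first is dead configuration.
sshd_shadowed() {
    seen=' '
    while IFS="$(printf ' \t')" read -r k _ || [ -n "$k" ]; do
        case $k in
            ''|'#'*) continue ;;
        esac
        k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
        [ "$k" = match ] && break
        case $seen in
            *" $k "*) printf '%s\n' "$k" ;;   # already set above: shadowed
            *)        seen="$seen$k " ;;
        esac
    done < "$1"
}

# Constructed sample (not a real system file): the appended "PermitRootLogin no"
# comes after an existing "PermitRootLogin yes" and therefore loses; the
# PasswordAuthentication line inside the Match block is conditional and does
# not change the global value.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config for demonstration
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF

for kw in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
    printf '%-30s %s\n' "$kw" "$(sshd_effective "$kw" "$cfg")"
done
printf 'shadowed keywords: %s\n' "$(sshd_shadowed "$cfg")"
rm -f "$cfg"
```

On a real system the authoritative check is sshd itself: sshd -t validates the file and sshd -T prints the effective configuration after all Include and Match processing, so after appending a directive run sshd -T and confirm the keyword shows the value you expect before restarting the service. If sshd_shadowed reports a keyword, edit the earlier line in place instead of appending another copy.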

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

9.23.4.2. Systemd Unit

To start the SSH server at system boot, install the sshd.service unit included in the https://anduin.linuxfromscratch.org/BLFS/blfs-bootscripts/blfs-bootscripts-20251220.tar.xz package.

Note: Changing the setting of ListenAddress in /etc/ssh/sshd_config is unsupported with the BLFS sshd systemd unit.

make install-sshd

9.23.5. Contents

Installed Programs: scp, sftp, ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/share/doc/openssh-10.2p1, and /var/lib/sshd

Short Descriptions

scp

is a file copy program that acts like rcp except it uses an encrypted protocol

sftp

is an FTP-like program that works over the SSH1 and SSH2 protocols

ssh

is an rlogin/rsh-like client program except it uses an encrypted protocol

sshd

is a daemon that listens for ssh login requests

ssh-add

is a tool which adds keys to the ssh-agent

ssh-agent

is an authentication agent that can store private keys

ssh-copy-id

is a script that enables logins on remote machines using local keys

ssh-keygen

is a key generation tool

ssh-keyscan

is a utility for gathering public host keys from a number of hosts