OpenSSH-10.2p1

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

Package Information

  • Download (HTTP): https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz

  • Download SHA256 Sum: ccc42c0419937959263fa1dbd16dafc18c56b984c03562d2937ce56a60f798b2

  • Download MD5 sum: 801b5ad6da38e0045de20dd5dd2f6a80

  • Download size: 1,974 KB

  • Estimated disk space required: 50 MB (add 22 MB for tests)

  • Estimated build time: 0.3 SBU (running the tests takes about 11 minutes, irrespective of processor speed)

OpenSSH Dependencies

Optional

gdb, Linux-PAM-1.7.1 (PAM configuration files from Shadow-4.18.0 are used to create openssh ones), Xorg7 Applications, mitkrb, Which-2.23 (for tests), libedit, LibreSSL Portable, OpenSC, and libsectok

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands:

install -v -g sys -m700 -d /var/lib/sshd

groupadd -g 50 sshd
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Configure OpenSSH by running the following commands:

./configure --prefix=/usr                            \
            --sysconfdir=/etc/ssh                    \
            --with-privsep-path=/var/lib/sshd        \
            --with-default-path=/usr/bin             \
            --with-superuser-path=/usr/sbin:/usr/bin \
            --with-pid-dir=/run

Now compile OpenSSH by running the following commands:

make

Now test the results:

make -j1 tests

Note

To run the test suite with logging, issue the following commands:

make tests 2>&1 | tee check.log
grep FATAL check.log

Now install OpenSSH by running the following commands:

make install

install -v -m755    contrib/ssh-copy-id /usr/bin
install -v -m644    contrib/ssh-copy-id.1 /usr/share/man/man1

install -v -m755 -d /usr/share/doc/openssh-10.2p1
install -v -m644    INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-10.2p1

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-default-path=/usr/bin and --with-superuser-path=/usr/sbin:/usr/bin: These set PATH to be consistent with the LFS and BLFS Shadow package.

--with-pid-dir=/run: This prevents OpenSSH from referring to deprecated /var/run.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=$XORG_PREFIX/bin/xauth: Set the default location for the xauth binary for X authentication. The environment variable XORG_PREFIX should be set following 'xorg-env'. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if xauth (one of "xorg7-app") is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

If you want to be able to log in before any keys generated with ssh-keygen are available, enable root login and password-based authentication by issuing the following commands:

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config
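
The lines above are appended to the end of sshd_config, and sshd uses the first value it obtains for each keyword, so appending a stricter value later does not override them. The following added example (not part of the original page; the function names sshd_effective and sshd_set and the sample file are constructed for illustration) shows this and one way to replace the bootstrap values once keys are installed:

```shell
# Added example, not from the BLFS page. Function names are hypothetical.
# Assumes whitespace-separated "Keyword value" lines and no Include files.

# Print the value sshd would use for a global keyword: keywords are
# case-insensitive, the first occurrence wins, Match blocks are conditional.
sshd_effective() {
    awk -v kw="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Set a global keyword: drop existing global occurrences (lines before the
# first Match) and put the new value first so that it is the one obtained.
sshd_set() {
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v kw="$2" '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == tolower(kw) { next }
            { print }
        ' "$1"
    } > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    status=$?; rm -f "$tmp"; return "$status"
}

demo() {
    cfg=$(mktemp) || return 1
    # Constructed sample resembling a shipped sshd_config (defaults commented).
    printf '%s\n' '#PermitRootLogin prohibit-password' '#PasswordAuthentication yes' > "$cfg"
    # The three bootstrap lines from this page.
    echo "PermitRootLogin yes" >> "$cfg"
    echo "PasswordAuthentication yes" >> "$cfg"
    echo "KbdInteractiveAuthentication yes" >> "$cfg"
    # Appending a stricter value later has no effect: first value wins.
    echo "PermitRootLogin no" >> "$cfg"
    echo "after append: $(sshd_effective "$cfg" PermitRootLogin)"
    # Once keys are installed, replace the bootstrap values.
    sshd_set "$cfg" PermitRootLogin prohibit-password
    sshd_set "$cfg" PasswordAuthentication no
    sshd_set "$cfg" KbdInteractiveAuthentication no
    echo "after rewrite: $(sshd_effective "$cfg" PermitRootLogin)" \
        "$(sshd_effective "$cfg" PasswordAuthentication)" \
        "$(sshd_effective "$cfg" KbdInteractiveAuthentication)"
    rm -f "$cfg"
}
demo
```

On an installed system, sshd -T prints the configuration sshd actually resolves, and sshd -t checks the file for errors before the daemon is reloaded.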

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Systemd Unit

To start the SSH server at system boot, install the sshd.service unit included in the "systemd-units" package.

Note

Changing the setting of ListenAddress in /etc/ssh/sshd_config is unsupported with the BLFS sshd systemd unit.

Now create the systemd init files:

cat > /usr/lib/systemd/system/sshd.service << "EOF"
[Unit]
Description=OpenSSH Daemon

[Service]
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target
EOF

cat > /usr/lib/systemd/system/sshd.socket << "EOF"
[Unit]
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
EOF

cat > /usr/lib/systemd/system/sshd@.service << "EOF"
[Unit]
Description=SSH Per-Connection Server

[Service]
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
StandardError=journal
EOF

Contents

Installed Programs: scp, sftp, ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/share/doc/openssh-10.2p1, and /var/lib/sshd

Short Descriptions

scp

is a file copy program that acts like rcp except it uses an encrypted protocol

sftp

is an FTP-like program that works over the SSH1 and SSH2 protocols

ssh

is an rlogin/rsh-like client program except it uses an encrypted protocol

sshd

is a daemon that listens for ssh login requests

ssh-add

is a tool which adds keys to the ssh-agent

ssh-agent

is an authentication agent that can store private keys

ssh-copy-id

is a script that enables logins on remote machines using local keys

ssh-keygen

is a key generation tool

ssh-keyscan

is a utility for gathering public host keys from a number of hosts