Home Explore Help
Register Sign In
trn
/
j-hpn-ssh
mirror of git://github.com/johnsonjh/j-hpn-ssh
Watch 1
Star 1
Fork 0
Files
Branch: master
Branches Tags
j-hpn-ssh
/
README.platform

README.platform 4.0 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. This file contains notes about OpenSSH on specific platforms.
    2. 

  2. 

  3. AIX
    4. 

  4. 

  5. Beginning with OpenSSH 3.8p1, sshd will honour an account's password
    6. 

  6. expiry settings, where prior to that it did not.  Because of this,
    7. 

  7. it's possible for sites that have used OpenSSH's sshd exclusively to
    8. 

  8. have accounts which have passwords expired longer than the inactive time
    9. 

  9. (ie the "Weeks between password EXPIRATION and LOCKOUT" setting in SMIT
    10. 

  10. or the maxexpired chuser attribute).
    11. 

  11. 

  12. Accounts in this state must have their passwords reset manually by the
    13. 

  13. administrator.  As a precaution, it is recommended that the administrative
    14. 

  14. passwords be reset before upgrading from OpenSSH <3.8.
    15. 

  15. 

  16. As of OpenSSH 4.0p1, configure will attempt to detect if your version
    17. 

  17. and maintenance level of AIX has a working getaddrinfo, and will use it
    18. 

  18. if found.  This will enable IPv6 support.  If for some reason configure
    19. 

  19. gets it wrong, or if you want to build binaries to work on earlier MLs
    20. 

  20. than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
    21. 

  21. to force the previous IPv4-only behaviour.
    22. 

  22. 

  23. IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
    24. 

  24. IPv6 known broken: 4.3.3ML11 5.1ML4
    25. 

  25. 

  26. If you wish to use dynamic libraries that aren't in the normal system
    27. 

  27. locations (eg IBM's OpenSSL and zlib packages) then you will need to
    28. 

  28. define the environment variable blibpath before running configure, eg
    29. 

  29. 

  30. blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
    31. 

  31.   --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
    32. 

  32. 

  33. If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
    34. 

  34. by default) then sshd checks that users are permitted via the
    35. 

  35. loginrestrictions() function, in particular that the user has the
    36. 

  36. "rlogin" attribute set.  This check is not done for the root account,
    37. 

  37. instead the PermitRootLogin setting in sshd_config is used.
    38. 

  38. 

  39. If you are using the IBM compiler you probably want to use CC=xlc rather
    40. 

  40. than the default of cc.
    41. 

  41. 

  42. 

  43. Cygwin
    44. 

  44. ------
    45. 

  45. To build on Cygwin, OpenSSH requires the following packages:
    46. 

  46. gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
    47. 

  47. openssl-devel, zlib, minres, minires-devel.
    48. 

  48. 

  49. 

  50. Darwin and MacOS X
    51. 

  51. ------------------
    52. 

  52. Darwin does not provide a tun(4) driver required for OpenSSH-based
    53. 

  53. virtual private networks. The BSD manpage still exists, but the driver
    54. 

  54. has been removed in recent releases of Darwin and MacOS X.
    55. 

  55. 

  56. Nevertheless, tunnel support is known to work with Darwin 8 and
    57. 

  57. MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
    58. 

  58. using a third party driver. More information is available at:
    59. 

  59. 	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
    60. 

  60. 

  61. 

  62. Linux
    63. 

  63. -----
    64. 

  64. 

  65. Some Linux distributions (including Red Hat/Fedora/CentOS) include
    66. 

  66. headers and library links in the -devel RPMs rather than the main
    67. 

  67. binary RPMs. If you get an error about headers, or complaining about a
    68. 

  68. missing prerequisite then you may need to install the equivalent
    69. 

  69. development packages.  On Redhat based distros these may be openssl-devel,
    70. 

  70. zlib-devel and pam-devel, on Debian based distros these may be
    71. 

  71. libssl-dev, libz-dev and libpam-dev.
    72. 

  72. 

  73. 

  74. Solaris
    75. 

  75. -------
    76. 

  76. If you enable BSM auditing on Solaris, you need to update audit_event(4)
    77. 

  77. for praudit(1m) to give sensible output.  The following line needs to be
    78. 

  78. added to /etc/security/audit_event:
    79. 

  79. 

  80. 	32800:AUE_openssh:OpenSSH login:lo
    81. 

  81. 

  82. The BSM audit event range available for third party TCB applications is
    83. 

  83. 32768 - 65535.  Event number 32800 has been chosen for AUE_openssh.
    84. 

  84. There is no official registry of 3rd party event numbers, so if this
    85. 

  85. number is already in use on your system, you may change it at build time
    86. 

  86. by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
    87. 

  87. 

  88. 

  89. Platforms using PAM
    90. 

  90. -------------------
    91. 

  91. As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
    92. 

  92. PAM is enabled.  To maintain existing behaviour, pam_nologin should be
    93. 

  93. added to sshd's session stack which will prevent users from starting shell
    94. 

  94. sessions.  Alternatively, pam_nologin can be added to either the auth or
    95. 

  95. account stacks which will prevent authentication entirely, but will still
    96. 

  96. return the output from pam_nologin to the client.
    97. 

  97.