Name Date Size #Lines LOC

..--

contrib/21-Oct-2017-4,6463,285

openbsd-compat/21-Oct-2017-20,06013,060

regress/21-Oct-2017-16,79313,525

.skipped-commit-idsD21-Oct-2017681 1211

CREDITSD26-Jul-20155.4 KiB10699

ChangeLogD21-Oct-2017269.5 KiB9,2035,986

FREEBSD-upgradeD12-Aug-20165.8 KiB184118

FREEBSD-vendorD26-Jul-2015205 76

INSTALLD21-Oct-20179.3 KiB276189

LICENCED26-Jul-201515.7 KiB341296

Makefile.inD21-Oct-201723.2 KiB599513

OVERVIEWD12-Aug-20166.5 KiB169124

PROTOCOLD21-Oct-201716.4 KiB458341

PROTOCOL.agentD21-Oct-201718.3 KiB583426

PROTOCOL.certkeysD21-Oct-201711.1 KiB288231

PROTOCOL.chacha20poly1305D21-Oct-20174.5 KiB10884

PROTOCOL.keyD26-Jul-20151.5 KiB6951

PROTOCOL.krlD12-Aug-20165 KiB170116

PROTOCOL.muxD12-Aug-20166.1 KiB229165

READMED21-Oct-20172.8 KiB7052

README.dnsD26-Jul-20151.6 KiB4830

README.platformD12-Aug-20164 KiB10075

README.privsepD26-Jul-20152.6 KiB6447

README.tunD26-Jul-20154.8 KiB13398

TODOD26-Jul-20152.7 KiB8766

aclocal.m4D26-Jul-20155.3 KiB180171

addrmatch.cD12-Aug-201610.9 KiB500354

atomicio.cD12-Aug-20164.4 KiB171122

atomicio.hD26-Jul-20152.1 KiB5213

audit-bsm.cD26-Jul-201511.9 KiB458323

audit-linux.cD21-Oct-20173.5 KiB12978

audit.cD26-Jul-20155.7 KiB187105

audit.hD26-Jul-20152.3 KiB5827

auth-bsdauth.cD12-Aug-20163.6 KiB14699

auth-chall.cD12-Aug-20163.6 KiB12689

auth-krb5.cD21-Oct-20176.9 KiB273200

auth-options.cD21-Oct-201716.2 KiB643560

auth-options.hD12-Aug-20161.2 KiB4120

auth-pam.cD21-Oct-201731.8 KiB1,268983

auth-pam.hD21-Oct-20172 KiB5323

auth-passwd.cD21-Oct-20176.4 KiB226149

auth-rh-rsa.cD21-Oct-20173.1 KiB11064

auth-rhosts.cD21-Oct-20179.4 KiB344226

auth-rsa.cD12-Aug-20169.1 KiB350205

auth-shadow.cD26-Jul-20154.2 KiB14387

auth-sia.cD26-Jul-20153.1 KiB11570

auth-sia.hD26-Jul-20151.4 KiB324

auth-skey.cD26-Jul-20152.8 KiB10966

auth.cD21-Oct-201723.4 KiB902672

auth.hD21-Oct-20177.5 KiB233155

auth1.cD12-Aug-201610.1 KiB445308

auth2-chall.cD21-Oct-20179.2 KiB382304

auth2-gss.cD12-Aug-20168 KiB300200

auth2-hostbased.cD21-Oct-20177.3 KiB252197

auth2-kbdint.cD12-Aug-20162.1 KiB7033

auth2-none.cD12-Aug-20162.2 KiB7641

auth2-passwd.cD12-Aug-20162.4 KiB8246

auth2-pubkey.cD12-Aug-201628.8 KiB1,111872

auth2.cD21-Oct-201717 KiB648502

authfd.cD12-Aug-201617.9 KiB722568

authfd.hD12-Aug-20163.1 KiB9355

authfile.cD21-Oct-201713.9 KiB584448

authfile.hD12-Aug-20162.3 KiB5320

bitmap.cD12-Aug-20164.4 KiB213170

bitmap.hD12-Aug-20161.8 KiB5715

blocks.cD26-Jul-20156.5 KiB249215

bufaux.cD12-Aug-20165.1 KiB260192

bufbn.cD12-Aug-20162.5 KiB11073

bufec.cD12-Aug-20161.9 KiB7543

buffer.cD12-Aug-20162.6 KiB11979

buffer.hD12-Aug-20163.5 KiB10059

buildpkg.sh.inD26-Jul-201517.6 KiB678526

canohost.cD21-Oct-20174.7 KiB205143

canohost.hD21-Oct-2017842 279

chacha.cD26-Jul-20155.3 KiB220188

chacha.hD12-Aug-2016975 3621

channels.cD21-Oct-2017113 KiB4,2903,415

channels.hD12-Aug-201611.6 KiB316209

cipher-3des1.cD12-Aug-20164.2 KiB156107

cipher-aes.cD26-Jul-20154.5 KiB162119

cipher-aesctr.cD12-Aug-20162.1 KiB8450

cipher-aesctr.hD12-Aug-20161.3 KiB3613

cipher-bf1.cD21-Oct-20172.8 KiB10462

cipher-chachapoly.cD12-Aug-20163.7 KiB11970

cipher-chachapoly.hD12-Aug-20161.6 KiB4219

cipher-ctr.cD12-Aug-20163.6 KiB147103

cipher.cD21-Oct-201717.2 KiB665541

cipher.hD12-Aug-20164.4 KiB10659

cleanup.cD26-Jul-20151 KiB3310

clientloop.cD21-Oct-201774.8 KiB2,7321,960

clientloop.hD12-Aug-20163.5 KiB8028

compat.cD21-Oct-20179.1 KiB326279

compat.hD12-Aug-20162.9 KiB7847

config.guessD12-Aug-201644 KiB1,5441,337

config.hD21-Oct-201748.4 KiB1,779312

config.subD26-Jul-201534.9 KiB1,7941,651

configure.acD21-Oct-2017139.5 KiB5,1574,835

crc32.cD26-Jul-20154.9 KiB10677

crc32.hD26-Jul-20151.4 KiB314

crypto_api.hD26-Jul-20151.3 KiB4526

deattack.cD12-Aug-20164.1 KiB166106

deattack.hD12-Aug-20161 KiB3913

defines.hD21-Oct-201721.6 KiB874652

dh.cD21-Oct-201714.6 KiB469373

dh.hD21-Oct-20172.6 KiB8133

digest-libc.cD12-Aug-20165.9 KiB265214

digest-openssl.cD12-Aug-20165 KiB206158

digest.hD12-Aug-20162.5 KiB7233

dispatch.cD12-Aug-20163.7 KiB143102

dispatch.hD12-Aug-20162.3 KiB5925

dns.cD12-Aug-20169 KiB352253

dns.hD12-Aug-20162 KiB5824

ed25519.cD26-Jul-20153.1 KiB145105

entropy.cD12-Aug-20166.1 KiB245171

entropy.hD26-Jul-20151.5 KiB387

fatal.cD26-Jul-20151.6 KiB4613

fe25519.cD26-Jul-20158.1 KiB338278

fe25519.hD26-Jul-20152.3 KiB7142

fixalgorithmsD26-Jul-2015422 2713

fixpathsD26-Jul-2015499 2312

fixprogsD26-Jul-20151.6 KiB7353

freebsd-configure.shD21-Oct-20171.1 KiB4526

freebsd-post-merge.shD12-Aug-2016305 158

freebsd-pre-merge.shD12-Aug-2016509 1812

ge25519.cD26-Jul-201511 KiB322249

ge25519.hD12-Aug-20161.4 KiB4425

ge25519_base.dataD26-Jul-2015164.6 KiB859856

groupaccess.cD12-Aug-20163.4 KiB12973

groupaccess.hD26-Jul-20151.5 KiB367

gss-genr.cD12-Aug-20167.3 KiB284193

gss-serv-krb5.cD12-Aug-20165.6 KiB213144

gss-serv.cD12-Aug-201610.1 KiB397250

hash.cD26-Jul-20151.8 KiB7755

hmac.cD12-Aug-20165.1 KiB198150

hmac.hD12-Aug-20161.6 KiB3915

hostfile.cD12-Aug-201622.3 KiB853652

hostfile.hD12-Aug-20163.8 KiB10961

includes.hD12-Aug-20163.8 KiB177133

install-shD26-Jul-20155.5 KiB252153

kex.cD21-Oct-201725.3 KiB1,020856

kex.hD21-Oct-20177.3 KiB241186

kexc25519.cD21-Oct-20174.6 KiB13492

kexc25519c.cD12-Aug-20165.1 KiB171121

kexc25519s.cD12-Aug-20165 KiB160115

kexdh.cD21-Oct-20173.2 KiB9561

kexdhc.cD21-Oct-20176 KiB221174

kexdhs.cD21-Oct-20176.1 KiB225171

kexecdh.cD12-Aug-20163.5 KiB10166

kexecdhc.cD12-Aug-20166.3 KiB229175

kexecdhs.cD12-Aug-20166 KiB209156

kexgex.cD12-Aug-20163.6 KiB10369

kexgexc.cD12-Aug-20167.6 KiB273219

kexgexs.cD21-Oct-20177.2 KiB255196

key.cD21-Oct-20178.4 KiB427355

key.hD12-Aug-20164.1 KiB10667

krb5_config.hD26-Jul-2015388 1210

krl.cD12-Aug-201633.9 KiB1,2991,069

krl.hD12-Aug-20162.5 KiB6535

log.cD21-Oct-201710.6 KiB471362

log.hD21-Oct-20172.6 KiB8157

loginrec.cD12-Aug-201642 KiB1,7301,105

loginrec.hD26-Jul-20154.6 KiB13251

logintest.cD26-Jul-20158.6 KiB309214

mac.cD21-Oct-20177.5 KiB269215

mac.hD21-Oct-20172 KiB5424

match.cD12-Aug-20167.2 KiB278144

match.hD12-Aug-20161 KiB2811

md-sha256.cD26-Jul-20152.2 KiB8754

md5crypt.cD26-Jul-20154 KiB168102

md5crypt.hD26-Jul-2015803 258

mdoc2man.awkD26-Jul-20158.4 KiB371339

misc.cD21-Oct-201726 KiB1,246979

misc.hD21-Oct-20174.6 KiB14399

mkinstalldirsD26-Jul-2015691 4123

moduliD21-Oct-2017241.1 KiB209208

moduli.5D12-Aug-20163.6 KiB128127

moduli.cD12-Aug-201620.5 KiB810494

monitor.cD21-Oct-201750.7 KiB2,0741,622

monitor.hD12-Aug-20164 KiB9960

monitor_fdpass.cD21-Oct-20174.7 KiB188146

monitor_fdpass.hD26-Jul-20151.5 KiB355

monitor_mm.cD12-Aug-20168.5 KiB358244

monitor_mm.hD26-Jul-20152.2 KiB6325

monitor_wrap.cD21-Oct-201725 KiB1,095817

monitor_wrap.hD21-Oct-20174 KiB11163

msg.cD12-Aug-20162.8 KiB9560

msg.hD12-Aug-20161.5 KiB336

mux.cD21-Oct-201758.2 KiB2,2141,818

myproposal.hD21-Oct-20175.4 KiB198147

nchan.cD26-Jul-201512.8 KiB532435

nchan.msD26-Jul-20153.9 KiB10074

nchan2.msD26-Jul-20153.4 KiB8964

opacket.cD12-Aug-20165.8 KiB338269

opacket.hD21-Oct-20176.4 KiB161151

openssh.xml.inD26-Jul-20152.8 KiB9161

opensshd.init.inD12-Aug-20162 KiB9368

packet.cD21-Oct-201782.3 KiB3,0182,342

packet.hD21-Oct-20177.1 KiB208149

pathnames.hD21-Oct-20176 KiB18376

pkcs11.hD26-Jul-201541.4 KiB1,3581,119

platform-pledge.cD12-Aug-20161.9 KiB7227

platform-tracing.cD21-Oct-20171.5 KiB4422

platform.cD21-Oct-20175 KiB218140

platform.hD21-Oct-20171.5 KiB4017

poly1305.cD26-Jul-20154.5 KiB161121

poly1305.hD12-Aug-2016645 2311

progressmeter.cD21-Oct-20177.5 KiB307220

progressmeter.hD12-Aug-20161.4 KiB282

readconf.cD21-Oct-201778.3 KiB2,7102,237

readconf.hD21-Oct-20177.9 KiB220156

readpass.cD12-Aug-20165 KiB194139

rijndael.cD12-Aug-201651.6 KiB1,1301,009

rijndael.hD12-Aug-20162.1 KiB5721

rsa.cD12-Aug-20165 KiB189107

rsa.hD12-Aug-2016864 278

sandbox-capsicum.cD12-Aug-20163.4 KiB12479

sandbox-darwin.cD26-Jul-20152.5 KiB9957

sandbox-null.cD26-Jul-20151.6 KiB7336

sandbox-pledge.cD12-Aug-20161.8 KiB7847

sandbox-rlimit.cD26-Jul-20152.4 KiB9860

sandbox-seccomp-filter.cD21-Oct-20178.3 KiB328251

sandbox-solaris.cD12-Aug-20162.7 KiB10971

sandbox-systrace.cD12-Aug-20166.2 KiB219163

sc25519.cD26-Jul-20157.2 KiB309255

sc25519.hD26-Jul-20152.8 KiB8146

scp.1D21-Oct-20175.1 KiB246245

scp.cD12-Feb-201931.9 KiB1,3741,132

servconf.cD21-Oct-201772.3 KiB2,4192,081

servconf.hD12-Aug-20169.9 KiB255179

serverloop.cD21-Oct-201739.4 KiB1,4111,021

serverloop.hD26-Jul-20151,016 285

session.cD21-Oct-201768.1 KiB2,8382,096

session.hD21-Oct-20172.6 KiB8749

sftp-client.cD21-Oct-201748.9 KiB1,8991,547

sftp-client.hD12-Aug-20164.3 KiB14353

sftp-common.cD12-Aug-20166.9 KiB261207

sftp-common.hD12-Aug-20162 KiB5319

sftp-glob.cD12-Aug-20163.4 KiB15195

sftp-server-main.cD12-Aug-20161.5 KiB5428

sftp-server.8D12-Aug-20165 KiB171170

sftp-server.cD21-Oct-201742.3 KiB1,7101,453

sftp.1D21-Oct-201714.5 KiB629628

sftp.cD21-Oct-201756.9 KiB2,4592,022

sftp.hD26-Jul-20153.3 KiB10255

smult_curve25519_ref.cD26-Jul-20156.7 KiB266227

ssh-add.1D12-Aug-20166.6 KiB213212

ssh-add.cD12-Aug-201615.7 KiB623511

ssh-agent.1D12-Aug-20166.8 KiB221220

ssh-agent.cD21-Oct-201736.2 KiB1,4621,225

ssh-dss.cD21-Oct-20175.8 KiB221169

ssh-ecdsa.cD21-Oct-20175.2 KiB190140

ssh-ed25519.cD21-Oct-20174.2 KiB168134

ssh-gss.hD12-Aug-20164.6 KiB13688

ssh-keygen.1D21-Oct-201726.1 KiB871870

ssh-keygen.cD21-Oct-201772.4 KiB2,7492,358

ssh-keyscan.1D12-Aug-20164.3 KiB181180

ssh-keyscan.cD21-Oct-201719 KiB851724

ssh-keysign.8D12-Aug-20162.9 KiB9493

ssh-keysign.cD12-Aug-20168.4 KiB309226

ssh-pkcs11-client.cD12-Aug-20165.2 KiB243194

ssh-pkcs11-helper.8D12-Aug-20161.3 KiB4443

ssh-pkcs11-helper.cD12-Aug-20168 KiB376294

ssh-pkcs11.cD12-Aug-201618.3 KiB696579

ssh-pkcs11.hD12-Aug-20161.1 KiB257

ssh-rsa.cD21-Oct-20179.3 KiB357288

ssh-sandbox.hD26-Jul-20151.1 KiB256

ssh.1D21-Oct-201744 KiB1,7131,712

ssh.cD21-Oct-201763.1 KiB2,1991,679

ssh.hD12-Aug-20162.9 KiB10621

ssh1.hD21-Oct-20174.1 KiB9258

ssh2.hD21-Oct-20175.7 KiB17578

ssh_api.cD21-Oct-201713.8 KiB542431

ssh_api.hD12-Aug-20164.3 KiB13831

ssh_configD21-Oct-20171.7 KiB5449

ssh_config.5D21-Oct-201751.2 KiB1,8931,892

ssh_namespace.hD21-Oct-201748 KiB938920

sshbuf-getput-basic.cD21-Oct-20179.2 KiB465382

sshbuf-getput-crypto.cD12-Aug-20165.6 KiB225179

sshbuf-misc.cD21-Oct-20173.5 KiB162129

sshbuf.cD12-Aug-20169.1 KiB405322

sshbuf.hD21-Oct-201711.5 KiB349165

sshconnect.cD12-Aug-201642.4 KiB1,5461,193

sshconnect.hD12-Aug-20162.7 KiB7837

sshconnect1.cD12-Aug-201622.2 KiB779515

sshconnect2.cD21-Oct-201750.6 KiB1,9251,545

sshd.8D12-Aug-201631.9 KiB1,0151,014

sshd.cD21-Oct-201774.5 KiB2,7641,985

sshd_configD21-Oct-20173.6 KiB136109

sshd_config.5D21-Oct-201748.8 KiB1,7861,785

ssherr.cD12-Aug-20164.8 KiB142123

ssherr.hD12-Aug-20163.2 KiB8560

sshkey.cD21-Oct-201796.4 KiB3,9183,378

sshkey.hD21-Oct-20178.1 KiB231174

sshlogin.cD12-Aug-20165.1 KiB16590

sshlogin.hD26-Jul-2015935 248

sshpty.cD12-Aug-20165.9 KiB241174

sshpty.hD26-Jul-20151,009 289

sshtty.cD26-Jul-20152.9 KiB9752

survey.sh.inD26-Jul-20151.7 KiB7049

ttymodes.cD21-Oct-201710.4 KiB490352

ttymodes.hD21-Oct-20175.3 KiB179104

uidswap.cD12-Aug-20167.9 KiB264171

uidswap.hD26-Jul-2015716 194

umac.cD12-Aug-201645.5 KiB1,277763

umac.hD26-Jul-20154.6 KiB13042

umac128.cD26-Jul-2015385 1412

utf8.cD21-Oct-20176.6 KiB291200

utf8.hD21-Oct-20171.1 KiB257

uuencode.cD12-Aug-20162.9 KiB9649

uuencode.hD26-Jul-20151.5 KiB303

verify.cD26-Jul-2015668 5040

version.hD21-Oct-2017434 169

xmalloc.cD12-Aug-20162.1 KiB10775

xmalloc.hD12-Aug-20161 KiB278

README

1See http://www.openssh.com/txt/release-7.3p1 for the release notes.
2
3Please read http://www.openssh.com/report.html for bug reporting
4instructions and note that we do not use Github for bug reporting or
5patch/pull-request management.
6
7- A Japanese translation of this document and of the OpenSSH FAQ is
8- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
9- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
10
11This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
12Unices.
13
14OpenSSH is based on the last free version of Tatu Ylonen's sample
15implementation with all patent-encumbered algorithms removed (to
16external libraries), all known security bugs fixed, new features
17reintroduced and many other clean-ups.  OpenSSH has been created by
18Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
19and Dug Song. It has a homepage at http://www.openssh.com/
20
21This port consists of the re-introduction of autoconf support, PAM
22support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
23functions that are (regrettably) absent from other unices. This port
24has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
25NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
26
27This version actively tracks changes in the OpenBSD CVS repository.
28
29The PAM support is now more functional than the popular packages of
30commercial ssh-1.2.x. It checks "account" and "session" modules for
31all logins, not just when using password authentication.
32
33OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
34
35There are now several mailing lists for this port of OpenSSH. Please
36refer to http://www.openssh.com/list.html for details on how to join.
37
38Please send bug reports and patches to the mailing list
39openssh-unix-dev@mindrot.org. The list is open to posting by
40unsubscribed users. Code contributions are welcome, but please follow the
41OpenBSD style guidelines[6].
42
43Please refer to the INSTALL document for information on how to install
44OpenSSH on your system. There are a number of differences between this
45port of OpenSSH and F-Secure SSH 1.x; please refer to the OpenSSH FAQ[7]
46for details and general tips.
47
48Damien Miller <djm@mindrot.org>
49
50Miscellanea -
51
52This version of OpenSSH is based upon code retrieved from the OpenBSD
53CVS repository which in turn was based on the last free sample
54implementation released by Tatu Ylonen.
55
56References -
57
58[0] http://www.openssh.com/faq.html
59[1] http://www.lothar.com/tech/crypto/
60[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
61[3] http://www.gzip.org/zlib/
62[4] http://www.openssl.org/
63[5] http://www.openpam.org
64    http://www.kernel.org/pub/linux/libs/pam/
65    (PAM also is standard on Solaris and HP-UX 11)
66[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
67[7] http://www.openssh.com/faq.html
68
69$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
70

README.dns

1How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
4OpenSSH contains support for verifying host keys using DNS as described in
5draft-ietf-secsh-dns-05.txt. This document contains very brief instructions
6on how to use this feature. Configuring DNS is out of the scope of this
7document.
8
9
10(1) Server: Generate and publish the DNS RR
11
12To create a DNS resource record (RR) containing a fingerprint of the
13public host key, use the following command:
14
15	ssh-keygen -r hostname -f keyfile -g
16
17where "hostname" is your fully qualified hostname and "keyfile" is the
18file containing the public host key. If you have multiple keys,
19you should generate one RR for each key.
20
21In the example above, ssh-keygen will print the fingerprint in a
22generic DNS RR format parsable by most modern name server
23implementations. If your nameserver has support for the SSHFP RR
24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
25
26To publish the fingerprint using the DNS you must add the generated RR
27to your DNS zone file and sign your zone.
28
29
30(2) Client: Enable ssh to verify host keys using DNS
31
32To enable the ssh client to verify host keys using DNS, you have to
33add the following option to the ssh configuration file
34($HOME/.ssh/config or /etc/ssh/ssh_config):
35
36    VerifyHostKeyDNS yes
37
38Upon connection the client will try to look up the fingerprint RR
39using DNS. If the fingerprint received from the DNS server matches
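40the remote host key, the user will be notified. Whether a matching fingerprint is trusted without asking the user depends on the DNS answer being DNSSEC-validated; see VerifyHostKeyDNS in ssh_config(5).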
41
42
43	Jakob Schlyter
44	Wesley Griffin
45
46
47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
48

README.platform

1This file contains notes about OpenSSH on specific platforms.
2
3AIX
4---
5As of OpenSSH 3.8p1, sshd will now honour an account's password expiry
6settings, where previously it did not.  Because of this, it's possible for
7sites that have used OpenSSH's sshd exclusively to have accounts which
8have passwords expired longer than the inactive time (ie the "Weeks between
9password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
10chuser attribute).
11
12Accounts in this state must have their passwords reset manually by the
13administrator.  As a precaution, it is recommended that the administrative
14passwords be reset before upgrading from OpenSSH <3.8.
15
16As of OpenSSH 4.0, configure will attempt to detect if your version
17and maintenance level of AIX has a working getaddrinfo, and will use it
18if found.  This will enable IPv6 support.  If for some reason configure
19gets it wrong, or if you want to build binaries to work on earlier MLs
20than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
21to force the previous IPv4-only behaviour.
22
23IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
24IPv6 known broken: 4.3.3ML11 5.1ML4
25
26If you wish to use dynamic libraries that aren't in the normal system
27locations (eg IBM's OpenSSL and zlib packages) then you will need to
28define the environment variable blibpath before running configure, eg
29
30blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
31  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
32
33If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
34by default) then sshd checks that users are permitted via the
35loginrestrictions() function, in particular that the user has the
36"rlogin" attribute set.  This check is not done for the root account,
37instead the PermitRootLogin setting in sshd_config is used.
38
39If you are using the IBM compiler you probably want to use CC=xlc rather
40than the default of cc.
41
42
43Cygwin
44------
45To build on Cygwin, OpenSSH requires the following packages:
46gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
47openssl-devel, zlib, minires, minires-devel.
48
49
50Darwin and MacOS X
51------------------
52Darwin does not provide a tun(4) driver required for OpenSSH-based
53virtual private networks. The BSD manpage still exists, but the driver
54has been removed in recent releases of Darwin and MacOS X.
55
56Nevertheless, tunnel support is known to work with Darwin 8 and
57MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
58using a third party driver. More information is available at:
59	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
60
61
62Linux
63-----
64
65Some Linux distributions (including Red Hat/Fedora/CentOS) include
66headers and library links in the -devel RPMs rather than the main
67binary RPMs. If you get an error about headers, or complaining about a
68missing prerequisite then you may need to install the equivalent
69development packages.  On Redhat based distros these may be openssl-devel,
70zlib-devel and pam-devel, on Debian based distros these may be
71libssl-dev, libz-dev and libpam-dev.
72
73
74Solaris
75-------
76If you enable BSM auditing on Solaris, you need to update audit_event(4)
77for praudit(1m) to give sensible output.  The following line needs to be
78added to /etc/security/audit_event:
79
80	32800:AUE_openssh:OpenSSH login:lo
81
82The BSM audit event range available for third party TCB applications is
8332768 - 65535.  Event number 32800 has been chosen for AUE_openssh.
84There is no official registry of 3rd party event numbers, so if this
85number is already in use on your system, you may change it at build time
86by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
87
88
89Platforms using PAM
90-------------------
91As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
92PAM is enabled.  To maintain existing behaviour, pam_nologin should be
93added to sshd's session stack which will prevent users from starting shell
94sessions.  Alternatively, pam_nologin can be added to either the auth or
95account stacks which will prevent authentication entirely, but will still
96return the output from pam_nologin to the client.
97
98
99$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
100

README.privsep

1Privilege separation, or privsep, is a method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process.  Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
6	http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
8Privilege separation is now enabled by default; see the
9UsePrivilegeSeparation option in sshd_config(5).
10
11On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
12compression must be disabled in order for privilege separation to
13function.
14
15When privsep is enabled, during the pre-authentication phase sshd will
16chroot(2) to "/var/empty" and change its privileges to the "sshd" user
17and its primary group.  sshd is a pseudo-account that should not be
18used by other daemons, and must be locked and should contain a
19"nologin" or invalid shell.
20
21You should do something like the following to prepare the privsep
22preauth environment:
23
24	# mkdir /var/empty
25	# chown root:sys /var/empty
26	# chmod 755 /var/empty
27	# groupadd sshd
28	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
29
30/var/empty should not contain any files.
31
32configure supports the following options to change the default
33privsep user and chroot directory:
34
35  --with-privsep-path=xxx Path for privilege separation chroot
36  --with-privsep-user=user Specify non-privileged user for privilege separation
37
38Privsep requires operating system support for file descriptor passing.
39Compression will be disabled on systems without a working mmap MAP_ANON.
40
41PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
42HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
43
44On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
45part of privsep is supported.  Post-authentication privsep is disabled
46automatically (so you won't see the additional process mentioned below).
47
48Note that for a normal interactive login with a shell, enabling privsep
49will require 1 additional process per login session.
50
51Given the following process listing (from HP-UX):
52
53     UID   PID  PPID  C    STIME TTY       TIME COMMAND
54    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
55    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
56 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
57 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
58
59process 1005 is the sshd process listening for new connections.
60process 6917 is the privileged monitor process, 6919 is the user owned
61sshd process and 6921 is the shell process.
62
63$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
64

README.tun

1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17	PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread its configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38	inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48	add tun0
49	add sis0
50	up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58	Host sshgateway
59		Tunnel yes
60		TunnelDevice 0:any
61		PermitLocalCommand yes
62	        LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71	Host access.somewhere.net
72	        User puffy
73	Host dmzgw
74	        User puffy
75	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
76	Host sshgateway
77	        Tunnel Ethernet
78	        TunnelDevice 0:any
79	        PermitLocalCommand yes
80	        LocalCommand sh /etc/netstart tun0
81	        ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+       (          )      +----------------------+
87| Client |------(  Internet  )-----| access.somewhere.net |
88+--------+       (          )      +----------------------+
89    : 192.168.1.78                             |
90    :.............................         +-------+
91     Forwarded ssh connection    :         | dmzgw |
92     Layer 2 tunnel              :         +-------+
93                                 :             |
94                                 :             |
95                                 :      +------------+
96                                 :......| sshgateway |
97                                      | +------------+
98--- real connection                 Bridge ->  |          +----------+
99... "virtual connection"                     [ X ]--------| somehost |
100[X] switch                                                +----------+
101                                                          192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108	ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113	ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118	ssh -fw 0:1 sshgateway true
119	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130	Reyk Floeter
131
132$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
133