mirror of git://anongit.mindrot.org/openssh.git synced 2025-02-15 05:16:54 +00:00

Portable OpenSSH

Go to file

Darren Tucker b7afd8a4ec Handle OpenSSL >=3 ABI compatibility. Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only major must match instead of major and minor in earlier versions). bz#3548, ok djm@		2023-05-08 20:12:59 +10:00
.github	Add macos-13 test target.	2023-05-01 18:04:35 +10:00
contrib	crank version	2023-03-16 08:27:54 +11:00
m4
openbsd-compat	Handle OpenSSL >=3 ABI compatibility.	2023-05-08 20:12:59 +10:00
regress	upstream: Remove compat code for OpenSSL 1.0.*	2023-03-28 19:03:10 +11:00
.depend	depend	2023-03-16 08:28:19 +11:00
.git_allowed_signers
.git_allowed_signers.asc
.gitignore
.skipped-commit-ids
addr.c	upstream: fix test: getnameinfo returns a non-zero value on error, not	2023-03-27 14:31:57 +11:00
addr.h
addrmatch.c
atomicio.c
atomicio.h
audit-bsm.c
audit-linux.c
audit.c
audit.h
auth2-chall.c
auth2-gss.c	upstream: clamp max number of GSSAPI mechanisms to 2048; ok dtucker	2023-03-31 15:32:37 +11:00
auth2-hostbased.c
auth2-kbdint.c
auth2-none.c
auth2-passwd.c
auth2-pubkey.c
auth2-pubkeyfile.c
auth2.c
auth-bsdauth.c
auth-krb5.c
auth-options.c	upstream: fix memory leak; Coverity CID 291848	2023-03-29 12:22:23 +11:00
auth-options.h
auth-pam.c	Limit the number of PAM environment variables.	2023-03-09 18:32:48 +11:00
auth-pam.h
auth-passwd.c
auth-rhosts.c
auth-shadow.c
auth-sia.c
auth-sia.h
auth.c
auth.h
authfd.c	upstream: modify parentheses in conditionals to make it clearer what is	2023-03-10 10:40:02 +11:00
authfd.h
authfile.c	upstream: Check pointer for NULL before deref.	2023-03-14 18:35:31 +11:00
authfile.h
bitmap.c
bitmap.h
buildpkg.sh.in
canohost.c	upstream: Return immediately from get_sock_port	2023-03-31 16:17:22 +11:00
canohost.h
chacha.c
chacha.h
channels.c	don't call connect() on negative socket	2023-03-31 14:17:22 +11:00
channels.h
cipher-aes.c	remove support for old libcrypto	2023-03-24 13:56:25 +11:00
cipher-aesctr.c
cipher-aesctr.h
cipher-chachapoly-libcrypto.c
cipher-chachapoly.c
cipher-chachapoly.h
cipher.c
cipher.h
cleanup.c
clientloop.c	upstream: Move up null check and simplify process_escapes.	2023-04-03 18:35:04 +10:00
clientloop.h
compat.c
compat.h
config.guess
config.sub
configure.ac	put back SSLeay_version compat in configure test	2023-03-24 15:26:26 +11:00
CREDITS
crypto_api.h
defines.h
dh.c
dh.h
digest-libc.c
digest-openssl.c
digest.h
dispatch.c
dispatch.h
dns.c	upstream: Plug mem leak on error path. Coverity CID 405026, ok djm@.	2023-03-10 15:42:37 +11:00
dns.h
ed25519.c
ed25519.sh
entropy.c
entropy.h
fatal.c
fixalgorithms
fixpaths
groupaccess.c
groupaccess.h
gss-genr.c
gss-serv-krb5.c
gss-serv.c
hash.c
hmac.c
hmac.h
hostfile.c
hostfile.h
includes.h
INSTALL	remove support for old libcrypto	2023-03-24 13:56:25 +11:00
install-sh
kex.c	upstream: Limit number of entries in SSH2_MSG_EXT_INFO	2023-03-12 22:02:18 +11:00
kex.h
kexc25519.c
kexdh.c
kexecdh.c
kexgen.c
kexgex.c
kexgexc.c
kexgexs.c	upstream: Ignore return from sshpkt_disconnect	2023-03-29 12:33:32 +11:00
kexsntrup761x25519.c
krl.c	upstream: Free KRL ptr in addition to its contents.	2023-03-14 18:35:50 +11:00
krl.h
LICENCE
log.c
log.h
loginrec.c
loginrec.h
logintest.c
mac.c
mac.h
Makefile.in
match.c	upstream: match_user() shouldn't be called with user==NULL unless	2023-04-06 13:27:16 +10:00
match.h
mdoc2man.awk
misc.c	child_set_eng: verify both env pointer and count.	2023-03-30 14:08:35 +11:00
misc.h
mkinstalldirs
moduli	upstream: Import regenerated moduli.	2023-05-01 19:13:18 +10:00
moduli.5
moduli.c
monitor_fdpass.c
monitor_fdpass.h
monitor_wrap.c	upstream: Check fd against >=0 instead of >0 in error path. The	2023-03-31 15:06:19 +11:00
monitor_wrap.h
monitor.c	Limit the number of PAM environment variables.	2023-03-09 18:32:48 +11:00
monitor.h
msg.c
msg.h
mux.c
myproposal.h
nchan2.ms
nchan.c
nchan.ms
openssh.xml.in
opensshd.init.in
OVERVIEW
packet.c	upstream: remove redundant ssh!=NULL check; we'd already	2023-04-06 13:27:17 +10:00
packet.h
pathnames.h
pkcs11.h
platform-misc.c
platform-pledge.c
platform-tracing.c
platform.c
platform.h
poly1305.c
poly1305.h
progressmeter.c	upstream: remove duplicate signal.h include	2023-04-17 09:21:14 +10:00
progressmeter.h
PROTOCOL
PROTOCOL.agent	upstream: fix double words ok dtucker@	2023-04-17 09:21:13 +10:00
PROTOCOL.certkeys
PROTOCOL.chacha20poly1305
PROTOCOL.key
PROTOCOL.krl
PROTOCOL.mux
PROTOCOL.sshsig
PROTOCOL.u2f
readconf.c	upstream: don't leak arg2 on parse_pubkey_algos error path; ok	2023-03-31 15:32:37 +11:00
readconf.h
README	crank version	2023-03-16 08:27:54 +11:00
README.dns
README.md
README.platform
README.privsep
README.tun
readpass.c
rijndael.c
rijndael.h
sandbox-capsicum.c
sandbox-darwin.c
sandbox-null.c
sandbox-pledge.c
sandbox-rlimit.c
sandbox-seccomp-filter.c
sandbox-solaris.c
sandbox-systrace.c
scp.1
scp.c	upstream: Explicitly ignore return from waitpid here too.	2023-03-31 17:01:01 +11:00
SECURITY.md
servconf.c
servconf.h
serverloop.c
serverloop.h
session.c
session.h
sftp-client.c	upstream: adjust ftruncate() logic to handle servers that reorder	2023-05-01 08:56:04 +10:00
sftp-client.h
sftp-common.c	upstream: don't attempt to decode a ridiculous number of	2023-03-31 15:06:20 +11:00
sftp-common.h
sftp-glob.c
sftp-realpath.c
sftp-server-main.c
sftp-server.8
sftp-server.c	upstream: fix double words ok dtucker@	2023-04-17 09:21:13 +10:00
sftp-usergroup.c
sftp-usergroup.h
sftp.1
sftp.c	upstream: fix double words ok dtucker@	2023-04-17 09:21:13 +10:00
sftp.h
sk-api.h
sk-usbhid.c	upstream: Remove compat code for OpenSSL < 1.1.*	2023-03-28 19:03:29 +11:00
smult_curve25519_ref.c
sntrup761.c
sntrup761.sh
srclimit.c
srclimit.h
ssh2.h
ssh_api.c
ssh_api.h
ssh_config
ssh_config.5	upstream: Add tilde and environment variable expansion to	2023-03-27 15:03:53 +11:00
ssh-add.1
ssh-add.c
ssh-agent.1
ssh-agent.c	upstream: Explictly ignore return codes	2023-03-31 16:17:46 +11:00
ssh-dss.c
ssh-ecdsa-sk.c
ssh-ecdsa.c
ssh-ed25519-sk.c
ssh-ed25519.c
ssh-gss.h
ssh-keygen.1
ssh-keygen.c	upstream: fix double words ok dtucker@	2023-04-17 09:21:13 +10:00
ssh-keyscan.1
ssh-keyscan.c	upstream: don't print key if printing hostname failed; with/ok	2023-03-31 15:32:36 +11:00
ssh-keysign.8
ssh-keysign.c
ssh-pkcs11-client.c
ssh-pkcs11-helper.8
ssh-pkcs11-helper.c
ssh-pkcs11.c
ssh-pkcs11.h
ssh-rsa.c
ssh-sandbox.h
ssh-sk-client.c
ssh-sk-helper.8
ssh-sk-helper.c
ssh-sk.c
ssh-sk.h
ssh-xmss.c
ssh.1
ssh.c	upstream: Check for ProxyJump=none in CanonicalizeHostname logic.	2023-04-26 14:38:21 +10:00
ssh.h
sshbuf-getput-basic.c
sshbuf-getput-crypto.c
sshbuf-io.c
sshbuf-misc.c
sshbuf.c
sshbuf.h
sshconnect2.c	upstream: Re-split the merge of the reorder-hostkeys test.	2023-03-09 18:32:48 +11:00
sshconnect.c	upstream: Explicitly ignore return from fcntl	2023-03-12 22:01:44 +11:00
sshconnect.h
sshd_config
sshd_config.5
sshd.8
sshd.c
ssherr.c
ssherr.h
sshkey-xmss.c
sshkey-xmss.h
sshkey.c	upstream: remove unused variable; prompted by Coverity CID 291879	2023-03-31 15:06:19 +11:00
sshkey.h
sshlogin.c
sshlogin.h
sshpty.c
sshpty.h
sshsig.c	upstream: simplify sshsig_find_principals() similar to what happened to	2023-04-06 13:57:28 +10:00
sshsig.h
sshtty.c
survey.sh.in
TODO
ttymodes.c
ttymodes.h
uidswap.c
uidswap.h
umac128.c
umac.c
umac.h
utf8.c
utf8.h
version.h	upstream: openssh-9.3	2023-03-16 08:21:56 +11:00
xmalloc.c
xmalloc.h
xmss_commons.c
xmss_commons.h
xmss_fast.c
xmss_fast.h
xmss_hash_address.c
xmss_hash_address.h
xmss_hash.c
xmss_hash.h
xmss_wots.c
xmss_wots.h

README.md

Portable OpenSSH

OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ssh and server sshd, file transfer utilities scp and sftp as well as tools for key generation (ssh-keygen), run-time key storage (ssh-agent) and a number of supporting programs.

This is a port of OpenBSD's OpenSSH to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).

Documentation

The official documentation for OpenSSH are the man pages for each tool:

Stable Releases

Stable release tarballs are available from a number of download mirrors. We recommend the use of a stable release for most users. Please read the release notes for details of recent changes and potential incompatibilities.

Building Portable OpenSSH

Dependencies

Portable OpenSSH is built using autoconf and make. It requires a working C compiler, standard library and headers.

libcrypto from either LibreSSL or OpenSSL may also be used. OpenSSH may be built without either of these, but the resulting binaries will have only a subset of the cryptographic algorithms normally available.

zlib is optional; without it transport compression is not supported.

FIDO security token support needs libfido2 and its dependencies and will be enabled automatically if they are found.

In addition, certain platforms and build-time options may require additional dependencies; see README.platform for details about your platform.

Building a release

Releases include a pre-built copy of the configure script and may be built using:

tar zxvf openssh-X.YpZ.tar.gz
cd openssh
./configure # [options]
make && make tests

See the Build-time Customisation section below for configure options. If you plan on installing OpenSSH to your system, then you will usually want to specify destination paths.

Building from git

If building from git, you'll need autoconf installed to build the configure script. The following commands will check out and build portable OpenSSH from git:

git clone https://github.com/openssh/openssh-portable # or https://anongit.mindrot.org/openssh.git
cd openssh-portable
autoreconf
./configure
make && make tests

Build-time Customisation

There are many build-time customisation options available. All Autoconf destination path flags (e.g. --prefix) are supported (and are usually required if you want to install OpenSSH).

For a full list of available flags, run ./configure --help but a few of the more frequently-used ones are described below. Some of these flags will require additional libraries and/or headers be installed.

Flag	Meaning
`--with-pam`	Enable PAM support. OpenPAM, Linux PAM and Solaris PAM are supported.
`--with-libedit`	Enable libedit support for sftp.
`--with-kerberos5`	Enable Kerberos/GSSAPI support. Both Heimdal and MIT Kerberos implementations are supported.
`--with-selinux`	Enable SELinux support.

Development

Portable OpenSSH development is discussed on the openssh-unix-dev mailing list (archive mirror). Bugs and feature requests are tracked on our Bugzilla.

Reporting bugs

Non-security bugs may be reported to the developers via Bugzilla or via the mailing list above. Security bugs should be reported to openssh@openssh.com.