-rw-r--r--ChangeLog2
-rw-r--r--README10
-rw-r--r--UPGRADING132
3 files changed, 8 insertions, 136 deletions
diff --git a/ChangeLog b/ChangeLog
index 78c5bc892..6dda1243f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
120001106 120001106
2 - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs 2 - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs
3 - (djm) Manually fix up missed diff hunks (mainly RCS idents) 3 - (djm) Manually fix up missed diff hunks (mainly RCS idents)
4 - (djm) Remove UPGRADING document in favour of a link to the better
5 maintained FAQ on www.openssh.com
4 6
520001105 720001105
6 - (bal) Sync with OpenBSD: 8 - (bal) Sync with OpenBSD:
diff --git a/README b/README
index 10a8877f8..f94e2ed1c 100644
--- a/README
+++ b/README
@@ -9,7 +9,7 @@
9* you generated host or user keys with v1.2.2 or previous versions, 9* you generated host or user keys with v1.2.2 or previous versions,
10* please generate new ones using a more recent version. 10* please generate new ones using a more recent version.
11 11
12This is the port of OpenBSD's excellent OpenSSH to Linux and other 12This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
13Unices. 13Unices.
14 14
15OpenSSH is based on the last free version of Tatu Ylonen's SSH with 15OpenSSH is based on the last free version of Tatu Ylonen's SSH with
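Review bot: the "[0]" citation attached to the project name on changed line 12 points, per the reference list added later in this patch, at http://www.openssh.com/faq.html rather than the project home page, so a reader following a reference on the name "OpenSSH" lands on the FAQ; either cite the home page here or drop "[0]" and rely on the "[6]" citation in the later paragraph that actually refers to the FAQ.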
@@ -47,8 +47,9 @@ Other code contribution are accepted, but please follow the OpenBSD
47style guidelines[5]. 47style guidelines[5].
48 48
49Please refer to the INSTALL document for information on how to install 49Please refer to the INSTALL document for information on how to install
50OpenSSH on your system. The UPGRADING document details differences 50OpenSSH on your system. There are a number of differences between this
51between this port of OpenSSH and F-Secure SSH 1.x. 51port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6]
52for details and general tips.
52 53
53Damien Miller <djm@mindrot.org> 54Damien Miller <djm@mindrot.org>
54 55
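Review bot: the replacement sentence on lines 50-52 is a comma splice ("... this port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6]"); split it, e.g. "There are a number of differences between this port of OpenSSH and F-Secure SSH 1.x. Please refer to the OpenSSH FAQ[6] for details and general tips." Since this paragraph becomes the only pointer to the upgrade caveats that UPGRADING used to carry, consider also saying that the upgrading notes now live in the FAQ, so users of older F-Secure keys and PAM setups know where to look.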
@@ -60,9 +61,10 @@ version of SSH released by Tatu Ylonen.
60 61
61References - 62References -
62 63
64[0] http://www.openssh.com/faq.html
63[1] http://www.lothar.com/tech/crypto/ 65[1] http://www.lothar.com/tech/crypto/
64[2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ 66[2] ftp://ftp.freesoftware.com/pub/infozip/zlib/
65[3] http://www.openssl.org/ 67[3] http://www.openssl.org/
66[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) 68[4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris)
67[5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current 69[5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current
68 70[6] http://www.openssh.com/faq.html
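Review bot: the added entries [0] and [6] both point at http://www.openssh.com/faq.html, and [0] is wedged in front of the existing 1-based list; keep a single FAQ entry (the [6] that the "please refer to the OpenSSH FAQ[6]" sentence cites) and drop [0], or, if a citation on the project name is wanted, point [0] at the project home page instead of duplicating the FAQ URL.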
diff --git a/UPGRADING b/UPGRADING
deleted file mode 100644
index df3a23e17..000000000
--- a/UPGRADING
+++ /dev/null
@@ -1,132 +0,0 @@
1[ A Japanese translation of this document is available at
2[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html
3[ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
4
5OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
6There are, however, a few exceptions that you will need to bear in
7mind while upgrading:
8
91. OpenSSH does not support any patented transport algorithms.
10
11Only 3DES and Blowfish can be selected. This difference may manifest
12itself in the ssh command refusing to read its config files.
13
14Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
15option ("3des" or "blowfish").
16
172. Old versions of commercial SSH encrypt host keys with IDEA
18
19The old versions of SSH used a patented algorithm to encrypt their
20/etc/ssh/ssh_host_key
21
22This problem will manifest as sshd not being able to read its host
23key.
24
25Solution: You will need to run the *commercial* version of ssh-keygen
26on the host's private key:
27
28ssh-keygen -u -f /etc/ssh/ssh_host_key
29
303. Incompatible changes to sshd_config format.
31
32OpenSSH extends the sshd_config file format in a number of ways. There
33is currently one change which is incompatible with the old.
34
35Commercial SSH controlled logging using the "QuietMode" and
36"FascistLogging" directives. OpenSSH introduces a more general set of
37logging options "SyslogFacility" and "LogLevel". See the sshd manual
38page for details.
39
404. Warning messages about key lengths
41
42Commercial SSH's ssh-keygen program contained a bug which caused it to
43occasionally generate RSA keys which had their Most Significant Bit
44(MSB) unset. Such keys were advertised as being full-length, but are
45actually only half as secure.
46
47OpenSSH will print warning messages when it encounters such keys. To
48rid yourself of these message, edit you known_hosts files and replace
49the incorrect key length (usually "1024") with the correct key length
50(usually "1023").
51
525. Spurious PAM authentication messages in logfiles
53
54OpenSSH will generate spurious authentication failures at every login,
55similar to "authentication failure; (uid=0) -> root for sshd service".
56These are generated because OpenSSH first tries to determine whether a
57user needs authentication to login (e.g. empty password). Unfortunatly
58PAM likes to log all authentication events, this one included.
59
60If it annoys you too much, set "PermitEmptyPasswords no" in
61sshd_config. This will quiet the error message at the expense of
62disabling logins to accounts with no password set. This is the
63default if you use the supplied sshd_config file.
64
656. Empty passwords not allowed with PAM authentication
66
67To enable empty passwords with a version of OpenSSH built with PAM you
68must add the flag "nullok" to the end of the password checking module
69in the /etc/pam.d/sshd file. For example:
70
71auth required/lib/security/pam_unix.so shadow nodelay nullok
72
73This must be done in addtion to setting "PermitEmptyPasswords yes"
74in the sshd_config file.
75
76There is one caveat when using empty passwords with PAM
77authentication: PAM will allow _any_ password when authenticating
78an account with an empty password. This breaks the check that sshd
79uses to determined whether an account has no password set and grant
80users access to the account regardless of the policy specified by
81"PermitEmptyPasswords". For this reason, it is recommended that you do
82not add the "nullok" directive to your PAM configuration file unless
83you specifically wish to allow empty passwords.
84
857. X11 and/or agent forwarding does not work
86
87Check your ssh_config and sshd_config. The default configuration files
88disable authentication agent and X11 forwarding.
89
908. ssh takes a long time to connect with Linux/glibc 2.1
91
92The glibc shipped with Redhat 6.1 appears to take a long time to resolve
93"IPv6 or IPv4" addresses from domain names. This can be kludged around
94with the --with-ipv4-default configure option. This instructs OpenSSH to
95use IPv4-only address resolution. (IPv6 lookups may still be made by
96specifying the -6 option).
97
989. Logins from commercial ssh generate the error "Selected cipher type
99 idea not supported by server"
100
101This error is generated when a commercial ssh which has been configured to
102use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify
103this, select a different cipher in ssh_config or ~/.ssh/config (3des for
104security or blowfish for speed).
105
10610. "can't locate module net-pf-10" messages in log under Linux
107
108The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
109Either 1. load the appropriate kernel module, 2. enter the correct alias
110in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf.
111
112For some silly reason /etc/modules.conf may also be named /etc/conf.modules
113
11411. Password authentication doesn't work on Slackware 7.0
115
116Configure OpenSSH with --with-md5-passwords
117
11812. ./configure or sshd complain about lack of RSA support
119
120Ensure that your OpenSSL libraries have been built to include RSA support
121either internally or through RSAref.
122
12313. "scp: command not found" errors
124
125scp must be in the default PATH on both the client and the server. You may
126need to use the --with-default-path option to specify a custom path to
127search on the server. This option replaces the default path, so you need
128to specify all the current directories on your path as well as where you
129have installed scp. For example:
130
131./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp
132
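Review bot: deleting UPGRADING wholesale drops the one security-relevant caveat in it, item 6 (lines 76-83): with "nullok" on the PAM password-checking module, PAM accepts any password for an account whose password is empty, which defeats the check sshd uses to enforce "PermitEmptyPasswords". Before this lands, confirm that the FAQ the README now points to actually carries that warning, and the item 4 note on RSA keys generated with the MSB unset being only half as strong as advertised; otherwise keep those two items in INSTALL or README rather than relying on an external page. The deletion also retires the pointer to the Japanese translation on lines 1-3, which the ChangeLog entry does not mention.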