diff options
| -rw-r--r-- | ChangeLog | 2 | ||||
| -rw-r--r-- | README | 10 | ||||
| -rw-r--r-- | UPGRADING | 132 |
3 files changed, 8 insertions, 136 deletions
| @@ -1,6 +1,8 @@ | |||
| 1 | 20001106 | 1 | 20001106 |
| 2 | - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs | 2 | - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs |
| 3 | - (djm) Manually fix up missed diff hunks (mainly RCS idents) | 3 | - (djm) Manually fix up missed diff hunks (mainly RCS idents) |
| 4 | - (djm) Remove UPGRADING document in favour of a link to the better | ||
| 5 | maintained FAQ on www.openssh.com | ||
| 4 | 6 | ||
| 5 | 20001105 | 7 | 20001105 |
| 6 | - (bal) Sync with OpenBSD: | 8 | - (bal) Sync with OpenBSD: |
| @@ -9,7 +9,7 @@ | |||
| 9 | * you generated host or user keys with v1.2.2 or previous versions, | 9 | * you generated host or user keys with v1.2.2 or previous versions, |
| 10 | * please generate new ones using a more recent version. | 10 | * please generate new ones using a more recent version. |
| 11 | 11 | ||
| 12 | This is the port of OpenBSD's excellent OpenSSH to Linux and other | 12 | This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other |
| 13 | Unices. | 13 | Unices. |
| 14 | 14 | ||
| 15 | OpenSSH is based on the last free version of Tatu Ylonen's SSH with | 15 | OpenSSH is based on the last free version of Tatu Ylonen's SSH with |
| @@ -47,8 +47,9 @@ Other code contribution are accepted, but please follow the OpenBSD | |||
| 47 | style guidelines[5]. | 47 | style guidelines[5]. |
| 48 | 48 | ||
| 49 | Please refer to the INSTALL document for information on how to install | 49 | Please refer to the INSTALL document for information on how to install |
| 50 | OpenSSH on your system. The UPGRADING document details differences | 50 | OpenSSH on your system. There are a number of differences between this |
| 51 | between this port of OpenSSH and F-Secure SSH 1.x. | 51 | port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[6] |
| 52 | for details and general tips. | ||
| 52 | 53 | ||
| 53 | Damien Miller <djm@mindrot.org> | 54 | Damien Miller <djm@mindrot.org> |
| 54 | 55 | ||
| @@ -60,9 +61,10 @@ version of SSH released by Tatu Ylonen. | |||
| 60 | 61 | ||
| 61 | References - | 62 | References - |
| 62 | 63 | ||
| 64 | [0] http://www.openssh.com/faq.html | ||
| 63 | [1] http://www.lothar.com/tech/crypto/ | 65 | [1] http://www.lothar.com/tech/crypto/ |
| 64 | [2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ | 66 | [2] ftp://ftp.freesoftware.com/pub/infozip/zlib/ |
| 65 | [3] http://www.openssl.org/ | 67 | [3] http://www.openssl.org/ |
| 66 | [4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) | 68 | [4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) |
| 67 | [5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current | 69 | [5] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9&apropos=0&manpath=OpenBSD+Current |
| 68 | 70 | [6] http://www.openssh.com/faq.html | |
diff --git a/UPGRADING b/UPGRADING deleted file mode 100644 index df3a23e17..000000000 --- a/UPGRADING +++ /dev/null | |||
| @@ -1,132 +0,0 @@ | |||
| 1 | [ A Japanese translation of this document is available at | ||
| 2 | [ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html | ||
| 3 | [ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp> | ||
| 4 | |||
| 5 | OpenSSH is almost completely compatible with the commercial SSH 1.2.x. | ||
| 6 | There are, however, a few exceptions that you will need to bear in | ||
| 7 | mind while upgrading: | ||
| 8 | |||
| 9 | 1. OpenSSH does not support any patented transport algorithms. | ||
| 10 | |||
| 11 | Only 3DES and Blowfish can be selected. This difference may manifest | ||
| 12 | itself in the ssh command refusing to read its config files. | ||
| 13 | |||
| 14 | Solution: Edit /etc/ssh/ssh_config and select a different "Cipher" | ||
| 15 | option ("3des" or "blowfish"). | ||
| 16 | |||
| 17 | 2. Old versions of commercial SSH encrypt host keys with IDEA | ||
| 18 | |||
| 19 | The old versions of SSH used a patented algorithm to encrypt their | ||
| 20 | /etc/ssh/ssh_host_key | ||
| 21 | |||
| 22 | This problem will manifest as sshd not being able to read its host | ||
| 23 | key. | ||
| 24 | |||
| 25 | Solution: You will need to run the *commercial* version of ssh-keygen | ||
| 26 | on the host's private key: | ||
| 27 | |||
| 28 | ssh-keygen -u -f /etc/ssh/ssh_host_key | ||
| 29 | |||
| 30 | 3. Incompatible changes to sshd_config format. | ||
| 31 | |||
| 32 | OpenSSH extends the sshd_config file format in a number of ways. There | ||
| 33 | is currently one change which is incompatible with the old. | ||
| 34 | |||
| 35 | Commercial SSH controlled logging using the "QuietMode" and | ||
| 36 | "FascistLogging" directives. OpenSSH introduces a more general set of | ||
| 37 | logging options "SyslogFacility" and "LogLevel". See the sshd manual | ||
| 38 | page for details. | ||
| 39 | |||
| 40 | 4. Warning messages about key lengths | ||
| 41 | |||
| 42 | Commercial SSH's ssh-keygen program contained a bug which caused it to | ||
| 43 | occasionally generate RSA keys which had their Most Significant Bit | ||
| 44 | (MSB) unset. Such keys were advertised as being full-length, but are | ||
| 45 | actually only half as secure. | ||
| 46 | |||
| 47 | OpenSSH will print warning messages when it encounters such keys. To | ||
| 48 | rid yourself of these message, edit you known_hosts files and replace | ||
| 49 | the incorrect key length (usually "1024") with the correct key length | ||
| 50 | (usually "1023"). | ||
| 51 | |||
| 52 | 5. Spurious PAM authentication messages in logfiles | ||
| 53 | |||
| 54 | OpenSSH will generate spurious authentication failures at every login, | ||
| 55 | similar to "authentication failure; (uid=0) -> root for sshd service". | ||
| 56 | These are generated because OpenSSH first tries to determine whether a | ||
| 57 | user needs authentication to login (e.g. empty password). Unfortunatly | ||
| 58 | PAM likes to log all authentication events, this one included. | ||
| 59 | |||
| 60 | If it annoys you too much, set "PermitEmptyPasswords no" in | ||
| 61 | sshd_config. This will quiet the error message at the expense of | ||
| 62 | disabling logins to accounts with no password set. This is the | ||
| 63 | default if you use the supplied sshd_config file. | ||
| 64 | |||
| 65 | 6. Empty passwords not allowed with PAM authentication | ||
| 66 | |||
| 67 | To enable empty passwords with a version of OpenSSH built with PAM you | ||
| 68 | must add the flag "nullok" to the end of the password checking module | ||
| 69 | in the /etc/pam.d/sshd file. For example: | ||
| 70 | |||
| 71 | auth required/lib/security/pam_unix.so shadow nodelay nullok | ||
| 72 | |||
| 73 | This must be done in addtion to setting "PermitEmptyPasswords yes" | ||
| 74 | in the sshd_config file. | ||
| 75 | |||
| 76 | There is one caveat when using empty passwords with PAM | ||
| 77 | authentication: PAM will allow _any_ password when authenticating | ||
| 78 | an account with an empty password. This breaks the check that sshd | ||
| 79 | uses to determined whether an account has no password set and grant | ||
| 80 | users access to the account regardless of the policy specified by | ||
| 81 | "PermitEmptyPasswords". For this reason, it is recommended that you do | ||
| 82 | not add the "nullok" directive to your PAM configuration file unless | ||
| 83 | you specifically wish to allow empty passwords. | ||
| 84 | |||
| 85 | 7. X11 and/or agent forwarding does not work | ||
| 86 | |||
| 87 | Check your ssh_config and sshd_config. The default configuration files | ||
| 88 | disable authentication agent and X11 forwarding. | ||
| 89 | |||
| 90 | 8. ssh takes a long time to connect with Linux/glibc 2.1 | ||
| 91 | |||
| 92 | The glibc shipped with Redhat 6.1 appears to take a long time to resolve | ||
| 93 | "IPv6 or IPv4" addresses from domain names. This can be kludged around | ||
| 94 | with the --with-ipv4-default configure option. This instructs OpenSSH to | ||
| 95 | use IPv4-only address resolution. (IPv6 lookups may still be made by | ||
| 96 | specifying the -6 option). | ||
| 97 | |||
| 98 | 9. Logins from commercial ssh generate the error "Selected cipher type | ||
| 99 | idea not supported by server" | ||
| 100 | |||
| 101 | This error is generated when a commercial ssh which has been configured to | ||
| 102 | use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify | ||
| 103 | this, select a different cipher in ssh_config or ~/.ssh/config (3des for | ||
| 104 | security or blowfish for speed). | ||
| 105 | |||
| 106 | 10. "can't locate module net-pf-10" messages in log under Linux | ||
| 107 | |||
| 108 | The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). | ||
| 109 | Either 1. load the appropriate kernel module, 2. enter the correct alias | ||
| 110 | in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf. | ||
| 111 | |||
| 112 | For some silly reason /etc/modules.conf may also be named /etc/conf.modules | ||
| 113 | |||
| 114 | 11. Password authentication doesn't work on Slackware 7.0 | ||
| 115 | |||
| 116 | Configure OpenSSH with --with-md5-passwords | ||
| 117 | |||
| 118 | 12. ./configure or sshd complain about lack of RSA support | ||
| 119 | |||
| 120 | Ensure that your OpenSSL libraries have been built to include RSA support | ||
| 121 | either internally or through RSAref. | ||
| 122 | |||
| 123 | 13. "scp: command not found" errors | ||
| 124 | |||
| 125 | scp must be in the default PATH on both the client and the server. You may | ||
| 126 | need to use the --with-default-path option to specify a custom path to | ||
| 127 | search on the server. This option replaces the default path, so you need | ||
| 128 | to specify all the current directories on your path as well as where you | ||
| 129 | have installed scp. For example: | ||
| 130 | |||
| 131 | ./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp | ||
| 132 | |||