Diffstat (limited to 'debian/faq.html')
-rw-r--r-- | debian/faq.html | 1176 |
1 files changed, 1176 insertions, 0 deletions
diff --git a/debian/faq.html b/debian/faq.html new file mode 100644 index 000000000..67d55cb52 --- /dev/null +++ b/debian/faq.html | |||
@@ -0,0 +1,1176 @@ | |||
1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> | ||
2 | <html> | ||
3 | <head> | ||
4 | <title>OpenSSH FAQ</title> | ||
5 | <link rev= "made" href= "mailto:www@openbsd.org"> | ||
6 | <meta name= "resource-type" content= "document"> | ||
7 | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | ||
8 | <meta name= "description" content= "the OpenSSH FAQ page"> | ||
9 | <meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq"> | ||
10 | <meta name= "distribution" content= "global"> | ||
11 | <meta name= "copyright" content= "This document copyright 1999-2005 OpenBSD."> | ||
12 | </head> | ||
13 | |||
14 | <body bgcolor= "#ffffff" text= "#000000" link= "#23238E"> | ||
15 | <a href="http://www.openssh.org/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a> | ||
16 | <p> | ||
17 | |||
18 | <h1>OpenSSH FAQ (Frequently asked questions)</h1> | ||
19 | |||
20 | <strong>Date: 2005/09/20</strong> | ||
21 | |||
22 | <hr> | ||
23 | |||
24 | <blockquote> | ||
25 | <h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3> | ||
26 | <ul> | ||
27 | <li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a> | ||
28 | <li><a href= "#1.2">1.2 - Why should it be used?</a> | ||
29 | <li><a href= "#1.3">1.3 - What Operating Systems are supported?</a> | ||
30 | <li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a> | ||
31 | <li><a href= "#1.5">1.5 - Where should I ask for help?</a> | ||
32 | </ul> | ||
33 | |||
34 | <h3><a href= "#2.0">2.0 - General Questions</a></h3> | ||
35 | <ul> | ||
36 | <li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a> | ||
37 | <li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a> | ||
38 | <li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a> | ||
39 | <li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a> | ||
40 | <li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a> | ||
41 | <li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a> | ||
42 | <li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a> | ||
43 | <li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a> | ||
44 | <li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a> | ||
45 | <li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a> | ||
46 | <li><a href= "#2.11">2.11 - How do I use port forwarding?</a> | ||
47 | <li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a> | ||
48 | <li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a> | ||
49 | <li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a> | ||
50 | </ul> | ||
51 | |||
52 | <h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3> | ||
53 | <ul> | ||
54 | <li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a> | ||
55 | <li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a> | ||
56 | <li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a> | ||
57 | <li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a> | ||
58 | <li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a> | ||
59 | <li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a> | ||
60 | <li><a href= "#3.7">3.7 - "scp: command not found" errors</a> | ||
61 | <li><a href= "#3.8">3.8 - Unable to read passphrase</a> | ||
62 | <li><a href= "#3.9">3.9 - 'configure' missing or make fails</a> | ||
63 | <li><a href= "#3.10">3.10 - Hangs when exiting ssh</a> | ||
64 | <li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a> | ||
65 | <li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a> | ||
66 | <li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a> | ||
67 | <li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a> | ||
68 | <li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a> | ||
69 | <li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a> | ||
70 | </ul> | ||
71 | |||
72 | </blockquote> | ||
73 | |||
74 | <hr> | ||
75 | |||
76 | <h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2> | ||
77 | |||
78 | <h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2> | ||
79 | |||
80 | <p> | ||
81 | OpenSSH is a <b>FREE</b> version of the SSH suite of network connectivity | ||
82 | tools that increasing numbers of people on the Internet are coming to | ||
83 | rely on. Many users of telnet, rlogin, ftp, and other such programs might | ||
84 | not realize that their password is transmitted across the Internet | ||
85 | unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) | ||
86 | to effectively eliminate eavesdropping, connection hijacking, | ||
87 | and other network-level attacks. | ||
88 | |||
89 | <p> | ||
90 | The OpenSSH suite includes the | ||
91 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> | ||
92 | program which replaces rlogin and telnet, and | ||
93 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | ||
94 | which replaces | ||
95 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a> and | ||
96 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a>. | ||
97 | OpenSSH has also added | ||
98 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> and | ||
99 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | ||
100 | which implement an easier solution for file-transfer. This is based upon the | ||
101 | <a href="http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft. | ||
102 | |||
103 | |||
104 | <p><strong>OpenSSH consists of a number of programs.</strong> | ||
105 | |||
106 | <ul> | ||
107 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client. | ||
108 | Its behaviour is controlled by the config file <i><a | ||
109 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> | ||
110 | sshd_config(5)</a></i>. | ||
111 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program. | ||
112 | Its behaviour is controlled by the global config file <i><a | ||
113 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> | ||
114 | ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files. | ||
115 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> - Securely copies files from one machine to another. | ||
116 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys). | ||
117 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication. | ||
118 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a> - Used to register new keys with the agent. | ||
119 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> - SFTP server subsystem. | ||
120 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> - Secure file transfer program. | ||
121 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> - gather ssh public keys. | ||
122 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication. | ||
123 | </ul> | ||
124 | |||
125 | <h3>Downloading</h3> | ||
126 | |||
127 | <p> | ||
128 | OpenSSH comes in two downloadable distributions: the native <a | ||
129 | href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution and the multi-platform | ||
130 | <a href="http://www.openssh.org/portable.html">Portable</a> distribution. If you want | ||
131 | OpenSSH for a recent OpenBSD or integration into a product, you | ||
132 | probably want the <a href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution. | ||
133 | If you want OpenSSH for another platform, or an older OpenBSD, you | ||
134 | probably want the <a href="http://www.openssh.org/portable.html">Portable</a> distribution. | ||
135 | |||
136 | <p> | ||
137 | When downloading, please use a <a href="http://www.openssh.org/portable.html#mirrors">mirror</a> | ||
138 | near you. | ||
139 | |||
140 | <h2><a name= "1.2">1.2 - Why should it be used?</a></h2> | ||
141 | |||
142 | <p> | ||
143 | OpenSSH is a suite of tools to help secure your network | ||
144 | connections. Here is a list of features: | ||
145 | |||
146 | |||
147 | <ul> | ||
148 | <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing). | ||
149 | <li>Improved privacy. All communications are automatically and transparently encrypted. | ||
150 | <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. | ||
151 | <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions). | ||
152 | <li>No retraining needed for normal users. | ||
153 | <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key. | ||
154 | <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing). | ||
155 | <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine. | ||
156 | <li>Any user can create any number of user authentication RSA keys for his/her own use. | ||
157 | <li>The server program has its own server RSA key which is automatically regenerated every hour. | ||
158 | <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys. | ||
159 | <li>The software can be installed and used (with restricted functionality) even without root privileges. | ||
160 | <li>The client is customizable in system-wide and per-user configuration files. | ||
161 | <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections. | ||
162 | <li>Complete replacement for rlogin, rsh, and rcp. | ||
163 | </ul> | ||
164 | |||
165 | <p> | ||
166 | Currently, almost all communications in computer networks are done | ||
167 | without encryption. As a consequence, anyone who has access to any | ||
168 | machine connected to the network can listen in on any communication. | ||
169 | This is being done by hackers, curious administrators, employers, | ||
170 | criminals, industrial spies, and governments. Some networks leak off | ||
171 | enough electromagnetic radiation that data may be captured even from a | ||
172 | distance. | ||
173 | |||
174 | |||
175 | <p> | ||
176 | When you log in, your password goes in the network in plain | ||
177 | text. Thus, any listener can then use your account to do any evil he | ||
178 | likes. Many incidents have been encountered worldwide where crackers | ||
179 | have started programs on workstations without the owner's knowledge | ||
180 | just to listen to the network and collect passwords. Programs for | ||
181 | doing this are available on the Internet, or can be built by a | ||
182 | competent programmer in a few hours. | ||
183 | |||
184 | |||
185 | <p> | ||
186 | Businesses have trade secrets, patent applications in preparation, | ||
187 | pricing information, subcontractor information, client data, personnel | ||
188 | data, financial information, etc. Currently, anyone with access to | ||
189 | the network (any machine on the network) can listen to anything that | ||
190 | goes in the network, without any regard to normal access restrictions. | ||
191 | |||
192 | |||
193 | <p> | ||
194 | Many companies are not aware that information can so easily be | ||
195 | recovered from the network. They trust that their data is safe | ||
196 | since nobody is supposed to know that there is sensitive information | ||
197 | in the network, or because so much other data is transferred in the | ||
198 | network. This is not a safe policy. | ||
199 | |||
200 | |||
201 | <h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2> | ||
202 | |||
203 | <p> | ||
204 | Even though OpenSSH is developed on | ||
205 | <a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of | ||
206 | ports to other operating systems exist. The portable version of OpenSSH | ||
207 | is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>. | ||
208 | For a quick overview of the portable version of OpenSSH see | ||
209 | <a href="http://www.openssh.org/portable.html">OpenSSH Portable Release</a>. | ||
210 | Currently, the supported operating systems are: | ||
211 | |||
212 | |||
213 | <ul> | ||
214 | <li>OpenBSD | ||
215 | <li>NetBSD | ||
216 | <li>FreeBSD | ||
217 | <li>AIX | ||
218 | <li>HP-UX | ||
219 | <li>IRIX | ||
220 | <li>Linux | ||
221 | <li>NeXT | ||
222 | <li>SCO | ||
223 | <li>SNI/Reliant Unix | ||
224 | <li>Solaris | ||
225 | <li>Digital Unix/Tru64/OSF | ||
226 | <li>Mac OS X | ||
227 | <li>Cygwin | ||
228 | </ul> | ||
229 | |||
230 | <p> | ||
231 | A list of vendors that include OpenSSH in their distributions | ||
232 | is located in the <a href="http://www.openssh.org/users.html">OpenSSH Users page</a>. | ||
233 | |||
234 | <h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2> | ||
235 | <p> | ||
236 | The OpenSSH developers have tried very hard to keep OpenSSH free of any | ||
237 | patent or copyright problems. To do this, some options had to be | ||
238 | stripped from OpenSSH. Namely support for patented algorithms. | ||
239 | |||
240 | <p> | ||
241 | OpenSSH does not support any patented transport algorithms. In SSH1 mode, | ||
242 | only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, | ||
243 | Blowfish, CAST128, Arcfour and AES can be selected. | ||
244 | The patented IDEA algorithm is not supported. | ||
245 | |||
246 | <p> | ||
247 | OpenSSH provides support for both SSH1 and SSH2 protocols. | ||
248 | |||
249 | <p> | ||
250 | Since the RSA patent has expired, there are no restrictions on the use | ||
251 | of RSA algorithm using software, including OpenBSD. | ||
252 | |||
253 | <h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2> | ||
254 | <p> | ||
255 | There are many places to turn to for help. In addition to the main | ||
256 | <a href="http://www.openssh.org/index.html">OpenSSH website</a>, | ||
257 | there are many mailing lists to try. Before trying any mailing lists, | ||
258 | please search through all mailing list archives to see if your question | ||
259 | has already been answered. The OpenSSH Mailing List has been archived and | ||
260 | put in searchable form and can be found at | ||
261 | <a href="http://marc.info/?l=openssh-unix-dev&r=1&w=2">marc.info</a>. | ||
262 | |||
263 | <p> | ||
264 | For more information on subscribing to OpenSSH related mailing lists, | ||
265 | please see <a href="http://www.openssh.org/list.html">OpenSSH Mailing lists</a>. | ||
266 | |||
267 | <p> | ||
268 | Information about submitting bug reports can be found at the OpenSSH | ||
269 | <a href="http://www.openssh.org/report.html">Reporting bugs</a> page. | ||
270 | |||
271 | <h2><u><a name= "2.0">2.0 - General Questions</a></u></h2> | ||
272 | |||
273 | <h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2> | ||
274 | <p> | ||
275 | The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa | ||
276 | authentication because the server needs to trust the username provided by | ||
277 | the client. To get around this, you can add the below example to your | ||
278 | <i>ssh_config</i> or <i>~/.ssh/config</i> file. | ||
279 | |||
280 | |||
281 | <blockquote> | ||
282 | <table border=0 width="800"> | ||
283 | <tr> | ||
284 | <td nowrap bgcolor="#EEEEEE"> | ||
285 | <b>UsePrivilegedPort no</b> | ||
286 | </td> | ||
287 | </tr> | ||
288 | </table> | ||
289 | </blockquote> | ||
290 | |||
291 | <p> | ||
292 | Or you can specify this option on the command line, using the <b>-o</b> | ||
293 | option to | ||
294 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> command. | ||
295 | |||
296 | <blockquote> | ||
297 | <table border=0 width="800"> | ||
298 | <tr> | ||
299 | <td nowrap bgcolor="#EEEEEE"> | ||
300 | $ <b>ssh -o "UsePrivilegedPort no" host.com</b> | ||
301 | </td> | ||
302 | </tr> | ||
303 | </table> | ||
304 | </blockquote> | ||
305 | |||
306 | <h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2> | ||
307 | |||
308 | <p> | ||
309 | In conjunction with the previous question, (<a href="#2.1">2.1</a>) | ||
310 | OpenSSH needs root authority to be able to bind to low-numbered ports to | ||
311 | facilitate <i>rhosts authentication</i>. | ||
312 | A privileged port is also required for rhosts-rsa authentication to older | ||
313 | SSH releases. | ||
314 | |||
315 | <p> | ||
316 | Additionally, for both <i>rhosts-rsa authentication</i> (in protocol | ||
317 | version 1) and <i>hostbased authentication</i> (in protocol version 2) | ||
318 | the ssh client needs to access the <i>private host key</i> in order to | ||
319 | authenticate the client machine to the server. | ||
320 | OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be | ||
321 | setuid root to enable this, and you may safely remove it if you don't | ||
322 | want to use these authentication methods. | ||
323 | |||
324 | <p> | ||
325 | Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a | ||
326 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>, | ||
327 | is used for access to the private hosts keys, and ssh does not use privileged | ||
328 | source ports by default. If you wish to use a privileged source port, you must | ||
329 | manually set the setuid bit on <code>ssh</code>. | ||
330 | |||
331 | <h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2> | ||
332 | |||
333 | <p> | ||
334 | SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. | ||
335 | Their code was not supplying the full data block output from the digest, | ||
336 | and instead always provided 128 bits. For longer digests, this caused | ||
337 | SSH 2.3 to not interoperate with OpenSSH. | ||
338 | |||
339 | <p> | ||
340 | OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH | ||
341 | will have this bug fixed. Or you can add the following to | ||
342 | SSH 2.3 <i>sshd2_config</i>. | ||
343 | |||
344 | |||
345 | <blockquote> | ||
346 | <table border=0 width="800"> | ||
347 | <tr> | ||
348 | <td nowrap bgcolor="#EEEEEE"> | ||
349 | <b>Mac hmac-md5</b> | ||
350 | </td> | ||
351 | </tr> | ||
352 | </table> | ||
353 | </blockquote> | ||
354 | |||
355 | <h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2> | ||
356 | |||
357 | <p> | ||
358 | Problems in interoperation have been seen because older versions of | ||
359 | OpenSSH did not support session rekeying. However the commercial SSH 2.3 | ||
360 | tries to negotiate this feature, and you might experience connection | ||
361 | freezes or see the error message "<b>Dispatch protocol error: | ||
362 | type 20 </b>". | ||
363 | To solve this problem, either upgrade to a recent OpenSSH release or | ||
364 | disable rekeying by adding the following to your commercial SSH 2.3's | ||
365 | <i>ssh2_config</i> or <i>sshd2_config</i>. | ||
366 | |||
367 | |||
368 | <blockquote> | ||
369 | <table border=0 width="800"> | ||
370 | <tr> | ||
371 | <td nowrap bgcolor="#EEEEEE"> | ||
372 | <b>RekeyIntervalSeconds 0</b> | ||
373 | </td> | ||
374 | </tr> | ||
375 | </table> | ||
376 | </blockquote> | ||
377 | |||
378 | <h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2> | ||
379 | |||
380 | <p> | ||
381 | The old versions of SSH used a patented algorithm to encrypt their | ||
382 | <i>/etc/ssh/ssh_host_key</i>. This problem will manifest as | ||
383 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | ||
384 | not being able to read its host key. To solve this, use the command below | ||
385 | to convert your ssh_host_key to use 3DES. | ||
386 | <b>NOTE:</b> Use the | ||
387 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> | ||
388 | program from the Commercial SSH product, *NOT* OpenSSH for the example | ||
389 | below. | ||
390 | |||
391 | |||
392 | <blockquote> | ||
393 | <table border=0 width="800"> | ||
394 | <tr> | ||
395 | <td nowrap bgcolor="#EEEEEE"> | ||
396 | # <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b> | ||
397 | </td> | ||
398 | </tr> | ||
399 | </table> | ||
400 | </blockquote> | ||
401 | |||
402 | <h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2> | ||
403 | |||
404 | <p> | ||
405 | Commercial SSH's | ||
406 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> | ||
407 | program contained a bug which caused it to occasionally generate Pubkey | ||
408 | Authentication (RSA or DSA) keys which had their Most Significant Bit | ||
409 | (MSB) unset. Such keys were advertised as being full-length, but are | ||
410 | actually, half the time, smaller than advertised. | ||
411 | |||
412 | <p> | ||
413 | OpenSSH will print warning messages when it encounters such keys. To rid | ||
414 | yourself of these message, edit your <i>known_hosts</i> files and replace the | ||
415 | incorrect key length (usually "1024") with the correct key length | ||
416 | (usually "1023"). | ||
417 | |||
418 | <h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2> | ||
419 | |||
420 | <p> | ||
421 | Check your <i>ssh_config</i> and <i>sshd_config</i>. The default | ||
422 | configuration files disable authentication agent and X11 forwarding. To | ||
423 | enable it, put the line below in <i>sshd_config</i>: | ||
424 | |||
425 | <blockquote> | ||
426 | <table border=0 width="800"> | ||
427 | <tr> | ||
428 | <td nowrap bgcolor="#EEEEEE"> | ||
429 | <b>X11Forwarding yes</b> | ||
430 | </td> | ||
431 | </tr> | ||
432 | </table> | ||
433 | </blockquote> | ||
434 | |||
435 | <p> | ||
436 | and put the following lines in <i>ssh_config</i>: | ||
437 | |||
438 | <blockquote> | ||
439 | <table border=0 width="800"> | ||
440 | <tr> | ||
441 | <td nowrap bgcolor="#EEEEEE"> | ||
442 | <b>ForwardAgent yes</b><br> | ||
443 | <b>ForwardX11 yes</b> | ||
444 | </td> | ||
445 | </tr> | ||
446 | </table> | ||
447 | </blockquote> | ||
448 | |||
449 | <p> | ||
450 | X11 forwarding requires a working <a | ||
451 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&sektion=1" | ||
452 | >xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file | ||
453 | set but will probably be different on other platforms. For OpenSSH | ||
454 | Portable, xauth must be either found at configure time or specified | ||
455 | via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5). | ||
456 | |||
457 | <p> | ||
458 | Note on agent interoperability: There are two different and | ||
459 | incompatible agent forwarding mechanisms within the SSH2 protocol. | ||
460 | OpenSSH has always used an extension of the original SSH1 agent | ||
461 | requests, however some commercial products use a different, non-free | ||
462 | agent forwarding protocol. This means that agent forwarding cannot | ||
463 | be used between OpenSSH and those products. | ||
464 | |||
465 | <p> | ||
466 | <b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the | ||
467 | <i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>, | ||
468 | and thus any bash user's home directory. This variable is set by OpenSSH | ||
469 | and for either of the above options to work, you need to comment out | ||
470 | the line: | ||
471 | |||
472 | |||
473 | <blockquote> | ||
474 | <table border=0 width="800"> | ||
475 | <tr> | ||
476 | <td nowrap bgcolor="#EEEEEE"> | ||
477 | <b># export XAUTHORITY=$HOME/.Xauthority</b> | ||
478 | </td> | ||
479 | </tr> | ||
480 | </table> | ||
481 | </blockquote> | ||
482 | |||
483 | <h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2> | ||
484 | |||
485 | <p> | ||
486 | Between versions changes can be made to <i>sshd_config</i> or | ||
487 | <i>ssh_config</i>. You should always check on these changes when upgrading | ||
488 | versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the | ||
489 | following to your <i>sshd_config</i>: | ||
490 | |||
491 | |||
492 | <blockquote> | ||
493 | <table border=0 width="800"> | ||
494 | <tr> | ||
495 | <td nowrap bgcolor="#EEEEEE"> | ||
496 | <b>HostKey /etc/ssh_host_dsa_key</b><br> | ||
497 | <b>HostKey /etc/ssh_host_rsa_key</b> | ||
498 | </td> | ||
499 | </tr> | ||
500 | </table> | ||
501 | </blockquote> | ||
502 | |||
503 | <h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2> | ||
504 | |||
505 | <p> | ||
506 | sftp and/or scp may fail at connection time if you have shell | ||
507 | initialization (.profile, .bashrc, .cshrc, etc) which produces output | ||
508 | for non-interactive sessions. This output confuses the sftp/scp client. | ||
509 | You can verify if your shell is doing this by executing: | ||
510 | |||
511 | <blockquote> | ||
512 | <table border=0 width="800"> | ||
513 | <tr> | ||
514 | <td nowrap bgcolor="#EEEEEE"> | ||
515 | <b>ssh yourhost /usr/bin/true</b> | ||
516 | </td> | ||
517 | </tr> | ||
518 | </table> | ||
519 | </blockquote> | ||
520 | |||
521 | <p> | ||
522 | If the above command produces any output, then you need to modify your | ||
523 | shell initialization. | ||
524 | |||
525 | <h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2> | ||
526 | |||
527 | <p> | ||
528 | Short Answer: no. | ||
529 | |||
530 | <p> | ||
531 | Long Answer: scp is not standardized. The closest thing it has to a | ||
532 | specification is "what rcp does". Since the same command is used on both ends | ||
533 | of the connection, adding features or options risks breaking interoperability with other | ||
534 | implementations. | ||
535 | |||
536 | <p> | ||
537 | New features are more likely in sftp, since the protocol is standardized | ||
538 | (well, a <a href="http://www.ietf.org/html.charters/secsh-charter.html"> | ||
539 | draft standard</a>), extensible, and the client and server are decoupled. | ||
540 | |||
541 | <h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2> | ||
542 | |||
543 | <p> | ||
544 | If the remote server is running sshd(8), it may be possible to | ||
545 | ``tunnel'' certain services via ssh. This may be desirable, for | ||
546 | example, to encrypt POP or SMTP connections, even though the software | ||
547 | does not directly support encrypted communications. Tunnelling uses | ||
548 | port forwarding to create a connection between the client and server. | ||
549 | The client software must be able to specify a non-standard port to | ||
550 | connect to for this to work. | ||
551 | |||
552 | <p> | ||
553 | The idea is that the user connects to the remote host using ssh, | ||
554 | and specifies which port on the client's machine should be used to | ||
555 | forward connections to the remote server. After that it is possible | ||
556 | to start the service which is to be encrypted (e.g. fetchmail, irc) | ||
557 | on the client machine, specifying the same local port passed to | ||
558 | ssh, and the connection will be tunnelled through ssh. By default, | ||
559 | the system running the forward will only accept connections from | ||
560 | itself. | ||
561 | |||
562 | <p> | ||
563 | The options most relevant to tunnelling are the -L and -R options, | ||
564 | which allow the user to forward connections, the -D option, which | ||
565 | permits dynamic port forwarding, the -g option, which permits other | ||
566 | hosts to use port forwards, and the -f option, which instructs ssh | ||
567 | to put itself in the background after authentication. See the <a | ||
568 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1" | ||
569 | >ssh(1)</a> man page for further details. | ||
570 | |||
571 | <p> | ||
572 | This is an example of tunnelling an IRC session from client machine | ||
573 | ``127.0.0.1'' (localhost) to remote server ``server.example.com'': | ||
574 | |||
575 | <blockquote> | ||
576 | <table border=0 width="800"> | ||
577 | <tr> | ||
578 | <td nowrap bgcolor="#EEEEEE"> | ||
579 | <b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br> | ||
580 | irc -c '#users' -p 1234 pinky 127.0.0.1</b> | ||
581 | </td> | ||
582 | </tr> | ||
583 | </table> | ||
584 | </blockquote> | ||
585 | |||
586 | <p> | ||
587 | This tunnels a connection to IRC server server.example.com, joining | ||
588 | channel ``#users'', using the nickname ``pinky''. The local port used | ||
589 | in this example is 1234. It does not matter which port is used, as | ||
590 | long as it's greater than 1023 (remember, only root can open sockets on | ||
591 | privileged ports) and doesn't conflict with any ports already in use. | ||
592 | The connection is forwarded to port 6667 on the remote server, since | ||
593 | that's the standard port for IRC services. | ||
594 | |||
595 | <p> | ||
596 | The remote command ``sleep 10'' was specified to allow an amount | ||
597 | of time (10 seconds, in the example) to start the service which is to | ||
598 | be tunnelled. If no connections are made within the time specified, | ||
599 | ssh will exit. If more time is required, the sleep(1) value can be | ||
600 | increased appropriately or, alternatively, the example above could | ||
601 | be added as a function to the user's shell. See ksh(1) and csh(1) | ||
602 | for more details about user-defined functions. | ||
603 | |||
604 | <p> | ||
ssh also has a -N option, convenient for use with port forwarding:
if -N is specified, no remote command (``sleep 10'' in the example
above) is needed. However, with this option ssh never exits on its own
(as opposed to exiting after a remote command has completed), so the
user must remember to kill(1) the process afterwards.
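<p>
The paragraph above suggests turning the two commands into a shell
function. The following is an added example (not from the OpenSSH FAQ or
the OpenSSH project) of such a function for a POSIX sh/ksh-style shell.
The default local port 1234, the nickname ``pinky'' and the <code>irc</code>
invocation are taken from the FAQ example; the port-range check
(<code>valid_local_port</code>) and the function names are assumptions
about what is worth validating before the value reaches <code>ssh -L</code>.

```shell
#!/bin/sh
# Added example, not from the OpenSSH FAQ: the FAQ's two-command IRC tunnel
# wrapped in a shell function, as the text suggests.  The remote "sleep 10"
# and -f are kept so ssh backgrounds itself and exits by itself if nothing
# uses the forward.  Defaults (port 1234, nick "pinky", the irc client
# invocation) come from the FAQ example; the port check is an assumption.

# valid_local_port <n>: true if n is an integer in 1024..65535, i.e. a port
# an unprivileged user may bind and that ssh -L can listen on.
valid_local_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# irctunnel <remote-host> [local-port] [nick]
# Forwards 127.0.0.1:<local-port> to <remote-host>:6667 over ssh, then
# starts the irc client against the local end of the tunnel.
irctunnel() {
    host=$1
    lport=${2:-1234}
    nick=${3:-pinky}
    if ! valid_local_port "$lport"; then
        echo "irctunnel: local port must be 1024..65535, got '$lport'" >&2
        return 1
    fi
    # -f: go to the background after authentication; "sleep 10": ssh exits
    # about 10 s after that unless a forwarded connection is still open.
    ssh -f -L "$lport:$host:6667" "$host" sleep 10 || return 1
    irc -c '#users' -p "$lport" "$nick" 127.0.0.1
}
```

Put the two functions in <i>~/.profile</i> (or your shell's rc file) and run
<code>irctunnel server.example.com</code>; a port below 1024 is rejected
before ssh is started, since ssh would fail to bind it anyway.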
611 | |||
612 | <h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2> | ||
613 | |||
614 | <p> | ||
615 | This is usually the result of a packet filter or NAT device | ||
616 | timing out your TCP connection due to inactivity. You can enable | ||
617 | <b>ClientAliveInterval</b> in the server's <i><a | ||
618 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> | ||
619 | sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the | ||
620 | client's <i><a | ||
621 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> | ||
622 | ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer). | ||
623 | |||
624 | <p> | ||
625 | Enabling either option and setting the interval for less than the time | ||
626 | it takes to time out your session will ensure that the connection is | ||
627 | kept "fresh" in the device's connection table. | ||
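<p>
As an added example (not from the OpenSSH FAQ), the two settings above
written out, together with the companion <b>ServerAliveCountMax</b> /
<b>ClientAliveCountMax</b> options that decide how many unanswered probes
end the session. The 60-second interval is an assumption; pick a value
below your device's idle timeout, as the FAQ says.

```text
# Client side, ~/.ssh/config: probe the server through the encrypted
# channel every 60 seconds and disconnect after 3 unanswered probes.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Server side, sshd_config: the same probing, initiated by sshd.
ClientAliveInterval 60
ClientAliveCountMax 3
```

These probes travel inside the encrypted connection, so they cannot be
spoofed and also detect a dead peer. They are distinct from
<b>TCPKeepAlive</b>, which uses plain TCP keepalives that some packet
filters ignore and that can be forged.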
628 | |||
629 | <h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2> | ||
630 | |||
631 | <b><a | ||
632 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1"> | ||
633 | scp</a></b> will interpret the component before the colon to be a remote | ||
634 | server name and attempt to connect to it. To prevent this, refer to | ||
635 | the file by a relative or absolute path, eg: | ||
636 | |||
637 | <blockquote> | ||
638 | <table border=0 width="800"> | ||
639 | <tr> | ||
640 | <td nowrap bgcolor="#EEEEEE"> | ||
641 | $ scp ./source:file sshserver: | ||
642 | </td> | ||
643 | </tr> | ||
644 | </table> | ||
645 | </blockquote> | ||
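<p>
As an added example (not from the OpenSSH FAQ), a small wrapper that applies
the advice above automatically. scp only treats an argument as
<i>host:path</i> when the colon comes before any ``/'', so anchoring a bare
name with <code>./</code> is enough. The function names
<code>local_path</code> and <code>scp_local</code> are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenSSH FAQ: make local file names containing
# ':' unambiguous before handing them to scp.  scp reads "host:path" off an
# argument only when the ':' comes before any '/', so "./a:b" and "/tmp/a:b"
# are always treated as local paths.  The function names are assumptions.

# local_path <name>: print <name> rewritten so scp cannot read it as host:file
local_path() {
    case $1 in
        /*|./*|../*) printf '%s\n' "$1" ;;     # already an explicit path
        *:*)         printf './%s\n' "$1" ;;   # name with ':' -> anchor it
        *)           printf '%s\n' "$1" ;;     # no ':' -> safe as-is
    esac
}

# scp_local <file>... <dest>: like scp, but every source argument is a
# local file and is anchored with local_path; only <dest> may be remote.
scp_local() {
    if [ $# -lt 2 ]; then
        echo "usage: scp_local file... dest" >&2
        return 2
    fi
    n=$#
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        if [ "$i" -lt "$n" ]; then
            set -- "$@" "$(local_path "$arg")"   # a source: anchor it
        else
            set -- "$@" "$arg"                   # the destination: untouched
        fi
    done
    shift "$n"          # drop the original arguments, keep the rewritten ones
    scp "$@"
}
```

<code>scp_local source:file other:file sshserver:</code> runs
<code>scp ./source:file ./other:file sshserver:</code>.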
646 | |||
647 | <h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2> | ||
648 | |||
649 | <p> | ||
650 | OpenSSH, like most SSH implementations, reports its name and version to clients | ||
651 | when they connect, e.g. | ||
652 | </p> | ||
653 | |||
654 | <blockquote> | ||
655 | SSH-2.0-OpenSSH_3.9 | ||
656 | </blockquote> | ||
657 | |||
658 | <p> | ||
This information is used by clients and servers to enable protocol
compatibility tweaks that work around changed, buggy or missing features in
the implementation they are talking to. This feature checking is
still required at present because the SSH protocol has not yet been published
as an RFC and more incompatible changes may be made before that happens.
664 | </p> | ||
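<p>
As an added example (not from the OpenSSH FAQ), a function that splits an
identification string of the form
<code>SSH-protoversion-softwareversion [comments]</code> into its parts,
which is exactly what a client reads to decide on compatibility tweaks.
The sample strings are constructed; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the OpenSSH FAQ: split the identification string a
# server sends into its parts.  The line has the form
#   SSH-<protoversion>-<softwareversion>[ <comments>]\r\n
# Sample strings below are constructed; the function name is an assumption.

# parse_ssh_banner <line>: print "proto=... software=... comments=..."
# Returns 1 if the line is not an SSH identification string.
parse_ssh_banner() {
    cr=$(printf '\r')
    line=${1%"$cr"}               # drop a trailing CR if the caller kept it
    case $line in
        SSH-*-*) ;;
        *) echo "not an SSH identification string: $line" >&2; return 1 ;;
    esac
    rest=${line#SSH-}
    proto=${rest%%-*}             # "2.0", or "1.99" when v1 is also offered
    rest=${rest#*-}
    software=${rest%% *}          # up to the first space
    comments=${rest#"$software"}  # whatever followed the space, if anything
    comments=${comments# }
    printf 'proto=%s software=%s comments=%s\n' "$proto" "$software" "$comments"
}
```

To look at a live server (assuming <code>nc</code> is installed):
<code>parse_ssh_banner "$(nc server.example.com 22 &lt;/dev/null | head -n 1)"</code>;
<code>ssh -v</code> prints the same two values in its ``remote software
version'' debug line. The string is sent in the clear before key exchange,
so it cannot be hidden from a scanner; keeping sshd patched, not obscuring
the banner, is what removes the risk.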
665 | |||
666 | <h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2> | ||
667 | |||
668 | <h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2> | ||
669 | |||
670 | <p> | ||
671 | The portable version of OpenSSH will generate spurious authentication | ||
672 | failures at every login, similar to: | ||
673 | |||
674 | |||
675 | <blockquote> | ||
676 | <table border=0 width="800"> | ||
677 | <tr> | ||
678 | <td nowrap bgcolor="#EEEEEE"> | ||
679 | "<b>authentication failure; (uid=0) -> root for sshd service</b>" | ||
680 | </td> | ||
681 | </tr> | ||
682 | </table> | ||
683 | </blockquote> | ||
684 | |||
685 | <p> | ||
686 | These are generated because OpenSSH first tries to determine whether a | ||
687 | user needs authentication to login (e.g. empty password). Unfortunately | ||
688 | PAM likes to log all authentication events, this one included. | ||
689 | |||
690 | <p> | ||
691 | If it annoys you too much, set "<b>PermitEmptyPasswords no</b>" | ||
692 | in <i>sshd_config</i>. This will quiet the error message at the expense | ||
693 | of disabling logins to accounts with no password set. | ||
694 | This is the default if you use the supplied <i>sshd_config</i> file. | ||
695 | |||
696 | <h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2> | ||
697 | |||
698 | <p> | ||
699 | To enable empty passwords with a version of OpenSSH built with PAM you | ||
700 | must add the flag nullok to the end of the password checking module | ||
701 | in the <i>/etc/pam.d/sshd</i> file. For example: | ||
702 | |||
703 | <blockquote> | ||
704 | <table border=0 width="800"> | ||
705 | <tr> | ||
706 | <td nowrap bgcolor="#EEEEEE"> | ||
auth required /lib/security/pam_unix.so shadow nodelay nullok
708 | </td> | ||
709 | </tr> | ||
710 | </table> | ||
711 | </blockquote> | ||
712 | |||
713 | <p> | ||
714 | This must be done in addition to setting "<b>PermitEmptyPasswords | ||
715 | yes</b>" in the <i>sshd_config</i> file. | ||
716 | |||
717 | <p> | ||
718 | There is one caveat when using empty passwords with PAM authentication: | ||
719 | PAM will allow any password when authenticating an account with an empty | ||
720 | password. This breaks the check that | ||
721 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | ||
722 | uses to determine whether an account has no password set and grant | ||
723 | users access to the account regardless of the policy specified by | ||
724 | <b>PermitEmptyPasswords</b>. For this reason, it is recommended that you | ||
725 | do not add the <b>nullok</b> directive to your PAM configuration file | ||
726 | unless you specifically wish to allow empty passwords. | ||
727 | |||
728 | |||
729 | <h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log | ||
730 | in</a></h2> | ||
731 | |||
732 | <p> | ||
Large delays (more than 10 seconds) are typically caused by a problem with
name resolution:
<ul>
<li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
can take a long time to resolve "IPv6 or IPv4" addresses from domain
names. This can be worked around by specifying the <b>AddressFamily
inet</b> option in <i>ssh_config</i>.</li>
740 | |||
741 | <li>There may be a DNS lookup problem, either at the client or server. | ||
742 | You can use the <code>nslookup</code> command to check this on both client | ||
743 | and server by looking up the other end's name and IP address. In | ||
744 | addition, on the server look up the name returned by the client's | ||
745 | IP-name lookup. You can disable most of the server-side lookups by | ||
746 | setting <b>UseDNS no</b> in <i>sshd_config</i>.</li> | ||
747 | </ul> | ||
748 | |||
749 | <p> | ||
750 | Delays less than 10 seconds can have other causes. | ||
751 | |||
752 | <ul> | ||
753 | |||
<li>OpenSSH releases prior to 3.8 shipped a <i>moduli</i> file whose
moduli were just smaller than what sshd would look for, and
as a result sshd would end up using moduli significantly larger
than requested, which resulted in a speed penalty. Replacing the
<i>moduli</i> file will resolve this (note that in most cases this
file will not be replaced during an upgrade and must be replaced
manually).</li>
761 | |||
762 | <li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that | ||
763 | would cause it to request moduli larger than intended (which when | ||
764 | combined with the above resulted in significant slowdowns). | ||
765 | Upgrading the client to 3.8 or higher will resolve this issue.</li> | ||
766 | |||
767 | <li>If either the client or server lack a kernel-based random number | ||
768 | device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no | ||
769 | substitute is available (eg <a href= | ||
770 | "ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that | ||
771 | one of the programs called by <code>ssh-rand-helper</code> to | ||
772 | generate entropy is hanging. This can be investigated by running | ||
773 | it in debug mode: | ||
774 | |||
775 | <blockquote> | ||
776 | <table border=0 width="800"> | ||
777 | <tr> | ||
778 | <td nowrap bgcolor="#EEEEEE"> | ||
779 | /usr/local/libexec/ssh-rand-helper -vvv | ||
780 | </td> | ||
781 | </tr> | ||
782 | </table> | ||
783 | </blockquote> | ||
784 | |||
785 | Any significant delays should be investigated and rectified, or the | ||
786 | corresponding commands should be removed from <i>ssh_prng_cmds</i>. | ||
787 | </li> | ||
788 | |||
789 | </ul> | ||
790 | |||
791 | <h3>How slow is "slow"?</h3> | ||
Under normal conditions, the speed of SSH logins is dependent on the
CPU speed of client and server. For comparison the following are
typical connect times for <code>time ssh localhost true</code>
with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and
OpenSSL were compiled with gcc 3.3.x.
797 | |||
798 | <p> | ||
799 | <table> | ||
800 | <tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th> | ||
801 | <th>Time (SSHv2)</th></tr> | ||
802 | <tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr> | ||
803 | <tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td> | ||
804 | <td>0.79 sec</td></tr> | ||
805 | <tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr> | ||
806 | <tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr> | ||
807 | <tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr> | ||
808 | </table> | ||
809 | |||
810 | <br> | ||
811 | |||
812 | <a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is | ||
813 | cryptographically weaker than SSHv2.<br> | ||
814 | |||
815 | <a name="3.3fn2">[2]</a> At the time of writing, gcc generates | ||
816 | relatively slow code on HPPA for RSA and Diffie-Hellman operations | ||
817 | (see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc | ||
818 | bug #7625</a> and <a | ||
819 | href="http://marc.info/?l=openssh-unix-dev&m=102646106016694"> | ||
820 | discussion on openssh-unix-dev</a>). | ||
821 | |||
822 | <h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2> | ||
823 | |||
824 | <p> | ||
825 | The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). | ||
826 | Either load the appropriate kernel module, enter the correct alias in | ||
827 | <i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>. | ||
828 | |||
829 | |||
830 | <p> | ||
831 | For some silly reason <i>/etc/modules.conf</i> may also be named | ||
832 | <i>/etc/conf.modules</i>. | ||
833 | |||
834 | |||
835 | <h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2> | ||
836 | |||
837 | <p> | ||
If the password is correct but the login is still denied, the
usual cause is that the system is configured to use MD5-type passwords
but the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3"
>crypt(3)</a> function used by sshd doesn't understand them.
843 | |||
844 | <p> | ||
845 | Affected accounts will have password strings in <i>/etc/passwd</i> | ||
846 | or <i>/etc/shadow</i> that start with <b>$1$</b>. | ||
847 | If password authentication fails for new accounts or accounts with | ||
848 | recently changed passwords, but works for old accounts, this is the | ||
849 | likely culprit. | ||
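<p>
As an added example (not from the OpenSSH FAQ), a way to list the affected
accounts from a shadow file. It goes one step beyond the FAQ by naming the
hash scheme behind every prefix, so you can see at a glance which accounts
a crypt(3) that only knows traditional DES cannot verify. The shadow lines
are constructed sample data; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenSSH FAQ: find the accounts the FAQ says will
# be affected (hashes starting with $1$) in a shadow file, and, going a step
# beyond the FAQ, name the scheme of every hash by its prefix so you can see
# which accounts a DES-only crypt(3) cannot verify.  The shadow lines below
# are constructed sample data, not real hashes.

# hash_scheme <hash-field>: print the crypt(3) scheme implied by the prefix
hash_scheme() {
    case $1 in
        '')                      echo empty  ;;   # no password set at all
        '*'|'!'*)                echo locked ;;   # account locked
        '$1$'*)                  echo md5    ;;   # the $1$ case from the FAQ
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        *)                       echo des    ;;   # traditional 13-char crypt
    esac
}

# find_md5_password_accounts <shadow-file>: user names whose hash is $1$...
find_md5_password_accounts() {
    awk -F: 'index($2, "$1$") == 1 { print $1 }' "$1"
}

# audit_shadow <shadow-file>: one "user scheme" line per account
audit_shadow() {
    while IFS=: read -r user hash rest; do
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done < "$1"
}

# Constructed sample shadow file (the hash bodies are placeholders).
sample_shadow=$(mktemp)
trap 'rm -f "$sample_shadow"' EXIT
cat > "$sample_shadow" <<'EOF'
root:$1$saltsalt$0123456789abcdefghijkl:13000:0:99999:7:::
olduser:ab3Jj7e9ZR0kI:12000:0:99999:7:::
newuser:$1$abcdefgh$lkjihgfedcba9876543210:13100:0:99999:7:::
nobody:*:12000:0:99999:7:::
EOF

audit_shadow "$sample_shadow"
echo "accounts with MD5 hashes: $(find_md5_password_accounts "$sample_shadow" | tr '\n' ' ')"
```

On a real system run <code>audit_shadow /etc/shadow</code> as root; every
account reported as anything other than <code>des</code> needs a crypt(3)
that understands that scheme.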
850 | |||
851 | <p> | ||
The underlying cause is that some versions of OpenSSL have a crypt(3)
function that does not understand MD5 passwords, and the link order of
sshd means that OpenSSL's crypt(3) is used instead of the system's.
OpenSSH's configure attempts to correct for this but is not always
successful.
857 | |||
858 | <p> | ||
859 | There are several possible solutions: | ||
860 | |||
861 | <ul> | ||
862 | <li> | ||
863 | <p> | ||
864 | Enable sshd's built-in support for MD5 passwords at build time. | ||
865 | |||
866 | <blockquote> | ||
867 | <table border=0 width="800"> | ||
868 | <tr> | ||
869 | <td nowrap bgcolor="#EEEEEE"> | ||
870 | ./configure --with-md5-passwords [options] | ||
871 | </td> | ||
872 | </tr> | ||
873 | </table> | ||
874 | </blockquote> | ||
875 | |||
This is safe even if you have accounts with both types of password hash,
as sshd will select the correct algorithm for each account automatically.
878 | |||
879 | <li> | ||
880 | <p> | ||
881 | If your system has a separate libcrypt library (eg Slackware 7) then you | ||
882 | can manually add -lcrypt to the LIBS list so it's used instead of | ||
883 | OpenSSL's: | ||
884 | |||
885 | <blockquote> | ||
886 | <table border=0 width="800"> | ||
887 | <tr> | ||
888 | <td nowrap bgcolor="#EEEEEE"> | ||
889 | LIBS=-lcrypt ./configure [options] | ||
890 | </td> | ||
891 | </tr> | ||
892 | </table> | ||
893 | </blockquote> | ||
894 | |||
895 | <li> | ||
896 | <p> | ||
If your platform supports PAM, you may configure sshd to use it
(see <a href= "#3.15" >section 3.15</a>). sshd will then
not verify passwords itself but will defer to the configured PAM modules.
900 | </ul> | ||
901 | |||
902 | <h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2> | ||
903 | |||
904 | <p> | ||
905 | Ensure that your OpenSSL libraries have been built to include RSA or DSA | ||
906 | support either internally or through RSAref. | ||
907 | |||
908 | |||
909 | <h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2> | ||
910 | |||
911 | <p> | ||
912 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | ||
913 | must be in the default PATH on both the client and the server. You may | ||
914 | need to use the <b>--with-default-path</b> option to specify a custom | ||
915 | path to search on the server. This option replaces the default path, | ||
916 | so you need to specify all the current directories on your path as well | ||
917 | as where you have installed scp. For example: | ||
918 | |||
919 | <blockquote> | ||
920 | <table border=0 width="800"> | ||
921 | <tr> | ||
922 | <td nowrap bgcolor="#EEEEEE"> | ||
923 | $ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b> | ||
924 | </td> | ||
925 | </tr> | ||
926 | </table> | ||
927 | </blockquote> | ||
928 | |||
929 | <p> | ||
930 | Note that configuration by the server's admin will take precedence over the | ||
931 | setting of <b>--with-default-path</b>. This includes resetting PATH in | ||
932 | <i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and | ||
933 | above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or | ||
934 | Reliant Unix. | ||
935 | |||
936 | <h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2> | ||
937 | |||
938 | <p> | ||
939 | Some operating systems set <i>/dev/tty</i> with incorrect modes, causing | ||
940 | the reading of passwords to fail with the following error: | ||
941 | |||
942 | <blockquote> | ||
943 | <table border=0 width="800"> | ||
944 | <tr> | ||
945 | <td nowrap bgcolor="#EEEEEE"> | ||
946 | You have no controlling tty. Cannot read passphrase. | ||
947 | </td> | ||
948 | </tr> | ||
949 | </table> | ||
950 | </blockquote> | ||
951 | |||
952 | <p> | ||
953 | The solution to this is to reset the permissions on <i>/dev/tty</i> | ||
954 | to mode 0666 and report the error as a bug to your OS vendor. | ||
955 | |||
956 | |||
957 | <h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2> | ||
958 | |||
959 | <p> | ||
960 | If there is no 'configure' file in the tar.gz file that you downloaded | ||
961 | or make fails with "missing separator" errors, you have probably | ||
962 | downloaded the OpenBSD distribution of OpenSSH and are attempting to | ||
963 | compile it on another platform. Please refer to the information on the | ||
964 | <a href="http://www.openssh.org/portable.html">portable version</a>. | ||
965 | |||
966 | |||
967 | <h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2> | ||
968 | |||
969 | <p> | ||
970 | OpenSSH may hang when exiting. This can occur when there is an active | ||
971 | background process. This is known to occur on Linux and HP-UX. | ||
972 | The problem can be verified by doing the following: | ||
973 | |||
974 | <blockquote> | ||
975 | <table border=0 width="800"> | ||
976 | <tr> | ||
977 | <td nowrap bgcolor="#EEEEEE"> | ||
978 | $ <b>sleep 20 & exit</b> | ||
979 | </td> | ||
980 | </tr> | ||
981 | </table> | ||
982 | </blockquote> | ||
983 | |||
984 | Try to use this instead: | ||
985 | <blockquote> | ||
986 | <table border=0 width="800"> | ||
987 | <tr> | ||
988 | <td nowrap bgcolor="#EEEEEE"> | ||
989 | $ <b>sleep 20 < /dev/null > /dev/null 2>&1 &</b> | ||
990 | </td> | ||
991 | </tr> | ||
992 | </table> | ||
993 | </blockquote> | ||
994 | |||
995 | <p> | ||
996 | A work around for bash users is to place <b>"shopt -s huponexit"</b> | ||
997 | in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's | ||
998 | man page for an option to enable it to send a HUP signal to active | ||
999 | jobs when exiting. See <a | ||
1000 | href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a> | ||
1001 | for other workarounds. | ||
1002 | |||
1003 | <h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2> | ||
1004 | |||
1005 | <p> | ||
1006 | When executing | ||
1007 | <blockquote> | ||
1008 | <table border=0 width="800"> | ||
1009 | <tr> | ||
1010 | <td nowrap bgcolor="#EEEEEE"> | ||
1011 | $ <b>ssh host command</b> | ||
1012 | </td> | ||
1013 | </tr> | ||
1014 | </table> | ||
1015 | </blockquote> | ||
1016 | ssh <b>needs</b> to hang, because it needs to wait: | ||
1017 | <ul> | ||
1018 | <li> | ||
1019 | until it can be sure that <code>command</code> does not need | ||
1020 | more input. | ||
1021 | <li> | ||
1022 | until it can be sure that <code>command</code> does not produce | ||
1023 | more output. | ||
1024 | <li> | ||
1025 | until <code>command</code> exits because sshd needs to tell | ||
1026 | the exit status from <code>command</code> to ssh. | ||
1027 | </ul> | ||
1028 | <p> | ||
1029 | |||
1030 | <h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 | ||
1031 | forwarding stopped working.</a></h2> | ||
1032 | |||
1033 | Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on | ||
1034 | localhost by default; see the sshd <b>X11UseLocalhost</b> option to | ||
1035 | revert to prior behaviour if your older X11 clients do not function | ||
1036 | with this configuration.<p> | ||
1037 | |||
1038 | In general, X11 clients using X11 R6 should work with the default | ||
1039 | setting. Some vendors, including HP, ship X11 clients with R6 | ||
1040 | and R5 libs, so some clients will work, and others will not work. | ||
1041 | This is true for HP-UX 11.X.<p> | ||
1042 | |||
1043 | <h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some | ||
1044 | X11 programs stopped working.</a></h2> | ||
1045 | |||
1046 | <p> | ||
1047 | As documented in the <a href="http://www.openssh.org/txt/release-3.8">3.8 release notes</a>, | ||
1048 | <code>ssh</code> will now use untrusted X11 cookies by | ||
1049 | default. The previous behaviour can be restored by setting | ||
1050 | <b>ForwardX11Trusted yes</b> in <i>ssh_config</i>. | ||
1051 | |||
1052 | <p> | ||
1053 | Possible symptoms include:<br> | ||
1054 | <code>BadWindow (invalid Window parameter)<br> | ||
1055 | BadAccess (attempt to access private resource denied)<br> | ||
1056 | X Error of failed request: BadAtom (invalid Atom parameter)<br> | ||
1057 | Major opcode of failed request: 20 (X_GetProperty)<br></code> | ||
1058 | |||
1059 | <h2><a name= "3.14">3.14 - I copied my public key to authorized_keys | ||
1060 | but public-key authentication still doesn't work.</a></h2> | ||
1061 | |||
1062 | <p> | ||
1063 | Typically this is caused by the file permissions on $HOME, $HOME/.ssh or | ||
1064 | $HOME/.ssh/authorized_keys being more permissive than sshd allows by default. | ||
1065 | |||
1066 | <p> | ||
1067 | In this case, it can be solved by executing the following on the server. | ||
1068 | <blockquote> | ||
1069 | <table border=0 width="800"> | ||
1070 | <tr> | ||
1071 | <td nowrap bgcolor="#EEEEEE"> | ||
1072 | $ <b>chmod go-w $HOME $HOME/.ssh</b><br> | ||
1073 | $ <b>chmod 600 $HOME/.ssh/authorized_keys</b> | ||
1074 | </td> | ||
1075 | </tr> | ||
1076 | </table> | ||
1077 | </blockquote> | ||
1078 | |||
1079 | <p> | ||
1080 | If this is not possible for some reason, an alternative is to set | ||
1081 | <b>StrictModes no</b> in <i>sshd_config</i>, however this is not | ||
1082 | recommended. | ||
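<p>
As an added example (not from the OpenSSH FAQ), a diagnostic that performs
the checks sshd applies under <b>StrictModes</b> to the files leading to
<i>authorized_keys</i>, so you can see what to fix instead of switching the
check off. It assumes the default location
<i>$HOME/.ssh/authorized_keys</i> and checks the two conditions the FAQ's
chmod commands establish: each path is owned by the user (or root) and is
neither group- nor world-writable. The function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the OpenSSH FAQ: the ownership and write-permission
# checks sshd performs under StrictModes (its default) on the files leading
# to authorized_keys, as a diagnostic you can run as the user before
# changing anything.  Assumptions: the default location
# $HOME/.ssh/authorized_keys, and that "owned by the user or by root" and
# "not group- or world-writable" are the conditions that matter, which is
# what the FAQ's chmod commands establish.

# check_ssh_perms [home] [uid]: print each problem found; return 0 if none.
check_ssh_perms() {
    home=${1:-$HOME}
    user=${2:-$(id -u)}
    bad=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            bad=1
            continue
        fi
        # -perm -020: group write bit set; -perm -002: other write bit set.
        # -prune keeps find from descending into directories.
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $f  (fix: chmod go-w '$f')"
            bad=1
        fi
        if [ -n "$(find "$f" -prune ! \( -user "$user" -o -user 0 \) -print)" ]; then
            echo "not owned by uid $user or root: $f"
            bad=1
        fi
    done
    return "$bad"
}
```

Run <code>check_ssh_perms</code> on the server as the user who cannot log
in; an empty output and exit status 0 means the permissions are not the
problem and the cause lies elsewhere (key mismatch, wrong file name,
<b>PubkeyAuthentication no</b>).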
1083 | |||
1084 | <h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2> | ||
1085 | |||
1086 | Portable OpenSSH has a configure-time option to enable sshd's use of the | ||
1087 | <a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a> | ||
1088 | (Pluggable Authentication Modules) interface. | ||
1089 | |||
1090 | <blockquote> | ||
1091 | <table border=0 width="800"> | ||
1092 | <tr> | ||
1093 | <td nowrap bgcolor="#EEEEEE"> | ||
1094 | ./configure --with-pam [options] | ||
1095 | </td> | ||
1096 | </tr> | ||
1097 | </table> | ||
1098 | </blockquote> | ||
1099 | |||
1100 | To use PAM at all, this option must be provided at build time. | ||
1101 | The run-time behaviour when PAM is built in varies with the version of | ||
1102 | Portable OpenSSH, and on later versions it must also be enabled by setting | ||
1103 | <b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>. | ||
1104 | |||
1105 | <p> | ||
The behaviour of the relevant authentication options when PAM support is built
in is summarised by the following table.
1108 | |||
1109 | <p> | ||
1110 | <table border="1"> | ||
1111 | <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr> | ||
1112 | <tr> | ||
1113 | <td><=3.6.1p2</td> | ||
1114 | <td>Not applicable</td> | ||
1115 | <td>Uses PAM</td> | ||
1116 | <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td> | ||
1117 | </tr> | ||
1118 | <tr> | ||
1119 | <td>3.7p1 - 3.7.1p1</td> | ||
1120 | <td>Defaults to <b>yes</b></td> | ||
1121 | <td>Does not use PAM</td> | ||
1122 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1123 | </tr> | ||
1124 | <tr> | ||
1125 | <td>3.7.1p2 - 3.8.1p1</td> | ||
1126 | <td>Defaults to <b>no</b></td> | ||
1127 | <td>Does not use PAM <a href="#3.15fn1">[1]</a></td> | ||
1128 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1129 | </tr> | ||
1130 | <tr> | ||
1131 | <td>3.9p1</td> | ||
1132 | <td>Defaults to <b>no</b></td> | ||
1133 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1134 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1135 | </tr> | ||
1136 | </table> | ||
1137 | <p> | ||
1138 | |||
<a name= "3.15fn1">[1]</a> Some vendors, notably Red Hat/Fedora, have
backported the 3.9p1 <b>PasswordAuthentication</b>-via-PAM behaviour to their
3.8.x-based packages. If you're using a vendor-supplied package then consult
their documentation.
1143 | |||
1144 | <p> | ||
1145 | OpenSSH Portable's PAM interface still has problems with a few modules, | ||
1146 | however we hope that this number will reduce in the future. As at the | ||
1147 | 3.9p1 release, the known problems are: | ||
1148 | |||
1149 | <ul> | ||
1150 | <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS) | ||
1151 | may fail to correctly establish credentials (bug <a | ||
1152 | href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when | ||
1153 | authenticating via <b>ChallengeResponseAuthentication</b>. | ||
1154 | <b>PasswordAuthentication</b> with 3.9p1 and above should work. | ||
1155 | </ul> | ||
1156 | |||
1157 | You can also check <a | ||
1158 | href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&bug_status=RESOLVED&bug_status=NEW&bug_status=ACCEPTED&component=PAM+support" | ||
1159 | >bugzilla for current PAM issues</a>. | ||
1160 | |||
1161 | <h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users | ||
1162 | logged in via ssh?</a></h2> | ||
1163 | |||
1164 | Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This | ||
1165 | means that sshd binaries built on AIX 4.x will not correctly write wtmp | ||
1166 | entries when run on AIX 5.x. This can be fixed by simply recompiling | ||
1167 | sshd on an AIX 5.x system and using that. | ||
1168 | |||
1169 | <hr> | ||
1170 | <a href="http://www.openssh.org/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a> | ||
1171 | <a href="mailto:www@openbsd.org">www@openbsd.org</a> | ||
1172 | <br> | ||
1173 | <small>$OpenBSD: faq.html,v 1.107 2007/06/20 18:14:15 miod Exp $</small> | ||
1174 | |||
1175 | </body> | ||
1176 | </html> | ||