summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog3
-rw-r--r--debian/faq.html1176
-rwxr-xr-xdebian/rules5
3 files changed, 1183 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index a027912ca..77f71d580 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -40,6 +40,9 @@ openssh (1:4.7p1-1) UNRELEASED; urgency=low
40 - pam_end() was not being called if authentication failed 40 - pam_end() was not being called if authentication failed
41 (closes: #405041). 41 (closes: #405041).
42 - Manual page datestamps updated (closes: #433181). 42 - Manual page datestamps updated (closes: #433181).
43 * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
44 - Includes documentation on copying files with colons using scp
45 (closes: #303453).
43 46
44 -- Colin Watson <cjwatson@debian.org> Sun, 23 Dec 2007 12:53:46 +0000 47 -- Colin Watson <cjwatson@debian.org> Sun, 23 Dec 2007 12:53:46 +0000
45 48
diff --git a/debian/faq.html b/debian/faq.html
new file mode 100644
index 000000000..2c4ce4254
--- /dev/null
+++ b/debian/faq.html
@@ -0,0 +1,1176 @@
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2<html>
3<head>
4<title>OpenSSH FAQ</title>
5<link rev= "made" href= "mailto:www@openbsd.org">
6<meta name= "resource-type" content= "document">
7<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
8<meta name= "description" content= "the OpenSSH FAQ page">
9<meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq">
10<meta name= "distribution" content= "global">
11<meta name= "copyright" content= "This document copyright 1999-2005 OpenBSD.">
12</head>
13
14<body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
15<a href="index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
16<p>
17
18<h1>OpenSSH FAQ (Frequently asked questions)</h1>
19
20<strong>Date: 2005/09/20</strong>
21
22<hr>
23
24<blockquote>
25<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
26<ul>
27<li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a>
28<li><a href= "#1.2">1.2 - Why should it be used?</a>
29<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
30<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
31<li><a href= "#1.5">1.5 - Where should I ask for help?</a>
32</ul>
33
34<h3><a href= "#2.0">2.0 - General Questions</a></h3>
35<ul>
36<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a>
37<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
38<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
39<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
40<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
41<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
42<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
43<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
44<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
45<li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a>
46<li><a href= "#2.11">2.11 - How do I use port forwarding?</a>
47<li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a>
48<li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a>
49<li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a>
50</ul>
51
52<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
53<ul>
54<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
55<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
56<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a>
57<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
58<li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a>
59<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
60<li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
61<li><a href= "#3.8">3.8 - Unable to read passphrase</a>
62<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
63<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
64<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
65<li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
66<li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a>
67<li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a>
68<li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a>
69<li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a>
70</ul>
71
72</blockquote>
73
74<hr>
75
76<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>
77
78<h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2>
79
80<p>
81OpenSSH is a <b>FREE</b> version of the SSH suite of network connectivity
82tools that increasing numbers of people on the Internet are coming to
83rely on. Many users of telnet, rlogin, ftp, and other such programs might
84not realize that their password is transmitted across the Internet
85unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
86to effectively eliminate eavesdropping, connection hijacking,
87and other network-level attacks.
88
89<p>
90The OpenSSH suite includes the
91<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>
92program which replaces rlogin and telnet, and
93<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
94which replaces
95<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&amp;sektion=1">rcp(1)</a> and
96<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&amp;sektion=1">ftp(1)</a>.
97OpenSSH has also added
98<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> and
99<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a>
100which implement an easier solution for file-transfer. This is based upon the
101<a href="txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.
102
103
104<p><strong>OpenSSH consists of a number of programs.</strong>
105
106<ul>
107<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
108Its behaviour is controlled by the config file <i><a
109href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
110sshd_config(5)</a></i>.
111<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
112Its behaviour is controlled by the global config file <i><a
113href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
114ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files.
115<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> - Securely copies files from one machine to another.
116<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
117<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication.
118<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
119<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a> - SFTP server subsystem.
120<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> - Secure file transfer program.
121<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&amp;sektion=1">ssh-keyscan(1)</a> - gather ssh public keys.
122<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&amp;sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
123</ul>
124
125<h3>Downloading</h3>
126
127<p>
128OpenSSH comes in two downloadable distributions: the native <a
129href="openbsd.html">OpenBSD</a> distribution and the multi-platform
130<a href="portable.html">Portable</a> distribution. If you want
131OpenSSH for a recent OpenBSD or integration into a product, you
132probably want the <a href="openbsd.html">OpenBSD</a> distribution.
133If you want OpenSSH for another platform, or an older OpenBSD, you
134probably want the <a href="portable.html">Portable</a> distribution.
135
136<p>
137When downloading, please use a <a href="portable.html#mirrors">mirror</a>
138near you.
139
140<h2><a name= "1.2">1.2 - Why should it be used?</a></h2>
141
142<p>
143OpenSSH is a suite of tools to help secure your network
144connections. Here is a list of features:
145
146
147<ul>
148 <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
149 <li>Improved privacy. All communications are automatically and transparently encrypted.
150 <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
151 <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
152 <li>No retraining needed for normal users.
153 <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
154 <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
155 <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine.
156 <li>Any user can create any number of user authentication RSA keys for his/her own use.
157 <li>The server program has its own server RSA key which is automatically regenerated every hour.
158 <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
159 <li>The software can be installed and used (with restricted functionality) even without root privileges.
160 <li>The client is customizable in system-wide and per-user configuration files.
161 <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
162 <li>Complete replacement for rlogin, rsh, and rcp.
163</ul>
164
165<p>
166Currently, almost all communications in computer networks are done
167without encryption. As a consequence, anyone who has access to any
168machine connected to the network can listen in on any communication.
169This is being done by hackers, curious administrators, employers,
170criminals, industrial spies, and governments. Some networks leak off
171enough electromagnetic radiation that data may be captured even from a
172distance.
173
174
175<p>
176When you log in, your password goes in the network in plain
177text. Thus, any listener can then use your account to do any evil he
178likes. Many incidents have been encountered worldwide where crackers
179have started programs on workstations without the owner's knowledge
180just to listen to the network and collect passwords. Programs for
181doing this are available on the Internet, or can be built by a
182competent programmer in a few hours.
183
184
185<p>
186Businesses have trade secrets, patent applications in preparation,
187pricing information, subcontractor information, client data, personnel
188data, financial information, etc. Currently, anyone with access to
189the network (any machine on the network) can listen to anything that
190goes in the network, without any regard to normal access restrictions.
191
192
193<p>
194Many companies are not aware that information can so easily be
195recovered from the network. They trust that their data is safe
196since nobody is supposed to know that there is sensitive information
197in the network, or because so much other data is transferred in the
198network. This is not a safe policy.
199
200
201<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>
202
203<p>
204Even though OpenSSH is developed on
205<a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of
206ports to other operating systems exist. The portable version of OpenSSH
207is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>.
208For a quick overview of the portable version of OpenSSH see
209<a href="portable.html">OpenSSH Portable Release</a>.
210Currently, the supported operating systems are:
211
212
213<ul>
214 <li>OpenBSD
215 <li>NetBSD
216 <li>FreeBSD
217 <li>AIX
218 <li>HP-UX
219 <li>IRIX
220 <li>Linux
221 <li>NeXT
222 <li>SCO
223 <li>SNI/Reliant Unix
224 <li>Solaris
225 <li>Digital Unix/Tru64/OSF
226 <li>Mac OS X
227 <li>Cygwin
228</ul>
229
230<p>
231A list of vendors that include OpenSSH in their distributions
232is located in the <a href="users.html">OpenSSH Users page</a>.
233
234<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
235<p>
236The OpenSSH developers have tried very hard to keep OpenSSH free of any
237patent or copyright problems. To do this, some options had to be
238stripped from OpenSSH. Namely support for patented algorithms.
239
240<p>
241OpenSSH does not support any patented transport algorithms. In SSH1 mode,
242only 3DES and Blowfish are available options. In SSH2 mode, only 3DES,
243Blowfish, CAST128, Arcfour and AES can be selected.
244The patented IDEA algorithm is not supported.
245
246<p>
247OpenSSH provides support for both SSH1 and SSH2 protocols.
248
249<p>
250Since the RSA patent has expired, there are no restrictions on the use
251of RSA algorithm using software, including OpenBSD.
252
253<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
254<p>
255There are many places to turn to for help. In addition to the main
256<a href="index.html">OpenSSH website</a>,
257there are many mailing lists to try. Before trying any mailing lists,
258please search through all mailing list archives to see if your question
259has already been answered. The OpenSSH Mailing List has been archived and
260put in searchable form and can be found at
261<a href="http://marc.info/?l=openssh-unix-dev&amp;r=1&amp;w=2">marc.info</a>.
262
263<p>
264For more information on subscribing to OpenSSH related mailing lists,
265please see <a href="list.html">OpenSSH Mailing lists</a>.
266
267<p>
268Information about submitting bug reports can be found at the OpenSSH
269<a href="report.html">Reporting bugs</a> page.
270
271<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>
272
273<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2>
274<p>
275The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa
276authentication because the server needs to trust the username provided by
277the client. To get around this, you can add the below example to your
278<i>ssh_config</i> or <i>~/.ssh/config</i> file.
279
280
281<blockquote>
282<table border=0 width="800">
283 <tr>
284 <td nowrap bgcolor="#EEEEEE">
285<b>UsePrivilegedPort no</b>
286 </td>
287 </tr>
288</table>
289</blockquote>
290
291<p>
292Or you can specify this option on the command line, using the <b>-o</b>
293option to
294<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> command.
295
296<blockquote>
297<table border=0 width="800">
298 <tr>
299 <td nowrap bgcolor="#EEEEEE">
300$ <b>ssh -o "UsePrivilegedPort no" host.com</b>
301 </td>
302 </tr>
303</table>
304</blockquote>
305
306<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>
307
308<p>
309In conjunction with the previous question, (<a href="#2.1">2.1</a>)
310OpenSSH needs root authority to be able to bind to low-numbered ports to
311facilitate <i>rhosts authentication</i>.
312A privileged port is also required for rhosts-rsa authentication to older
313SSH releases.
314
315<p>
316Additionally, for both <i>rhosts-rsa authentication</i> (in protocol
317version 1) and <i>hostbased authentication</i> (in protocol version 2)
318the ssh client needs to access the <i>private host key</i> in order to
319authenticate the client machine to the server.
320OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be
321setuid root to enable this, and you may safely remove it if you don't
322want to use these authentication methods.
323
324<p>
325Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a
326href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>,
327is used for access to the private hosts keys, and ssh does not use privileged
328source ports by default. If you wish to use a privileged source port, you must
329manually set the setuid bit on <code>ssh</code>.
330
331<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>
332
333<p>
334SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
335Their code was not supplying the full data block output from the digest,
336and instead always provided 128 bits. For longer digests, this caused
337SSH 2.3 to not interoperate with OpenSSH.
338
339<p>
340OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH
341will have this bug fixed. Or you can add the following to
342SSH 2.3 <i>sshd2_config</i>.
343
344
345<blockquote>
346<table border=0 width="800">
347 <tr>
348 <td nowrap bgcolor="#EEEEEE">
349<b>Mac hmac-md5</b>
350 </td>
351 </tr>
352</table>
353</blockquote>
354
355<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>
356
357<p>
358Problems in interoperation have been seen because older versions of
359OpenSSH did not support session rekeying. However the commercial SSH 2.3
360tries to negotiate this feature, and you might experience connection
361freezes or see the error message &quot;<b>Dispatch protocol error:
362type 20 </b>&quot;.
363To solve this problem, either upgrade to a recent OpenSSH release or
364disable rekeying by adding the following to your commercial SSH 2.3's
365<i>ssh2_config</i> or <i>sshd2_config</i>.
366
367
368<blockquote>
369<table border=0 width="800">
370 <tr>
371 <td nowrap bgcolor="#EEEEEE">
372<b>RekeyIntervalSeconds 0</b>
373 </td>
374 </tr>
375</table>
376</blockquote>
377
378<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>
379
380<p>
381The old versions of SSH used a patented algorithm to encrypt their
382<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as
383<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
384not being able to read its host key. To solve this, use the command below
385to convert your ssh_host_key to use 3DES.
386<b>NOTE:</b> Use the
387<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
388program from the Commercial SSH product, *NOT* OpenSSH for the example
389below.
390
391
392<blockquote>
393<table border=0 width="800">
394 <tr>
395 <td nowrap bgcolor="#EEEEEE">
396# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
397 </td>
398 </tr>
399</table>
400</blockquote>
401
402<h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2>
403
404<p>
405Commercial SSH's
406<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
407program contained a bug which caused it to occasionally generate Pubkey
408Authentication (RSA or DSA) keys which had their Most Significant Bit
409(MSB) unset. Such keys were advertised as being full-length, but are
410actually, half the time, smaller than advertised.
411
412<p>
413OpenSSH will print warning messages when it encounters such keys. To rid
414yourself of these message, edit your <i>known_hosts</i> files and replace the
415incorrect key length (usually "1024") with the correct key length
416(usually "1023").
417
418<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>
419
420<p>
421Check your <i>ssh_config</i> and <i>sshd_config</i>. The default
422configuration files disable authentication agent and X11 forwarding. To
423enable it, put the line below in <i>sshd_config</i>:
424
425<blockquote>
426<table border=0 width="800">
427 <tr>
428 <td nowrap bgcolor="#EEEEEE">
429<b>X11Forwarding yes</b>
430 </td>
431 </tr>
432</table>
433</blockquote>
434
435<p>
436and put the following lines in <i>ssh_config</i>:
437
438<blockquote>
439<table border=0 width="800">
440 <tr>
441 <td nowrap bgcolor="#EEEEEE">
442<b>ForwardAgent yes</b><br>
443<b>ForwardX11 yes</b>
444 </td>
445 </tr>
446</table>
447</blockquote>
448
449<p>
450X11 forwarding requires a working <a
451href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&amp;sektion=1"
452>xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file
453set but will probably be different on other platforms. For OpenSSH
454Portable, xauth must be either found at configure time or specified
455via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5).
456
457<p>
458Note on agent interoperability: There are two different and
459incompatible agent forwarding mechanisms within the SSH2 protocol.
460OpenSSH has always used an extension of the original SSH1 agent
461requests, however some commercial products use a different, non-free
462agent forwarding protocol. This means that agent forwarding cannot
463be used between OpenSSH and those products.
464
465<p>
466<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the
467<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>,
468and thus any bash user's home directory. This variable is set by OpenSSH
469and for either of the above options to work, you need to comment out
470the line:
471
472
473<blockquote>
474<table border=0 width="800">
475 <tr>
476 <td nowrap bgcolor="#EEEEEE">
477<b># export XAUTHORITY=$HOME/.Xauthority</b>
478 </td>
479 </tr>
480</table>
481</blockquote>
482
483<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>
484
485<p>
486Between versions changes can be made to <i>sshd_config</i> or
487<i>ssh_config</i>. You should always check on these changes when upgrading
488versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the
489following to your <i>sshd_config</i>:
490
491
492<blockquote>
493<table border=0 width="800">
494 <tr>
495 <td nowrap bgcolor="#EEEEEE">
496<b>HostKey /etc/ssh_host_dsa_key</b><br>
497<b>HostKey /etc/ssh_host_rsa_key</b>
498 </td>
499 </tr>
500</table>
501</blockquote>
502
503<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>
504
505<p>
506sftp and/or scp may fail at connection time if you have shell
507initialization (.profile, .bashrc, .cshrc, etc) which produces output
508for non-interactive sessions. This output confuses the sftp/scp client.
509You can verify if your shell is doing this by executing:
510
511<blockquote>
512<table border=0 width="800">
513 <tr>
514 <td nowrap bgcolor="#EEEEEE">
515<b>ssh yourhost /usr/bin/true</b>
516 </td>
517 </tr>
518</table>
519</blockquote>
520
521<p>
522If the above command produces any output, then you need to modify your
523shell initialization.
524
525<h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2>
526
527<p>
528Short Answer: no.
529
530<p>
531Long Answer: scp is not standardized. The closest thing it has to a
532specification is "what rcp does". Since the same command is used on both ends
533of the connection, adding features or options risks breaking interoperability with other
534implementations.
535
536<p>
537New features are more likely in sftp, since the protocol is standardized
538(well, a <a href="http://www.ietf.org/html.charters/secsh-charter.html">
539draft standard</a>), extensible, and the client and server are decoupled.
540
541<h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2>
542
543<p>
544If the remote server is running sshd(8), it may be possible to
545``tunnel'' certain services via ssh. This may be desirable, for
546example, to encrypt POP or SMTP connections, even though the software
547does not directly support encrypted communications. Tunnelling uses
548port forwarding to create a connection between the client and server.
549The client software must be able to specify a non-standard port to
550connect to for this to work.
551
552<p>
553The idea is that the user connects to the remote host using ssh,
554and specifies which port on the client's machine should be used to
555forward connections to the remote server. After that it is possible
556to start the service which is to be encrypted (e.g. fetchmail, irc)
557on the client machine, specifying the same local port passed to
558ssh, and the connection will be tunnelled through ssh. By default,
559the system running the forward will only accept connections from
560itself.
561
562<p>
563The options most relevant to tunnelling are the -L and -R options,
564which allow the user to forward connections, the -D option, which
565permits dynamic port forwarding, the -g option, which permits other
566hosts to use port forwards, and the -f option, which instructs ssh
567to put itself in the background after authentication. See the <a
568href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1"
569>ssh(1)</a> man page for further details.
570
571<p>
572This is an example of tunnelling an IRC session from client machine
573``127.0.0.1'' (localhost) to remote server ``server.example.com'':
574
575<blockquote>
576<table border=0 width="800">
577 <tr>
578 <td nowrap bgcolor="#EEEEEE">
579<b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br>
580irc -c '#users' -p 1234 pinky 127.0.0.1</b>
581 </td>
582 </tr>
583</table>
584</blockquote>
585
586<p>
587This tunnels a connection to IRC server server.example.com, joining
588channel ``#users'', using the nickname ``pinky''. The local port used
589in this example is 1234. It does not matter which port is used, as
590long as it's greater than 1023 (remember, only root can open sockets on
591privileged ports) and doesn't conflict with any ports already in use.
592The connection is forwarded to port 6667 on the remote server, since
593that's the standard port for IRC services.
594
595<p>
596The remote command ``sleep 10'' was specified to allow an amount
597of time (10 seconds, in the example) to start the service which is to
598be tunnelled. If no connections are made within the time specified,
599ssh will exit. If more time is required, the sleep(1) value can be
600increased appropriately or, alternatively, the example above could
601be added as a function to the user's shell. See ksh(1) and csh(1)
602for more details about user-defined functions.
603
604<p>
605ssh also has an -N option, convenient for use with port forwarding:
606if -N is specified, it is not necessary to specify a remote command
607(``sleep 10'' in the example above). However, use of this option
608causes ssh to wait around for ever (as opposed to exiting after a
609remote command has completed), and the user must take care to manually
610kill(1) the process afterwards.
611
612<h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2>
613
614<p>
615This is usually the result of a packet filter or NAT device
616timing out your TCP connection due to inactivity. You can enable
617<b>ClientAliveInterval</b> in the server's <i><a
618href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
619sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the
620client's <i><a
621href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
622ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer).
623
624<p>
625Enabling either option and setting the interval for less than the time
626it takes to time out your session will ensure that the connection is
627kept "fresh" in the device's connection table.
628
629<h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2>
630
631<b><a
632href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">
633scp</a></b> will interpret the component before the colon to be a remote
634server name and attempt to connect to it. To prevent this, refer to
635the file by a relative or absolute path, eg:
636
637<blockquote>
638<table border=0 width="800">
639 <tr>
640 <td nowrap bgcolor="#EEEEEE">
641$ scp ./source:file sshserver:
642 </td>
643 </tr>
644</table>
645</blockquote>
646
647<h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2>
648
649<p>
650OpenSSH, like most SSH implementations, reports its name and version to clients
651when they connect, e.g.
652</p>
653
654<blockquote>
655SSH-2.0-OpenSSH_3.9
656</blockquote>
657
658<p>
659This information is used by clients and servers to enable protocol
660compatibility tweaks to work around changed, buggy or missing features in
661the implementation they are talking to. This protocol feature checking is
662still required at present because the SSH protocol has not been yet published
663as a RFC and more incompatible changes may be made before this happens.
664</p>
665
666<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>
667
668<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>
669
670<p>
671The portable version of OpenSSH will generate spurious authentication
672failures at every login, similar to:
673
674
675<blockquote>
676<table border=0 width="800">
677 <tr>
678 <td nowrap bgcolor="#EEEEEE">
679&quot;<b>authentication failure; (uid=0) -&gt; root for sshd service</b>&quot;
680 </td>
681 </tr>
682</table>
683</blockquote>
684
685<p>
686These are generated because OpenSSH first tries to determine whether a
687user needs authentication to login (e.g. empty password). Unfortunately
688PAM likes to log all authentication events, this one included.
689
690<p>
691If it annoys you too much, set &quot;<b>PermitEmptyPasswords no</b>&quot;
692in <i>sshd_config</i>. This will quiet the error message at the expense
693of disabling logins to accounts with no password set.
694This is the default if you use the supplied <i>sshd_config</i> file.
695
696<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>
697
698<p>
699To enable empty passwords with a version of OpenSSH built with PAM you
700must add the flag nullok to the end of the password checking module
701in the <i>/etc/pam.d/sshd</i> file. For example:
702
703<blockquote>
704<table border=0 width="800">
705 <tr>
706 <td nowrap bgcolor="#EEEEEE">
707auth required/lib/security/pam_unix.so shadow nodelay nullok
708 </td>
709 </tr>
710</table>
711</blockquote>
712
713<p>
714This must be done in addition to setting &quot;<b>PermitEmptyPasswords
715yes</b>&quot; in the <i>sshd_config</i> file.
716
717<p>
718There is one caveat when using empty passwords with PAM authentication:
719PAM will allow any password when authenticating an account with an empty
720password. This breaks the check that
721<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
722uses to determine whether an account has no password set and grant
723users access to the account regardless of the policy specified by
724<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you
725do not add the <b>nullok</b> directive to your PAM configuration file
726unless you specifically wish to allow empty passwords.
727
728
729<h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log
730in</a></h2>
731
732<p>
733Large delays (more that 10 seconds) are typically caused a problem with
734name resolution:
735<ul>
736<li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
737can take a long time to resolve "IPv6 or IPv4" addresses from domain
738names. This can be worked around with by specifying <b>AddressFamily
739inet</b> option in <i>ssh_config</i>.</li>
740
741<li>There may be a DNS lookup problem, either at the client or server.
742You can use the <code>nslookup</code> command to check this on both client
743and server by looking up the other end's name and IP address. In
744addition, on the server look up the name returned by the client's
745IP-name lookup. You can disable most of the server-side lookups by
746setting <b>UseDNS no</b> in <i>sshd_config</i>.</li>
747</ul>
748
749<p>
750Delays less than 10 seconds can have other causes.
751
752<ul>
753
754<li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with
755moduli that were just smaller than what sshd would look for, and
756as a result, sshd would end up using moduli significantly larger
757than requested, which resulted in a speed penalty. Replacing the
758<i>moduli</i> file will resolve this (note that in most cases this
759file will not be replaced during an upgrade and must be replaced
760manually).</li>
761
762<li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that
763would cause it to request moduli larger than intended (which when
764combined with the above resulted in significant slowdowns).
765Upgrading the client to 3.8 or higher will resolve this issue.</li>
766
767<li>If either the client or server lack a kernel-based random number
768device (eg Solaris &lt; 9, AIX &lt; 5.2, HP-UX &lt; 11.11) and no
769substitute is available (eg <a href=
770"ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that
771one of the programs called by <code>ssh-rand-helper</code> to
772generate entropy is hanging. This can be investigated by running
773it in debug mode:
774
775<blockquote>
776<table border=0 width="800">
777 <tr>
778 <td nowrap bgcolor="#EEEEEE">
779/usr/local/libexec/ssh-rand-helper -vvv
780 </td>
781 </tr>
782</table>
783</blockquote>
784
785Any significant delays should be investigated and rectified, or the
786corresponding commands should be removed from <i>ssh_prng_cmds</i>.
787</li>
788
789</ul>
790
791<h3>How slow is "slow"?</h3>
792Under normal conditions, the speed of SSH logins is dependant on
793CPU speed of client and server. For comparison the following are
794typical connect times for <code>time ssh localhost true</code>
795with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and
796OpenSSL were compiled with gcc 3.3.x.
797
798<p>
799<table>
800<tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th>
801 <th>Time (SSHv2)</th></tr>
802<tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr>
803<tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td>
804 <td>0.79 sec</td></tr>
805<tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr>
806<tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr>
807<tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr>
808</table>
809
810<br>
811
812<a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is
813cryptographically weaker than SSHv2.<br>
814
815<a name="3.3fn2">[2]</a> At the time of writing, gcc generates
816relatively slow code on HPPA for RSA and Diffie-Hellman operations
817(see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc
818bug #7625</a> and <a
819href="http://marc.info/?l=openssh-unix-dev&amp;m=102646106016694">
820discussion on openssh-unix-dev</a>).
821
822<h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>
823
824<p>
825The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
826Either load the appropriate kernel module, enter the correct alias in
827<i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.
828
829
830<p>
831For some silly reason <i>/etc/modules.conf</i> may also be named
832<i>/etc/conf.modules</i>.
833
834
835<h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2>
836
837<p>
838If the password is correct password the login is still denied, the
839usual cause is that the system is configured to use MD5-type passwords
840but the
841<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&amp;sektion=3"
842>crypt(3)</a> function used by sshd doesn't understand them.
843
844<p>
845Affected accounts will have password strings in <i>/etc/passwd</i>
846or <i>/etc/shadow</i> that start with <b>$1$</b>.
847If password authentication fails for new accounts or accounts with
848recently changed passwords, but works for old accounts, this is the
849likely culprit.
850
851<p>
852The underlying cause is that some versions of OpenSSL have a crypt(3)
853function that does not understand MD5 passwords, and the link order of
854sshd means that OpenSSL's crypt(3) is used instead of the system's.
855OpensSSH's configure attempts to correct for this but is not always
856successful.
857
858<p>
859There are several possible solutions:
860
861<ul>
862<li>
863<p>
864Enable sshd's built-in support for MD5 passwords at build time.
865
866<blockquote>
867<table border=0 width="800">
868 <tr>
869 <td nowrap bgcolor="#EEEEEE">
870./configure --with-md5-passwords [options]
871 </td>
872 </tr>
873</table>
874</blockquote>
875
876This is safe even if you have both types of encryption as sshd will
877select the correct algorithm for each account automatically.
878
879<li>
880<p>
881If your system has a separate libcrypt library (eg Slackware 7) then you
882can manually add -lcrypt to the LIBS list so it's used instead of
883OpenSSL's:
884
885<blockquote>
886<table border=0 width="800">
887 <tr>
888 <td nowrap bgcolor="#EEEEEE">
889LIBS=-lcrypt ./configure [options]
890 </td>
891 </tr>
892</table>
893</blockquote>
894
895<li>
896<p>
897If your platforms supports PAM, you may configure sshd to use it
898(see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will
899not verify passwords itself but will defer to the configured PAM modules.
900</ul>
901
902<h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>
903
904<p>
905Ensure that your OpenSSL libraries have been built to include RSA or DSA
906support either internally or through RSAref.
907
908
909<h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>
910
911<p>
912<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
913must be in the default PATH on both the client and the server. You may
914need to use the <b>--with-default-path</b> option to specify a custom
915path to search on the server. This option replaces the default path,
916so you need to specify all the current directories on your path as well
917as where you have installed scp. For example:
918
919<blockquote>
920<table border=0 width="800">
921 <tr>
922 <td nowrap bgcolor="#EEEEEE">
923$ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
924 </td>
925 </tr>
926</table>
927</blockquote>
928
929<p>
930Note that configuration by the server's admin will take precedence over the
931setting of <b>--with-default-path</b>. This includes resetting PATH in
932<i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and
933above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or
934Reliant Unix.
935
936<h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>
937
938<p>
939Some operating systems set <i>/dev/tty</i> with incorrect modes, causing
940the reading of passwords to fail with the following error:
941
942<blockquote>
943<table border=0 width="800">
944 <tr>
945 <td nowrap bgcolor="#EEEEEE">
946You have no controlling tty. Cannot read passphrase.
947 </td>
948 </tr>
949</table>
950</blockquote>
951
952<p>
953The solution to this is to reset the permissions on <i>/dev/tty</i>
954to mode 0666 and report the error as a bug to your OS vendor.
955
956
957<h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>
958
959<p>
960If there is no 'configure' file in the tar.gz file that you downloaded
961or make fails with "missing separator" errors, you have probably
962downloaded the OpenBSD distribution of OpenSSH and are attempting to
963compile it on another platform. Please refer to the information on the
964<a href="portable.html">portable version</a>.
965
966
967<h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>
968
969<p>
970OpenSSH may hang when exiting. This can occur when there is an active
971background process. This is known to occur on Linux and HP-UX.
972The problem can be verified by doing the following:
973
974<blockquote>
975<table border=0 width="800">
976 <tr>
977 <td nowrap bgcolor="#EEEEEE">
978$ <b>sleep 20 &amp; exit</b>
979 </td>
980 </tr>
981</table>
982</blockquote>
983
984Try to use this instead:
985<blockquote>
986<table border=0 width="800">
987 <tr>
988 <td nowrap bgcolor="#EEEEEE">
989$ <b>sleep 20 &lt; /dev/null &gt; /dev/null 2&gt;&amp;1 &amp;</b>
990 </td>
991 </tr>
992</table>
993</blockquote>
994
995<p>
996A work around for bash users is to place <b>"shopt -s huponexit"</b>
997in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's
998man page for an option to enable it to send a HUP signal to active
999jobs when exiting. See <a
1000href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a>
1001for other workarounds.
1002
1003<h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>
1004
1005<p>
1006When executing
1007<blockquote>
1008<table border=0 width="800">
1009 <tr>
1010 <td nowrap bgcolor="#EEEEEE">
1011$ <b>ssh host command</b>
1012 </td>
1013 </tr>
1014</table>
1015</blockquote>
1016ssh <b>needs</b> to hang, because it needs to wait:
1017<ul>
1018<li>
1019until it can be sure that <code>command</code> does not need
1020more input.
1021<li>
1022until it can be sure that <code>command</code> does not produce
1023more output.
1024<li>
1025until <code>command</code> exits because sshd needs to tell
1026the exit status from <code>command</code> to ssh.
1027</ul>
1028<p>
1029
1030<h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
1031forwarding stopped working.</a></h2>
1032
1033Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
1034localhost by default; see the sshd <b>X11UseLocalhost</b> option to
1035revert to prior behaviour if your older X11 clients do not function
1036with this configuration.<p>
1037
1038In general, X11 clients using X11 R6 should work with the default
1039setting. Some vendors, including HP, ship X11 clients with R6
1040and R5 libs, so some clients will work, and others will not work.
1041This is true for HP-UX 11.X.<p>
1042
1043<h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some
1044X11 programs stopped working.</a></h2>
1045
1046<p>
1047As documented in the <a href="txt/release-3.8">3.8 release notes</a>,
1048<code>ssh</code> will now use untrusted X11 cookies by
1049default. The previous behaviour can be restored by setting
1050<b>ForwardX11Trusted yes</b> in <i>ssh_config</i>.
1051
1052<p>
1053Possible symptoms include:<br>
1054<code>BadWindow (invalid Window parameter)<br>
1055BadAccess (attempt to access private resource denied)<br>
1056X Error of failed request: BadAtom (invalid Atom parameter)<br>
1057Major opcode of failed request: 20 (X_GetProperty)<br></code>
1058
1059<h2><a name= "3.14">3.14 - I copied my public key to authorized_keys
1060but public-key authentication still doesn't work.</a></h2>
1061
1062<p>
1063Typically this is caused by the file permissions on $HOME, $HOME/.ssh or
1064$HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
1065
1066<p>
1067In this case, it can be solved by executing the following on the server.
1068<blockquote>
1069<table border=0 width="800">
1070<tr>
1071 <td nowrap bgcolor="#EEEEEE">
1072$ <b>chmod go-w $HOME $HOME/.ssh</b><br>
1073$ <b>chmod 600 $HOME/.ssh/authorized_keys</b>
1074 </td>
1075</tr>
1076</table>
1077</blockquote>
1078
1079<p>
1080If this is not possible for some reason, an alternative is to set
1081<b>StrictModes no</b> in <i>sshd_config</i>, however this is not
1082recommended.
1083
1084<h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2>
1085
1086Portable OpenSSH has a configure-time option to enable sshd's use of the
1087<a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a>
1088(Pluggable Authentication Modules) interface.
1089
1090<blockquote>
1091<table border=0 width="800">
1092 <tr>
1093 <td nowrap bgcolor="#EEEEEE">
1094./configure --with-pam [options]
1095 </td>
1096 </tr>
1097</table>
1098</blockquote>
1099
1100To use PAM at all, this option must be provided at build time.
1101The run-time behaviour when PAM is built in varies with the version of
1102Portable OpenSSH, and on later versions it must also be enabled by setting
1103<b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>.
1104
1105<p>
1106The behaviour of the relevant authentications options when PAM support is built
1107in is summarised by the following table.
1108
1109<p>
1110<table border="1">
1111 <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr>
1112 <tr>
1113 <td>&lt;=3.6.1p2</td>
1114 <td>Not applicable</td>
1115 <td>Uses PAM</td>
1116 <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td>
1117 </tr>
1118 <tr>
1119 <td>3.7p1 - 3.7.1p1</td>
1120 <td>Defaults to <b>yes</b></td>
1121 <td>Does not use PAM</td>
1122 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1123 </tr>
1124 <tr>
1125 <td>3.7.1p2 - 3.8.1p1</td>
1126 <td>Defaults to <b>no</b></td>
1127 <td>Does not use PAM <a href="#3.15fn1">[1]</a></td>
1128 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1129 </tr>
1130 <tr>
1131 <td>3.9p1</td>
1132 <td>Defaults to <b>no</b></td>
1133 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1134 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1135 </tr>
1136</table>
1137<p>
1138
1139<a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have
1140backported the PasswordAuthentication from 3.9p1 to their 3.8x based
1141packages. If you're using a vendor-supplied package then consult their
1142documentation.
1143
1144<p>
1145OpenSSH Portable's PAM interface still has problems with a few modules,
1146however we hope that this number will reduce in the future. As at the
11473.9p1 release, the known problems are:
1148
1149<ul>
1150 <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
1151 may fail to correctly establish credentials (bug <a
1152 href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when
1153 authenticating via <b>ChallengeResponseAuthentication</b>.
1154 <b>PasswordAuthentication</b> with 3.9p1 and above should work.
1155</ul>
1156
1157You can also check <a
1158href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&amp;bug_status=RESOLVED&amp;bug_status=NEW&amp;bug_status=ACCEPTED&amp;component=PAM+support"
1159>bugzilla for current PAM issues</a>.
1160
1161<h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users
1162logged in via ssh?</a></h2>
1163
1164Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This
1165means that sshd binaries built on AIX 4.x will not correctly write wtmp
1166entries when run on AIX 5.x. This can be fixed by simply recompiling
1167sshd on an AIX 5.x system and using that.
1168
1169<hr>
1170<a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a>
1171<a href="mailto:www@openbsd.org">www@openbsd.org</a>
1172<br>
1173<small>$OpenBSD: faq.html,v 1.107 2007/06/20 18:14:15 miod Exp $</small>
1174
1175</body>
1176</html>
diff --git a/debian/rules b/debian/rules
index 14c10e7d1..46c1344bb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -219,7 +219,7 @@ binary-openssh-client: build install
219 dh_testdir 219 dh_testdir
220 dh_testroot 220 dh_testroot
221 dh_installdebconf 221 dh_installdebconf
222 dh_installdocs OVERVIEW README README.dns README.tun 222 dh_installdocs OVERVIEW README README.dns README.tun faq.html
223 cat debian/copyright.head LICENCE > debian/openssh-client/usr/share/doc/openssh-client/copyright 223 cat debian/copyright.head LICENCE > debian/openssh-client/usr/share/doc/openssh-client/copyright
224 dh_installchangelogs ChangeLog ChangeLog.gssapi 224 dh_installchangelogs ChangeLog ChangeLog.gssapi
225 install -m644 debian/openssh-client.lintian debian/openssh-client/usr/share/lintian/overrides/openssh-client 225 install -m644 debian/openssh-client.lintian debian/openssh-client/usr/share/lintian/overrides/openssh-client
@@ -354,6 +354,9 @@ binary-openssh-server-udeb: build install
354 354
355binary: binary-indep binary-arch 355binary: binary-indep binary-arch
356 356
357faq:
358 wget -O debian/faq.html http://www.openssh.org/faq.html
359
357.PHONY: build clean binary-indep binary-arch binary install 360.PHONY: build clean binary-indep binary-arch binary install
358.PHONY: build-deb build-udeb 361.PHONY: build-deb build-udeb
359.PHONY: binary-openssh-client binary-openssh-server binary-ssh 362.PHONY: binary-openssh-client binary-openssh-server binary-ssh