OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
There are, however, a few exceptions that you will need to bear in
mind while upgrading:

1. OpenSSH does not support any patented transport algorithms.

Only 3DES and Blowfish can be selected. This difference may manifest
itself in the ssh command refusing to read its config files.

Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
option ("3des" or "blowfish").

2. Old versions of commercial SSH encrypt host keys with IDEA

The old versions of SSH used a patented algorithm to encrypt their
/etc/ssh/ssh_host_key.

This problem will manifest as sshd not being able to read its host
key.

Solution: You will need to run the *commercial* version of ssh-keygen
on the host's private key:

ssh-keygen -u /etc/ssh/ssh_host_key

3. Incompatible changes to sshd_config format.

OpenSSH extends the sshd_config file format in a number of ways. There
is currently one change which is incompatible with the old format.

Commercial SSH controlled logging using the "QuietMode" and
"FascistLogging" directives. OpenSSH introduces a more general set of
logging options "SyslogFacility" and "LogLevel". See the sshd manual
page for details.

4. Warning messages about key lengths

Commercial SSH's ssh-keygen program contained a bug which caused it to
occasionally generate RSA keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually only half as secure.

OpenSSH will print warning messages when it encounters such keys. To
rid yourself of these messages, edit your known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").

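The known_hosts correction described in item 4 can be scripted. This is an added example, not part of OpenSSH or of the original file: it assumes the SSH protocol 1 known_hosts layout (hosts, bits, exponent, modulus, optional comment, all numbers in decimal), and the function names and sample entries are constructed for illustration.

```python
"""Added example: correct the advertised bit length of SSH1 RSA keys in known_hosts."""


def fix_line(line):
    """Return (line, changed) for one entry: hosts bits exponent modulus [comment]."""
    fields = line.split(None, 4)           # keep the free-form comment intact
    # Skip blanks, comments and anything that is not a decimal SSH1 RSA entry.
    if len(fields) < 4 or line.lstrip().startswith("#"):
        return line, False
    if not all(f.isdigit() for f in fields[1:4]):
        return line, False
    advertised, modulus = int(fields[1]), int(fields[3])
    actual = modulus.bit_length()          # position of the highest set bit
    if actual == advertised:
        return line, False
    fields[1] = str(actual)
    return " ".join(fields), True


def fix_known_hosts(text):
    """Return (corrected_text, [(hosts, advertised, actual), ...])."""
    out, report = [], []
    for line in text.splitlines():
        fixed, changed = fix_line(line)
        if changed:
            old, new = line.split(), fixed.split()
            report.append((old[0], int(old[1]), int(new[1])))
        out.append(fixed)
    return "\n".join(out) + "\n", report


# Constructed sample input: these moduli are bit patterns of the right size,
# not real RSA keys. The first has its top bit clear, the second does not.
SHORT = (1 << 1022) | 0x10001
FULL = (1 << 1023) | 0x10001
SAMPLE = (
    "# constructed known_hosts sample\n"
    f"old.example.com 1024 35 {SHORT}\n"
    f"ok.example.com,192.0.2.7 1024 35 {FULL} root@ok\n"
)

if __name__ == "__main__":
    corrected, report = fix_known_hosts(SAMPLE)
    for hosts, advertised, actual in report:
        print(f"{hosts}: advertised {advertised} bits, modulus has {actual}")
```

Run it on a copy of the known_hosts file and compare the result with the original before replacing it.
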
5. Spurious PAM authentication messages in logfiles

OpenSSH will generate spurious authentication failures at every login,
similar to "authentication failure; (uid=0) -> root for sshd service".
These are generated because OpenSSH first tries to determine whether a
user needs authentication to log in (e.g. empty password). Unfortunately
PAM likes to log all authentication events, this one included.

If it annoys you too much, set "PermitEmptyPasswords no" in
sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the
default if you use the supplied sshd_config file.