blob: df3a23e17ad346eec127bd11e65ab5e31038c195 [file] [log] [blame]
Damien Miller17872522000-02-02 20:56:20 +11001[ A Japanese translation of this document is available at
2[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html
3[ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
4
Damien Millera7cafae1999-11-16 08:02:27 +11005OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
6There are, however, a few exceptions that you will need to bear in
7mind while upgrading:
8
91. OpenSSH does not support any patented transport algorithms.
10
11Only 3DES and Blowfish can be selected. This difference may manifest
12itself in the ssh command refusing to read its config files.
13
14Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
15option ("3des" or "blowfish").
16
172. Old versions of commercial SSH encrypt host keys with IDEA
18
19The old versions of SSH used a patented algorithm to encrypt their
20/etc/ssh/ssh_host_key
21
22This problem will manifest as sshd not being able to read its host
23key.
24
25Solution: You will need to run the *commercial* version of ssh-keygen
26on the host's private key:
27
Damien Miller17872522000-02-02 20:56:20 +110028ssh-keygen -u -f /etc/ssh/ssh_host_key
Damien Millera7cafae1999-11-16 08:02:27 +110029
303. Incompatible changes to sshd_config format.
31
32OpenSSH extends the sshd_config file format in a number of ways. There
33is currently one change which is incompatible with the old.
34
35Commercial SSH controlled logging using the "QuietMode" and
36"FascistLogging" directives. OpenSSH introduces a more general set of
37logging options "SyslogFacility" and "LogLevel". See the sshd manual
38page for details.
39
Damien Millerbf3f6ef1999-11-25 13:50:10 +1100404. Warning messages about key lengths
41
42Commercial SSH's ssh-keygen program contained a bug which caused it to
43occasionally generate RSA keys which had their Most Significant Bit
44(MSB) unset. Such keys were advertised as being full-length, but are
45actually only half as secure.
46
47OpenSSH will print warning messages when it encounters such keys. To
48rid yourself of these message, edit you known_hosts files and replace
49the incorrect key length (usually "1024") with the correct key length
50(usually "1023").
51
Damien Millerd49621e1999-12-26 14:04:33 +1100525. Spurious PAM authentication messages in logfiles
53
54OpenSSH will generate spurious authentication failures at every login,
55similar to "authentication failure; (uid=0) -> root for sshd service".
56These are generated because OpenSSH first tries to determine whether a
57user needs authentication to login (e.g. empty password). Unfortunatly
58PAM likes to log all authentication events, this one included.
59
Damien Miller373d2911999-12-27 10:45:54 +110060If it annoys you too much, set "PermitEmptyPasswords no" in
61sshd_config. This will quiet the error message at the expense of
Damien Miller438dfa91999-12-27 11:27:12 +110062disabling logins to accounts with no password set. This is the
63default if you use the supplied sshd_config file.
Damien Millere9c8f4d2000-01-03 20:00:52 +110064
656. Empty passwords not allowed with PAM authentication
66
67To enable empty passwords with a version of OpenSSH built with PAM you
68must add the flag "nullok" to the end of the password checking module
69in the /etc/pam.d/sshd file. For example:
70
71auth required/lib/security/pam_unix.so shadow nodelay nullok
72
73This must be done in addtion to setting "PermitEmptyPasswords yes"
74in the sshd_config file.
75
76There is one caveat when using empty passwords with PAM
77authentication: PAM will allow _any_ password when authenticating
78an account with an empty password. This breaks the check that sshd
79uses to determined whether an account has no password set and grant
80users access to the account regardless of the policy specified by
81"PermitEmptyPasswords". For this reason, it is recommended that you do
82not add the "nullok" directive to your PAM configuration file unless
83you specifically wish to allow empty passwords.
84
Damien Miller17872522000-02-02 20:56:20 +1100857. X11 and/or agent forwarding does not work
Damien Millereab2ce02000-01-20 23:58:22 +110086
87Check your ssh_config and sshd_config. The default configuration files
88disable authentication agent and X11 forwarding.
89
Damien Miller17872522000-02-02 20:56:20 +1100908. ssh takes a long time to connect with Linux/glibc 2.1
Damien Millereab2ce02000-01-20 23:58:22 +110091
92The glibc shipped with Redhat 6.1 appears to take a long time to resolve
93"IPv6 or IPv4" addresses from domain names. This can be kludged around
94with the --with-ipv4-default configure option. This instructs OpenSSH to
95use IPv4-only address resolution. (IPv6 lookups may still be made by
96specifying the -6 option).
97
Damien Miller17872522000-02-02 20:56:20 +1100989. Logins from commercial ssh generate the error "Selected cipher type
Damien Millerc85f9b42000-01-29 10:20:21 +110099 idea not supported by server"
100
101This error is generated when a commercial ssh which has been configured to
102use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify
103this, select a different cipher in ssh_config or ~/.ssh/config (3des for
104security or blowfish for speed).
105
Damien Miller204ad072000-03-02 23:56:12 +110010610. "can't locate module net-pf-10" messages in log under Linux
107
108The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
109Either 1. load the appropriate kernel module, 2. enter the correct alias
110in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf.
111
112For some silly reason /etc/modules.conf may also be named /etc/conf.modules
113
11411. Password authentication doesn't work on Slackware 7.0
115
116Configure OpenSSH with --with-md5-passwords
117
11812. ./configure or sshd complain about lack of RSA support
119
120Ensure that your OpenSSL libraries have been built to include RSA support
121either internally or through RSAref.
122
Damien Millerca9a49c2000-03-16 12:23:13 +110012313. "scp: command not found" errors
124
125scp must be in the default PATH on both the client and the server. You may
126need to use the --with-default-path option to specify a custom path to
Damien Miller29ea30d2000-03-17 10:54:15 +1100127search on the server. This option replaces the default path, so you need
128to specify all the current directories on your path as well as where you
129have installed scp. For example:
130
131./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp
Damien Millerca9a49c2000-03-16 12:23:13 +1100132