summaryrefslogtreecommitdiffstats
path: root/debian/faq.html
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/faq.html1187
1 files changed, 1187 insertions, 0 deletions
diff --git a/debian/faq.html b/debian/faq.html
new file mode 100644
index 0000000..7f02528
--- /dev/null
+++ b/debian/faq.html
@@ -0,0 +1,1187 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+<title>OpenSSH FAQ</title>
+<link rev= "made" href= "mailto:www@openbsd.org">
+<meta name= "resource-type" content= "document">
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<meta name= "description" content= "the OpenSSH FAQ page">
+<meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq">
+<meta name= "distribution" content= "global">
+<meta name= "copyright" content= "This document copyright 1999-2010 OpenBSD.">
+</head>
+
+<body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
+<a href="http://www.openssh.com/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
+<p>
+
+<h1>OpenSSH FAQ (Frequently asked questions)</h1>
+
+<hr>
+
+<blockquote>
+<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
+<ul>
+<li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a>
+<li><a href= "#1.2">1.2 - Why should it be used?</a>
+<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
+<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
+<li><a href= "#1.5">1.5 - Where should I ask for help?</a>
+<li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a>
+</ul>
+
+<h3><a href= "#2.0">2.0 - General Questions</a></h3>
+<ul>
+<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a>
+<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
+<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
+<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
+<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
+<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
+<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
+<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
+<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
+<li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a>
+<li><a href= "#2.11">2.11 - How do I use port forwarding?</a>
+<li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a>
+<li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a>
+<li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a>
+</ul>
+
+<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
+<ul>
+<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
+<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
+<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a>
+<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
+<li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a>
+<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
+<li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
+<li><a href= "#3.8">3.8 - Unable to read passphrase</a>
+<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
+<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
+<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
+<li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
+<li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a>
+<li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a>
+<li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a>
+<li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a>
+</ul>
+
+</blockquote>
+
+<hr>
+
+<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>
+
+<h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2>
+
+OpenSSH provides end-to-end encrypted replacement of applications such as
+telnet, rlogin, and ftp.
+Unlike these legacy applications, OpenSSH never passes anything
+(including username and password) over the wire in unencrypted form, and
+provides host authentication, to verify that you really are talking to
+the system that you think you are and that no one else can take over
+that session.
+
+<p>
+The OpenSSH suite includes the
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>
+program which replaces rlogin and telnet, and
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
+which replaces
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&amp;sektion=1">rcp(1)</a> and
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&amp;sektion=1">ftp(1)</a>.
+OpenSSH has also added
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> and
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a>
+which implement an easier solution for file-transfer. This is based upon the
+<a href="http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.
+
+
+<p><strong>OpenSSH consists of a number of programs.</strong>
+
+<ul>
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
+Its behaviour is controlled by the config file <i><a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
+sshd_config(5)</a></i>.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
+Its behaviour is controlled by the global config file <i><a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
+ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> - Securely copies files from one machine to another.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a> - SFTP server subsystem.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> - Secure file transfer program.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&amp;sektion=1">ssh-keyscan(1)</a> - gather ssh public keys.
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&amp;sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
+</ul>
+
+<h3>Downloading</h3>
+
+<p>
+The most recent version of OpenSSH is included with the current
+distribution of <a href="http://www.openbsd.org/">OpenBSD</a>, and
+installed as part of a basic install.
+
+<p>
+Today, most other operating systems include some version of OpenSSH
+(often re-badged or privately labeled), so most users can immediately
+use it.
+However, sometimes the included versions are quite old, and missing
+features of the current release of OpenSSH, and you may wish to install
+the current version, or install it on one of the few OSs that lacked it,
+and where the OS publisher does not make a modern version available.
+You may also wish to use OpenSSH on your embedded application.
+
+<p>
+Non-OpenBSD users will want to download, compile and install the
+multi-platform <a href="http://www.openssh.com/portable.html">Portable</a> distribution from a
+<a href="http://www.openssh.com/portable.html#mirrors">mirror</a> near you.
+
+
+<h2><a name= "1.2">1.2 - Why should it be used?</a></h2>
+
+<p>
+OpenSSH is a suite of tools to help secure your network
+connections. Here is a list of features:
+
+
+<ul>
+ <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
+ <li>Improved privacy. All communications are automatically and transparently encrypted.
+ <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
+ <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
+ <li>No retraining needed for normal users.
+ <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
+ <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
+ <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine.
+ <li>Any user can create any number of user authentication RSA keys for his/her own use.
+ <li>The server program has its own server RSA key which is automatically regenerated every hour.
+ <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
+ <li>The software can be installed and used (with restricted functionality) even without root privileges.
+ <li>The client is customizable in system-wide and per-user configuration files.
+ <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
+ <li>Complete replacement for rlogin, rsh, and rcp.
+</ul>
+
+<p>
+Currently, almost all communications in computer networks are done
+without encryption. As a consequence, anyone who has access to any
+machine connected to the network can listen in on any communication.
+This is being done by hackers, curious administrators, employers,
+criminals, industrial spies, and governments. Some networks leak off
+enough electromagnetic radiation that data may be captured even from a
+distance.
+
+
+<p>
+When you log in, your password goes in the network in plain
+text. Thus, any listener can then use your account to do any evil he
+likes. Many incidents have been encountered worldwide where crackers
+have started programs on workstations without the owner's knowledge
+just to listen to the network and collect passwords. Programs for
+doing this are available on the Internet, or can be built by a
+competent programmer in a few hours.
+
+
+<p>
+Businesses have trade secrets, patent applications in preparation,
+pricing information, subcontractor information, client data, personnel
+data, financial information, etc. Currently, anyone with access to
+the network (any machine on the network) can listen to anything that
+goes in the network, without any regard to normal access restrictions.
+
+
+<p>
+Many companies are not aware that information can so easily be
+recovered from the network. They trust that their data is safe
+since nobody is supposed to know that there is sensitive information
+in the network, or because so much other data is transferred in the
+network. This is not a safe policy.
+
+
+<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>
+
+<p>
+Even though OpenSSH is developed on
+<a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of
+ports to other operating systems exist. The portable version of OpenSSH
+is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>.
+For a quick overview of the portable version of OpenSSH see
+<a href="http://www.openssh.com/portable.html">OpenSSH Portable Release</a>.
+Currently, the supported operating systems are:
+
+
+<ul>
+ <li>OpenBSD
+ <li>NetBSD
+ <li>FreeBSD
+ <li>AIX
+ <li>HP-UX
+ <li>IRIX
+ <li>Linux
+ <li>NeXT
+ <li>SCO
+ <li>SNI/Reliant Unix
+ <li>Solaris
+ <li>Digital Unix/Tru64/OSF
+ <li>Mac OS X
+ <li>Cygwin
+</ul>
+
+<p>
+A list of vendors that include OpenSSH in their distributions
+is located in the <a href="http://www.openssh.com/users.html">OpenSSH Users page</a>.
+
+<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
+<p>
+The OpenSSH developers have tried very hard to keep OpenSSH free of any
+patent or copyright problems. To do this, some options had to be
+stripped from OpenSSH. Namely support for patented algorithms.
+
+<p>
+OpenSSH does not support any patented transport algorithms. In SSH1 mode,
+only 3DES and Blowfish are available options. In SSH2 mode, only 3DES,
+Blowfish, CAST128, Arcfour and AES can be selected.
+The patented IDEA algorithm is not supported.
+
+<p>
+OpenSSH provides support for both SSH1 and SSH2 protocols.
+
+<p>
+Since the RSA patent has expired, there are no restrictions on the use
+of RSA algorithm using software, including OpenBSD.
+
+<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
+<p>
+There are many places to turn to for help. In addition to the main
+<a href="http://www.openssh.com/index.html">OpenSSH website</a>,
+there are many mailing lists to try. Before trying any mailing lists,
+please search through all mailing list archives to see if your question
+has already been answered. The OpenSSH Mailing List has been archived and
+put in searchable form and can be found at
+<a href="http://marc.info/?l=openssh-unix-dev&amp;r=1&amp;w=2">marc.info</a>.
+
+<p>
+For more information on subscribing to OpenSSH related mailing lists,
+please see <a href="http://www.openssh.com/list.html">OpenSSH Mailing lists</a>.
+
+<h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2>
+<p>
+Information about submitting bug reports can be found at the OpenSSH
+<a href="http://www.openssh.com/report.html">Reporting bugs</a> page.
+<p>
+If you wish to report a security bug, please contact the private developers
+list &lt;<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>&gt;.
+
+<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>
+
+<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2>
+<p>
+The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa
+authentication because the server needs to trust the username provided by
+the client. To get around this, you can add the below example to your
+<i>ssh_config</i> or <i>~/.ssh/config</i> file.
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>UsePrivilegedPort no</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+Or you can specify this option on the command line, using the <b>-o</b>
+option to
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> command.
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>ssh -o "UsePrivilegedPort no" host.com</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>
+
+<p>
+In conjunction with the previous question, (<a href="#2.1">2.1</a>)
+OpenSSH needs root authority to be able to bind to low-numbered ports to
+facilitate <i>rhosts authentication</i>.
+A privileged port is also required for rhosts-rsa authentication to older
+SSH releases.
+
+<p>
+Additionally, for both <i>rhosts-rsa authentication</i> (in protocol
+version 1) and <i>hostbased authentication</i> (in protocol version 2)
+the ssh client needs to access the <i>private host key</i> in order to
+authenticate the client machine to the server.
+OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be
+setuid root to enable this, and you may safely remove it if you don't
+want to use these authentication methods.
+
+<p>
+Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>,
+is used for access to the private hosts keys, and ssh does not use privileged
+source ports by default. If you wish to use a privileged source port, you must
+manually set the setuid bit on <code>ssh</code>.
+
+<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>
+
+<p>
+SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
+Their code was not supplying the full data block output from the digest,
+and instead always provided 128 bits. For longer digests, this caused
+SSH 2.3 to not interoperate with OpenSSH.
+
+<p>
+OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH
+will have this bug fixed. Or you can add the following to
+SSH 2.3 <i>sshd2_config</i>.
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>Mac hmac-md5</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>
+
+<p>
+Problems in interoperation have been seen because older versions of
+OpenSSH did not support session rekeying. However the commercial SSH 2.3
+tries to negotiate this feature, and you might experience connection
+freezes or see the error message &quot;<b>Dispatch protocol error:
+type 20 </b>&quot;.
+To solve this problem, either upgrade to a recent OpenSSH release or
+disable rekeying by adding the following to your commercial SSH 2.3's
+<i>ssh2_config</i> or <i>sshd2_config</i>.
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>RekeyIntervalSeconds 0</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>
+
+<p>
+The old versions of SSH used a patented algorithm to encrypt their
+<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
+not being able to read its host key. To solve this, use the command below
+to convert your ssh_host_key to use 3DES.
+<b>NOTE:</b> Use the
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
+program from the Commercial SSH product, *NOT* OpenSSH for the example
+below.
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2>
+
+<p>
+Commercial SSH's
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
+program contained a bug which caused it to occasionally generate Pubkey
+Authentication (RSA or DSA) keys which had their Most Significant Bit
+(MSB) unset. Such keys were advertised as being full-length, but are
+actually, half the time, smaller than advertised.
+
+<p>
+OpenSSH will print warning messages when it encounters such keys. To rid
+yourself of these message, edit your <i>known_hosts</i> files and replace the
+incorrect key length (usually "1024") with the correct key length
+(usually "1023").
+
+<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>
+
+<p>
+Check your <i>ssh_config</i> and <i>sshd_config</i>. The default
+configuration files disable authentication agent and X11 forwarding. To
+enable it, put the line below in <i>sshd_config</i>:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>X11Forwarding yes</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+and put the following lines in <i>ssh_config</i>:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>ForwardAgent yes</b><br>
+<b>ForwardX11 yes</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+X11 forwarding requires a working <a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&amp;sektion=1"
+>xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file
+set but will probably be different on other platforms. For OpenSSH
+Portable, xauth must be either found at configure time or specified
+via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5).
+
+<p>
+Note on agent interoperability: There are two different and
+incompatible agent forwarding mechanisms within the SSH2 protocol.
+OpenSSH has always used an extension of the original SSH1 agent
+requests, however some commercial products use a different, non-free
+agent forwarding protocol. This means that agent forwarding cannot
+be used between OpenSSH and those products.
+
+<p>
+<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the
+<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>,
+and thus any bash user's home directory. This variable is set by OpenSSH
+and for either of the above options to work, you need to comment out
+the line:
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b># export XAUTHORITY=$HOME/.Xauthority</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>
+
+<p>
+Between versions changes can be made to <i>sshd_config</i> or
+<i>ssh_config</i>. You should always check on these changes when upgrading
+versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the
+following to your <i>sshd_config</i>:
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>HostKey /etc/ssh_host_dsa_key</b><br>
+<b>HostKey /etc/ssh_host_rsa_key</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>
+
+<p>
+sftp and/or scp may fail at connection time if you have shell
+initialization (.profile, .bashrc, .cshrc, etc) which produces output
+for non-interactive sessions. This output confuses the sftp/scp client.
+You can verify if your shell is doing this by executing:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>ssh yourhost /usr/bin/true</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+If the above command produces any output, then you need to modify your
+shell initialization.
+
+<h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2>
+
+<p>
+Short Answer: no.
+
+<p>
+Long Answer: scp is not standardized. The closest thing it has to a
+specification is "what rcp does". Since the same command is used on both ends
+of the connection, adding features or options risks breaking interoperability with other
+implementations.
+
+<p>
+New features are more likely in sftp, since the protocol is standardized
+(well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html">
+draft standard</a>), extensible, and the client and server are decoupled.
+
+<h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2>
+
+<p>
+If the remote server is running sshd(8), it may be possible to
+``tunnel'' certain services via ssh. This may be desirable, for
+example, to encrypt POP or SMTP connections, even though the software
+does not directly support encrypted communications. Tunnelling uses
+port forwarding to create a connection between the client and server.
+The client software must be able to specify a non-standard port to
+connect to for this to work.
+
+<p>
+The idea is that the user connects to the remote host using ssh,
+and specifies which port on the client's machine should be used to
+forward connections to the remote server. After that it is possible
+to start the service which is to be encrypted (e.g. fetchmail, irc)
+on the client machine, specifying the same local port passed to
+ssh, and the connection will be tunnelled through ssh. By default,
+the system running the forward will only accept connections from
+itself.
+
+<p>
+The options most relevant to tunnelling are the -L and -R options,
+which allow the user to forward connections, the -D option, which
+permits dynamic port forwarding, the -g option, which permits other
+hosts to use port forwards, and the -f option, which instructs ssh
+to put itself in the background after authentication. See the <a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1"
+>ssh(1)</a> man page for further details.
+
+<p>
+This is an example of tunnelling an IRC session from client machine
+``127.0.0.1'' (localhost) to remote server ``server.example.com'':
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+<b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br>
+irc -c '#users' -p 1234 pinky 127.0.0.1</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+This tunnels a connection to IRC server server.example.com, joining
+channel ``#users'', using the nickname ``pinky''. The local port used
+in this example is 1234. It does not matter which port is used, as
+long as it's greater than 1023 (remember, only root can open sockets on
+privileged ports) and doesn't conflict with any ports already in use.
+The connection is forwarded to port 6667 on the remote server, since
+that's the standard port for IRC services.
+
+<p>
+The remote command ``sleep 10'' was specified to allow an amount
+of time (10 seconds, in the example) to start the service which is to
+be tunnelled. If no connections are made within the time specified,
+ssh will exit. If more time is required, the sleep(1) value can be
+increased appropriately or, alternatively, the example above could
+be added as a function to the user's shell. See ksh(1) and csh(1)
+for more details about user-defined functions.
+
+<p>
+ssh also has an -N option, convenient for use with port forwarding:
+if -N is specified, it is not necessary to specify a remote command
+(``sleep 10'' in the example above). However, use of this option
+causes ssh to wait around for ever (as opposed to exiting after a
+remote command has completed), and the user must take care to manually
+kill(1) the process afterwards.
+
+<h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2>
+
+<p>
+This is usually the result of a packet filter or NAT device
+timing out your TCP connection due to inactivity. You can enable
+<b>ClientAliveInterval</b> in the server's <i><a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
+sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the
+client's <i><a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
+ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer).
+
+<p>
+Enabling either option and setting the interval for less than the time
+it takes to time out your session will ensure that the connection is
+kept "fresh" in the device's connection table.
+
+<h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2>
+
+<b><a
+href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">
+scp</a></b> will interpret the component before the colon to be a remote
+server name and attempt to connect to it. To prevent this, refer to
+the file by a relative or absolute path, eg:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ scp ./source:file sshserver:
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2>
+
+<p>
+OpenSSH, like most SSH implementations, reports its name and version to clients
+when they connect, e.g.
+</p>
+
+<blockquote>
+SSH-2.0-OpenSSH_3.9
+</blockquote>
+
+<p>
+This information is used by clients and servers to enable protocol
+compatibility tweaks to work around changed, buggy or missing features in
+the implementation they are talking to. This protocol feature checking is
+still required at present because versions with incompatibilities are still
+in wide use.
+</p>
+
+<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>
+
+<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>
+
+<p>
+The portable version of OpenSSH will generate spurious authentication
+failures at every login, similar to:
+
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+&quot;<b>authentication failure; (uid=0) -&gt; root for sshd service</b>&quot;
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+These are generated because OpenSSH first tries to determine whether a
+user needs authentication to login (e.g. empty password). Unfortunately
+PAM likes to log all authentication events, this one included.
+
+<p>
+If it annoys you too much, set &quot;<b>PermitEmptyPasswords no</b>&quot;
+in <i>sshd_config</i>. This will quiet the error message at the expense
+of disabling logins to accounts with no password set.
+This is the default if you use the supplied <i>sshd_config</i> file.
+
+<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>
+
+<p>
+To enable empty passwords with a version of OpenSSH built with PAM you
+must add the flag nullok to the end of the password checking module
+in the <i>/etc/pam.d/sshd</i> file. For example:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+auth required/lib/security/pam_unix.so shadow nodelay nullok
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+This must be done in addition to setting &quot;<b>PermitEmptyPasswords
+yes</b>&quot; in the <i>sshd_config</i> file.
+
+<p>
+There is one caveat when using empty passwords with PAM authentication:
+PAM will allow any password when authenticating an account with an empty
+password. This breaks the check that
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
+uses to determine whether an account has no password set and grant
+users access to the account regardless of the policy specified by
+<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you
+do not add the <b>nullok</b> directive to your PAM configuration file
+unless you specifically wish to allow empty passwords.
+
+
+<h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log
+in</a></h2>
+
+<p>
+Large delays (more than 10 seconds) are typically caused by a problem with
+name resolution:
+<ul>
+<li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
+can take a long time to resolve "IPv6 or IPv4" addresses from domain
+names. This can be worked around with by specifying <b>AddressFamily
+inet</b> option in <i>ssh_config</i>.</li>
+
+<li>There may be a DNS lookup problem, either at the client or server.
+You can use the <code>nslookup</code> command to check this on both client
+and server by looking up the other end's name and IP address. In
+addition, on the server look up the name returned by the client's
+IP-name lookup. You can disable most of the server-side lookups by
+setting <b>UseDNS no</b> in <i>sshd_config</i>.</li>
+</ul>
+
+<p>
+Delays less than 10 seconds can have other causes.
+
+<ul>
+
+<li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with
+moduli that were just smaller than what sshd would look for, and
+as a result, sshd would end up using moduli significantly larger
+than requested, which resulted in a speed penalty. Replacing the
+<i>moduli</i> file will resolve this (note that in most cases this
+file will not be replaced during an upgrade and must be replaced
+manually).</li>
+
+<li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that
+would cause it to request moduli larger than intended (which when
+combined with the above resulted in significant slowdowns).
+Upgrading the client to 3.8 or higher will resolve this issue.</li>
+
+<li>If either the client or server lack a kernel-based random number
+device (eg Solaris &lt; 9, AIX &lt; 5.2, HP-UX &lt; 11.11) and no
+substitute is available (eg <a href=
+"ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that
+one of the programs called by <code>ssh-rand-helper</code> to
+generate entropy is hanging. This can be investigated by running
+it in debug mode:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+/usr/local/libexec/ssh-rand-helper -vvv
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+Any significant delays should be investigated and rectified, or the
+corresponding commands should be removed from <i>ssh_prng_cmds</i>.
+</li>
+
+</ul>
+
+<h3>How slow is "slow"?</h3>
+Under normal conditions, the speed of SSH logins is dependant on
+CPU speed of client and server. For comparison the following are
+typical connect times for <code>time ssh localhost true</code>
+with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and
+OpenSSL were compiled with gcc 3.3.x.
+
+<p>
+<table>
+<tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th>
+ <th>Time (SSHv2)</th></tr>
+<tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr>
+<tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td>
+ <td>0.79 sec</td></tr>
+<tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr>
+<tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr>
+<tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr>
+</table>
+
+<br>
+
+<a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is
+cryptographically weaker than SSHv2.<br>
+
+<a name="3.3fn2">[2]</a> At the time of writing, gcc generates
+relatively slow code on HPPA for RSA and Diffie-Hellman operations
+(see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc
+bug #7625</a> and <a
+href="http://marc.info/?l=openssh-unix-dev&amp;m=102646106016694">
+discussion on openssh-unix-dev</a>).
+
+<h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>
+
+<p>
+The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
+Either load the appropriate kernel module, enter the correct alias in
+<i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.
+
+
+<p>
+For some silly reason <i>/etc/modules.conf</i> may also be named
+<i>/etc/conf.modules</i>.
+
+
+<h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2>
+
+<p>
+If the password is correct password the login is still denied, the
+usual cause is that the system is configured to use MD5-type passwords
+but the
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&amp;sektion=3"
+>crypt(3)</a> function used by sshd doesn't understand them.
+
+<p>
+Affected accounts will have password strings in <i>/etc/passwd</i>
+or <i>/etc/shadow</i> that start with <b>$1$</b>.
+If password authentication fails for new accounts or accounts with
+recently changed passwords, but works for old accounts, this is the
+likely culprit.
+
+<p>
+The underlying cause is that some versions of OpenSSL have a crypt(3)
+function that does not understand MD5 passwords, and the link order of
+sshd means that OpenSSL's crypt(3) is used instead of the system's.
+OpensSSH's configure attempts to correct for this but is not always
+successful.
+
+<p>
+There are several possible solutions:
+
+<ul>
+<li>
+<p>
+Enable sshd's built-in support for MD5 passwords at build time.
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+./configure --with-md5-passwords [options]
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+This is safe even if you have both types of encryption as sshd will
+select the correct algorithm for each account automatically.
+
+<li>
+<p>
+If your system has a separate libcrypt library (eg Slackware 7) then you
+can manually add -lcrypt to the LIBS list so it's used instead of
+OpenSSL's:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+LIBS=-lcrypt ./configure [options]
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<li>
+<p>
+If your platforms supports PAM, you may configure sshd to use it
+(see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will
+not verify passwords itself but will defer to the configured PAM modules.
+</ul>
+
+<h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>
+
+<p>
+Ensure that your OpenSSL libraries have been built to include RSA or DSA
+support either internally or through RSAref.
+
+
+<h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>
+
+<p>
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
+must be in the default PATH on both the client and the server. You may
+need to use the <b>--with-default-path</b> option to specify a custom
+path to search on the server. This option replaces the default path,
+so you need to specify all the current directories on your path as well
+as where you have installed scp. For example:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+Note that configuration by the server's admin will take precedence over the
+setting of <b>--with-default-path</b>. This includes resetting PATH in
+<i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and
+above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or
+Reliant Unix.
+
+<h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>
+
+<p>
+Some operating systems set <i>/dev/tty</i> with incorrect modes, causing
+the reading of passwords to fail with the following error:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+You have no controlling tty. Cannot read passphrase.
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+The solution to this is to reset the permissions on <i>/dev/tty</i>
+to mode 0666 and report the error as a bug to your OS vendor.
+
+
+<h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>
+
+<p>
+If there is no 'configure' file in the tar.gz file that you downloaded
+or make fails with "missing separator" errors, you have probably
+downloaded the OpenBSD distribution of OpenSSH and are attempting to
+compile it on another platform. Please refer to the information on the
+<a href="http://www.openssh.com/portable.html">portable version</a>.
+
+
+<h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>
+
+<p>
+OpenSSH may hang when exiting. This can occur when there is an active
+background process. This is known to occur on Linux and HP-UX.
+The problem can be verified by doing the following:
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>sleep 20 &amp; exit</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+Try to use this instead:
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>sleep 20 &lt; /dev/null &gt; /dev/null 2&gt;&amp;1 &amp;</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+<p>
+A work around for bash users is to place <b>"shopt -s huponexit"</b>
+in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's
+man page for an option to enable it to send a HUP signal to active
+jobs when exiting. See <a
+href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a>
+for other workarounds.
+
+<h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>
+
+<p>
+When executing
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>ssh host command</b>
+ </td>
+ </tr>
+</table>
+</blockquote>
+ssh <b>needs</b> to hang, because it needs to wait:
+<ul>
+<li>
+until it can be sure that <code>command</code> does not need
+more input.
+<li>
+until it can be sure that <code>command</code> does not produce
+more output.
+<li>
+until <code>command</code> exits because sshd needs to tell
+the exit status from <code>command</code> to ssh.
+</ul>
+<p>
+
+<h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
+forwarding stopped working.</a></h2>
+
+Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
+localhost by default; see the sshd <b>X11UseLocalhost</b> option to
+revert to prior behaviour if your older X11 clients do not function
+with this configuration.<p>
+
+In general, X11 clients using X11 R6 should work with the default
+setting. Some vendors, including HP, ship X11 clients with R6
+and R5 libs, so some clients will work, and others will not work.
+This is true for HP-UX 11.X.<p>
+
+<h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some
+X11 programs stopped working.</a></h2>
+
+<p>
+As documented in the <a href="http://www.openssh.com/txt/release-3.8">3.8 release notes</a>,
+<code>ssh</code> will now use untrusted X11 cookies by
+default. The previous behaviour can be restored by setting
+<b>ForwardX11Trusted yes</b> in <i>ssh_config</i>.
+
+<p>
+Possible symptoms include:<br>
+<code>BadWindow (invalid Window parameter)<br>
+BadAccess (attempt to access private resource denied)<br>
+X Error of failed request: BadAtom (invalid Atom parameter)<br>
+Major opcode of failed request: 20 (X_GetProperty)<br></code>
+
+<h2><a name= "3.14">3.14 - I copied my public key to authorized_keys
+but public-key authentication still doesn't work.</a></h2>
+
+<p>
+Typically this is caused by the file permissions on $HOME, $HOME/.ssh or
+$HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
+
+<p>
+In this case, it can be solved by executing the following on the server.
+<blockquote>
+<table border=0 width="800">
+<tr>
+ <td nowrap bgcolor="#EEEEEE">
+$ <b>chmod go-w $HOME $HOME/.ssh</b><br>
+$ <b>chmod 600 $HOME/.ssh/authorized_keys</b><br>
+$ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br>
+ </td>
+</tr>
+</table>
+</blockquote>
+
+<p>
+If this is not possible for some reason, an alternative is to set
+<b>StrictModes no</b> in <i>sshd_config</i>, however this is not
+recommended.
+
+<h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2>
+
+Portable OpenSSH has a configure-time option to enable sshd's use of the
+<a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a>
+(Pluggable Authentication Modules) interface.
+
+<blockquote>
+<table border=0 width="800">
+ <tr>
+ <td nowrap bgcolor="#EEEEEE">
+./configure --with-pam [options]
+ </td>
+ </tr>
+</table>
+</blockquote>
+
+To use PAM at all, this option must be provided at build time.
+The run-time behaviour when PAM is built in varies with the version of
+Portable OpenSSH, and on later versions it must also be enabled by setting
+<b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>.
+
+<p>
+The behaviour of the relevant authentications options when PAM support is built
+in is summarised by the following table.
+
+<p>
+<table border="1">
+ <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr>
+ <tr>
+ <td>&lt;=3.6.1p2</td>
+ <td>Not applicable</td>
+ <td>Uses PAM</td>
+ <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td>
+ </tr>
+ <tr>
+ <td>3.7p1 - 3.7.1p1</td>
+ <td>Defaults to <b>yes</b></td>
+ <td>Does not use PAM</td>
+ <td>Uses PAM if <b>UsePAM</b> is enabled</td>
+ </tr>
+ <tr>
+ <td>3.7.1p2 - 3.8.1p1</td>
+ <td>Defaults to <b>no</b></td>
+ <td>Does not use PAM <a href="#3.15fn1">[1]</a></td>
+ <td>Uses PAM if <b>UsePAM</b> is enabled</td>
+ </tr>
+ <tr>
+ <td>3.9p1</td>
+ <td>Defaults to <b>no</b></td>
+ <td>Uses PAM if <b>UsePAM</b> is enabled</td>
+ <td>Uses PAM if <b>UsePAM</b> is enabled</td>
+ </tr>
+</table>
+<p>
+
+<a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have
+backported the PasswordAuthentication from 3.9p1 to their 3.8x based
+packages. If you're using a vendor-supplied package then consult their
+documentation.
+
+<p>
+OpenSSH Portable's PAM interface still has problems with a few modules,
+however we hope that this number will reduce in the future. As at the
+3.9p1 release, the known problems are:
+
+<ul>
+ <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
+ may fail to correctly establish credentials (bug <a
+ href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when
+ authenticating via <b>ChallengeResponseAuthentication</b>.
+ <b>PasswordAuthentication</b> with 3.9p1 and above should work.
+</ul>
+
+You can also check <a
+href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&amp;bug_status=RESOLVED&amp;bug_status=NEW&amp;bug_status=ACCEPTED&amp;component=PAM+support"
+>bugzilla for current PAM issues</a>.
+
+<h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users
+logged in via ssh?</a></h2>
+
+Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This
+means that sshd binaries built on AIX 4.x will not correctly write wtmp
+entries when run on AIX 5.x. This can be fixed by simply recompiling
+sshd on an AIX 5.x system and using that.
+
+<hr>
+<a href="http://www.openssh.com/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a>
+<a href="mailto:www@openbsd.org">www@openbsd.org</a>
+<br>
+<small>$OpenBSD: faq.html,v 1.113 2012/04/21 12:12:22 dtucker Exp $</small>
+
+</body>
+</html>