Diffstat (limited to '')
-rw-r--r-- | debian/faq.html | 1187 |
1 files changed, 1187 insertions, 0 deletions
diff --git a/debian/faq.html b/debian/faq.html new file mode 100644 index 0000000..7f02528 --- /dev/null +++ b/debian/faq.html 
@@ -0,0 +1,1187 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html> +<head> +<title>OpenSSH FAQ</title> +<link rev= "made" href= "mailto:www@openbsd.org"> +<meta name= "resource-type" content= "document"> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> +<meta name= "description" content= "the OpenSSH FAQ page"> +<meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq"> +<meta name= "distribution" content= "global"> +<meta name= "copyright" content= "This document copyright 1999-2010 OpenBSD."> +</head> + +<body bgcolor= "#ffffff" text= "#000000" link= "#23238E"> +<a href="http://www.openssh.com/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a> +<p> + +<h1>OpenSSH FAQ (Frequently asked questions)</h1> + +<hr> + +<blockquote> +<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3> +<ul> +<li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a> +<li><a href= "#1.2">1.2 - Why should it be used?</a> +<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a> +<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a> +<li><a href= "#1.5">1.5 - Where should I ask for help?</a> +<li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a> +</ul> + +<h3><a href= "#2.0">2.0 - General Questions</a></h3> +<ul> +<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. 
My firewall blocks these.</a> +<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a> +<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a> +<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a> +<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a> +<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a> +<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a> +<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a> +<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a> +<li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a> +<li><a href= "#2.11">2.11 - How do I use port forwarding?</a> +<li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a> +<li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a> +<li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a> +</ul> + +<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3> +<ul> +<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a> +<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a> +<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a> +<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a> +<li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a> +<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a> +<li><a href= "#3.7">3.7 - "scp: command not found" errors</a> +<li><a href= "#3.8">3.8 - Unable to read passphrase</a> +<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a> +<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a> +<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a> +<li><a href= 
"#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a> +<li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a> +<li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a> +<li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a> +<li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a> +</ul> + +</blockquote> + +<hr> + +<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2> + +<h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2> + +OpenSSH provides end-to-end encrypted replacement of applications such as +telnet, rlogin, and ftp. +Unlike these legacy applications, OpenSSH never passes anything +(including username and password) over the wire in unencrypted form, and +provides host authentication, to verify that you really are talking to +the system that you think you are and that no one else can take over +that session. + +<p> +The OpenSSH suite includes the +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> +program which replaces rlogin and telnet, and +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> +which replaces +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a> and +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a>. +OpenSSH has also added +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> and +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> +which implement an easier solution for file-transfer. This is based upon the +<a href="http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft. 
+ + +<p><strong>OpenSSH consists of a number of programs.</strong> + +<ul> +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client. +Its behaviour is controlled by the config file <i><a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> +sshd_config(5)</a></i>. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program. +Its behaviour is controlled by the global config file <i><a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> +ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> - Securely copies files from one machine to another. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys). +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a> - Used to register new keys with the agent. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> - SFTP server subsystem. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> - Secure file transfer program. +<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> - gather ssh public keys. 
+<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication. +</ul> + +<h3>Downloading</h3> + +<p> +The most recent version of OpenSSH is included with the current +distribution of <a href="http://www.openbsd.org/">OpenBSD</a>, and +installed as part of a basic install. + +<p> +Today, most other operating systems include some version of OpenSSH +(often re-badged or privately labeled), so most users can immediately +use it. +However, sometimes the included versions are quite old, and missing +features of the current release of OpenSSH, and you may wish to install +the current version, or install it on one of the few OSs that lacked it, +and where the OS publisher does not make a modern version available. +You may also wish to use OpenSSH on your embedded application. + +<p> +Non-OpenBSD users will want to download, compile and install the +multi-platform <a href="http://www.openssh.com/portable.html">Portable</a> distribution from a +<a href="http://www.openssh.com/portable.html#mirrors">mirror</a> near you. + + +<h2><a name= "1.2">1.2 - Why should it be used?</a></h2> + +<p> +OpenSSH is a suite of tools to help secure your network +connections. Here is a list of features: + + +<ul> + <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing). + <li>Improved privacy. All communications are automatically and transparently encrypted. + <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. + <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions). + <li>No retraining needed for normal users. + <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key. 
+ <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing). + <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine. + <li>Any user can create any number of user authentication RSA keys for his/her own use. + <li>The server program has its own server RSA key which is automatically regenerated every hour. + <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys. + <li>The software can be installed and used (with restricted functionality) even without root privileges. + <li>The client is customizable in system-wide and per-user configuration files. + <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections. + <li>Complete replacement for rlogin, rsh, and rcp. +</ul> + +<p> +Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + + +<p> +When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owner's knowledge +just to listen to the network and collect passwords. 
Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + + +<p> +Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + + +<p> +Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + + +<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2> + +<p> +Even though OpenSSH is developed on +<a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of +ports to other operating systems exist. The portable version of OpenSSH +is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>. +For a quick overview of the portable version of OpenSSH see +<a href="http://www.openssh.com/portable.html">OpenSSH Portable Release</a>. +Currently, the supported operating systems are: + + +<ul> + <li>OpenBSD + <li>NetBSD + <li>FreeBSD + <li>AIX + <li>HP-UX + <li>IRIX + <li>Linux + <li>NeXT + <li>SCO + <li>SNI/Reliant Unix + <li>Solaris + <li>Digital Unix/Tru64/OSF + <li>Mac OS X + <li>Cygwin +</ul> + +<p> +A list of vendors that include OpenSSH in their distributions +is located in the <a href="http://www.openssh.com/users.html">OpenSSH Users page</a>. + +<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2> +<p> +The OpenSSH developers have tried very hard to keep OpenSSH free of any +patent or copyright problems. To do this, some options had to be +stripped from OpenSSH. Namely support for patented algorithms. 
+ +<p> +OpenSSH does not support any patented transport algorithms. In SSH1 mode, +only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, +Blowfish, CAST128, Arcfour and AES can be selected. +The patented IDEA algorithm is not supported. + +<p> +OpenSSH provides support for both SSH1 and SSH2 protocols. + +<p> +Since the RSA patent has expired, there are no restrictions on the use +of RSA algorithm using software, including OpenBSD. + +<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2> +<p> +There are many places to turn to for help. In addition to the main +<a href="http://www.openssh.com/index.html">OpenSSH website</a>, +there are many mailing lists to try. Before trying any mailing lists, +please search through all mailing list archives to see if your question +has already been answered. The OpenSSH Mailing List has been archived and +put in searchable form and can be found at +<a href="http://marc.info/?l=openssh-unix-dev&r=1&w=2">marc.info</a>. + +<p> +For more information on subscribing to OpenSSH related mailing lists, +please see <a href="http://www.openssh.com/list.html">OpenSSH Mailing lists</a>. + +<h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2> +<p> +Information about submitting bug reports can be found at the OpenSSH +<a href="http://www.openssh.com/report.html">Reporting bugs</a> page. +<p> +If you wish to report a security bug, please contact the private developers +list <<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>>. + +<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2> + +<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2> +<p> +The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa +authentication because the server needs to trust the username provided by +the client. To get around this, you can add the below example to your +<i>ssh_config</i> or <i>~/.ssh/config</i> file. 
+ + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>UsePrivilegedPort no</b> + </td> + </tr> +</table> +</blockquote> + +<p> +Or you can specify this option on the command line, using the <b>-o</b> +option to +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> command. + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>ssh -o "UsePrivilegedPort no" host.com</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2> + +<p> +In conjunction with the previous question, (<a href="#2.1">2.1</a>) +OpenSSH needs root authority to be able to bind to low-numbered ports to +facilitate <i>rhosts authentication</i>. +A privileged port is also required for rhosts-rsa authentication to older +SSH releases. + +<p> +Additionally, for both <i>rhosts-rsa authentication</i> (in protocol +version 1) and <i>hostbased authentication</i> (in protocol version 2) +the ssh client needs to access the <i>private host key</i> in order to +authenticate the client machine to the server. +OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be +setuid root to enable this, and you may safely remove it if you don't +want to use these authentication methods. + +<p> +Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>, +is used for access to the private hosts keys, and ssh does not use privileged +source ports by default. If you wish to use a privileged source port, you must +manually set the setuid bit on <code>ssh</code>. + +<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2> + +<p> +SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. +Their code was not supplying the full data block output from the digest, +and instead always provided 128 bits. 
For longer digests, this caused +SSH 2.3 to not interoperate with OpenSSH. + +<p> +OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH +will have this bug fixed. Or you can add the following to +SSH 2.3 <i>sshd2_config</i>. + + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>Mac hmac-md5</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2> + +<p> +Problems in interoperation have been seen because older versions of +OpenSSH did not support session rekeying. However the commercial SSH 2.3 +tries to negotiate this feature, and you might experience connection +freezes or see the error message "<b>Dispatch protocol error: +type 20 </b>". +To solve this problem, either upgrade to a recent OpenSSH release or +disable rekeying by adding the following to your commercial SSH 2.3's +<i>ssh2_config</i> or <i>sshd2_config</i>. + + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>RekeyIntervalSeconds 0</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2> + +<p> +The old versions of SSH used a patented algorithm to encrypt their +<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> +not being able to read its host key. To solve this, use the command below +to convert your ssh_host_key to use 3DES. +<b>NOTE:</b> Use the +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> +program from the Commercial SSH product, *NOT* OpenSSH for the example +below. 
+ + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2> + +<p> +Commercial SSH's +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> +program contained a bug which caused it to occasionally generate Pubkey +Authentication (RSA or DSA) keys which had their Most Significant Bit +(MSB) unset. Such keys were advertised as being full-length, but are +actually, half the time, smaller than advertised. + +<p> +OpenSSH will print warning messages when it encounters such keys. To rid +yourself of these message, edit your <i>known_hosts</i> files and replace the +incorrect key length (usually "1024") with the correct key length +(usually "1023"). + +<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2> + +<p> +Check your <i>ssh_config</i> and <i>sshd_config</i>. The default +configuration files disable authentication agent and X11 forwarding. To +enable it, put the line below in <i>sshd_config</i>: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>X11Forwarding yes</b> + </td> + </tr> +</table> +</blockquote> + +<p> +and put the following lines in <i>ssh_config</i>: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>ForwardAgent yes</b><br> +<b>ForwardX11 yes</b> + </td> + </tr> +</table> +</blockquote> + +<p> +X11 forwarding requires a working <a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&sektion=1" +>xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file +set but will probably be different on other platforms. For OpenSSH +Portable, xauth must be either found at configure time or specified +via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5). 
+ +<p> +Note on agent interoperability: There are two different and +incompatible agent forwarding mechanisms within the SSH2 protocol. +OpenSSH has always used an extension of the original SSH1 agent +requests, however some commercial products use a different, non-free +agent forwarding protocol. This means that agent forwarding cannot +be used between OpenSSH and those products. + +<p> +<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the +<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>, +and thus any bash user's home directory. This variable is set by OpenSSH +and for either of the above options to work, you need to comment out +the line: + + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b># export XAUTHORITY=$HOME/.Xauthority</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2> + +<p> +Between versions changes can be made to <i>sshd_config</i> or +<i>ssh_config</i>. You should always check on these changes when upgrading +versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the +following to your <i>sshd_config</i>: + + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>HostKey /etc/ssh_host_dsa_key</b><br> +<b>HostKey /etc/ssh_host_rsa_key</b> + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2> + +<p> +sftp and/or scp may fail at connection time if you have shell +initialization (.profile, .bashrc, .cshrc, etc) which produces output +for non-interactive sessions. This output confuses the sftp/scp client. 
+You can verify if your shell is doing this by executing: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>ssh yourhost /usr/bin/true</b> + </td> + </tr> +</table> +</blockquote> + +<p> +If the above command produces any output, then you need to modify your +shell initialization. + +<h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2> + +<p> +Short Answer: no. + +<p> +Long Answer: scp is not standardized. The closest thing it has to a +specification is "what rcp does". Since the same command is used on both ends +of the connection, adding features or options risks breaking interoperability with other +implementations. + +<p> +New features are more likely in sftp, since the protocol is standardized +(well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html"> +draft standard</a>), extensible, and the client and server are decoupled. + +<h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2> + +<p> +If the remote server is running sshd(8), it may be possible to +``tunnel'' certain services via ssh. This may be desirable, for +example, to encrypt POP or SMTP connections, even though the software +does not directly support encrypted communications. Tunnelling uses +port forwarding to create a connection between the client and server. +The client software must be able to specify a non-standard port to +connect to for this to work. + +<p> +The idea is that the user connects to the remote host using ssh, +and specifies which port on the client's machine should be used to +forward connections to the remote server. After that it is possible +to start the service which is to be encrypted (e.g. fetchmail, irc) +on the client machine, specifying the same local port passed to +ssh, and the connection will be tunnelled through ssh. By default, +the system running the forward will only accept connections from +itself. 
+ +<p> +The options most relevant to tunnelling are the -L and -R options, +which allow the user to forward connections, the -D option, which +permits dynamic port forwarding, the -g option, which permits other +hosts to use port forwards, and the -f option, which instructs ssh +to put itself in the background after authentication. See the <a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1" +>ssh(1)</a> man page for further details. + +<p> +This is an example of tunnelling an IRC session from client machine +``127.0.0.1'' (localhost) to remote server ``server.example.com'': + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +<b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br> +irc -c '#users' -p 1234 pinky 127.0.0.1</b> + </td> + </tr> +</table> +</blockquote> + +<p> +This tunnels a connection to IRC server server.example.com, joining +channel ``#users'', using the nickname ``pinky''. The local port used +in this example is 1234. It does not matter which port is used, as +long as it's greater than 1023 (remember, only root can open sockets on +privileged ports) and doesn't conflict with any ports already in use. +The connection is forwarded to port 6667 on the remote server, since +that's the standard port for IRC services. + +<p> +The remote command ``sleep 10'' was specified to allow an amount +of time (10 seconds, in the example) to start the service which is to +be tunnelled. If no connections are made within the time specified, +ssh will exit. If more time is required, the sleep(1) value can be +increased appropriately or, alternatively, the example above could +be added as a function to the user's shell. See ksh(1) and csh(1) +for more details about user-defined functions. + +<p> +ssh also has an -N option, convenient for use with port forwarding: +if -N is specified, it is not necessary to specify a remote command +(``sleep 10'' in the example above). 
However, use of this option +causes ssh to wait around for ever (as opposed to exiting after a +remote command has completed), and the user must take care to manually +kill(1) the process afterwards. + +<h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2> + +<p> +This is usually the result of a packet filter or NAT device +timing out your TCP connection due to inactivity. You can enable +<b>ClientAliveInterval</b> in the server's <i><a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> +sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the +client's <i><a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> +ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer). + +<p> +Enabling either option and setting the interval for less than the time +it takes to time out your session will ensure that the connection is +kept "fresh" in the device's connection table. + +<h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2> + +<b><a +href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1"> +scp</a></b> will interpret the component before the colon to be a remote +server name and attempt to connect to it. To prevent this, refer to +the file by a relative or absolute path, eg: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ scp ./source:file sshserver: + </td> + </tr> +</table> +</blockquote> + +<h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2> + +<p> +OpenSSH, like most SSH implementations, reports its name and version to clients +when they connect, e.g. +</p> + +<blockquote> +SSH-2.0-OpenSSH_3.9 +</blockquote> + +<p> +This information is used by clients and servers to enable protocol +compatibility tweaks to work around changed, buggy or missing features in +the implementation they are talking to. 
This protocol feature checking is +still required at present because versions with incompatibilities are still +in wide use. +</p> + +<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2> + +<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2> + +<p> +The portable version of OpenSSH will generate spurious authentication +failures at every login, similar to: + + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +"<b>authentication failure; (uid=0) -> root for sshd service</b>" + </td> + </tr> +</table> +</blockquote> + +<p> +These are generated because OpenSSH first tries to determine whether a +user needs authentication to login (e.g. empty password). Unfortunately +PAM likes to log all authentication events, this one included. + +<p> +If it annoys you too much, set "<b>PermitEmptyPasswords no</b>" +in <i>sshd_config</i>. This will quiet the error message at the expense +of disabling logins to accounts with no password set. +This is the default if you use the supplied <i>sshd_config</i> file. + +<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2> + +<p> +To enable empty passwords with a version of OpenSSH built with PAM you +must add the flag nullok to the end of the password checking module +in the <i>/etc/pam.d/sshd</i> file. For example: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +auth required/lib/security/pam_unix.so shadow nodelay nullok + </td> + </tr> +</table> +</blockquote> + +<p> +This must be done in addition to setting "<b>PermitEmptyPasswords +yes</b>" in the <i>sshd_config</i> file. + +<p> +There is one caveat when using empty passwords with PAM authentication: +PAM will allow any password when authenticating an account with an empty +password. 
This breaks the check that +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> +uses to determine whether an account has no password set and grant +users access to the account regardless of the policy specified by +<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you +do not add the <b>nullok</b> directive to your PAM configuration file +unless you specifically wish to allow empty passwords. + + +<h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log +in</a></h2> + +<p> +Large delays (more than 10 seconds) are typically caused by a problem with +name resolution: +<ul> +<li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1) +can take a long time to resolve "IPv6 or IPv4" addresses from domain +names. This can be worked around with by specifying <b>AddressFamily +inet</b> option in <i>ssh_config</i>.</li> + +<li>There may be a DNS lookup problem, either at the client or server. +You can use the <code>nslookup</code> command to check this on both client +and server by looking up the other end's name and IP address. In +addition, on the server look up the name returned by the client's +IP-name lookup. You can disable most of the server-side lookups by +setting <b>UseDNS no</b> in <i>sshd_config</i>.</li> +</ul> + +<p> +Delays less than 10 seconds can have other causes. + +<ul> + +<li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with +moduli that were just smaller than what sshd would look for, and +as a result, sshd would end up using moduli significantly larger +than requested, which resulted in a speed penalty. Replacing the +<i>moduli</i> file will resolve this (note that in most cases this +file will not be replaced during an upgrade and must be replaced +manually).</li> + +<li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that +would cause it to request moduli larger than intended (which when +combined with the above resulted in significant slowdowns). 
+Upgrading the client to 3.8 or higher will resolve this issue.</li> + +<li>If either the client or server lack a kernel-based random number +device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no +substitute is available (eg <a href= +"ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that +one of the programs called by <code>ssh-rand-helper</code> to +generate entropy is hanging. This can be investigated by running +it in debug mode: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +/usr/local/libexec/ssh-rand-helper -vvv + </td> + </tr> +</table> +</blockquote> + +Any significant delays should be investigated and rectified, or the +corresponding commands should be removed from <i>ssh_prng_cmds</i>. +</li> + +</ul> + +<h3>How slow is "slow"?</h3> +Under normal conditions, the speed of SSH logins is dependant on +CPU speed of client and server. For comparison the following are +typical connect times for <code>time ssh localhost true</code> +with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and +OpenSSL were compiled with gcc 3.3.x. 
+ +<p> +<table> +<tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th> + <th>Time (SSHv2)</th></tr> +<tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr> +<tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td> + <td>0.79 sec</td></tr> +<tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr> +<tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr> +<tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr> +</table> + +<br> + +<a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is +cryptographically weaker than SSHv2.<br> + +<a name="3.3fn2">[2]</a> At the time of writing, gcc generates +relatively slow code on HPPA for RSA and Diffie-Hellman operations +(see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc +bug #7625</a> and <a +href="http://marc.info/?l=openssh-unix-dev&m=102646106016694"> +discussion on openssh-unix-dev</a>). + +<h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2> + +<p> +The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). +Either load the appropriate kernel module, enter the correct alias in +<i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>. + + +<p> +For some silly reason <i>/etc/modules.conf</i> may also be named +<i>/etc/conf.modules</i>. + + +<h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2> + +<p> +If the password is correct password the login is still denied, the +usual cause is that the system is configured to use MD5-type passwords +but the +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3" +>crypt(3)</a> function used by sshd doesn't understand them. + +<p> +Affected accounts will have password strings in <i>/etc/passwd</i> +or <i>/etc/shadow</i> that start with <b>$1$</b>. 
+If password authentication fails for new accounts or accounts with +recently changed passwords, but works for old accounts, this is the +likely culprit. + +<p> +The underlying cause is that some versions of OpenSSL have a crypt(3) +function that does not understand MD5 passwords, and the link order of +sshd means that OpenSSL's crypt(3) is used instead of the system's. +OpensSSH's configure attempts to correct for this but is not always +successful. + +<p> +There are several possible solutions: + +<ul> +<li> +<p> +Enable sshd's built-in support for MD5 passwords at build time. + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +./configure --with-md5-passwords [options] + </td> + </tr> +</table> +</blockquote> + +This is safe even if you have both types of encryption as sshd will +select the correct algorithm for each account automatically. + +<li> +<p> +If your system has a separate libcrypt library (eg Slackware 7) then you +can manually add -lcrypt to the LIBS list so it's used instead of +OpenSSL's: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +LIBS=-lcrypt ./configure [options] + </td> + </tr> +</table> +</blockquote> + +<li> +<p> +If your platforms supports PAM, you may configure sshd to use it +(see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will +not verify passwords itself but will defer to the configured PAM modules. +</ul> + +<h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2> + +<p> +Ensure that your OpenSSL libraries have been built to include RSA or DSA +support either internally or through RSAref. + + +<h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2> + +<p> +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> +must be in the default PATH on both the client and the server. 
You may +need to use the <b>--with-default-path</b> option to specify a custom +path to search on the server. This option replaces the default path, +so you need to specify all the current directories on your path as well +as where you have installed scp. For example: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b> + </td> + </tr> +</table> +</blockquote> + +<p> +Note that configuration by the server's admin will take precedence over the +setting of <b>--with-default-path</b>. This includes resetting PATH in +<i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and +above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or +Reliant Unix. + +<h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2> + +<p> +Some operating systems set <i>/dev/tty</i> with incorrect modes, causing +the reading of passwords to fail with the following error: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +You have no controlling tty. Cannot read passphrase. + </td> + </tr> +</table> +</blockquote> + +<p> +The solution to this is to reset the permissions on <i>/dev/tty</i> +to mode 0666 and report the error as a bug to your OS vendor. + + +<h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2> + +<p> +If there is no 'configure' file in the tar.gz file that you downloaded +or make fails with "missing separator" errors, you have probably +downloaded the OpenBSD distribution of OpenSSH and are attempting to +compile it on another platform. Please refer to the information on the +<a href="http://www.openssh.com/portable.html">portable version</a>. + + +<h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2> + +<p> +OpenSSH may hang when exiting. This can occur when there is an active +background process. This is known to occur on Linux and HP-UX. 
+The problem can be verified by doing the following: + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>sleep 20 & exit</b> + </td> + </tr> +</table> +</blockquote> + +Try to use this instead: +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>sleep 20 < /dev/null > /dev/null 2>&1 &</b> + </td> + </tr> +</table> +</blockquote> + +<p> +A work around for bash users is to place <b>"shopt -s huponexit"</b> +in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's +man page for an option to enable it to send a HUP signal to active +jobs when exiting. See <a +href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a> +for other workarounds. + +<h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2> + +<p> +When executing +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>ssh host command</b> + </td> + </tr> +</table> +</blockquote> +ssh <b>needs</b> to hang, because it needs to wait: +<ul> +<li> +until it can be sure that <code>command</code> does not need +more input. +<li> +until it can be sure that <code>command</code> does not produce +more output. +<li> +until <code>command</code> exits because sshd needs to tell +the exit status from <code>command</code> to ssh. +</ul> +<p> + +<h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 +forwarding stopped working.</a></h2> + +Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on +localhost by default; see the sshd <b>X11UseLocalhost</b> option to +revert to prior behaviour if your older X11 clients do not function +with this configuration.<p> + +In general, X11 clients using X11 R6 should work with the default +setting. Some vendors, including HP, ship X11 clients with R6 +and R5 libs, so some clients will work, and others will not work. 
+This is true for HP-UX 11.X.<p> + +<h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some +X11 programs stopped working.</a></h2> + +<p> +As documented in the <a href="http://www.openssh.com/txt/release-3.8">3.8 release notes</a>, +<code>ssh</code> will now use untrusted X11 cookies by +default. The previous behaviour can be restored by setting +<b>ForwardX11Trusted yes</b> in <i>ssh_config</i>. + +<p> +Possible symptoms include:<br> +<code>BadWindow (invalid Window parameter)<br> +BadAccess (attempt to access private resource denied)<br> +X Error of failed request: BadAtom (invalid Atom parameter)<br> +Major opcode of failed request: 20 (X_GetProperty)<br></code> + +<h2><a name= "3.14">3.14 - I copied my public key to authorized_keys +but public-key authentication still doesn't work.</a></h2> + +<p> +Typically this is caused by the file permissions on $HOME, $HOME/.ssh or +$HOME/.ssh/authorized_keys being more permissive than sshd allows by default. + +<p> +In this case, it can be solved by executing the following on the server. +<blockquote> +<table border=0 width="800"> +<tr> + <td nowrap bgcolor="#EEEEEE"> +$ <b>chmod go-w $HOME $HOME/.ssh</b><br> +$ <b>chmod 600 $HOME/.ssh/authorized_keys</b><br> +$ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br> + </td> +</tr> +</table> +</blockquote> + +<p> +If this is not possible for some reason, an alternative is to set +<b>StrictModes no</b> in <i>sshd_config</i>, however this is not +recommended. + +<h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2> + +Portable OpenSSH has a configure-time option to enable sshd's use of the +<a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a> +(Pluggable Authentication Modules) interface. + +<blockquote> +<table border=0 width="800"> + <tr> + <td nowrap bgcolor="#EEEEEE"> +./configure --with-pam [options] + </td> + </tr> +</table> +</blockquote> + +To use PAM at all, this option must be provided at build time. 
+The run-time behaviour when PAM is built in varies with the version of +Portable OpenSSH, and on later versions it must also be enabled by setting +<b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>. + +<p> +The behaviour of the relevant authentications options when PAM support is built +in is summarised by the following table. + +<p> +<table border="1"> + <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr> + <tr> + <td><=3.6.1p2</td> + <td>Not applicable</td> + <td>Uses PAM</td> + <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td> + </tr> + <tr> + <td>3.7p1 - 3.7.1p1</td> + <td>Defaults to <b>yes</b></td> + <td>Does not use PAM</td> + <td>Uses PAM if <b>UsePAM</b> is enabled</td> + </tr> + <tr> + <td>3.7.1p2 - 3.8.1p1</td> + <td>Defaults to <b>no</b></td> + <td>Does not use PAM <a href="#3.15fn1">[1]</a></td> + <td>Uses PAM if <b>UsePAM</b> is enabled</td> + </tr> + <tr> + <td>3.9p1</td> + <td>Defaults to <b>no</b></td> + <td>Uses PAM if <b>UsePAM</b> is enabled</td> + <td>Uses PAM if <b>UsePAM</b> is enabled</td> + </tr> +</table> +<p> + +<a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have +backported the PasswordAuthentication from 3.9p1 to their 3.8x based +packages. If you're using a vendor-supplied package then consult their +documentation. + +<p> +OpenSSH Portable's PAM interface still has problems with a few modules, +however we hope that this number will reduce in the future. As at the +3.9p1 release, the known problems are: + +<ul> + <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS) + may fail to correctly establish credentials (bug <a + href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when + authenticating via <b>ChallengeResponseAuthentication</b>. + <b>PasswordAuthentication</b> with 3.9p1 and above should work. 
+</ul> + +You can also check <a +href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&bug_status=RESOLVED&bug_status=NEW&bug_status=ACCEPTED&component=PAM+support" +>bugzilla for current PAM issues</a>. + +<h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users +logged in via ssh?</a></h2> + +Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This +means that sshd binaries built on AIX 4.x will not correctly write wtmp +entries when run on AIX 5.x. This can be fixed by simply recompiling +sshd on an AIX 5.x system and using that. + +<hr> +<a href="http://www.openssh.com/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a> +<a href="mailto:www@openbsd.org">www@openbsd.org</a> +<br> +<small>$OpenBSD: faq.html,v 1.113 2012/04/21 12:12:22 dtucker Exp $</small> + +</body> +</html> |
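Review bot: the PAM example in section 3.2 of the added debian/faq.html is missing the space between the control field and the module path: `auth required/lib/security/pam_unix.so shadow nodelay nullok` should read `auth required /lib/security/pam_unix.so shadow nodelay nullok`. As written, `required/lib/security/pam_unix.so` is not a valid control field and the module path would be taken as `shadow`, so a reader who copies the line into /etc/pam.d/sshd gets a non-working entry. Because the same section goes on to warn that `nullok` makes PAM accept any password for an account with an empty password, bypassing `PermitEmptyPasswords`, this example should be correct before the FAQ ships in the package. Smaller documentation fixes in the same hunk: `If the password is correct password the login is still denied` (3.5) should read `If the password is correct but the login is still denied`, `OpensSSH's configure` (3.5) should be `OpenSSH's configure`, `dependant on` (3.3) should be `dependent on`, `had an moduli file` (3.3) should be `had a moduli file`, and `If your platforms supports PAM` (3.5) should be `If your platform supports PAM`.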