From 94597021fbf5b12b369b7bb3c13af715d8be8c4e Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 13:13:19 +0200 Subject: Adding debian version 1:8.4p1-5+deb11u3. Signed-off-by: Daniel Baumann --- debian/faq.html | 1187 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1187 insertions(+) create mode 100644 debian/faq.html (limited to 'debian/faq.html') diff --git a/debian/faq.html b/debian/faq.html new file mode 100644 index 0000000..7f02528 --- /dev/null +++ b/debian/faq.html @@ -0,0 +1,1187 @@ + + + +OpenSSH FAQ + + + + + + + + + + +[OpenSSH] +

+ +

OpenSSH FAQ (Frequently asked questions)

+ +
+ +
+

1.0 - What Is OpenSSH and Where Can I Get It?

+ + +

2.0 - General Questions

+ + +

3.0 - Portable OpenSSH Questions

+ + +
+ +
+ +

1.0 - What Is OpenSSH and Where Can I Get It?

+ +

1.1 - What is OpenSSH and where can I download it?

+ +OpenSSH provides end-to-end encrypted replacement of applications such as +telnet, rlogin, and ftp. +Unlike these legacy applications, OpenSSH never passes anything +(including username and password) over the wire in unencrypted form, and +provides host authentication, to verify that you really are talking to +the system that you think you are and that no one else can take over +that session. + +

+The OpenSSH suite includes the +ssh(1) +program which replaces rlogin and telnet, and +scp(1) +which replaces +rcp(1) and +ftp(1). +OpenSSH has also added +sftp(1) and +sftp-server(8) +which implement an easier solution for file-transfer. This is based upon the +secsh-filexfer IETF draft. + + +

OpenSSH consists of a number of programs. + +

+ +

Downloading

+ +

+The most recent version of OpenSSH is included with the current +distribution of OpenBSD, and +installed as part of a basic install. + +

+Today, most other operating systems include some version of OpenSSH +(often re-badged or privately labeled), so most users can immediately +use it. +However, sometimes the included versions are quite old, and missing +features of the current release of OpenSSH, and you may wish to install +the current version, or install it on one of the few OSs that lacked it, +and where the OS publisher does not make a modern version available. +You may also wish to use OpenSSH on your embedded application. + +

+Non-OpenBSD users will want to download, compile and install the +multi-platform Portable distribution from a +mirror near you. + + +

1.2 - Why should it be used?

+ +

+OpenSSH is a suite of tools to help secure your network +connections. Here is a list of features: + + +

+ +

+Currently, almost all communications in computer networks are done +without encryption. As a consequence, anyone who has access to any +machine connected to the network can listen in on any communication. +This is being done by hackers, curious administrators, employers, +criminals, industrial spies, and governments. Some networks leak off +enough electromagnetic radiation that data may be captured even from a +distance. + + +

+When you log in, your password goes in the network in plain +text. Thus, any listener can then use your account to do any evil he +likes. Many incidents have been encountered worldwide where crackers +have started programs on workstations without the owner's knowledge +just to listen to the network and collect passwords. Programs for +doing this are available on the Internet, or can be built by a +competent programmer in a few hours. + + +

+Businesses have trade secrets, patent applications in preparation, +pricing information, subcontractor information, client data, personnel +data, financial information, etc. Currently, anyone with access to +the network (any machine on the network) can listen to anything that +goes in the network, without any regard to normal access restrictions. + + +

+Many companies are not aware that information can so easily be +recovered from the network. They trust that their data is safe +since nobody is supposed to know that there is sensitive information +in the network, or because so much other data is transferred in the +network. This is not a safe policy. + + +

1.3 - What operating systems are supported?

+ +

+Even though OpenSSH is developed on +OpenBSD a wide variety of +ports to other operating systems exist. The portable version of OpenSSH +is headed by Damien Miller. +For a quick overview of the portable version of OpenSSH see +OpenSSH Portable Release. +Currently, the supported operating systems are: + + +

+ +

+A list of vendors that include OpenSSH in their distributions +is located in the OpenSSH Users page. + +

1.4 - What about copyrights, usage and patents?

+

+The OpenSSH developers have tried very hard to keep OpenSSH free of any +patent or copyright problems. To do this, some options had to be +stripped from OpenSSH. Namely support for patented algorithms. + +

+OpenSSH does not support any patented transport algorithms. In SSH1 mode, +only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, +Blowfish, CAST128, Arcfour and AES can be selected. +The patented IDEA algorithm is not supported. + +

+OpenSSH provides support for both SSH1 and SSH2 protocols. + +

+Since the RSA patent has expired, there are no restrictions on the use +of RSA algorithm using software, including OpenBSD. + +

1.5 - Where should I ask for help?

+

+There are many places to turn to for help. In addition to the main +OpenSSH website, +there are many mailing lists to try. Before trying any mailing lists, +please search through all mailing list archives to see if your question +has already been answered. The OpenSSH Mailing List has been archived and +put in searchable form and can be found at +marc.info. + +

+For more information on subscribing to OpenSSH related mailing lists, +please see OpenSSH Mailing lists. + +

1.6 - I have found a bug. Where do I report it?

+

+Information about submitting bug reports can be found at the OpenSSH +Reporting bugs page. +

+If you wish to report a security bug, please contact the private developers +list <openssh@openssh.com>. + +

2.0 - General Questions

+ +

2.1 - Why does ssh/scp make connections from low-numbered ports.

+

+The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa +authentication because the server needs to trust the username provided by +the client. To get around this, you can add the below example to your +ssh_config or ~/.ssh/config file. + + +

+ + + + +
+UsePrivilegedPort no +
+
+ +

+Or you can specify this option on the command line, using the -o +option to +ssh(1) command. + +

+ + + + +
+$ ssh -o "UsePrivilegedPort no" host.com +
+
+ +

2.2 - Why is the ssh client setuid root?

+ +

+In conjunction with the previous question, (2.1) +OpenSSH needs root authority to be able to bind to low-numbered ports to +facilitate rhosts authentication. +A privileged port is also required for rhosts-rsa authentication to older +SSH releases. + +

+Additionally, for both rhosts-rsa authentication (in protocol +version 1) and hostbased authentication (in protocol version 2) +the ssh client needs to access the private host key in order to +authenticate the client machine to the server. +OpenSSH versions prior to 3.3 required the ssh binary to be +setuid root to enable this, and you may safely remove it if you don't +want to use these authentication methods. + +

+Starting in OpenSSH 3.3, ssh is not setuid by default. ssh-keysign, +is used for access to the private hosts keys, and ssh does not use privileged +source ports by default. If you wish to use a privileged source port, you must +manually set the setuid bit on ssh. + +

2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?

+ +

+SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. +Their code was not supplying the full data block output from the digest, +and instead always provided 128 bits. For longer digests, this caused +SSH 2.3 to not interoperate with OpenSSH. + +

+OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH +will have this bug fixed. Or you can add the following to +SSH 2.3 sshd2_config. + + +

+ + + + +
+Mac hmac-md5 +
+
+ +

2.4 - Why does OpenSSH print: Dispatch protocol error: type 20

+ +

+Problems in interoperation have been seen because older versions of +OpenSSH did not support session rekeying. However the commercial SSH 2.3 +tries to negotiate this feature, and you might experience connection +freezes or see the error message "Dispatch protocol error: +type 20 ". +To solve this problem, either upgrade to a recent OpenSSH release or +disable rekeying by adding the following to your commercial SSH 2.3's +ssh2_config or sshd2_config. + + +

+ + + + +
+RekeyIntervalSeconds 0 +
+
+ +

2.5 - Old versions of commercial SSH encrypt host keys with IDEA.

+ +

+The old versions of SSH used a patented algorithm to encrypt their +/etc/ssh/ssh_host_key. This problem will manifest as +sshd(8) +not being able to read its host key. To solve this, use the command below +to convert your ssh_host_key to use 3DES. +NOTE: Use the +ssh-keygen(1) +program from the Commercial SSH product, *NOT* OpenSSH for the example +below. + + +

+ + + + +
+# ssh-keygen -u -f /etc/ssh/ssh_host_key +
+
+ +

2.6 - What are these warning messages about key lengths

+ +

+Commercial SSH's +ssh-keygen(1) +program contained a bug which caused it to occasionally generate Pubkey +Authentication (RSA or DSA) keys which had their Most Significant Bit +(MSB) unset. Such keys were advertised as being full-length, but are +actually, half the time, smaller than advertised. + +

+OpenSSH will print warning messages when it encounters such keys. To rid +yourself of these message, edit your known_hosts files and replace the +incorrect key length (usually "1024") with the correct key length +(usually "1023"). + +

2.7 - X11 and/or agent forwarding does not work.

+ +

+Check your ssh_config and sshd_config. The default +configuration files disable authentication agent and X11 forwarding. To +enable it, put the line below in sshd_config: + +

+ + + + +
+X11Forwarding yes +
+
+ +

+and put the following lines in ssh_config: + +

+ + + + +
+ForwardAgent yes
+ForwardX11 yes +
+
+ +

+X11 forwarding requires a working xauth(1) binary. On OpenBSD this is in the xbase file +set but will probably be different on other platforms. For OpenSSH +Portable, xauth must be either found at configure time or specified +via XAuthLocation in sshd_config(5) and ssh_config(5). + +

+Note on agent interoperability: There are two different and +incompatible agent forwarding mechanisms within the SSH2 protocol. +OpenSSH has always used an extension of the original SSH1 agent +requests, however some commercial products use a different, non-free +agent forwarding protocol. This means that agent forwarding cannot +be used between OpenSSH and those products. + +

+NOTE: For users of Linux Mandrake 7.2, Mandrake modifies the +XAUTHORITY environment variable in /etc/skel/.bashrc, +and thus any bash user's home directory. This variable is set by OpenSSH +and for either of the above options to work, you need to comment out +the line: + + +

+ + + + +
+# export XAUTHORITY=$HOME/.Xauthority +
+
+ +

2.8 - After upgrading OpenSSH I lost SSH2 support.

+ +

+Between versions changes can be made to sshd_config or +ssh_config. You should always check on these changes when upgrading +versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the +following to your sshd_config: + + +

+ + + + +
+HostKey /etc/ssh_host_dsa_key
+HostKey /etc/ssh_host_rsa_key +
+
+ +

2.9 - sftp/scp fails at connection, but ssh is OK.

+ +

+sftp and/or scp may fail at connection time if you have shell +initialization (.profile, .bashrc, .cshrc, etc) which produces output +for non-interactive sessions. This output confuses the sftp/scp client. +You can verify if your shell is doing this by executing: + +

+ + + + +
+ssh yourhost /usr/bin/true +
+
+ +

+If the above command produces any output, then you need to modify your +shell initialization. + +

2.10 - Will you add [foo] to scp?

+ +

+Short Answer: no. + +

+Long Answer: scp is not standardized. The closest thing it has to a +specification is "what rcp does". Since the same command is used on both ends +of the connection, adding features or options risks breaking interoperability with other +implementations. + +

+New features are more likely in sftp, since the protocol is standardized +(well, a +draft standard), extensible, and the client and server are decoupled. + +

2.11 - How do I use port forwarding?

+ +

+If the remote server is running sshd(8), it may be possible to +``tunnel'' certain services via ssh. This may be desirable, for +example, to encrypt POP or SMTP connections, even though the software +does not directly support encrypted communications. Tunnelling uses +port forwarding to create a connection between the client and server. +The client software must be able to specify a non-standard port to +connect to for this to work. + +

+The idea is that the user connects to the remote host using ssh, +and specifies which port on the client's machine should be used to +forward connections to the remote server. After that it is possible +to start the service which is to be encrypted (e.g. fetchmail, irc) +on the client machine, specifying the same local port passed to +ssh, and the connection will be tunnelled through ssh. By default, +the system running the forward will only accept connections from +itself. + +

+The options most relevant to tunnelling are the -L and -R options, +which allow the user to forward connections, the -D option, which +permits dynamic port forwarding, the -g option, which permits other +hosts to use port forwards, and the -f option, which instructs ssh +to put itself in the background after authentication. See the ssh(1) man page for further details. + +

+This is an example of tunnelling an IRC session from client machine +``127.0.0.1'' (localhost) to remote server ``server.example.com'': + +

+ + + + +
+ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10
+irc -c '#users' -p 1234 pinky 127.0.0.1
+
+
+ +

+This tunnels a connection to IRC server server.example.com, joining +channel ``#users'', using the nickname ``pinky''. The local port used +in this example is 1234. It does not matter which port is used, as +long as it's greater than 1023 (remember, only root can open sockets on +privileged ports) and doesn't conflict with any ports already in use. +The connection is forwarded to port 6667 on the remote server, since +that's the standard port for IRC services. + +

+The remote command ``sleep 10'' was specified to allow an amount +of time (10 seconds, in the example) to start the service which is to +be tunnelled. If no connections are made within the time specified, +ssh will exit. If more time is required, the sleep(1) value can be +increased appropriately or, alternatively, the example above could +be added as a function to the user's shell. See ksh(1) and csh(1) +for more details about user-defined functions. + +

+ssh also has an -N option, convenient for use with port forwarding: +if -N is specified, it is not necessary to specify a remote command +(``sleep 10'' in the example above). However, use of this option +causes ssh to wait around for ever (as opposed to exiting after a +remote command has completed), and the user must take care to manually +kill(1) the process afterwards. + +

2.12 - My ssh connection freezes or drops out after N minutes of inactivity.

+ +

+This is usually the result of a packet filter or NAT device +timing out your TCP connection due to inactivity. You can enable +ClientAliveInterval in the server's +sshd_config, or enable ServerAliveInterval in the +client's +ssh_config (the latter is available in OpenSSH 3.8 and newer). + +

+Enabling either option and setting the interval for less than the time +it takes to time out your session will ensure that the connection is +kept "fresh" in the device's connection table. + +

2.13 - How do I use scp to copy a file with a colon in it?

+ + +scp will interpret the component before the colon to be a remote +server name and attempt to connect to it. To prevent this, refer to +the file by a relative or absolute path, eg: + +
+ + + + +
+$ scp ./source:file sshserver: +
+
+ +

2.14 - Why does OpenSSH report its version to clients?

+ +

+OpenSSH, like most SSH implementations, reports its name and version to clients +when they connect, e.g. +

+ +
+SSH-2.0-OpenSSH_3.9 +
+ +

+This information is used by clients and servers to enable protocol +compatibility tweaks to work around changed, buggy or missing features in +the implementation they are talking to. This protocol feature checking is +still required at present because versions with incompatibilities are still +in wide use. +

+ +

3.0 - Portable OpenSSH Questions

+ +

3.1 - Spurious PAM authentication messages in logfiles.

+ +

+The portable version of OpenSSH will generate spurious authentication +failures at every login, similar to: + + +

+ + + + +
+"authentication failure; (uid=0) -> root for sshd service" +
+
+ +

+These are generated because OpenSSH first tries to determine whether a +user needs authentication to login (e.g. empty password). Unfortunately +PAM likes to log all authentication events, this one included. + +

+If it annoys you too much, set "PermitEmptyPasswords no" +in sshd_config. This will quiet the error message at the expense +of disabling logins to accounts with no password set. +This is the default if you use the supplied sshd_config file. + +

3.2 - Empty passwords not allowed with PAM authentication.

+ +

+To enable empty passwords with a version of OpenSSH built with PAM you +must add the flag nullok to the end of the password checking module +in the /etc/pam.d/sshd file. For example: + +

+ + + + +
+auth required/lib/security/pam_unix.so shadow nodelay nullok +
+
+ +

+This must be done in addition to setting "PermitEmptyPasswords +yes" in the sshd_config file. + +

+There is one caveat when using empty passwords with PAM authentication: +PAM will allow any password when authenticating an account with an empty +password. This breaks the check that +sshd(8) +uses to determine whether an account has no password set and grant +users access to the account regardless of the policy specified by +PermitEmptyPasswords. For this reason, it is recommended that you +do not add the nullok directive to your PAM configuration file +unless you specifically wish to allow empty passwords. + + +

3.3 - ssh(1) takes a long time to connect or log +in

+ +

+Large delays (more than 10 seconds) are typically caused by a problem with +name resolution: +

+ +

+Delays less than 10 seconds can have other causes. + +

+ +

How slow is "slow"?

+Under normal conditions, the speed of SSH logins is dependant on +CPU speed of client and server. For comparison the following are +typical connect times for time ssh localhost true +with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and +OpenSSL were compiled with gcc 3.3.x. + +

+ + + + + + + + + +
CPUTime (SSHv1)[1]Time (SSHv2)
170MHz SPARC/sun4m0.74 sec1.25 sec
236MHz HPPA/8200[2]0.44 sec0.79 sec
375MHz PowerPC/604e0.38 sec0.51 sec
933MHz VIA Ezra0.34 sec0.44 sec
2.1GHz Athlon XP 2600+0.14 sec0.22 sec
+ +
+ +[1] The SSHv1 protocol is faster but is +cryptographically weaker than SSHv2.
+ +[2] At the time of writing, gcc generates +relatively slow code on HPPA for RSA and Diffie-Hellman operations +(see gcc +bug #7625 and +discussion on openssh-unix-dev). + +

3.4 - "Can't locate module net-pf-10" messages in log under Linux.

+ +

+The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). +Either load the appropriate kernel module, enter the correct alias in +/etc/modules.conf or disable IPv6 in /etc/modules.conf. + + +

+For some silly reason /etc/modules.conf may also be named +/etc/conf.modules. + + +

3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)

+ +

+If the password is correct password the login is still denied, the +usual cause is that the system is configured to use MD5-type passwords +but the +crypt(3) function used by sshd doesn't understand them. + +

+Affected accounts will have password strings in /etc/passwd +or /etc/shadow that start with $1$. +If password authentication fails for new accounts or accounts with +recently changed passwords, but works for old accounts, this is the +likely culprit. + +

+The underlying cause is that some versions of OpenSSL have a crypt(3) +function that does not understand MD5 passwords, and the link order of +sshd means that OpenSSL's crypt(3) is used instead of the system's. +OpensSSH's configure attempts to correct for this but is not always +successful. + +

+There are several possible solutions: + +

+ +

3.6 - Configure or sshd(8) complain about lack of RSA or DSA support

+ +

+Ensure that your OpenSSL libraries have been built to include RSA or DSA +support either internally or through RSAref. + + +

3.7 - "scp: command not found" errors

+ +

+scp(1) +must be in the default PATH on both the client and the server. You may +need to use the --with-default-path option to specify a custom +path to search on the server. This option replaces the default path, +so you need to specify all the current directories on your path as well +as where you have installed scp. For example: + +

+ + + + +
+$ ./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp +
+
+ +

+Note that configuration by the server's admin will take precedence over the +setting of --with-default-path. This includes resetting PATH in +/etc/profile, PATH in /etc/environment on AIX, or (for 3.7p1 and +above) setting PATH or SUPATH in /etc/default/login on Solaris or +Reliant Unix. + +

3.8 - Unable to read passphrase

+ +

+Some operating systems set /dev/tty with incorrect modes, causing +the reading of passwords to fail with the following error: + +

+ + + + +
+You have no controlling tty. Cannot read passphrase. +
+
+ +

+The solution to this is to reset the permissions on /dev/tty +to mode 0666 and report the error as a bug to your OS vendor. + + +

3.9 - 'configure' missing or make fails

+ +

+If there is no 'configure' file in the tar.gz file that you downloaded +or make fails with "missing separator" errors, you have probably +downloaded the OpenBSD distribution of OpenSSH and are attempting to +compile it on another platform. Please refer to the information on the +portable version. + + +

3.10 - Hangs when exiting ssh

+ +

+OpenSSH may hang when exiting. This can occur when there is an active +background process. This is known to occur on Linux and HP-UX. +The problem can be verified by doing the following: + +

+ + + + +
+$ sleep 20 & exit +
+
+ +Try to use this instead: +
+ + + + +
+$ sleep 20 < /dev/null > /dev/null 2>&1 & +
+
+ +

+A work around for bash users is to place "shopt -s huponexit" +in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's +man page for an option to enable it to send a HUP signal to active +jobs when exiting. See bug #52 +for other workarounds. + +

3.11 - Why does ssh hang on exit?

+ +

+When executing +

+ + + + +
+$ ssh host command +
+
+ssh needs to hang, because it needs to wait: + +

+ +

3.12 - I upgraded to OpenSSH 3.1 and X11 +forwarding stopped working.

+ +Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on +localhost by default; see the sshd X11UseLocalhost option to +revert to prior behaviour if your older X11 clients do not function +with this configuration.

+ +In general, X11 clients using X11 R6 should work with the default +setting. Some vendors, including HP, ship X11 clients with R6 +and R5 libs, so some clients will work, and others will not work. +This is true for HP-UX 11.X.

+ +

3.13 - I upgraded to OpenSSH 3.8 and some +X11 programs stopped working.

+ +

+As documented in the 3.8 release notes, +ssh will now use untrusted X11 cookies by +default. The previous behaviour can be restored by setting +ForwardX11Trusted yes in ssh_config. + +

+Possible symptoms include:
+BadWindow (invalid Window parameter)
+BadAccess (attempt to access private resource denied)
+X Error of failed request: BadAtom (invalid Atom parameter)
+Major opcode of failed request: 20 (X_GetProperty)
+ +

3.14 - I copied my public key to authorized_keys +but public-key authentication still doesn't work.

+ +

+Typically this is caused by the file permissions on $HOME, $HOME/.ssh or +$HOME/.ssh/authorized_keys being more permissive than sshd allows by default. + +

+In this case, it can be solved by executing the following on the server. +

+ + + + +
+$ chmod go-w $HOME $HOME/.ssh
+$ chmod 600 $HOME/.ssh/authorized_keys
+$ chown `whoami` $HOME/.ssh/authorized_keys
+
+
+ +

+If this is not possible for some reason, an alternative is to set +StrictModes no in sshd_config, however this is not +recommended. + +

3.15 - OpenSSH versions and PAM behaviour.

+ +Portable OpenSSH has a configure-time option to enable sshd's use of the +PAM +(Pluggable Authentication Modules) interface. + +
+ + + + +
+./configure --with-pam [options] +
+
+ +To use PAM at all, this option must be provided at build time. +The run-time behaviour when PAM is built in varies with the version of +Portable OpenSSH, and on later versions it must also be enabled by setting +UsePAM to yes in sshd_config. + +

+The behaviour of the relevant authentications options when PAM support is built +in is summarised by the following table. + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
Version UsePAM PasswordAuthentication ChallengeResponseAuthentication
<=3.6.1p2Not applicableUses PAMUses PAM if PAMAuthenticationViaKbdInt is enabled
3.7p1 - 3.7.1p1Defaults to yesDoes not use PAMUses PAM if UsePAM is enabled
3.7.1p2 - 3.8.1p1Defaults to noDoes not use PAM [1]Uses PAM if UsePAM is enabled
3.9p1Defaults to noUses PAM if UsePAM is enabledUses PAM if UsePAM is enabled
+

+ +[1] Some vendors, notably Redhat/Fedora, have +backported the PasswordAuthentication from 3.9p1 to their 3.8x based +packages. If you're using a vendor-supplied package then consult their +documentation. + +

+OpenSSH Portable's PAM interface still has problems with a few modules, +however we hope that this number will reduce in the future. As at the +3.9p1 release, the known problems are: + +

+ +You can also check bugzilla for current PAM issues. + +

3.16 - Why doesn't "w" or "who" on AIX 5.x show users +logged in via ssh?

+ +Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This +means that sshd binaries built on AIX 4.x will not correctly write wtmp +entries when run on AIX 5.x. This can be fixed by simply recompiling +sshd on an AIX 5.x system and using that. + +
+OpenSSH +www@openbsd.org +
+$OpenBSD: faq.html,v 1.113 2012/04/21 12:12:22 dtucker Exp $ + + + -- cgit v1.2.3