[openssh.git] / UPGRADING

[ A Japanese translation of this document is available at
[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html
[ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>

OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
There are, however, a few exceptions that you will need to bear in
mind while upgrading:

1. OpenSSH does not support any patented transport algorithms.

Only 3DES and Blowfish can be selected. This difference may manifest
itself in the ssh command refusing to read its config files.

Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
option ("3des" or "blowfish").

2. Old versions of commercial SSH encrypt host keys with IDEA

The old versions of SSH used a patented algorithm to encrypt their
/etc/ssh/ssh_host_key

This problem will manifest as sshd not being able to read its host
key.

Solution: You will need to run the *commercial* version of ssh-keygen
on the host's private key:

ssh-keygen -u -f /etc/ssh/ssh_host_key

3. Incompatible changes to sshd_config format.

OpenSSH extends the sshd_config file format in a number of ways. There
is currently one change which is incompatible with the old.

Commercial SSH controlled logging using the "QuietMode" and
"FascistLogging" directives. OpenSSH introduces a more general set of
logging options "SyslogFacility" and "LogLevel". See the sshd manual
page for details.

4. Warning messages about key lengths

Commercial SSH's ssh-keygen program contained a bug which caused it to
occasionally generate RSA keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually only half as secure.

OpenSSH will print warning messages when it encounters such keys. To
rid yourself of these message, edit you known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").

5. Spurious PAM authentication messages in logfiles

OpenSSH will generate spurious authentication failures at every login, 
similar to "authentication failure; (uid=0) -> root for sshd service".
These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunatly
PAM likes to log all authentication events, this one included.

If it annoys you too much, set "PermitEmptyPasswords no" in 
sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the 
default if you use the supplied sshd_config file.

6. Empty passwords not allowed with PAM authentication

To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag "nullok" to the end of the password checking module
in the /etc/pam.d/sshd file. For example:

auth required/lib/security/pam_unix.so shadow nodelay nullok

This must be done in addtion to setting "PermitEmptyPasswords yes"
in the sshd_config file.

There is one caveat when using empty passwords with PAM
authentication: PAM will allow _any_ password when authenticating
an account with an empty password. This breaks the check that sshd
uses to determined whether an account has no password set and grant
users access to the account regardless of the policy specified by
"PermitEmptyPasswords". For this reason, it is recommended that you do
not add the "nullok" directive to your PAM configuration file unless
you specifically wish to allow empty passwords.

7. X11 and/or agent forwarding does not work

Check your ssh_config and sshd_config. The default configuration files
disable authentication agent and X11 forwarding.

8. ssh takes a long time to connect with Linux/glibc 2.1

The glibc shipped with Redhat 6.1 appears to take a long time to resolve
"IPv6 or IPv4" addresses from domain names. This can be kludged around 
with the --with-ipv4-default configure option. This instructs OpenSSH to
use IPv4-only address resolution. (IPv6 lookups may still be made by 
specifying the -6 option).

9. Logins from commercial ssh generate the error "Selected cipher type 
    idea not supported by server"

This error is generated when a commercial ssh which has been configured to
use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify 
this, select a different cipher in ssh_config or ~/.ssh/config (3des for 
security or blowfish for speed).

10. "can't locate module net-pf-10" messages in log under Linux

The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
Either 1. load the appropriate kernel module, 2. enter the correct alias
in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf.

For some silly reason /etc/modules.conf may also be named /etc/conf.modules

11. Password authentication doesn't work on Slackware 7.0

Configure OpenSSH with --with-md5-passwords

12. ./configure or sshd complain about lack of RSA support

Ensure that your OpenSSL libraries have been built to include RSA support
either internally or through RSAref.

13. "scp: command not found" errors

scp must be in the default PATH on both the client and the server. You may
need to use the --with-default-path option to specify a custom path to
search on the server. This option replaces the default path, so you need
to specify all the current directories on your path as well as where you
have installed scp. For example: 

./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp
Commit	Line	Data
6b1f3fdb	1	[ A Japanese translation of this document is available at
	2	[ http://www.unixuser.org/%7Eharuyama/security/openssh/index.html
	3	[ Thanks to HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
	4
43ac0186	5	OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
	6	There are, however, a few exceptions that you will need to bear in
	7	mind while upgrading:
	8
	9	1. OpenSSH does not support any patented transport algorithms.
	10
	11	Only 3DES and Blowfish can be selected. This difference may manifest
	12	itself in the ssh command refusing to read its config files.
	13
	14	Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
	15	option ("3des" or "blowfish").
	16
	17	2. Old versions of commercial SSH encrypt host keys with IDEA
	18
	19	The old versions of SSH used a patented algorithm to encrypt their
	20	/etc/ssh/ssh_host_key
	21
	22	This problem will manifest as sshd not being able to read its host
	23	key.
	24
	25	Solution: You will need to run the commercial version of ssh-keygen
	26	on the host's private key:
	27
6b1f3fdb	28	ssh-keygen -u -f /etc/ssh/ssh_host_key
43ac0186	29
	30	3. Incompatible changes to sshd_config format.
	31
	32	OpenSSH extends the sshd_config file format in a number of ways. There
	33	is currently one change which is incompatible with the old.
	34
	35	Commercial SSH controlled logging using the "QuietMode" and
	36	"FascistLogging" directives. OpenSSH introduces a more general set of
	37	logging options "SyslogFacility" and "LogLevel". See the sshd manual
	38	page for details.
	39
3dbefdb8	40	4. Warning messages about key lengths
	41
	42	Commercial SSH's ssh-keygen program contained a bug which caused it to
	43	occasionally generate RSA keys which had their Most Significant Bit
	44	(MSB) unset. Such keys were advertised as being full-length, but are
	45	actually only half as secure.
	46
	47	OpenSSH will print warning messages when it encounters such keys. To
	48	rid yourself of these message, edit you known_hosts files and replace
	49	the incorrect key length (usually "1024") with the correct key length
	50	(usually "1023").
	51
20c43d8c	52	5. Spurious PAM authentication messages in logfiles
	53
	54	OpenSSH will generate spurious authentication failures at every login,
	55	similar to "authentication failure; (uid=0) -> root for sshd service".
	56	These are generated because OpenSSH first tries to determine whether a
	57	user needs authentication to login (e.g. empty password). Unfortunatly
	58	PAM likes to log all authentication events, this one included.
	59
36a5b38e	60	If it annoys you too much, set "PermitEmptyPasswords no" in
36a5b38e	61	sshd_config. This will quiet the error message at the expense of
6fe60c5e	62	disabling logins to accounts with no password set. This is the
6fe60c5e	63	default if you use the supplied sshd_config file.
607d73e6	64
	65	6. Empty passwords not allowed with PAM authentication
	66
	67	To enable empty passwords with a version of OpenSSH built with PAM you
	68	must add the flag "nullok" to the end of the password checking module
	69	in the /etc/pam.d/sshd file. For example:
	70
	71	auth required/lib/security/pam_unix.so shadow nodelay nullok
	72
	73	This must be done in addtion to setting "PermitEmptyPasswords yes"
	74	in the sshd_config file.
	75
	76	There is one caveat when using empty passwords with PAM
	77	authentication: PAM will allow _any_ password when authenticating
	78	an account with an empty password. This breaks the check that sshd
	79	uses to determined whether an account has no password set and grant
	80	users access to the account regardless of the policy specified by
	81	"PermitEmptyPasswords". For this reason, it is recommended that you do
	82	not add the "nullok" directive to your PAM configuration file unless
	83	you specifically wish to allow empty passwords.
	84
6b1f3fdb	85	7. X11 and/or agent forwarding does not work
47f9a56a	86
	87	Check your ssh_config and sshd_config. The default configuration files
	88	disable authentication agent and X11 forwarding.
	89
6b1f3fdb	90	8. ssh takes a long time to connect with Linux/glibc 2.1
47f9a56a	91
	92	The glibc shipped with Redhat 6.1 appears to take a long time to resolve
	93	"IPv6 or IPv4" addresses from domain names. This can be kludged around
	94	with the --with-ipv4-default configure option. This instructs OpenSSH to
	95	use IPv4-only address resolution. (IPv6 lookups may still be made by
	96	specifying the -6 option).
	97
6b1f3fdb	98	9. Logins from commercial ssh generate the error "Selected cipher type
587120ad	99	idea not supported by server"
	100
	101	This error is generated when a commercial ssh which has been configured to
	102	use the 'idea' cipher attempts to connect to an OpenSSH server. To rectify
	103	this, select a different cipher in ssh_config or ~/.ssh/config (3des for
	104	security or blowfish for speed).
	105
3276571c	106	10. "can't locate module net-pf-10" messages in log under Linux
	107
	108	The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
	109	Either 1. load the appropriate kernel module, 2. enter the correct alias
	110	in /etc/modules.conf or 3. disable IPv6 in /etc/modules.conf.
	111
	112	For some silly reason /etc/modules.conf may also be named /etc/conf.modules
	113
	114	11. Password authentication doesn't work on Slackware 7.0
	115
	116	Configure OpenSSH with --with-md5-passwords
	117
	118	12. ./configure or sshd complain about lack of RSA support
	119
	120	Ensure that your OpenSSL libraries have been built to include RSA support
	121	either internally or through RSAref.
	122
2ba2a610	123	13. "scp: command not found" errors
	124
	125	scp must be in the default PATH on both the client and the server. You may
	126	need to use the --with-default-path option to specify a custom path to
bd499f9e	127	search on the server. This option replaces the default path, so you need
	128	to specify all the current directories on your path as well as where you
	129	have installed scp. For example:
	130
	131	./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp
2ba2a610	132