[openssh.git] / UPGRADING

OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
There are, however, a few exceptions that you will need to bear in
mind while upgrading:

1. OpenSSH does not support any patented transport algorithms.

Only 3DES and Blowfish can be selected. This difference may manifest
itself in the ssh command refusing to read its config files.

Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
option ("3des" or "blowfish").

2. Old versions of commercial SSH encrypt host keys with IDEA

The old versions of SSH used a patented algorithm to encrypt their
/etc/ssh/ssh_host_key

This problem will manifest as sshd not being able to read its host
key.

Solution: You will need to run the *commercial* version of ssh-keygen
on the host's private key:

ssh-keygen -u /etc/ssh/ssh_host_key

3. Incompatible changes to sshd_config format.

OpenSSH extends the sshd_config file format in a number of ways. There
is currently one change which is incompatible with the old.

Commercial SSH controlled logging using the "QuietMode" and
"FascistLogging" directives. OpenSSH introduces a more general set of
logging options "SyslogFacility" and "LogLevel". See the sshd manual
page for details.

4. Warning messages about key lengths

Commercial SSH's ssh-keygen program contained a bug which caused it to
occasionally generate RSA keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually only half as secure.

OpenSSH will print warning messages when it encounters such keys. To
rid yourself of these message, edit you known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").

5. Spurious PAM authentication messages in logfiles

OpenSSH will generate spurious authentication failures at every login, 
similar to "authentication failure; (uid=0) -> root for sshd service".
These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunatly
PAM likes to log all authentication events, this one included.

If it annoys you too much, set "PermitEmptyPasswords no" in 
sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the 
default if you use the supplied sshd_config file.

6. Empty passwords not allowed with PAM authentication

To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag "nullok" to the end of the password checking module
in the /etc/pam.d/sshd file. For example:

auth required/lib/security/pam_unix.so shadow nodelay nullok

This must be done in addtion to setting "PermitEmptyPasswords yes"
in the sshd_config file.

There is one caveat when using empty passwords with PAM
authentication: PAM will allow _any_ password when authenticating
an account with an empty password. This breaks the check that sshd
uses to determined whether an account has no password set and grant
users access to the account regardless of the policy specified by
"PermitEmptyPasswords". For this reason, it is recommended that you do
not add the "nullok" directive to your PAM configuration file unless
you specifically wish to allow empty passwords.

7. Rhosts authentication does not work

Make sure that ssh is installed with the setuid bit set. Note that the 
Makefile does not do this by default.

8. X11 and/or agent forwarding does not work

Check your ssh_config and sshd_config. The default configuration files
disable authentication agent and X11 forwarding.

9. ssh takes a long time to connect with Linux/glibc 2.1

The glibc shipped with Redhat 6.1 appears to take a long time to resolve
"IPv6 or IPv4" addresses from domain names. This can be kludged around 
with the --with-ipv4-default configure option. This instructs OpenSSH to
use IPv4-only address resolution. (IPv6 lookups may still be made by 
specifying the -6 option).
Commit	Line	Data
43ac0186	1	OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
	2	There are, however, a few exceptions that you will need to bear in
	3	mind while upgrading:
	4
	5	1. OpenSSH does not support any patented transport algorithms.
	6
	7	Only 3DES and Blowfish can be selected. This difference may manifest
	8	itself in the ssh command refusing to read its config files.
	9
	10	Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
	11	option ("3des" or "blowfish").
	12
	13	2. Old versions of commercial SSH encrypt host keys with IDEA
	14
	15	The old versions of SSH used a patented algorithm to encrypt their
	16	/etc/ssh/ssh_host_key
	17
	18	This problem will manifest as sshd not being able to read its host
	19	key.
	20
	21	Solution: You will need to run the commercial version of ssh-keygen
	22	on the host's private key:
	23
	24	ssh-keygen -u /etc/ssh/ssh_host_key
	25
	26	3. Incompatible changes to sshd_config format.
	27
	28	OpenSSH extends the sshd_config file format in a number of ways. There
	29	is currently one change which is incompatible with the old.
	30
	31	Commercial SSH controlled logging using the "QuietMode" and
	32	"FascistLogging" directives. OpenSSH introduces a more general set of
	33	logging options "SyslogFacility" and "LogLevel". See the sshd manual
	34	page for details.
	35
3dbefdb8	36	4. Warning messages about key lengths
	37
	38	Commercial SSH's ssh-keygen program contained a bug which caused it to
	39	occasionally generate RSA keys which had their Most Significant Bit
	40	(MSB) unset. Such keys were advertised as being full-length, but are
	41	actually only half as secure.
	42
	43	OpenSSH will print warning messages when it encounters such keys. To
	44	rid yourself of these message, edit you known_hosts files and replace
	45	the incorrect key length (usually "1024") with the correct key length
	46	(usually "1023").
	47
20c43d8c	48	5. Spurious PAM authentication messages in logfiles
	49
	50	OpenSSH will generate spurious authentication failures at every login,
	51	similar to "authentication failure; (uid=0) -> root for sshd service".
	52	These are generated because OpenSSH first tries to determine whether a
	53	user needs authentication to login (e.g. empty password). Unfortunatly
	54	PAM likes to log all authentication events, this one included.
	55
36a5b38e	56	If it annoys you too much, set "PermitEmptyPasswords no" in
36a5b38e	57	sshd_config. This will quiet the error message at the expense of
6fe60c5e	58	disabling logins to accounts with no password set. This is the
6fe60c5e	59	default if you use the supplied sshd_config file.
607d73e6	60
	61	6. Empty passwords not allowed with PAM authentication
	62
	63	To enable empty passwords with a version of OpenSSH built with PAM you
	64	must add the flag "nullok" to the end of the password checking module
	65	in the /etc/pam.d/sshd file. For example:
	66
	67	auth required/lib/security/pam_unix.so shadow nodelay nullok
	68
	69	This must be done in addtion to setting "PermitEmptyPasswords yes"
	70	in the sshd_config file.
	71
	72	There is one caveat when using empty passwords with PAM
	73	authentication: PAM will allow _any_ password when authenticating
	74	an account with an empty password. This breaks the check that sshd
	75	uses to determined whether an account has no password set and grant
	76	users access to the account regardless of the policy specified by
	77	"PermitEmptyPasswords". For this reason, it is recommended that you do
	78	not add the "nullok" directive to your PAM configuration file unless
	79	you specifically wish to allow empty passwords.
	80
47f9a56a	81	7. Rhosts authentication does not work
	82
	83	Make sure that ssh is installed with the setuid bit set. Note that the
	84	Makefile does not do this by default.
	85
	86	8. X11 and/or agent forwarding does not work
	87
	88	Check your ssh_config and sshd_config. The default configuration files
	89	disable authentication agent and X11 forwarding.
	90
	91	9. ssh takes a long time to connect with Linux/glibc 2.1
	92
	93	The glibc shipped with Redhat 6.1 appears to take a long time to resolve
	94	"IPv6 or IPv4" addresses from domain names. This can be kludged around
	95	with the --with-ipv4-default configure option. This instructs OpenSSH to
	96	use IPv4-only address resolution. (IPv6 lookups may still be made by
	97	specifying the -6 option).
	98