This file is indexed.

/usr/share/doc/openssh-client/faq.html is in openssh-client 1:5.9p1-5ubuntu1.10.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenSSH FAQ</title>
<link rev= "made" href= "mailto:www@openbsd.org">
<meta name= "resource-type" content= "document">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name= "description"   content= "the OpenSSH FAQ page">
<meta name= "keywords"      content= "OpenSSH,SSH,Secure Shell,faq">
<meta name= "distribution"  content= "global">
<meta name= "copyright"     content= "This document copyright 1999-2010 OpenBSD.">
</head>

<body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
<a href="http://www.openssh.org/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<p>

<h1>OpenSSH FAQ (Frequently asked questions)</h1>

<hr>

<blockquote>
<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
<ul>
<li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a>
<li><a href= "#1.2">1.2 - Why should it be used?</a>
<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
<li><a href= "#1.5">1.5 - Where should I ask for help?</a>
<li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a>
</ul>

<h3><a href= "#2.0">2.0 - General Questions</a></h3>
<ul>
<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a>
<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
<li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a>
<li><a href= "#2.11">2.11 - How do I use port forwarding?</a>
<li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a>
<li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a>
<li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a>
</ul>

<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
<ul>
<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a>
<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
<li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a>
<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
<li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
<li><a href= "#3.8">3.8 - Unable to read passphrase</a>
<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
<li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
<li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a>
<li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a>
<li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a>
<li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a>
</ul>

</blockquote>

<hr>

<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>

<h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2>

OpenSSH provides end-to-end encrypted replacement of applications such as
telnet, rlogin, and ftp.
Unlike these legacy applications, OpenSSH never passes anything
(including username and password) over the wire in unencrypted form, and
provides host authentication, to verify that you really are talking to
the system that you think you are and that no one else can take over
that session.

<p>
The OpenSSH suite includes the 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> 
program which replaces rlogin and telnet, and 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> 
which replaces 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&amp;sektion=1">rcp(1)</a> and 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&amp;sektion=1">ftp(1)</a>. 
OpenSSH has also added 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> and 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a> 
which implement an easier solution for file-transfer. This is based upon the 
<a href="http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.


<p><strong>OpenSSH consists of a number of programs.</strong>

<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
Its behaviour is controlled by the config file <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
sshd_config(5)</a></i>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
Its behaviour is controlled by the global config file <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> - Securely copies files from one machine to another.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a> - Authentication agent.  This can be used to hold RSA keys for authentication.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a> - SFTP server subsystem.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> - Secure file transfer program.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&amp;sektion=1">ssh-keyscan(1)</a> - gather ssh public keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&amp;sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
</ul>

<h3>Downloading</h3>

<p>
The most recent version of OpenSSH is included with the current
distribution of <a href="http://www.openbsd.org/">OpenBSD</a>, and
installed as part of a basic install.

<p>
Today, most other operating systems include some version of OpenSSH
(often re-badged or privately labeled), so most users can immediately
use it.
However, sometimes the included versions are quite old, and missing
features of the current release of OpenSSH, and you may wish to install
the current version, or install it on one of the few OSs that lacked it,
and where the OS publisher does not make a modern version available.
You may also wish to use OpenSSH on your embedded application.

<p>
Non-OpenBSD users will want to download, compile and install the
multi-platform <a href="http://www.openssh.org/portable.html">Portable</a> distribution from a
<a href="http://www.openssh.org/portable.html#mirrors">mirror</a> near you.


<h2><a name= "1.2">1.2 - Why should it be used?</a></h2>

<p>
OpenSSH is a suite of tools to help secure your network 
connections. Here is a list of features:


<ul>
	<li>Strong authentication.  Closes several security holes (e.g., IP, routing, and DNS spoofing).
	<li>Improved privacy.  All communications are automatically and transparently encrypted.
	<li>Secure X11 sessions.  The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
	<li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
	<li>No retraining needed for normal users.
	<li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
	<li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
	<li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine.
	<li>Any user can create any number of user authentication RSA keys for his/her own use.
	<li>The server program has its own server RSA key which is automatically regenerated every hour.
	<li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
	<li>The software can be installed and used (with restricted functionality) even without root privileges.
	<li>The client is customizable in system-wide and per-user configuration files.
	<li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
	<li>Complete replacement for rlogin, rsh, and rcp.
</ul>

<p>
Currently, almost all communications in computer networks are done
without encryption.  As a consequence, anyone who has access to any
machine connected to the network can listen in on any communication.
This is being done by hackers, curious administrators, employers,
criminals, industrial spies, and governments.  Some networks leak off
enough electromagnetic radiation that data may be captured even from a
distance.


<p>
When you log in, your password goes in the network in plain
text.  Thus, any listener can then use your account to do any evil he
likes.  Many incidents have been encountered worldwide where crackers
have started programs on workstations without the owner's knowledge
just to listen to the network and collect passwords.  Programs for
doing this are available on the Internet, or can be built by a
competent programmer in a few hours.


<p>
Businesses have trade secrets, patent applications in preparation,
pricing information, subcontractor information, client data, personnel
data, financial information, etc.  Currently, anyone with access to
the network (any machine on the network) can listen to anything that
goes in the network, without any regard to normal access restrictions.


<p>
Many companies are not aware that information can so easily be
recovered from the network.  They trust that their data is safe
since nobody is supposed to know that there is sensitive information
in the network, or because so much other data is transferred in the
network.  This is not a safe policy.


<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>

<p>
Even though OpenSSH is developed on 
<a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of 
ports to other operating systems exist. The portable version of OpenSSH 
is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>. 
For a quick overview of the portable version of OpenSSH see 
<a href="http://www.openssh.org/portable.html">OpenSSH Portable Release</a>.
Currently, the supported operating systems are:


<ul>
	<li>OpenBSD
	<li>NetBSD
	<li>FreeBSD
	<li>AIX 
	<li>HP-UX 
	<li>IRIX 
	<li>Linux 
	<li>NeXT 
	<li>SCO 
	<li>SNI/Reliant Unix 
	<li>Solaris 
	<li>Digital Unix/Tru64/OSF 
	<li>Mac OS X 
	<li>Cygwin
</ul>

<p>
A list of vendors that include OpenSSH in their distributions 
is located in the <a href="http://www.openssh.org/users.html">OpenSSH Users page</a>.

<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
<p>
The OpenSSH developers have tried very hard to keep OpenSSH free of any 
patent or copyright problems. To do this, some options had to be 
stripped from OpenSSH. Namely support for patented algorithms.

<p>
OpenSSH does not support any patented transport algorithms. In SSH1 mode, 
only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, 
Blowfish, CAST128, Arcfour and AES can be selected. 
The patented IDEA algorithm is not supported.

<p>
OpenSSH provides support for both SSH1 and SSH2 protocols. 

<p>
Since the RSA patent has expired, there are no restrictions on the use 
of RSA algorithm using software, including OpenBSD.

<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
<p>
There are many places to turn to for help. In addition to the main
<a href="http://www.openssh.org/index.html">OpenSSH website</a>, 
there are many mailing lists to try. Before trying any mailing lists, 
please search through all mailing list archives to see if your question 
has already been answered. The OpenSSH Mailing List has been archived and 
put in searchable form and can be found at 
<a href="http://marc.info/?l=openssh-unix-dev&amp;r=1&amp;w=2">marc.info</a>.

<p>
For more information on subscribing to OpenSSH related mailing lists, 
please see <a href="http://www.openssh.org/list.html">OpenSSH Mailing lists</a>.

<h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2>
<p>
Information about submitting bug reports can be found at the OpenSSH
<a href="http://www.openssh.org/report.html">Reporting bugs</a> page.
<p>
If you wish to report a security bug, please contact the private developers
list &lt;<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>&gt;.

<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>

<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2>
<p>
The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa 
authentication because the server needs to trust the username provided by 
the client. To get around this, you can add the below example to your 
<i>ssh_config</i> or <i>~/.ssh/config</i> file.


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>UsePrivilegedPort no</b>
                </td>
        </tr>
</table>
</blockquote>

<p>
Or you can specify this option on the command line, using the <b>-o</b> 
option to 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> command.

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ <b>ssh -o "UsePrivilegedPort no" host.com</b>
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>

<p>
In conjunction with the previous question, (<a href="#2.1">2.1</a>)
OpenSSH needs root authority to be able to bind to low-numbered ports to 
facilitate <i>rhosts authentication</i>.
A privileged port is also required for rhosts-rsa authentication to older
SSH releases.

<p>
Additionally, for both <i>rhosts-rsa authentication</i> (in protocol 
version 1) and <i>hostbased authentication</i> (in protocol version 2) 
the ssh client needs to access the <i>private host key</i> in order to 
authenticate the client machine to the server.
OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be
setuid root to enable this, and you may safely remove it if you don't
want to use these authentication methods.

<p>
Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default.  <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>,
is used for access to the private hosts keys, and ssh does not use privileged
source ports by default.  If you wish to use a privileged source port, you must
manually set the setuid bit on <code>ssh</code>.

<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>

<p>
SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. 
Their code was not supplying the full data block output from the digest, 
and instead always provided 128 bits. For longer digests, this caused 
SSH 2.3 to not interoperate with OpenSSH.

<p>
OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH 
will have this bug fixed. Or you can add the following to 
SSH 2.3 <i>sshd2_config</i>.


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>Mac hmac-md5</b>
               </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>

<p>
Problems in interoperation have been seen because older versions of 
OpenSSH did not support session rekeying. However the commercial SSH 2.3 
tries to negotiate this feature, and you might experience connection 
freezes or see the error message &quot;<b>Dispatch protocol error: 
type 20 </b>&quot;. 
To solve this problem, either upgrade to a recent OpenSSH release or 
disable rekeying by adding the following to your commercial SSH 2.3's
<i>ssh2_config</i> or <i>sshd2_config</i>.


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>RekeyIntervalSeconds 0</b>
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>

<p>
The old versions of SSH used a patented algorithm to encrypt their 
<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> 
not being able to read its host key. To solve this, use the command below 
to convert your ssh_host_key to use 3DES. 
<b>NOTE:</b> Use the 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> 
program from the Commercial SSH product, *NOT* OpenSSH for the example 
below.


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2>

<p>
Commercial SSH's 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> 
program contained a bug which caused it to occasionally generate Pubkey 
Authentication (RSA or DSA) keys which had their Most Significant Bit 
(MSB) unset. Such keys were advertised as being full-length, but are 
actually, half the time, smaller than advertised.

<p>
OpenSSH will print warning messages when it encounters such keys. To rid 
yourself of these message, edit your <i>known_hosts</i> files and replace the 
incorrect key length (usually "1024") with the correct key length 
(usually "1023").

<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>

<p>
Check your <i>ssh_config</i> and <i>sshd_config</i>. The default 
configuration files disable authentication agent and X11 forwarding. To 
enable it, put the line below in <i>sshd_config</i>:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>X11Forwarding yes</b>
                </td>
        </tr>
</table>
</blockquote>

<p>
and put the following lines in <i>ssh_config</i>:

<blockquote>
<table border=0 width="800">
	<tr>
		<td nowrap bgcolor="#EEEEEE">
<b>ForwardAgent yes</b><br>
<b>ForwardX11 yes</b>
		</td>
	</tr>
</table>
</blockquote>

<p>
X11 forwarding requires a working <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&amp;sektion=1"
>xauth(1)</a> binary.  On OpenBSD this is in the <i>xbase</i> file
set but will probably be different on other platforms.  For OpenSSH
Portable, xauth must be either found at configure time or specified
via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5).

<p>
Note on agent interoperability: There are two different and
incompatible agent forwarding mechanisms within the SSH2 protocol.
OpenSSH has always used an extension of the original SSH1 agent
requests, however some commercial products use a different, non-free
agent forwarding protocol.  This means that agent forwarding cannot
be used between OpenSSH and those products.

<p>
<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the 
<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>, 
and thus any bash user's home directory. This variable is set by OpenSSH 
and for either of the above options to work, you need to comment out 
the line:


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b># export XAUTHORITY=$HOME/.Xauthority</b>
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>

<p>
Between versions changes can be made to <i>sshd_config</i> or 
<i>ssh_config</i>. You should always check on these changes when upgrading 
versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the 
following to your <i>sshd_config</i>:


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>HostKey /etc/ssh_host_dsa_key</b><br>
<b>HostKey /etc/ssh_host_rsa_key</b>
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>

<p>
sftp and/or scp may fail at connection time if you have shell 
initialization (.profile, .bashrc, .cshrc, etc) which produces output 
for non-interactive sessions. This output confuses the sftp/scp client.  
You can verify if your shell is doing this by executing:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
<b>ssh yourhost /usr/bin/true</b>
                </td>
        </tr>
</table>
</blockquote>

<p>
If the above command produces any output, then you need to modify your 
shell initialization.

<h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2>

<p>
Short Answer: no.

<p>
Long Answer: scp is not standardized. The closest thing it has to a
specification is "what rcp does".  Since the same command is used on both ends
of the connection, adding features or options risks breaking interoperability with other
implementations.

<p>
New features are more likely in sftp, since the protocol is standardized
(well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html">
draft standard</a>), extensible, and the client and server are decoupled.

<h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2>

<p>
If the remote server is running sshd(8), it may be possible to
``tunnel'' certain services via ssh.  This may be desirable, for
example, to encrypt POP or SMTP connections, even though the software
does not directly support encrypted communications.  Tunnelling uses
port forwarding to create a connection between the client and server.
The client software must be able to specify a non-standard port to
connect to for this to work.

<p>
The idea is that the user connects to the remote host using ssh,
and specifies which port on the client's machine should be used to
forward connections to the remote server.  After that it is possible
to start the service which is to be encrypted (e.g. fetchmail, irc)
on the client machine, specifying the same local port passed to
ssh, and the connection will be tunnelled through ssh.  By default,
the system running the forward will only accept connections from
itself.

<p>
The options most relevant to tunnelling are the -L and -R options,
which allow the user to forward connections, the -D option, which
permits dynamic port forwarding, the -g option, which permits other
hosts to use port forwards, and the -f option, which instructs ssh
to put itself in the background after authentication.  See the <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1"
>ssh(1)</a> man page for further details.

<p>
This is an example of tunnelling an IRC session from client machine
``127.0.0.1'' (localhost) to remote server ``server.example.com'':

<blockquote>
<table border=0 width="800">
	<tr>
		<td nowrap bgcolor="#EEEEEE">
<b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br>
irc -c '#users' -p 1234 pinky 127.0.0.1</b>
	</td>
	</tr>
</table>
</blockquote>

<p>
This tunnels a connection to IRC server server.example.com, joining
channel ``#users'', using the nickname ``pinky''.  The local port used
in this example is 1234.  It does not matter which port is used, as
long as it's greater than 1023 (remember, only root can open sockets on
privileged ports) and doesn't conflict with any ports already in use.
The connection is forwarded to port 6667 on the remote server, since
that's the standard port for IRC services.

<p>
The remote command ``sleep 10'' was specified to allow an amount
of time (10 seconds, in the example) to start the service which is to
be tunnelled.  If no connections are made within the time specified,
ssh will exit.  If more time is required, the sleep(1) value can be
increased appropriately or, alternatively, the example above could
be added as a function to the user's shell.  See ksh(1) and csh(1)
for more details about user-defined functions.

<p>
ssh also has an -N option, convenient for use with port forwarding:
if -N is specified, it is not necessary to specify a remote command
(``sleep 10'' in the example above).  However, use of this option
causes ssh to wait around for ever (as opposed to exiting after a
remote command has completed), and the user must take care to manually
kill(1) the process afterwards.

<h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2>

<p>
This is usually the result of a packet filter or NAT device
timing out your TCP connection due to inactivity.  You can enable
<b>ClientAliveInterval</b> in the server's <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&amp;sektion=5">
sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the
client's <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&amp;sektion=5">
ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer).

<p>
Enabling either option and setting the interval for less than the time
it takes to time out your session will ensure that the connection is
kept "fresh" in the device's connection table.

<h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2>

<b><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">
scp</a></b> will interpret the component before the colon to be a remote
server name and attempt to connect to it.  To prevent this, refer to
the file by a relative or absolute path, eg:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ scp ./source:file sshserver:
                </td>
        </tr>
</table>
</blockquote>

<h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2>

<p>
OpenSSH, like most SSH implementations, reports its name and version to clients
when they connect, e.g.
</p>

<blockquote>
SSH-2.0-OpenSSH_3.9
</blockquote>

<p>
This information is used by clients and servers to enable protocol 
compatibility tweaks to work around changed, buggy or missing features in 
the implementation they are talking to. This protocol feature checking is 
still required at present because versions with incompatibilities are still
in wide use.
</p>

<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>

<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>

<p>
The portable version of OpenSSH will generate spurious authentication 
failures at every login, similar to:


<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
&quot;<b>authentication failure; (uid=0) -&gt; root for sshd service</b>&quot;
                </td>
        </tr>
</table>
</blockquote>

<p>
These are generated because OpenSSH first tries to determine whether a 
user needs authentication to login (e.g. empty password). Unfortunately 
PAM likes to log all authentication events, this one included.

<p>
If it annoys you too much, set &quot;<b>PermitEmptyPasswords no</b>&quot; 
in <i>sshd_config</i>. This will quiet the error message at the expense 
of disabling logins to accounts with no password set. 
This is the default if you use the supplied <i>sshd_config</i> file.

<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>

<p>
To enable empty passwords with a version of OpenSSH built with PAM you 
must add the flag nullok to the end of the password checking module 
in the <i>/etc/pam.d/sshd</i> file. For example:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
auth required/lib/security/pam_unix.so shadow nodelay nullok
                </td>
        </tr>
</table>
</blockquote>

<p>
This must be done in addition to setting &quot;<b>PermitEmptyPasswords 
yes</b>&quot; in the <i>sshd_config</i> file. 

<p>
There is one caveat when using empty passwords with PAM authentication: 
PAM will allow any password when authenticating an account with an empty 
password. This breaks the check that 
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> 
uses to determine whether an account has no password set and grant 
users access to the account regardless of the policy specified by 
<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you 
do not add the <b>nullok</b> directive to your PAM configuration file 
unless you specifically wish to allow empty passwords.


<h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log
in</a></h2>

<p>
Large delays (more than 10 seconds) are typically caused by a problem with
name resolution:
<ul>
<li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
can take a long time to resolve "IPv6 or IPv4" addresses from domain
names. This can be worked around with by specifying <b>AddressFamily
inet</b> option in <i>ssh_config</i>.</li>

<li>There may be a DNS lookup problem, either at the client or server.
You can use the <code>nslookup</code> command to check this on both client
and server by looking up the other end's name and IP address.  In
addition, on the server look up the name returned by the client's
IP-name lookup.  You can disable most of the server-side lookups by
setting <b>UseDNS no</b> in <i>sshd_config</i>.</li>
</ul>

<p>
Delays less than 10 seconds can have other causes.

<ul>

<li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with
moduli that were just smaller than what sshd would look for, and
as a result, sshd would end up using moduli significantly larger
than requested, which resulted in a speed penalty.  Replacing the
<i>moduli</i> file will resolve this (note that in most cases this
file will not be replaced during an upgrade and must be replaced
manually).</li>

<li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that
would cause it to request moduli larger than intended (which when
combined with the above resulted in significant slowdowns).
Upgrading the client to 3.8 or higher will resolve this issue.</li>

<li>If either the client or server lack a kernel-based random number
device (eg Solaris &lt; 9, AIX &lt; 5.2, HP-UX &lt; 11.11) and no
substitute is available (eg <a href=
"ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that
one of the programs called by <code>ssh-rand-helper</code> to
generate entropy is hanging.  This can be investigated by running
it in debug mode:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
/usr/local/libexec/ssh-rand-helper -vvv
                </td>
        </tr>
</table>
</blockquote>

Any significant delays should be investigated and rectified, or the
corresponding commands should be removed from <i>ssh_prng_cmds</i>.
</li>

</ul>

<h3>How slow is "slow"?</h3>
Under normal conditions, the speed of SSH logins is dependant on
CPU speed of client and server.  For comparison the following are
typical connect times for <code>time ssh localhost true</code>
with a 1024-bit RSA key on otherwise unloaded hosts.  OpenSSH and
OpenSSL were compiled with gcc 3.3.x.

<p>
<table>
<tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th>
	<th>Time (SSHv2)</th></tr>
<tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr>
<tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td>
	<td>0.79 sec</td></tr>
<tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr>
<tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr>
<tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr>
</table>

<br>

<a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is
cryptographically weaker than SSHv2.<br>

<a name="3.3fn2">[2]</a> At the time of writing, gcc generates
relatively slow code on HPPA for RSA and Diffie-Hellman operations
(see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc
bug #7625</a> and <a
href="http://marc.info/?l=openssh-unix-dev&amp;m=102646106016694">
discussion on openssh-unix-dev</a>).

<h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>

<p>
The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). 
Either load the appropriate kernel module, enter the correct alias in 
<i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.


<p>
For some silly reason <i>/etc/modules.conf</i> may also be named 
<i>/etc/conf.modules</i>.


<h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2>

<p>
If the password is correct password the login is still denied, the
usual cause is that the system is configured to use MD5-type passwords
but the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&amp;sektion=3"
>crypt(3)</a> function used by sshd doesn't understand them.

<p>
Affected accounts will have password strings in <i>/etc/passwd</i>
or <i>/etc/shadow</i> that start with <b>$1$</b>.
If password authentication fails for new accounts or accounts with
recently changed passwords, but works for old accounts, this is the
likely culprit.

<p>
The underlying cause is that some versions of OpenSSL have a crypt(3)
function that does not understand MD5 passwords, and the link order of
sshd means that OpenSSL's crypt(3) is used instead of the system's.
OpensSSH's configure attempts to correct for this but is not always
successful.

<p>
There are several possible solutions:

<ul>
<li>
<p>
Enable sshd's built-in support for MD5 passwords at build time.

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
./configure --with-md5-passwords [options]
                </td>
        </tr>
</table>
</blockquote>

This is safe even if you have both types of encryption as sshd will
select the correct algorithm for each account automatically.

<li>
<p>
If your system has a separate libcrypt library (eg Slackware 7) then you
can manually add -lcrypt to the LIBS list so it's used instead of
OpenSSL's:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
LIBS=-lcrypt ./configure [options]
                </td>
        </tr>
</table>
</blockquote>

<li>
<p>
If your platforms supports PAM, you may configure sshd to use it
(see <a href= "#3.15" >section 3.15</a>).  This will mean that sshd will
not verify passwords itself but will defer to the configured PAM modules.
</ul>

<h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>

<p>
Ensure that your OpenSSL libraries have been built to include RSA or DSA 
support either internally or through RSAref.


<h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>

<p>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> 
must be in the default PATH on both the client and the server. You may 
need to use the <b>--with-default-path</b> option to specify a custom 
path to search on the server. This option replaces the default path, 
so you need to specify all the current directories on your path as well 
as where you have installed scp. For example:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
                </td>
        </tr>
</table>
</blockquote>

<p>
Note that configuration by the server's admin will take precedence over the
setting of <b>--with-default-path</b>.  This includes resetting PATH in
<i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and
above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or
Reliant Unix.

<h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>

<p>
Some operating systems set <i>/dev/tty</i> with incorrect modes, causing 
the reading of passwords to fail with the following error:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
You have no controlling tty.  Cannot read passphrase.
                </td>
        </tr>
</table>
</blockquote>

<p>
The solution to this is to reset the permissions on <i>/dev/tty</i> 
to mode 0666 and report the error as a bug to your OS vendor. 


<h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>

<p>
If there is no 'configure' file in the tar.gz file that you downloaded 
or make fails with "missing separator" errors, you have probably 
downloaded the OpenBSD distribution of OpenSSH and are attempting to 
compile it on another platform. Please refer to the information on the 
<a href="http://www.openssh.org/portable.html">portable version</a>.


<h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>

<p>
OpenSSH may hang when exiting.  This can occur when there is an active 
background process.  This is known to occur on Linux and HP-UX.  
The problem can be verified by doing the following:

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ <b>sleep 20 &amp; exit</b>
                </td>
        </tr>
</table>
</blockquote>

Try to use this instead:
<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ <b>sleep 20 &lt; /dev/null &gt; /dev/null 2&gt;&amp;1 &amp;</b>
                </td>
        </tr>
</table>
</blockquote>

<p>
A work around for bash users is to place <b>"shopt -s huponexit"</b> 
in either /etc/bashrc  or ~/.bashrc.  Otherwise, consult your shell's 
man page for an option to enable it to send a HUP signal to active 
jobs when exiting.  See <a
href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a>
for other workarounds.

<h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>

<p>
When executing
<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
$ <b>ssh host command</b>
                </td>
        </tr>
</table>
</blockquote>
ssh <b>needs</b> to hang, because it needs to wait:
<ul>
<li>
until it can be sure that <code>command</code> does not need
more input.
<li>
until it can be sure that <code>command</code> does not produce
more output. 
<li>
until <code>command</code> exits because sshd needs to tell
the exit status from <code>command</code> to ssh.
</ul>
<p>

<h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
forwarding stopped working.</a></h2>

Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
localhost by default; see the sshd <b>X11UseLocalhost</b> option to
revert to prior behaviour if your older X11 clients do not function
with this configuration.<p>

In general, X11 clients using X11 R6 should work with the default
setting.  Some vendors, including HP, ship X11 clients with R6
and R5 libs, so some clients will work, and others will not work.
This is true for HP-UX 11.X.<p>

<h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some
X11 programs stopped working.</a></h2>

<p>
As documented in the <a href="http://www.openssh.org/txt/release-3.8">3.8 release notes</a>,
<code>ssh</code> will now use untrusted X11 cookies by 
default.  The previous behaviour can be restored by setting
<b>ForwardX11Trusted yes</b> in <i>ssh_config</i>.

<p>
Possible symptoms include:<br>
<code>BadWindow (invalid Window parameter)<br>
BadAccess (attempt to access private resource denied)<br>
X Error of failed request:  BadAtom (invalid Atom parameter)<br>
Major opcode of failed request:  20 (X_GetProperty)<br></code>

<h2><a name= "3.14">3.14 - I copied my public key to authorized_keys
but public-key authentication still doesn't work.</a></h2>

<p>
Typically this is caused by the file permissions on $HOME, $HOME/.ssh or
$HOME/.ssh/authorized_keys being more permissive than sshd allows by default.

<p>
In this case, it can be solved by executing the following on the server.
<blockquote>
<table border=0 width="800">
<tr>
  <td nowrap bgcolor="#EEEEEE">
$ <b>chmod go-w $HOME $HOME/.ssh</b><br>
$ <b>chmod 600 $HOME/.ssh/authorized_keys</b>
$ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br>
  </td>
</tr>
</table>
</blockquote>

<p>
If this is not possible for some reason, an alternative is to set
<b>StrictModes no</b> in <i>sshd_config</i>, however this is not
recommended.

<h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2>

Portable OpenSSH has a configure-time option to enable sshd's use of the
<a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a>
(Pluggable Authentication Modules) interface.

<blockquote>
<table border=0 width="800">
        <tr>
                <td nowrap bgcolor="#EEEEEE">
./configure --with-pam [options]
                </td>
        </tr>
</table>
</blockquote>

To use PAM at all, this option must be provided at build time.
The run-time behaviour when PAM is built in varies with the version of
Portable OpenSSH, and on later versions it must also be enabled by setting
<b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>.

<p>
The behaviour of the relevant authentications options when PAM support is built
in is summarised by the following table.

<p>
<table border="1">
  <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr>
  <tr>
    <td>&lt;=3.6.1p2</td>
    <td>Not applicable</td>
    <td>Uses PAM</td>
    <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td>
  </tr>
  <tr>
    <td>3.7p1 - 3.7.1p1</td>
    <td>Defaults to <b>yes</b></td>
    <td>Does not use PAM</td>
    <td>Uses PAM if <b>UsePAM</b> is enabled</td>
  </tr>
  <tr>
    <td>3.7.1p2 - 3.8.1p1</td>
    <td>Defaults to <b>no</b></td>
    <td>Does not use PAM <a href="#3.15fn1">[1]</a></td>
    <td>Uses PAM if <b>UsePAM</b> is enabled</td>
  </tr>
  <tr>
    <td>3.9p1</td>
    <td>Defaults to <b>no</b></td>
    <td>Uses PAM if <b>UsePAM</b> is enabled</td>
    <td>Uses PAM if <b>UsePAM</b> is enabled</td>
  </tr>
</table>
<p>

<a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have
backported the PasswordAuthentication from 3.9p1 to their 3.8x based
packages.  If you're using a vendor-supplied package then consult their
documentation.

<p>
OpenSSH Portable's PAM interface still has problems with a few modules,
however we hope that this number will reduce in the future.  As at the
3.9p1 release, the known problems are:

<ul>
  <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
  may fail to correctly establish credentials (bug <a
  href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when
  authenticating via <b>ChallengeResponseAuthentication</b>.
  <b>PasswordAuthentication</b> with 3.9p1 and above should work.
</ul>

You can also check <a
href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&amp;bug_status=RESOLVED&amp;bug_status=NEW&amp;bug_status=ACCEPTED&amp;component=PAM+support"
>bugzilla for current PAM issues</a>.

<h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users
logged in via ssh?</a></h2>

Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed.  This
means that sshd binaries built on AIX 4.x will not correctly write wtmp
entries when run on AIX 5.x.  This can be fixed by simply recompiling 
sshd on an AIX 5.x system and using that.

<hr>
<a href="http://www.openssh.org/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: faq.html,v 1.112 2010/09/15 02:41:42 nick Exp $</small>

</body>
</html>