OpenSSH FAQ (Frequently asked questions)

1.0 - What Is OpenSSH and Where Can I Get It?

• 1.1 - What is OpenSSH and where can I download it?
• 1.2 - Why should it be used?
• 1.3 - What Operating Systems are supported?
• 1.4 - What about copyright, usage and patents?
• 1.5 - Where should I ask for help?
• 1.6 - I have found a bug. Where do I report it?

2.0 - General Questions

• 2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.
• 2.2 - Why is the ssh client setuid root?
• 2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?
• 2.4 - Why does OpenSSH print: Dispatch protocol error: type 20
• 2.5 - Old versions of commercial SSH encrypt host keys with IDEA.
• 2.6 - What are these warning messages about key lengths?
• 2.7 - X11 and/or agent forwarding does not work.
• 2.8 - After upgrading OpenSSH I lost SSH2 support.
• 2.9 - sftp/scp fails at connection, but ssh is OK.
• 2.10 - Will you add [foo] to scp?
• 2.11 - How do I use port forwarding?
• 2.12 - My ssh connection freezes or drops out after N minutes of inactivity.
• 2.13 - How do I use scp to copy a file with a colon in it?
• 2.14 - Why does OpenSSH report its version to clients?

3.0 - Portable OpenSSH Questions

• 3.1 - Spurious PAM authentication messages in logfiles.
• 3.2 - Empty passwords not allowed with PAM authentication.
• 3.3 - ssh(1) takes a long time to connect or log in
• 3.4 - "Can't locate module net-pf-10" messages in log under Linux.
• 3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)
• 3.6 - Configure or sshd(8) complain about lack of RSA support
• 3.7 - "scp: command not found" errors
• 3.8 - Unable to read passphrase
• 3.9 - 'configure' missing or make fails
• 3.10 - Hangs when exiting ssh
• 3.11 - Why does ssh hang on exit?
• 3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.
• 3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.
• 3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.
• 3.15 - OpenSSH versions and PAM behaviour.
• 3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?

1.0 - What Is OpenSSH and Where Can I Get It?

1.1 - What is OpenSSH and where can I download it?

The OpenSSH suite includes the ssh(1) program which replaces rlogin and telnet, and scp(1) which replaces rcp(1) and ftp(1). OpenSSH has also added sftp(1) and sftp-server(8) which implement an easier solution for file-transfer. This is based upon the secsh-filexfer IETF draft.

OpenSSH consists of a number of programs.

• sshd(8) - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client. Its behaviour is controlled by the config file sshd_config(5).
• ssh(1) - This is the client program used to log into another machine or to execute commands on the other machine. slogin is another name for this program. Its behaviour is controlled by the global config file ssh_config(5) and individual users' $HOME/.ssh/config files.
• scp(1) - Securely copies files from one machine to another.
• ssh-keygen(1) - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
• ssh-agent(1) - Authentication agent. This can be used to hold RSA keys for authentication.
• ssh-add(1) - Used to register new keys with the agent.
• sftp-server(8) - SFTP server subsystem.
• sftp(1) - Secure file transfer program.
• ssh-keyscan(1) - gather ssh public keys.
• ssh-keysign(8) - ssh helper program for hostbased authentication.

Downloading

The most recent version of OpenSSH is included with the current distribution of OpenBSD, and installed as part of a basic install.

Today, most other operating systems include some version of OpenSSH (often re-badged or privately labeled), so most users can immediately use it. However, sometimes the included versions are quite old, and missing features of the current release of OpenSSH, and you may wish to install the current version, or install it on one of the few OSs that lacked it, and where the OS publisher does not make a modern version available. You may also wish to use OpenSSH on your embedded application.

Non-OpenBSD users will want to download, compile and install the multi-platform Portable distribution from a mirror near you.

1.2 - Why should it be used?

OpenSSH is a suite of tools to help secure your network connections. Here is a list of features:

• Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
• Improved privacy. All communications are automatically and transparently encrypted.
• Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
• Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
• No retraining needed for normal users.
• Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
• Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting .rhosts or /etc/hosts.equiv authentication (to prevent DNS, routing, or IP-spoofing).
• Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine.
• Any user can create any number of user authentication RSA keys for his/her own use.
• The server program has its own server RSA key which is automatically regenerated every hour.
• An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
• The software can be installed and used (with restricted functionality) even without root privileges.
• The client is customizable in system-wide and per-user configuration files.
• Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
• Complete replacement for rlogin, rsh, and rcp.

Currently, almost all communications in computer networks are done without encryption. As a consequence, anyone who has access to any machine connected to the network can listen in on any communication. This is being done by hackers, curious administrators, employers, criminals, industrial spies, and governments. Some networks leak off enough electromagnetic radiation that data may be captured even from a distance.

When you log in, your password goes in the network in plain text. Thus, any listener can then use your account to do any evil he likes. Many incidents have been encountered worldwide where crackers have started programs on workstations without the owner's knowledge just to listen to the network and collect passwords. Programs for doing this are available on the Internet, or can be built by a competent programmer in a few hours.

Businesses have trade secrets, patent applications in preparation, pricing information, subcontractor information, client data, personnel data, financial information, etc. Currently, anyone with access to the network (any machine on the network) can listen to anything that goes in the network, without any regard to normal access restrictions.

Many companies are not aware that information can so easily be recovered from the network. They trust that their data is safe since nobody is supposed to know that there is sensitive information in the network, or because so much other data is transferred in the network. This is not a safe policy.

1.3 - What operating systems are supported?

Even though OpenSSH is developed on OpenBSD a wide variety of ports to other operating systems exist. The portable version of OpenSSH is headed by Damien Miller. For a quick overview of the portable version of OpenSSH see OpenSSH Portable Release. Currently, the supported operating systems are:

• OpenBSD
• NetBSD
• FreeBSD
• AIX
• HP-UX
• IRIX
• Linux
• NeXT
• SCO
• SNI/Reliant Unix
• Solaris
• Digital Unix/Tru64/OSF
• Mac OS X
• Cygwin

A list of vendors that include OpenSSH in their distributions is located in the OpenSSH Users page.

1.4 - What about copyrights, usage and patents?

The OpenSSH developers have tried very hard to keep OpenSSH free of any patent or copyright problems. To do this, some options had to be stripped from OpenSSH. Namely support for patented algorithms.

OpenSSH does not support any patented transport algorithms. In SSH1 mode, only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, Blowfish, CAST128, Arcfour and AES can be selected. The patented IDEA algorithm is not supported.

OpenSSH provides support for both SSH1 and SSH2 protocols.

Since the RSA patent has expired, there are no restrictions on the use of RSA algorithm using software, including OpenBSD.

1.5 - Where should I ask for help?

There are many places to turn to for help. In addition to the main OpenSSH website, there are many mailing list