
SSH 2.4 README

This page has excerpts from the README file for ssh-2.4.0; the complete file is in the ssh source directory.

SSH 2.4.0 README
================

   What is Secure Shell?
   ---------------------

   Secure Shell is a program to log into another computer over a
   network, to execute commands in a remote machine, and to move files
   from one machine to another.  It provides strong authentication and
   secure communications over insecure channels.  It is intended as a
   replacement for rlogin, rsh, rcp, and rdist.


   What has changed since SSH1?
   ----------------------------

      - SSH has been 98% rewritten.

      - SSH now supports other key-exchange methods besides double-
        encrypting RSA key exchange. The current distribution comes with 
        Diffie-Hellman key exchange.

      - SSH now has support for DSA and other public key algorithms 
        besides RSA.

      - The protocol is more secure and allows future integration into
        public key infrastructures.

      - The protocol complies with the upcoming 'secsh' internet standard.

      - SSH now supports "subsystems", platform-independent modules that
        implement particular functions such as file transfers.

      - SSH now has built-in SOCKS support.

      - A new feature has been added: sftp, the secure file transfer 
        protocol.

SSH2 Binaries
=============

      ssh2            The SSH2 client.

      sshd2           The SSH2 daemon.

      sftp2           The SFTP client (needs ssh2). Type "?" in the 
                      command line for help.

      sftp-server2    The SFTP server (executed by sshd2).

      scp2            The SCP client.

      ssh-keygen2     The utility for generating keys. Use -h for help.

      ssh-add2        Add identities to the authentication agent.

      ssh-agent2      The authentication agent.

      ssh-askpass2    X11 utility for querying passwords.

      ssh-signer2     A small program that signs "hostbased" authentication 
                      packets. Executed by ssh2, and for proper function, 
                      must be suid root. (This is done by 'make install'.)
      
      ssh-pam-client  Helper program that the server uses with PAM
                      authentication.

      ssh-probe2      Program to probe a given network for ssh2
                      servers. See ssh-probe(1) and sshd2_config(5) 
                      for MaxBroadcastsPerSecond.

      ssh-pubkeymgr   Utility script for generating user public keys and
                      uploading them and setting up the ~/.ssh2/authorization
                      and ~/.ssh2/identification files.

      ssh-chrootmgr   Utility to ease setting up chrooted environment
                      for users.

SSH2 files
==========

      Public keys have a .pub suffix, private keys have no suffix. 
      For example:

         id_dsa_1024_a        A 1024-bit DSA private key
         id_dsa_1024_a.pub    The corresponding public key

      There is no "known_hosts", as in ssh1. The host keys are stored
      in separate files in ~/.ssh2/hostkeys .


   [ '~' denotes the user's home directory ]

   ~/.ssh2/hostkeys/key_xxxx_yyyy.pub
   ----------------------------------

      The public host key of the ssh2 daemon listening on port xxxx
      of the host yyyy.


   /etc/ssh2/hostkey.pub  and  /etc/ssh2/hostkey
   ---------------------------------------------

      Public and private hostkeys for sshd2. Created by "make install".
      If this is not created by "make install" or you need to recreate
      your host keypair, run
  
      # rm /etc/ssh2/hostkey*
      # ssh-keygen2 -P /etc/ssh2/hostkey


   ~/.ssh2/identification
   ----------------------

      Lists the private keys that can be used for authentication.

         # identification
         IdKey  id_dsa_1024_a

      This means that the private key in the file ~/.ssh2/id_dsa_1024_a
      is used for public key authentication. This is created by running
      the ssh-pubkeymgr script, or you can create it by hand.


   ~/.ssh2/authorization
   ---------------------

      Lists the public keys that are accepted for authentication on 
      this host.

         # authorization
         Key     id_dsa_1024_a.pub

      This means that anyone who holds the private key matching the
      public key in the file ~/.ssh2/id_dsa_1024_a.pub of user $USER can
      log in as $USER. This is also created by running the ssh-pubkeymgr
      script, or you can create it by hand.
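An added example, not from the README or the ssh2 sources, that parses the identification and authorization formats shown above and audits them against the naming convention stated earlier (private keys have no suffix, public keys end in .pub). The file contents, the key name id_rsa_2048_b and the in-memory directory listing are constructed.

```python
from typing import Dict, List, Set

# Constructed sample contents of the two files described above.
IDENTIFICATION = """# identification
IdKey  id_dsa_1024_a
"""
AUTHORIZATION = """# authorization
Key     id_dsa_1024_a.pub
Key     id_rsa_2048_b
"""
# Stand-in for a listing of ~/.ssh2 so the example runs without a real home dir.
SSH2_DIR = {"identification", "authorization", "id_dsa_1024_a", "id_dsa_1024_a.pub"}

def parse_keyfile(text: str, keyword: str) -> List[str]:
    """Return the file names that follow `keyword` (IdKey or Key);
    a line whose first word is not the keyword (e.g. a '#' comment) is skipped."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == keyword:
            names.append(fields[1])
    return names

def audit_ssh2_dir(identification: str, authorization: str,
                   files: Set[str]) -> Dict[str, List[str]]:
    """Flag entries that break the README's convention (private keys have no
    suffix, public keys end in .pub) or that name files absent from ~/.ssh2.
    Every accepted Key line grants login as this user, so it deserves review."""
    problems: Dict[str, List[str]] = {"identification": [], "authorization": []}
    for name in parse_keyfile(identification, "IdKey"):
        if name.endswith(".pub"):
            problems["identification"].append(f"{name}: IdKey must name a private key (no .pub suffix)")
        elif name not in files:
            problems["identification"].append(f"{name}: private key file not found")
    for name in parse_keyfile(authorization, "Key"):
        if not name.endswith(".pub"):
            problems["authorization"].append(f"{name}: Key must name a public key (.pub suffix)")
        elif name not in files:
            problems["authorization"].append(f"{name}: public key file not found")
    return problems
```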


   /etc/ssh2/sshd2_config
   ----------------------

      The server configuration file, copied here by "make install". 
      See the man page for details.

      The line:

         subsystem-sftp                  sftp-server

      means that when the subsystem "sftp" is requested, the
      command "sftp-server" is started. For example, if our sshd2_config
      read:

         subsystem-quux                  echo "fim fam foo"

      the command "ssh2 host -s quux" would simply print the text
      "fim fam foo".


   ~/.ssh2/ssh2_config
   -------------------

       The client configuration file. See the global client config file
       ssh2_config in /etc/ssh2.


   ~/.ssh2/knownhosts/xxxxyyyy.pub
   -------------------------------

      These are the public host keys of the hosts from which a user wants
      to log in using host based authentication (equivalent to SSH1's
      RhostsRSAAuthentication).

      Also, a user has to set up her/his ~/.shosts (which only SSH uses)
      or ~/.rhosts file (insecure, as it is also used by the r*-commands).
      If the username is the same on both hosts, it is sufficient to put
      the public hostkey in /etc/ssh2/knownhosts and add the host's name to
      /etc/shosts.equiv (or /etc/hosts.equiv).

      xxxx denotes the hostname (FQDN) and yyyy the public key algorithm 
      of the key.

      For example, zappa.foo.fi's hostkey algorithm is ssh-dss. The
      hostkey would be named 

          zappa.foo.fi.ssh-dss.pub

      in the knownhosts directory.

      Possible values for publickey-algorithms are "ssh-dss" and
      "ssh-rsa" (without the quotes).


   /etc/ssh2/knownhosts/xxxxyyyy.pub
   ---------------------------------

      As above, but system-wide. These can be overridden by the user
      by putting a file with the same name in her/his ~/.ssh2/knownhosts
      directory.


   /etc/hosts.equiv and /etc/shosts.equiv
   --------------------------------------

      Used to check whether authentication from a host is allowed using
      host based authentication. In its simplest form, the file contains
      host names, one per line.

      For more information, see 'man sshd2'.


   ~/.rhosts and ~/.shosts
   -----------------------

      This file contains host-username-pairs, separated by spaces, one
      per line. The given user from the specified host is allowed to
      log in without a password. 

      For more information, see 'man ssh2' and 'man sshd2'.
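An added example (not part of the README or the ssh2 sources) that models the naming and lookup rules described in the knownhosts and hosts.equiv/.shosts sections above: the user's knownhosts directory is consulted before the system-wide one, and host-based login needs a known host key plus either a shosts.equiv entry with identical user names or a matching ~/.shosts pair. The file contents, the host names, the user frank and the in-memory file listing are constructed, and the check is a simplified model; sshd2 itself applies further checks.

```python
from typing import Optional, Set, Tuple

# Constructed sample files; a real check would read them from disk.
SYSTEM_SHOSTS_EQUIV = """# /etc/shosts.equiv (constructed sample)
zappa.foo.fi
"""
USER_SHOSTS = """# ~/.shosts of user frank (constructed sample)
beefheart.foo.fi  frank
"""
HOSTKEY_ALGORITHMS = ("ssh-dss", "ssh-rsa")  # the values the README lists

def knownhosts_filename(fqdn: str, algorithm: str) -> str:
    """Key file name in a knownhosts directory, e.g. zappa.foo.fi.ssh-dss.pub."""
    if algorithm not in HOSTKEY_ALGORITHMS:
        raise ValueError(f"unknown public key algorithm: {algorithm}")
    return f"{fqdn}.{algorithm}.pub"

def resolve_knownhost_key(fqdn: str, algorithm: str, present: Set[str],
                          home: str = "/home/frank") -> Optional[str]:
    """Path of the key file that applies: the user's ~/.ssh2/knownhosts copy
    overrides /etc/ssh2/knownhosts. `present` stands in for the filesystem."""
    name = knownhosts_filename(fqdn, algorithm)
    for directory in (f"{home}/.ssh2/knownhosts", "/etc/ssh2/knownhosts"):
        if f"{directory}/{name}" in present:
            return f"{directory}/{name}"
    return None

def parse_equiv(text: str) -> Set[str]:
    """hosts.equiv / shosts.equiv: one host name per line, '#' comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def parse_shosts(text: str) -> Set[Tuple[str, str]]:
    """~/.shosts / ~/.rhosts: host and user name separated by spaces."""
    pairs = set()
    for ln in text.splitlines():
        f = ln.split()
        if len(f) == 2 and not ln.lstrip().startswith("#"):
            pairs.add((f[0], f[1]))
    return pairs

def hostbased_allowed(client_fqdn: str, client_user: str, local_user: str,
                      key_path: Optional[str], equiv: Set[str],
                      shosts: Set[Tuple[str, str]]) -> bool:
    """Simplified model (assumption: sshd2 applies more checks): the client's
    host key must be known, then shosts.equiv with equal user names or a
    ~/.shosts pair permits the login."""
    if key_path is None:  # no trusted host key, so the host cannot prove itself
        return False
    if client_fqdn in equiv and client_user == local_user:
        return True
    return (client_fqdn, client_user) in shosts
```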


Platforms
=========

        Ssh 2.x has reportedly been compiled and run successfully on,
        for example, the following platforms (there are more):

        Processor       OS              OS-Versions
        -------------------------------------------------------------
        ix86,m68k       NetBSD          1.2, 1.3.x
        ix86            FreeBSD         2.2.x, 3.0-current
        ix86            Linux           2.0.3x, 2.2.x
        sparc           Solaris         2.6, 2.5.1
        PowerPC         AIX             4.1, 4.2.x
        hppa1.1         HPUX            10.20, 11.00
        mips            IRIX            6.5, 6.3, 6.2, 5.3 (with SGI cc)
        alpha           OSF1            4.0D, 4.0E
        ix86            SCO Openserver  5.0.4


NOTES ON INSTALLATION AND USE
=============================

        * As of ssh-2.2.0, configuration file format and parameters
          for ssh2 and sshd2 are documented in ssh2_config(5) and
          sshd2_config(5), respectively. The split was done to make the
          man-pages more readable.

        * For detailed info on how to set up chrooted accounts, see
          the FAQ (included in this distribution).

        * Use 'scp2 -1' to enable compatibility with scp1.

        * If your system doesn't support non-blocking connect, or has a
          broken version of it, run ./configure with
          --enable-blocking-connect.

        * If you get errors when compiling assembler files, configure
          with --disable-asm and recompile.

        * Compatibility with SSH1 works correctly ONLY IF your SSH1 version
          is 1.2.26 or later (1.2.30 is the latest). So be sure you have
          that!

        * If your Sun reboots during a connect to sshd2, do the following:
          fetch the latest patches from Sun, generate a new host key with
          the patched version, and try again. (Also, you might want to try
          --enable-blocking-connect etc.)

        * If configure complains 'configure: error: configuring with X
          but xauth not found - aborting', try 

                ./configure --without-x

          or, add path of xauth to your PATH before running
          configure. You can find xauth's location like this:

                find / -name xauth

        * Use 'ssh-keygen -P' to create keys without passphrases 
          (for use with rsync etc).

        * Configure option --disable-crypt-asm no longer exists 
          (use --disable-asm instead).

        * If your sftp2 complains with something like "Need basic
          cursor movement capability, using vt100", then no library
          containing the tgetent() function was found when you ran
          ./configure. On a Linux system, that is probably because
          neither the termcap-devel nor the ncurses-devel package is
          installed. If you want to get rid of the message, and/or to use
          the capabilities of more exotic terminals, install either
          package. (A good place to look for those is your distribution's
          web page.)


KNOWN BUGS
==========

        * Assembler-optimizations don't compile on BSDI. Configure
          with --disable-asm. (as of 2.3.0, this is autodetected)

        * static building of sftp-server and ssh-dummy-shell is
          EXPERIMENTAL. If you use the static binaries, please try
          them before real use.

        * If you connect to a host whose hostkey has changed and you
          have rekeys on, ssh2 will assert in the key check. The same
          thing happens if the hostkey changes during the
          connection. This will be fixed in the next release.


LEGAL ISSUES
============

See the file LICENSE for licensing and distribution conditions.
THERE IS NO WARRANTY FOR THIS PROGRAM.

In some countries, particularly Russia, Iraq, Pakistan, and France, 
it may be illegal to use any encryption at all without a special permit.

This software may be freely imported into the United States; however,
the United States Government may consider re-exporting it a criminal
offense. Thus, if you are outside the US, please retrieve this
software from outside the US.

Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, or patent office worldwide.

SSH, SSH2 and Secure shell are registered trademarks or trademarks
of SSH Communications Security.
