SSH 2.4 README
This page has excerpts from the README file for ssh-2.4.0; the complete file is in the ssh source directory.
SSH 2.4.0 README
================
What is Secure Shell?
---------------------
Secure Shell is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files
from one machine to another. It provides strong authentication and
secure communications over insecure channels. It is intended as a
replacement for rlogin, rsh, rcp, and rdist.
What has changed since SSH1?
----------------------------
- SSH has been 98% rewritten.
- SSH now supports other key-exchange methods besides double-encrypting
RSA key exchange. The current distribution comes with Diffie-Hellman
key exchange.
- SSH now has support for DSA and other public key algorithms
besides RSA.
- The protocol is more secure and allows future integration into
public key infrastructures.
- The protocol complies with the upcoming 'secsh' internet standard.
- SSH now supports "subsystems", platform-independent modules that
implement particular functions such as file transfers.
- SSH now has built-in SOCKS support.
- A new feature has been added: sftp, the secure file transfer
protocol.
SSH2 Binaries
=============
ssh2            The SSH2 client.
sshd2           The SSH2 daemon.
sftp2           The SFTP client (needs ssh2). Type "?" in the
                command line for help.
sftp-server2    The SFTP server (executed by sshd2).
scp2            The SCP client.
ssh-keygen2     The utility for generating keys. Use -h for help.
ssh-add2        Add identities to the authentication agent.
ssh-agent2      The authentication agent.
ssh-askpass2    X11 utility for querying passwords.
ssh-signer2     A small program that signs "hostbased" authentication
                packets. Executed by ssh2, and for proper function,
                must be suid root. (This is done by 'make install'.)
ssh-pam-client  Helper program that the server uses with PAM
                authentication.
ssh-probe2      Program to probe a given network for ssh2
                servers. See ssh-probe(1) and sshd2_config(5)
                for MaxBroadcastsPerSecond.
ssh-pubkeymgr   Utility script for generating user public keys,
                uploading them and setting up the ~/.ssh2/authorization
                and ~/.ssh2/identification files.
ssh-chrootmgr   Utility to ease setting up a chrooted environment
                for users.
SSH2 files
==========
Public keys have a .pub suffix, private keys have no suffix.
For example:
id_dsa_1024_a      A 1024-bit DSA private key
id_dsa_1024_a.pub  The corresponding public key
There is no "known_hosts", as in ssh1. The host keys are stored
in separate files in ~/.ssh2/hostkeys .
[ '~' denotes the user's home directory ]
~/.ssh2/hostkeys/key_xxxx_yyyy.pub
----------------------------------
This would be the public host key of the ssh2 daemon running in
port xxxx of the host yyyy.
/etc/ssh2/hostkey.pub and /etc/ssh2/hostkey
-------------------------------------------
Public and private hostkeys for sshd2. Created by "make install".
If this is not created by "make install" or you need to recreate
your host keypair, run
# rm /etc/ssh2/hostkey*
# ssh-keygen2 -P /etc/ssh2/hostkey
~/.ssh2/identification
----------------------
Lists the private keys that can be used for authentication.
# identification
IdKey id_dsa_1024_a
This means that the private key in the file ~/.ssh2/id_dsa_1024_a
is used for public key authentication. This is created by running
the ssh-pubkeymgr script, or you can create it by hand.
~/.ssh2/authorization
---------------------
Lists the public keys that are accepted for authentication on
this host.
# authorization
Key id_dsa_1024_a.pub
This means that anyone who holds the private key matching the
public key in $USER's ~/.ssh2/id_dsa_1024_a.pub can log in as $USER.
This is also created by running the ssh-pubkeymgr script, or you can
create it by hand.
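The following is an added example written for this page, not a script from the ssh-2.4.0 distribution. It reads the two key lists described above and reports what a practitioner would want to catch before relying on them: a listed key file that does not exist under ~/.ssh2, a private key listed where a public key belongs (or vice versa), and a private key readable by other users. Only the "IdKey" and "Key" keywords shown in this README are understood; any other line is reported rather than silently accepted. The directory contents in build_example_dir() are constructed sample data, not real key material.

```python
import os
import stat
import tempfile

# Added example, not part of ssh-2.4.0. Audits ~/.ssh2/identification and
# ~/.ssh2/authorization against the key files they name.

KEY_LISTS = (
    # file name,        keyword, entries must be public keys (.pub)?
    ("identification", "IdKey", False),
    ("authorization",  "Key",   True),
)


def parse_key_list(text, keyword):
    """Return (key file names given on `keyword` lines, unrecognised lines)."""
    names, unknown = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == keyword and len(parts) == 2:
            names.append(parts[1].strip())
        else:
            unknown.append(line)
    return names, unknown


def audit_ssh2_dir(ssh2_dir):
    """Check that every key listed in identification/authorization exists,
    has the right suffix (private keys have none, public keys end in .pub)
    and, for private keys, is not readable by other users.
    Returns a list of human-readable problems (empty when all is well)."""
    problems = []
    for fname, keyword, want_pub in KEY_LISTS:
        path = os.path.join(ssh2_dir, fname)
        if not os.path.exists(path):
            continue
        with open(path) as f:
            names, unknown = parse_key_list(f.read(), keyword)
        for line in unknown:
            problems.append("%s: unhandled line %r" % (fname, line))
        for name in names:
            if name.endswith(".pub") != want_pub:
                problems.append("%s: %s is not a %s key file"
                                % (fname, name, "public" if want_pub else "private"))
            key_path = os.path.join(ssh2_dir, name)
            if not os.path.exists(key_path):
                problems.append("%s: referenced key %s does not exist" % (fname, name))
                continue
            mode = stat.S_IMODE(os.stat(key_path).st_mode)
            if not want_pub and mode & 0o077:
                problems.append("%s: private key %s is readable by others (mode %o)"
                                % (fname, name, mode))
    return problems


def build_example_dir():
    """Construct a throw-away ~/.ssh2 with one key pair and an authorization
    entry for a key that was never uploaded (constructed sample data)."""
    d = tempfile.mkdtemp(prefix="ssh2-audit-")
    with open(os.path.join(d, "id_dsa_1024_a"), "w") as f:
        f.write("placeholder, not real private key material\n")
    os.chmod(os.path.join(d, "id_dsa_1024_a"), 0o600)
    with open(os.path.join(d, "id_dsa_1024_a.pub"), "w") as f:
        f.write("placeholder, not real public key material\n")
    with open(os.path.join(d, "identification"), "w") as f:
        f.write("# identification\nIdKey id_dsa_1024_a\n")
    with open(os.path.join(d, "authorization"), "w") as f:
        f.write("# authorization\nKey id_dsa_1024_a.pub\nKey id_dsa_1024_b.pub\n")
    return d


if __name__ == "__main__":
    for problem in audit_ssh2_dir(build_example_dir()):
        print(problem)
```

Run it against a real account with audit_ssh2_dir(os.path.expanduser("~/.ssh2")); the sample directory yields exactly one finding, the authorization entry for id_dsa_1024_b.pub that has no file behind it.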
/etc/ssh2/sshd2_config
----------------------
The server configuration file, copied here by "make install".
See the man page for details.
The line:
subsystem-sftp sftp-server
means that when the subsystem "sftp" is requested, the
command "sftp-server" is started. For example, if our sshd2_config
read:
subsystem-quux echo "fim fam foo"
the command "ssh2 host -s quux" would simply print the text
"fim fam foo".
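As an added example (not code from ssh-2.4.0), the function below resolves "subsystem-<name>" lines of an sshd2_config the way the paragraph above describes, so you can see which command a client's "ssh2 host -s <name>" request would start, and lists the subsystems whose command is not given by absolute path. The config fragment is constructed for this example; matching the keyword case-insensitively is an assumption made here, not a documented property of sshd2.

```python
import shlex

# Added example, not part of ssh-2.4.0: resolve sshd2_config subsystem lines.

SAMPLE_SSHD2_CONFIG = """\
# constructed sshd2_config fragment for this example
subsystem-sftp    sftp-server
subsystem-quux    echo "fim fam foo"
"""


def parse_subsystems(config_text):
    """Map each configured subsystem name to the command sshd2 starts for it."""
    subsystems = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("subsystem-"):
            name = parts[0][len("subsystem-"):]
            subsystems[name] = parts[1].strip()
    return subsystems


def resolve_subsystem(config_text, requested):
    """The command behind `ssh2 host -s <requested>`, or None if not configured."""
    return parse_subsystems(config_text).get(requested)


def relative_subsystem_commands(config_text):
    """Names of subsystems whose executable is not an absolute path.
    Which binary actually runs then depends on the search path in effect
    when sshd2 starts the command, so these are the entries to review."""
    findings = []
    for name, command in parse_subsystems(config_text).items():
        argv = shlex.split(command)
        if argv and not argv[0].startswith("/"):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(resolve_subsystem(SAMPLE_SSHD2_CONFIG, "quux"))
    print(relative_subsystem_commands(SAMPLE_SSHD2_CONFIG))
```

Note that the command runs on the server under the authenticated user's account; a subsystem line is a remote command the user can request by name, so review each one as you would any other entry point.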
~/.ssh2/ssh2_config
-------------------
The client configuration file. See the global client config file
ssh2_config in /etc/ssh2.
~/.ssh2/knownhosts/xxxxyyyy.pub
-------------------------------
These are the public host keys of the hosts that a user wants to
log in from using host based authentication (equivalent to SSH1's
RhostsRSAAuthentication).
Also, a user has to set up her/his ~/.shosts (which only SSH uses)
or ~/.rhosts file (insecure, as it is also used by the r*-commands).
If the username is the same in both hosts, it is adequate to put
the public hostkey to /etc/ssh2/knownhosts and add the host's name to
/etc/shosts.equiv (or /etc/hosts.equiv).
xxxx denotes the hostname (FQDN) and yyyy the public key algorithm
of the key.
For example, zappa.foo.fi's hostkey algorithm is ssh-dss. The
hostkey would be named
zappa.foo.fi.ssh-dss.pub
in the knownhosts directory.
Possible values for publickey-algorithms are "ssh-dss" and
"ssh-rsa" (without the quotes).
/etc/ssh2/knownhosts/xxxxyyyy.pub
---------------------------------
As above, but system-wide. These can be overridden by the user
by putting a file with the same name to her/his ~/.ssh2/knownhosts
directory.
/etc/hosts.equiv and /etc/shosts.equiv
--------------------------------------
Used to check whether authentication from host is allowed using
host based authentication. In its simplest form, the file contains
host names, one per line.
For more information, see 'man sshd2'.
~/.rhosts and ~/.shosts
-----------------------
This file contains host-username-pairs, separated by spaces, one
per line. The given user from the specified host is allowed to
log in without a password.
For more information, see 'man ssh2' and 'man sshd2'.
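The following is an added example written for this page, not ssh-2.4.0 code. It builds the file names used by the ~/.ssh2/hostkeys and knownhosts directories described in the sections above, and models the trust decision for host-based authentication from the three inputs this README names: the client host's public key in a knownhosts directory, /etc/shosts.equiv (or hosts.equiv) and ~/.shosts (or ~/.rhosts). It is a simplified model, not sshd2's implementation: it assumes the signature on the hostbased packet (made by ssh-signer2 on the client) has already been verified against that public key, and checks only the trust files. The host names, users and directory listings are constructed sample data.

```python
# Added example, not part of ssh-2.4.0: file naming and a simplified
# host-based authentication trust check.

PUBLIC_KEY_ALGORITHMS = ("ssh-dss", "ssh-rsa")


def hostkeys_filename(host, port):
    """Entry in ~/.ssh2/hostkeys for the server key seen at host:port."""
    return "key_%d_%s.pub" % (port, host)


def knownhosts_filename(host, algorithm):
    """Entry in ~/.ssh2/knownhosts or /etc/ssh2/knownhosts for a client host."""
    if algorithm not in PUBLIC_KEY_ALGORITHMS:
        raise ValueError("unknown public key algorithm: %s" % algorithm)
    return "%s.%s.pub" % (host, algorithm)


def parse_equiv(text):
    """shosts.equiv / hosts.equiv in the simplest form: one host name per line."""
    return {line.split()[0].lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_shosts(text):
    """~/.shosts / ~/.rhosts: 'host user' pairs, one per line."""
    pairs = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            pairs.add((parts[0].lower(), parts[1]))
    return pairs


def hostbased_allowed(client_host, client_user, target_user, algorithm,
                      user_knownhosts, system_knownhosts,
                      equiv_text, shosts_text):
    """Decide whether client_user@client_host may log in as target_user.

    user_knownhosts and system_knownhosts are the file names present in
    ~/.ssh2/knownhosts and /etc/ssh2/knownhosts. A user copy with the same
    name overrides the system copy; for this presence check either suffices.
    """
    wanted = knownhosts_filename(client_host, algorithm)
    if wanted not in user_knownhosts and wanted not in system_knownhosts:
        return False  # no public key for that host: its identity claim cannot be checked
    # Same user name on both hosts: a host entry in shosts.equiv is enough.
    if client_user == target_user and client_host.lower() in parse_equiv(equiv_text):
        return True
    # Otherwise the target user must have listed the (host, user) pair.
    return (client_host.lower(), client_user) in parse_shosts(shosts_text)


# Constructed sample data for this example.
SYSTEM_KNOWNHOSTS = {"zappa.foo.fi.ssh-dss.pub"}
EQUIV_TEXT = "zappa.foo.fi\n"
SHOSTS_TEXT = "# host user pairs trusted by this account\nzappa.foo.fi bob\n"

if __name__ == "__main__":
    print(hostbased_allowed("zappa.foo.fi", "bob", "alice", "ssh-dss",
                            set(), SYSTEM_KNOWNHOSTS, EQUIV_TEXT, SHOSTS_TEXT))
```

The order of the checks is the point: without the client host's public key on file, neither shosts.equiv nor ~/.shosts can grant anything, because the host name in the request could not be tied to a key. The same data with the client using ssh-rsa is refused, since only the ssh-dss key for zappa.foo.fi is known.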
Platforms
=========
Ssh 2.x has reportedly been compiled and run successfully on,
for example, the following platforms (there are more):
Processor     OS              OS-Versions
-------------------------------------------------------------
ix86, m68k    NetBSD          1.2, 1.3.x
ix86          FreeBSD         2.2.x, 3.0-current
ix86          Linux           2.0.3x, 2.2.x
sparc         Solaris         2.6, 2.5.1
PowerPC       AIX             4.1, 4.2.x
hppa1.1       HPUX            10.20, 11.00
mips          IRIX            6.5, 6.3, 6.2, 5.3 (with SGI cc)
alpha         OSF1            4.0D, 4.0E
ix86          SCO Openserver  5.0.4
NOTES ON INSTALLATION AND USE
=============================
* As of ssh-2.2.0, configuration file format and parameters
for ssh2 and sshd2 are documented in ssh2_config(5) and
sshd2_config(5), respectively. The split was done to make the
man-pages more readable.
* For detailed info on how to set up chrooted accounts, see
the FAQ (included in this distribution).
* Use 'scp2 -1' to enable compatibility with scp1.
* If your system doesn't support, or has a broken version of
non-blocking connect, run ./configure with
--enable-blocking-connect .
* If you get errors when compiling assembler files, configure
with --disable-asm and recompile.
* Compatibility with SSH1 works correctly ONLY IF your SSH1 version
is 1.2.26 or later (1.2.30 is the latest). So be sure you have
that!
* If your Sun reboots during a connect to sshd2, do the following:
fetch the latest patches from Sun, generate a new host key with
the patched version, and try again. (Also, you might want to try
--enable-blocking-connect etc.)
* If configure complains 'configure: error: configuring with X
but xauth not found - aborting', try
./configure --without-x
or, add path of xauth to your PATH before running
configure. You can find xauth's location like this:
find / -name xauth
* Use 'ssh-keygen2 -P' to create keys without passphrases
(for use with rsync etc). Such a key is protected only by the
file permissions on the private key, so keep it readable by its
owner alone and list it in the authorization file of only the
accounts that need it.
* Configure option --disable-crypt-asm no longer exists
(use --disable-asm instead).
* If your sftp2 complains something like this: "Need basic
cursor movement capability, using vt100", then no library
containing tgetent() function was found when you ran
./configure . If you have a Linux system, then that is
probably because you don't have either termcap-devel or
ncurses-devel packages installed. If you want to get rid of
the message, and/or to use some more exotic terminals
capabilities, you should install either package. (A good
place to look for those is your distribution's web-page.)
KNOWN BUGS
==========
* Assembler-optimizations don't compile on BSDI. Configure
with --disable-asm. (as of 2.3.0, this is autodetected)
* static building of sftp-server and ssh-dummy-shell is
EXPERIMENTAL. If you use the static binaries, please try
them before real use.
* If you connect to a host whose hostkey has changed and you
have rekeys on, ssh2 will assert in the key check. Same
thing happens, if hostkey changes during the
connection. This will be fixed in the next release.
LEGAL ISSUES
============
See the file LICENSE for licensing and distribution conditions.
THERE IS NO WARRANTY FOR THIS PROGRAM.
In some countries, particularly Russia, Iraq, Pakistan, and France,
it may be illegal to use any encryption at all without a special permit.
This software may be freely imported into the United States; however,
the United States Government may consider re-exporting it a criminal
offense. Thus, if you are outside the US, please retrieve this
software from outside the US.
Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, or patent office worldwide.
SSH, SSH2 and Secure shell are registered trademarks or trademarks
of SSH Communications Security.