Although this package is widely referred to as OpenSSH, it is actually
a branch of an early version of ssh which has been tidied up by the

It has been decided that this version should have the privilege of
carrying the ``ssh'' name in Debian, since it is the only version of
ssh that is going to make it into Debian proper, being the only one
that complies with the Debian Free Software Guidelines.

If you were expecting to get the non-free version of ssh (1.2.27 or
whatever) when you installed this package, then you're out of luck, as

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To build the openssh package for woody, set DEB_BUILD_SSH_WOODY=1 in
your environment. This is necessary due to non-backward-compatible
changes in PAM support.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

As of 3.3, openssh has employed privilege separation to reduce the
quantity of code that runs as root, thereby reducing the impact of
some security holes in sshd. This now also works properly with PAM.

Privilege separation is turned on by default, so, if you decide you
want it turned off, you need to add "UsePrivilegeSeparation no" to

PermitRootLogin set to yes
--------------------------

This is now the default setting (in line with upstream), and people
who asked for an automatically-generated configuration file when
upgrading from potato (or on a new install) will have this setting in
their /etc/ssh/sshd_config file.

Should you wish to change this setting, edit /etc/ssh/sshd_config, and

Having PermitRootLogin set to yes means that an attacker who knows
the root password can ssh in directly (without having to go via a user
account). If you set it to no, then they must compromise a normal user
account. In the vast majority of cases, this does not give added
security; remember that any account you su to root from is equivalent
to root - compromising this account gives an attacker access to root
easily. If you only ever log in as root from the physical console,
then you probably want to set this value to no.

As an aside, PermitRootLogin can also be set to "without-password" or
"forced-commands-only" - see sshd(8) for more details.

DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!

The argument above is somewhat condensed; I have had this discussion
at great length with many people. If you think the default is
incorrect, and feel strongly enough to want to argue with me about it,
then send me email to matthew@debian.org. I will close bug reports
claiming the default is incorrect.

SSH now uses protocol 2 by default
----------------------------------

This means that all the key files you used for protocol version 1 need
to be re-generated. The server keys are done automatically, but for RSA
authentication, please read the ssh-keygen manpage.

If you have an automatically generated configuration file, and decide
at a later stage that you do want to support protocol version 1 (not
recommended, but note that the ssh client shipped with Debian potato
only supported protocol version 1), then you need to do the following:

Change /etc/ssh/sshd_config such that:

HostKey /etc/ssh/ssh_host_key

If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
you will need to generate one. To do so, run this command as root:

ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1

ssh's default for ForwardX11 has been changed to ``no'' because it has
been pointed out that logging into remote systems administered by
untrusted people is likely to open you up to X11 attacks, so you
should have to actively decide that you trust the remote machine's
root, before enabling X11. I strongly recommend that you do this on a
machine-by-machine basis, rather than just enabling it in the default

In order for X11 forwarding to work, you need to install xauth on the
server. In Debian this is in the xbase-clients package.

As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
the security risks of X11 forwarding. Look up X11UseLocalhost in
sshd_config(8) if this is a problem.

OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
ssh client to create an untrusted X cookie so that attacks on the
forwarded X11 connection can't become attacks on X clients on the remote
machine. However, its implementation has some problems (notably a very
short timeout on the untrusted cookie), it breaks large numbers of
existing setups, and it generally seems immature. The Debian package
therefore sets the default for this option to "no" (in ssh itself,
rather than in ssh_config).

The default for this setting has been changed from Yes to No, for
security reasons, and to stop the delay attempting to rsh to machines
that don't offer the service. Simply switch it back on in either
/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need

Setgid ssh-agent and environment variables
------------------------------------------

As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
attacks retrieving private key material. This has the side-effect of causing
glibc to remove certain environment variables which might have security
implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and

If you need to set any of these environment variables, you will need to do
so in the program exec()ed by ssh-agent. This may involve creating a small

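One shape the program exec()ed by ssh-agent can take, as an added example that is not part of the Debian package or of this README: a small wrapper script that sets the variable glibc stripped from the setgid agent's environment and then exec()s the real program. The wrapper path, the program and the library directory in the comments are assumptions; the agent is then started as `ssh-agent /path/to/wrapper`, which is the "program exec()ed by ssh-agent" the paragraph above refers to.

```shell
# Added example, not from the Debian openssh package: generate a small wrapper
# script for ssh-agent to exec(). ssh-agent is setgid, so glibc drops
# LD_LIBRARY_PATH (and friends) from the agent's own environment; the wrapper
# runs afterwards as an ordinary process and may set them again before
# exec()ing the real program. All paths below are assumptions.
#
# Usage:
#   make_agent_wrapper ~/bin/agent-wrap /usr/local/bin/myshell /opt/myapp/lib
#   ssh-agent ~/bin/agent-wrap
make_agent_wrapper() {
    wrapper=$1 prog=$2 libdir=$3
    {
        printf '#!/bin/sh\n'
        printf '# Set in the program exec()ed by the setgid ssh-agent, where glibc\n'
        printf '# no longer scrubs it; SSH_AUTH_SOCK from ssh-agent is inherited as is.\n'
        printf 'LD_LIBRARY_PATH=%s\n' "$libdir"
        printf 'export LD_LIBRARY_PATH\n'
        printf 'exec %s "$@"\n' "$prog"
    } > "$wrapper"
    chmod 755 "$wrapper"
}

# Show the variable as seen by the exec()ed program (here `env`, so the
# wrapper can be exercised without starting an agent); prints the
# LD_LIBRARY_PATH line from that program's environment.
wrapper_env_line() {
    sh "$1" | grep '^LD_LIBRARY_PATH='
}
```

The wrapper never needs to be set-id itself, so nothing in it is subject to the glibc scrubbing; it only has to run after ssh-agent has already dropped its privileges and exec()ed it.
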
Symlink Hostname invocation
---------------------------

This version of ssh no longer includes support for invoking ssh with the
hostname as the name of the file run. People wanting this support should
use the ssh-argv0 script.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

/usr/bin/ssh not SUID
---------------------

Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
is SUID. Until this is fixed, if that is a problem, use:

or if that's also missing, use this:

chown root.root /usr/bin/ssh
chmod 04755 /usr/bin/ssh

Authorization Forwarding
------------------------

Similarly, root on a remote server could make use of your ssh-agent
(while you're logged into their machine) to obtain access to machines
which trust your keys. This feature is therefore disabled by default.
You should only re-enable it for those hosts (in your ~/.ssh/config or
/etc/ssh/ssh_config) where you are confident that the remote machine

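The per-setting advice in the PermitRootLogin, ForwardX11 and agent-forwarding sections above shares one pitfall: ssh_config(5) and sshd_config(5) both state that the first value obtained for a keyword is the one used, so a line appended at the end of sshd_config does not override an earlier one, and a per-host "Host" block in ~/.ssh/config must come before "Host *" or it is never reached. The following shell function, an added example that is not part of this README or of OpenSSH, reads a config file under that rule (comments ignored, keywords case-insensitive, Host patterns matched as shell globs, first match wins) and reports the value that would apply. The two sample files are constructed for the example; "Keyword=value" syntax and negated "!pattern" Host entries are not handled.

```shell
# Added example (not part of the Debian README or of OpenSSH): report the value
# ssh/sshd would apply for a keyword, following the rule from ssh_config(5)
# and sshd_config(5) that the first obtained value for a keyword is used.
#   effective_value FILE KEYWORD [HOST]
# HOST selects ssh_config "Host" blocks (patterns matched as shell globs);
# omit it for sshd_config, which has no Host blocks. Prints the value and
# returns 0, or prints nothing and returns 1 when the keyword is not set
# (the compiled-in default then applies). Assumptions: whitespace-separated
# "Keyword value" lines only; "Keyword=value" and "!pattern" are not handled.
effective_value() (
    file=$1 want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]') host=${3:-}
    set -f                       # keep "Host *" from being expanded as a glob
    in_scope=1                   # lines before any Host block apply everywhere
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}         # drop comments
        set -- $line             # split into keyword and arguments
        [ $# -ge 2 ] || continue # blank or incomplete line
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$key" = host ]; then
            in_scope=0
            for pat in "$@"; do
                case $host in $pat) in_scope=1 ;; esac
            done
            continue
        fi
        [ $in_scope -eq 1 ] || continue
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$1"   # first obtained value wins: stop here
            exit 0
        fi
    done < "$file"
    exit 1
)

# Constructed sample files so the example runs offline.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
PermitRootLogin yes
X11Forwarding no
# Appended later in the hope of overriding the first line; sshd ignores it,
# because the first value obtained for a keyword is the one used.
PermitRootLogin no
EOF
    cat > "$1/ssh_config" <<'EOF'
# Host-specific trust first, as ssh_config(5) requires; "Host *" last.
Host trusted.example
    ForwardAgent yes
    ForwardX11 yes

Host *
    ForwardAgent no
    ForwardX11 no
EOF
}

# Demonstration run over the constructed files in a temporary directory.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    printf 'sshd PermitRootLogin: %s\n' "$(effective_value "$dir/sshd_config" PermitRootLogin)"
    printf 'ssh ForwardAgent for trusted.example: %s\n' "$(effective_value "$dir/ssh_config" ForwardAgent trusted.example)"
    printf 'ssh ForwardAgent for other.example: %s\n' "$(effective_value "$dir/ssh_config" ForwardAgent other.example)"
    rm -rf "$dir"
}
```

Run `demo` to see the effect: the appended "PermitRootLogin no" in the sample sshd_config is reported as "yes", which is what sshd would enforce, while the sample ssh_config gives agent forwarding only to trusted.example and "no" to every other host.
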
Problems logging in with RSA authentication
-------------------------------------------

If you have trouble logging in with RSA authentication then the
problem is probably caused by the fact that you have your home
directory writable by group, as well as user (this is the default on

Depending upon other settings on your system (e.g. other users being
in your group) this could open a security hole, so you will need to
make your home directory writable only by yourself. Run this command,

to remove group write permissions. If you use ssh-copy-id to install your
keys, it does this for you.

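A check for the condition just described, added here as an example that is not part of this README: sshd's StrictModes check (on by default) refuses to use an authorized_keys file whose path passes through a directory writable by group or others, so the function treats the two write bits the same way and, with --fix, removes both (the README's fix removes the group bit; clearing the others bit as well is the one addition). The directory argument is an assumption; the usual call is `check_home_perms "$HOME" --fix`.

```shell
# Added example (not from the README): check that a home directory is not
# writable by group or others, which is what sshd's StrictModes check (on by
# default) requires for the path to ~/.ssh/authorized_keys, and tighten it on
# request. Works from `ls -ld` so it runs on any POSIX system.
#   check_home_perms DIR [--fix]
# Returns 0 when the directory is acceptable (or was fixed), 1 otherwise.
check_home_perms() {
    dir=$1 fix=${2:-}
    perms=$(ls -ld "$dir" | cut -c1-10)     # e.g. drwxrwxr-x
    gw=$(printf '%s' "$perms" | cut -c6)    # group write bit
    ow=$(printf '%s' "$perms" | cut -c9)    # other write bit
    if [ "$gw" != w ] && [ "$ow" != w ]; then
        echo "ok: $dir is not group/world writable ($perms)"
        return 0
    fi
    if [ "$fix" = --fix ]; then
        # Remove group write permission as the README says; also clear the
        # others bit, which StrictModes rejects in the same way.
        chmod go-w "$dir"
        echo "fixed: $dir is now $(ls -ld "$dir" | cut -c1-10)"
        return 0
    fi
    echo "bad: $dir is writable by group or others ($perms); run: chmod go-w $dir"
    return 1
}

# Typical use, for the RSA login failure described above (assumed $HOME):
#   check_home_perms "$HOME" --fix
```

The same check applies to ~/.ssh itself and to authorized_keys: sshd walks each component of that path, so tightening the home directory alone is not enough if ~/.ssh is group-writable.
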
-L option of ssh nonfree
------------------------

non-free ssh supported the usage of the option -L to use a non-privileged
port for scp. This option will not be supported by scp from openssh.

Please use scp -o "UsePrivilegedPort=no" instead, as documented in the
scp manpage.

Problem logging in because of TCP-Wrappers
------------------------------------------

ssh is compiled with support for tcp-wrappers. So if you can no longer
log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
are configured so that ssh is not blocked.

Kerberos Authentication
-----------------------

ssh is compiled without support for Kerberos authentication, and there are
no current plans to support this. Thus the KerberosAuthentication and
KerberosTgtPassing options will not be recognised.

Interoperability between scp and the ssh.com SSH server
-------------------------------------------------------

In version 2 and greater of the commercial SSH server produced by SSH
Communications Security, scp was changed to use SFTP (SSH2's file transfer
protocol) instead of the traditional rcp-over-ssh, thereby breaking
compatibility. The OpenSSH developers regard this as a bug in the ssh.com
server, and do not currently intend to change OpenSSH's scp to match.

Workarounds for this problem are to install scp1 on the server (scp2 will
fall back to it), to use sftp, or to use some other transfer mechanism such
as rsync-over-ssh or tar-over-ssh.

<cjwatson@debian.org>