1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4 <title>OpenSSH FAQ</title>
5 <link rev= "made" href= "mailto:www@openbsd.org">
6 <meta name= "resource-type" content= "document">
7 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
8 <meta name= "description" content= "the OpenSSH FAQ page">
9 <meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq">
10 <meta name= "distribution" content= "global">
11 <meta name= "copyright" content= "This document copyright 1999-2010 OpenBSD.">
14 <body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
15 <a href="http://www.openssh.org/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
18 <h1>OpenSSH FAQ (Frequently asked questions)</h1>
23 <h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
25 <li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a>
26 <li><a href= "#1.2">1.2 - Why should it be used?</a>
27 <li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
28 <li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
29 <li><a href= "#1.5">1.5 - Where should I ask for help?</a>
30 <li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a>
33 <h3><a href= "#2.0">2.0 - General Questions</a></h3>
35 <li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a>
36 <li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
37 <li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
38 <li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
39 <li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
40 <li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
41 <li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
42 <li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
43 <li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
44 <li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a>
45 <li><a href= "#2.11">2.11 - How do I use port forwarding?</a>
46 <li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a>
47 <li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a>
48 <li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a>
51 <h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
53 <li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
54 <li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
55 <li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a>
56 <li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
57 <li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a>
58 <li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
59 <li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
60 <li><a href= "#3.8">3.8 - Unable to read passphrase</a>
61 <li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
62 <li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
63 <li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
64 <li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
65 <li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a>
66 <li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a>
67 <li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a>
68 <li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a>
75 <h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>
77 <h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2>
79 OpenSSH provides end-to-end encrypted replacement of applications such as
80 telnet, rlogin, and ftp.
81 Unlike these legacy applications, OpenSSH never passes anything
82 (including username and password) over the wire in unencrypted form, and
83 provides host authentication, to verify that you really are talking to
84 the system that you think you are and that no one else can take over
88 The OpenSSH suite includes the
89 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
90 program which replaces rlogin and telnet, and
91 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>
93 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a> and
94 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a>.
95 OpenSSH has also added
96 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> and
97 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>
98 which implement an easier solution for file-transfer. This is based upon the
99 <a href="http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.
102 <p><strong>OpenSSH consists of a number of programs.</strong>
105 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
106 Its behaviour is controlled by the config file <i><a
107 href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">
108 sshd_config(5)</a></i>.
109 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
110 Its behaviour is controlled by the global config file <i><a
111 href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">
112 ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files.
113 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> - Securely copies files from one machine to another.
114 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
115 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication.
116 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
117 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> - SFTP server subsystem.
118 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> - Secure file transfer program.
119 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> - gather ssh public keys.
120 <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
126 The most recent version of OpenSSH is included with the current
127 distribution of <a href="http://www.openbsd.org/">OpenBSD</a>, and
128 installed as part of a basic install.
131 Today, most other operating systems include some version of OpenSSH
132 (often re-badged or privately labeled), so most users can immediately
134 However, sometimes the included versions are quite old, and missing
135 features of the current release of OpenSSH, and you may wish to install
136 the current version, or install it on one of the few OSs that lacked it,
137 and where the OS publisher does not make a modern version available.
138 You may also wish to use OpenSSH on your embedded application.
141 Non-OpenBSD users will want to download, compile and install the
142 multi-platform <a href="http://www.openssh.org/portable.html">Portable</a> distribution from a
143 <a href="http://www.openssh.org/portable.html#mirrors">mirror</a> near you.
146 <h2><a name= "1.2">1.2 - Why should it be used?</a></h2>
149 OpenSSH is a suite of tools to help secure your network
150 connections. Here is a list of features:
154 <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
155 <li>Improved privacy. All communications are automatically and transparently encrypted.
156 <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
157 <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
158 <li>No retraining needed for normal users.
159 <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
160 <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
161 <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine.
162 <li>Any user can create any number of user authentication RSA keys for his/her own use.
163 <li>The server program has its own server RSA key which is automatically regenerated every hour.
164 <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
165 <li>The software can be installed and used (with restricted functionality) even without root privileges.
166 <li>The client is customizable in system-wide and per-user configuration files.
167 <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
168 <li>Complete replacement for rlogin, rsh, and rcp.
172 Currently, almost all communications in computer networks are done
173 without encryption. As a consequence, anyone who has access to any
174 machine connected to the network can listen in on any communication.
175 This is being done by hackers, curious administrators, employers,
176 criminals, industrial spies, and governments. Some networks leak off
177 enough electromagnetic radiation that data may be captured even from a
182 When you log in, your password goes in the network in plain
183 text. Thus, any listener can then use your account to do any evil he
184 likes. Many incidents have been encountered worldwide where crackers
185 have started programs on workstations without the owner's knowledge
186 just to listen to the network and collect passwords. Programs for
187 doing this are available on the Internet, or can be built by a
188 competent programmer in a few hours.
192 Businesses have trade secrets, patent applications in preparation,
193 pricing information, subcontractor information, client data, personnel
194 data, financial information, etc. Currently, anyone with access to
195 the network (any machine on the network) can listen to anything that
196 goes in the network, without any regard to normal access restrictions.
200 Many companies are not aware that information can so easily be
201 recovered from the network. They trust that their data is safe
202 since nobody is supposed to know that there is sensitive information
203 in the network, or because so much other data is transferred in the
204 network. This is not a safe policy.
207 <h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>
210 Even though OpenSSH is developed on
211 <a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of
212 ports to other operating systems exist. The portable version of OpenSSH
213 is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>.
214 For a quick overview of the portable version of OpenSSH see
215 <a href="http://www.openssh.org/portable.html">OpenSSH Portable Release</a>.
216 Currently, the supported operating systems are:
231 <li>Digital Unix/Tru64/OSF
237 A list of vendors that include OpenSSH in their distributions
238 is located in the <a href="http://www.openssh.org/users.html">OpenSSH Users page</a>.
240 <h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
242 The OpenSSH developers have tried very hard to keep OpenSSH free of any
243 patent or copyright problems. To do this, some options had to be
244 stripped from OpenSSH. Namely support for patented algorithms.
247 OpenSSH does not support any patented transport algorithms. In SSH1 mode,
248 only 3DES and Blowfish are available options. In SSH2 mode, only 3DES,
249 Blowfish, CAST128, Arcfour and AES can be selected.
250 The patented IDEA algorithm is not supported.
253 OpenSSH provides support for both SSH1 and SSH2 protocols.
256 Since the RSA patent has expired, there are no restrictions on the use
257 of RSA algorithm using software, including OpenBSD.
259 <h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
261 There are many places to turn to for help. In addition to the main
262 <a href="http://www.openssh.org/index.html">OpenSSH website</a>,
263 there are many mailing lists to try. Before trying any mailing lists,
264 please search through all mailing list archives to see if your question
265 has already been answered. The OpenSSH Mailing List has been archived and
266 put in searchable form and can be found at
267 <a href="http://marc.info/?l=openssh-unix-dev&r=1&w=2">marc.info</a>.
270 For more information on subscribing to OpenSSH related mailing lists,
271 please see <a href="http://www.openssh.org/list.html">OpenSSH Mailing lists</a>.
273 <h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2>
275 Information about submitting bug reports can be found at the OpenSSH
276 <a href="http://www.openssh.org/report.html">Reporting bugs</a> page.
278 If you wish to report a security bug, please contact the private developers
279 list <<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>>.
281 <h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>
283 <h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2>
285 The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa
286 authentication because the server needs to trust the username provided by
287 the client. To get around this, you can add the below example to your
288 <i>ssh_config</i> or <i>~/.ssh/config</i> file.
292 <table border=0 width="800">
294 <td nowrap bgcolor="#EEEEEE">
295 <b>UsePrivilegedPort no</b>
302 Or you can specify this option on the command line, using the <b>-o</b>
304 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> command.
307 <table border=0 width="800">
309 <td nowrap bgcolor="#EEEEEE">
310 $ <b>ssh -o "UsePrivilegedPort no" host.com</b>
316 <h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>
319 In conjunction with the previous question, (<a href="#2.1">2.1</a>)
320 OpenSSH needs root authority to be able to bind to low-numbered ports to
321 facilitate <i>rhosts authentication</i>.
322 A privileged port is also required for rhosts-rsa authentication to older
326 Additionally, for both <i>rhosts-rsa authentication</i> (in protocol
327 version 1) and <i>hostbased authentication</i> (in protocol version 2)
328 the ssh client needs to access the <i>private host key</i> in order to
329 authenticate the client machine to the server.
330 OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be
331 setuid root to enable this, and you may safely remove it if you don't
332 want to use these authentication methods.
335 Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a
336 href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>,
337 is used for access to the private hosts keys, and ssh does not use privileged
338 source ports by default. If you wish to use a privileged source port, you must
339 manually set the setuid bit on <code>ssh</code>.
341 <h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>
344 SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
345 Their code was not supplying the full data block output from the digest,
346 and instead always provided 128 bits. For longer digests, this caused
347 SSH 2.3 to not interoperate with OpenSSH.
350 OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH
351 will have this bug fixed. Or you can add the following to
352 SSH 2.3 <i>sshd2_config</i>.
356 <table border=0 width="800">
358 <td nowrap bgcolor="#EEEEEE">
365 <h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>
368 Problems in interoperation have been seen because older versions of
369 OpenSSH did not support session rekeying. However the commercial SSH 2.3
370 tries to negotiate this feature, and you might experience connection
371 freezes or see the error message "<b>Dispatch protocol error:
373 To solve this problem, either upgrade to a recent OpenSSH release or
374 disable rekeying by adding the following to your commercial SSH 2.3's
375 <i>ssh2_config</i> or <i>sshd2_config</i>.
379 <table border=0 width="800">
381 <td nowrap bgcolor="#EEEEEE">
382 <b>RekeyIntervalSeconds 0</b>
388 <h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>
391 The old versions of SSH used a patented algorithm to encrypt their
392 <i>/etc/ssh/ssh_host_key</i>. This problem will manifest as
393 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
394 not being able to read its host key. To solve this, use the command below
395 to convert your ssh_host_key to use 3DES.
397 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
398 program from the Commercial SSH product, *NOT* OpenSSH for the example
403 <table border=0 width="800">
405 <td nowrap bgcolor="#EEEEEE">
406 # <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
412 <h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2>
416 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
417 program contained a bug which caused it to occasionally generate Pubkey
418 Authentication (RSA or DSA) keys which had their Most Significant Bit
419 (MSB) unset. Such keys were advertised as being full-length, but are
420 actually, half the time, smaller than advertised.
423 OpenSSH will print warning messages when it encounters such keys. To rid
424 yourself of these message, edit your <i>known_hosts</i> files and replace the
425 incorrect key length (usually "1024") with the correct key length
428 <h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>
431 Check your <i>ssh_config</i> and <i>sshd_config</i>. The default
432 configuration files disable authentication agent and X11 forwarding. To
433 enable it, put the line below in <i>sshd_config</i>:
436 <table border=0 width="800">
438 <td nowrap bgcolor="#EEEEEE">
439 <b>X11Forwarding yes</b>
446 and put the following lines in <i>ssh_config</i>:
449 <table border=0 width="800">
451 <td nowrap bgcolor="#EEEEEE">
452 <b>ForwardAgent yes</b><br>
453 <b>ForwardX11 yes</b>
460 X11 forwarding requires a working <a
461 href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&sektion=1"
462 >xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file
463 set but will probably be different on other platforms. For OpenSSH
464 Portable, xauth must be either found at configure time or specified
465 via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5).
468 Note on agent interoperability: There are two different and
469 incompatible agent forwarding mechanisms within the SSH2 protocol.
470 OpenSSH has always used an extension of the original SSH1 agent
471 requests, however some commercial products use a different, non-free
472 agent forwarding protocol. This means that agent forwarding cannot
473 be used between OpenSSH and those products.
476 <b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the
477 <i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>,
478 and thus any bash user's home directory. This variable is set by OpenSSH
479 and for either of the above options to work, you need to comment out
484 <table border=0 width="800">
486 <td nowrap bgcolor="#EEEEEE">
487 <b># export XAUTHORITY=$HOME/.Xauthority</b>
493 <h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>
496 Between versions changes can be made to <i>sshd_config</i> or
497 <i>ssh_config</i>. You should always check on these changes when upgrading
498 versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the
499 following to your <i>sshd_config</i>:
503 <table border=0 width="800">
505 <td nowrap bgcolor="#EEEEEE">
506 <b>HostKey /etc/ssh_host_dsa_key</b><br>
507 <b>HostKey /etc/ssh_host_rsa_key</b>
513 <h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>
516 sftp and/or scp may fail at connection time if you have shell
517 initialization (.profile, .bashrc, .cshrc, etc) which produces output
518 for non-interactive sessions. This output confuses the sftp/scp client.
519 You can verify if your shell is doing this by executing:
522 <table border=0 width="800">
524 <td nowrap bgcolor="#EEEEEE">
525 <b>ssh yourhost /usr/bin/true</b>
532 If the above command produces any output, then you need to modify your
533 shell initialization.
535 <h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2>
541 Long Answer: scp is not standardized. The closest thing it has to a
542 specification is "what rcp does". Since the same command is used on both ends
543 of the connection, adding features or options risks breaking interoperability with other
547 New features are more likely in sftp, since the protocol is standardized
548 (well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html">
549 draft standard</a>), extensible, and the client and server are decoupled.
551 <h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2>
554 If the remote server is running sshd(8), it may be possible to
555 ``tunnel'' certain services via ssh. This may be desirable, for
556 example, to encrypt POP or SMTP connections, even though the software
557 does not directly support encrypted communications. Tunnelling uses
558 port forwarding to create a connection between the client and server.
559 The client software must be able to specify a non-standard port to
560 connect to for this to work.
563 The idea is that the user connects to the remote host using ssh,
564 and specifies which port on the client's machine should be used to
565 forward connections to the remote server. After that it is possible
566 to start the service which is to be encrypted (e.g. fetchmail, irc)
567 on the client machine, specifying the same local port passed to
568 ssh, and the connection will be tunnelled through ssh. By default,
569 the system running the forward will only accept connections from
573 The options most relevant to tunnelling are the -L and -R options,
574 which allow the user to forward connections, the -D option, which
575 permits dynamic port forwarding, the -g option, which permits other
576 hosts to use port forwards, and the -f option, which instructs ssh
577 to put itself in the background after authentication. See the <a
578 href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1"
579 >ssh(1)</a> man page for further details.
582 This is an example of tunnelling an IRC session from client machine
583 ``127.0.0.1'' (localhost) to remote server ``server.example.com'':
586 <table border=0 width="800">
588 <td nowrap bgcolor="#EEEEEE">
589 <b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br>
590 irc -c '#users' -p 1234 pinky 127.0.0.1</b>
597 This tunnels a connection to IRC server server.example.com, joining
598 channel ``#users'', using the nickname ``pinky''. The local port used
599 in this example is 1234. It does not matter which port is used, as
600 long as it's greater than 1023 (remember, only root can open sockets on
601 privileged ports) and doesn't conflict with any ports already in use.
602 The connection is forwarded to port 6667 on the remote server, since
603 that's the standard port for IRC services.
606 The remote command ``sleep 10'' was specified to allow an amount
607 of time (10 seconds, in the example) to start the service which is to
608 be tunnelled. If no connections are made within the time specified,
609 ssh will exit. If more time is required, the sleep(1) value can be
610 increased appropriately or, alternatively, the example above could
611 be added as a function to the user's shell. See ksh(1) and csh(1)
612 for more details about user-defined functions.
615 ssh also has an -N option, convenient for use with port forwarding:
616 if -N is specified, it is not necessary to specify a remote command
617 (``sleep 10'' in the example above). However, use of this option
618 causes ssh to wait around for ever (as opposed to exiting after a
619 remote command has completed), and the user must take care to manually
620 kill(1) the process afterwards.
622 <h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2>
625 This is usually the result of a packet filter or NAT device
626 timing out your TCP connection due to inactivity. You can enable
627 <b>ClientAliveInterval</b> in the server's <i><a
628 href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">
629 sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the
631 href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">
632 ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer).
635 Enabling either option and setting the interval for less than the time
636 it takes to time out your session will ensure that the connection is
637 kept "fresh" in the device's connection table.
639 <h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2>
642 href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">
643 scp</a></b> will interpret the component before the colon to be a remote
644 server name and attempt to connect to it. To prevent this, refer to
645 the file by a relative or absolute path, eg:
648 <table border=0 width="800">
650 <td nowrap bgcolor="#EEEEEE">
651 $ scp ./source:file sshserver:
657 <h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2>
660 OpenSSH, like most SSH implementations, reports its name and version to clients
661 when they connect, e.g.
669 This information is used by clients and servers to enable protocol
670 compatibility tweaks to work around changed, buggy or missing features in
671 the implementation they are talking to. This protocol feature checking is
672 still required at present because versions with incompatibilities are still
676 <h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>
678 <h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>
681 The portable version of OpenSSH will generate spurious authentication
682 failures at every login, similar to:
686 <table border=0 width="800">
688 <td nowrap bgcolor="#EEEEEE">
689 "<b>authentication failure; (uid=0) -> root for sshd service</b>"
696 These are generated because OpenSSH first tries to determine whether a
697 user needs authentication to login (e.g. empty password). Unfortunately
698 PAM likes to log all authentication events, this one included.
701 If it annoys you too much, set "<b>PermitEmptyPasswords no</b>"
702 in <i>sshd_config</i>. This will quiet the error message at the expense
703 of disabling logins to accounts with no password set.
704 This is the default if you use the supplied <i>sshd_config</i> file.
706 <h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>
709 To enable empty passwords with a version of OpenSSH built with PAM you
710 must add the flag nullok to the end of the password checking module
711 in the <i>/etc/pam.d/sshd</i> file. For example:
714 <table border=0 width="800">
716 <td nowrap bgcolor="#EEEEEE">
717 auth required/lib/security/pam_unix.so shadow nodelay nullok
724 This must be done in addition to setting "<b>PermitEmptyPasswords
725 yes</b>" in the <i>sshd_config</i> file.
728 There is one caveat when using empty passwords with PAM authentication:
729 PAM will allow any password when authenticating an account with an empty
730 password. This breaks the check that
731 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
732 uses to determine whether an account has no password set and grant
733 users access to the account regardless of the policy specified by
734 <b>PermitEmptyPasswords</b>. For this reason, it is recommended that you
735 do not add the <b>nullok</b> directive to your PAM configuration file
736 unless you specifically wish to allow empty passwords.
739 <h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log
743 Large delays (more than 10 seconds) are typically caused by a problem with
746 <li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
747 can take a long time to resolve "IPv6 or IPv4" addresses from domain
748 names. This can be worked around with by specifying <b>AddressFamily
749 inet</b> option in <i>ssh_config</i>.</li>
751 <li>There may be a DNS lookup problem, either at the client or server.
752 You can use the <code>nslookup</code> command to check this on both client
753 and server by looking up the other end's name and IP address. In
754 addition, on the server look up the name returned by the client's
755 IP-name lookup. You can disable most of the server-side lookups by
756 setting <b>UseDNS no</b> in <i>sshd_config</i>.</li>
760 Delays less than 10 seconds can have other causes.
764 <li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with
765 moduli that were just smaller than what sshd would look for, and
766 as a result, sshd would end up using moduli significantly larger
767 than requested, which resulted in a speed penalty. Replacing the
768 <i>moduli</i> file will resolve this (note that in most cases this
769 file will not be replaced during an upgrade and must be replaced
772 <li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that
773 would cause it to request moduli larger than intended (which when
774 combined with the above resulted in significant slowdowns).
775 Upgrading the client to 3.8 or higher will resolve this issue.</li>
777 <li>If either the client or server lack a kernel-based random number
778 device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no
779 substitute is available (eg <a href=
780 "ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that
781 one of the programs called by <code>ssh-rand-helper</code> to
782 generate entropy is hanging. This can be investigated by running
786 <table border=0 width="800">
788 <td nowrap bgcolor="#EEEEEE">
789 /usr/local/libexec/ssh-rand-helper -vvv
795 Any significant delays should be investigated and rectified, or the
796 corresponding commands should be removed from <i>ssh_prng_cmds</i>.
801 <h3>How slow is "slow"?</h3>
802 Under normal conditions, the speed of SSH logins is dependant on
803 CPU speed of client and server. For comparison the following are
804 typical connect times for <code>time ssh localhost true</code>
805 with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and
806 OpenSSL were compiled with gcc 3.3.x.
810 <tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th>
811 <th>Time (SSHv2)</th></tr>
812 <tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr>
813 <tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td>
814 <td>0.79 sec</td></tr>
815 <tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr>
816 <tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr>
817 <tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr>
822 <a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is
823 cryptographically weaker than SSHv2.<br>
825 <a name="3.3fn2">[2]</a> At the time of writing, gcc generates
826 relatively slow code on HPPA for RSA and Diffie-Hellman operations
827 (see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc
829 href="http://marc.info/?l=openssh-unix-dev&m=102646106016694">
830 discussion on openssh-unix-dev</a>).
832 <h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>
835 The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
836 Either load the appropriate kernel module, enter the correct alias in
837 <i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.
841 For some silly reason <i>/etc/modules.conf</i> may also be named
842 <i>/etc/conf.modules</i>.
845 <h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2>
848 If the password is correct password the login is still denied, the
849 usual cause is that the system is configured to use MD5-type passwords
851 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3"
852 >crypt(3)</a> function used by sshd doesn't understand them.
855 Affected accounts will have password strings in <i>/etc/passwd</i>
856 or <i>/etc/shadow</i> that start with <b>$1$</b>.
857 If password authentication fails for new accounts or accounts with
858 recently changed passwords, but works for old accounts, this is the
862 The underlying cause is that some versions of OpenSSL have a crypt(3)
863 function that does not understand MD5 passwords, and the link order of
864 sshd means that OpenSSL's crypt(3) is used instead of the system's.
865 OpensSSH's configure attempts to correct for this but is not always
869 There are several possible solutions:
874 Enable sshd's built-in support for MD5 passwords at build time.
877 <table border=0 width="800">
879 <td nowrap bgcolor="#EEEEEE">
880 ./configure --with-md5-passwords [options]
886 This is safe even if you have both types of encryption as sshd will
887 select the correct algorithm for each account automatically.
891 If your system has a separate libcrypt library (eg Slackware 7) then you
892 can manually add -lcrypt to the LIBS list so it's used instead of
896 <table border=0 width="800">
898 <td nowrap bgcolor="#EEEEEE">
899 LIBS=-lcrypt ./configure [options]
907 If your platforms supports PAM, you may configure sshd to use it
908 (see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will
909 not verify passwords itself but will defer to the configured PAM modules.
912 <h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>
915 Ensure that your OpenSSL libraries have been built to include RSA or DSA
916 support either internally or through RSAref.
919 <h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>
922 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>
923 must be in the default PATH on both the client and the server. You may
924 need to use the <b>--with-default-path</b> option to specify a custom
925 path to search on the server. This option replaces the default path,
926 so you need to specify all the current directories on your path as well
927 as where you have installed scp. For example:
930 <table border=0 width="800">
932 <td nowrap bgcolor="#EEEEEE">
933 $ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
940 Note that configuration by the server's admin will take precedence over the
941 setting of <b>--with-default-path</b>. This includes resetting PATH in
942 <i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and
943 above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or
946 <h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>
949 Some operating systems set <i>/dev/tty</i> with incorrect modes, causing
950 the reading of passwords to fail with the following error:
953 <table border=0 width="800">
955 <td nowrap bgcolor="#EEEEEE">
956 You have no controlling tty. Cannot read passphrase.
963 The solution to this is to reset the permissions on <i>/dev/tty</i>
964 to mode 0666 and report the error as a bug to your OS vendor.
967 <h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>
970 If there is no 'configure' file in the tar.gz file that you downloaded
971 or make fails with "missing separator" errors, you have probably
972 downloaded the OpenBSD distribution of OpenSSH and are attempting to
973 compile it on another platform. Please refer to the information on the
974 <a href="http://www.openssh.org/portable.html">portable version</a>.
977 <h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>
980 OpenSSH may hang when exiting. This can occur when there is an active
981 background process. This is known to occur on Linux and HP-UX.
982 The problem can be verified by doing the following:
985 <table border=0 width="800">
987 <td nowrap bgcolor="#EEEEEE">
988 $ <b>sleep 20 & exit</b>
994 Try to use this instead:
996 <table border=0 width="800">
998 <td nowrap bgcolor="#EEEEEE">
999 $ <b>sleep 20 < /dev/null > /dev/null 2>&1 &</b>
1006 A work around for bash users is to place <b>"shopt -s huponexit"</b>
1007 in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's
1008 man page for an option to enable it to send a HUP signal to active
1009 jobs when exiting. See <a
1010 href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a>
1011 for other workarounds.
1013 <h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>
1018 <table border=0 width="800">
1020 <td nowrap bgcolor="#EEEEEE">
1021 $ <b>ssh host command</b>
1026 ssh <b>needs</b> to hang, because it needs to wait:
1029 until it can be sure that <code>command</code> does not need
1032 until it can be sure that <code>command</code> does not produce
1035 until <code>command</code> exits because sshd needs to tell
1036 the exit status from <code>command</code> to ssh.
1040 <h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
1041 forwarding stopped working.</a></h2>
1043 Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
1044 localhost by default; see the sshd <b>X11UseLocalhost</b> option to
1045 revert to prior behaviour if your older X11 clients do not function
1046 with this configuration.<p>
1048 In general, X11 clients using X11 R6 should work with the default
1049 setting. Some vendors, including HP, ship X11 clients with R6
1050 and R5 libs, so some clients will work, and others will not work.
1051 This is true for HP-UX 11.X.<p>
1053 <h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some
1054 X11 programs stopped working.</a></h2>
1057 As documented in the <a href="http://www.openssh.org/txt/release-3.8">3.8 release notes</a>,
1058 <code>ssh</code> will now use untrusted X11 cookies by
1059 default. The previous behaviour can be restored by setting
1060 <b>ForwardX11Trusted yes</b> in <i>ssh_config</i>.
1063 Possible symptoms include:<br>
1064 <code>BadWindow (invalid Window parameter)<br>
1065 BadAccess (attempt to access private resource denied)<br>
1066 X Error of failed request: BadAtom (invalid Atom parameter)<br>
1067 Major opcode of failed request: 20 (X_GetProperty)<br></code>
1069 <h2><a name= "3.14">3.14 - I copied my public key to authorized_keys
1070 but public-key authentication still doesn't work.</a></h2>
1073 Typically this is caused by the file permissions on $HOME, $HOME/.ssh or
1074 $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
1077 In this case, it can be solved by executing the following on the server.
1079 <table border=0 width="800">
1081 <td nowrap bgcolor="#EEEEEE">
1082 $ <b>chmod go-w $HOME $HOME/.ssh</b><br>
1083 $ <b>chmod 600 $HOME/.ssh/authorized_keys</b>
1084 $ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br>
1091 If this is not possible for some reason, an alternative is to set
1092 <b>StrictModes no</b> in <i>sshd_config</i>, however this is not
1095 <h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2>
1097 Portable OpenSSH has a configure-time option to enable sshd's use of the
1098 <a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a>
1099 (Pluggable Authentication Modules) interface.
1102 <table border=0 width="800">
1104 <td nowrap bgcolor="#EEEEEE">
1105 ./configure --with-pam [options]
1111 To use PAM at all, this option must be provided at build time.
1112 The run-time behaviour when PAM is built in varies with the version of
1113 Portable OpenSSH, and on later versions it must also be enabled by setting
1114 <b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>.
1117 The behaviour of the relevant authentications options when PAM support is built
1118 in is summarised by the following table.
1122 <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr>
1124 <td><=3.6.1p2</td>
1125 <td>Not applicable</td>
1127 <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td>
1130 <td>3.7p1 - 3.7.1p1</td>
1131 <td>Defaults to <b>yes</b></td>
1132 <td>Does not use PAM</td>
1133 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1136 <td>3.7.1p2 - 3.8.1p1</td>
1137 <td>Defaults to <b>no</b></td>
1138 <td>Does not use PAM <a href="#3.15fn1">[1]</a></td>
1139 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1143 <td>Defaults to <b>no</b></td>
1144 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1145 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1150 <a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have
1151 backported the PasswordAuthentication from 3.9p1 to their 3.8x based
1152 packages. If you're using a vendor-supplied package then consult their
1156 OpenSSH Portable's PAM interface still has problems with a few modules,
1157 however we hope that this number will reduce in the future. As at the
1158 3.9p1 release, the known problems are:
1161 <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
1162 may fail to correctly establish credentials (bug <a
1163 href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when
1164 authenticating via <b>ChallengeResponseAuthentication</b>.
1165 <b>PasswordAuthentication</b> with 3.9p1 and above should work.
1168 You can also check <a
1169 href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&bug_status=RESOLVED&bug_status=NEW&bug_status=ACCEPTED&component=PAM+support"
1170 >bugzilla for current PAM issues</a>.
1172 <h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users
1173 logged in via ssh?</a></h2>
1175 Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This
1176 means that sshd binaries built on AIX 4.x will not correctly write wtmp
1177 entries when run on AIX 5.x. This can be fixed by simply recompiling
1178 sshd on an AIX 5.x system and using that.
1181 <a href="http://www.openssh.org/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a>
1182 <a href="mailto:www@openbsd.org">www@openbsd.org</a>
1184 <small>$OpenBSD: faq.html,v 1.112 2010/09/15 02:41:42 nick Exp $</small>