<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<title>OpenSSH FAQ</title>
<link rev= "made" href= "mailto:www@openbsd.org">
<meta name= "resource-type" content= "document">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name= "description" content= "the OpenSSH FAQ page">
<meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq">
<meta name= "distribution" content= "global">
<meta name= "copyright" content= "This document copyright 1999-2005 OpenBSD.">
<body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
<a href="http://www.openssh.org/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<h1>OpenSSH FAQ (Frequently asked questions)</h1>
<strong>Date: 2005/09/20</strong>
<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
<li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a>
<li><a href= "#1.2">1.2 - Why should it be used?</a>
<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
<li><a href= "#1.5">1.5 - Where should I ask for help?</a>
<li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a>
<h3><a href= "#2.0">2.0 - General Questions</a></h3>
<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports? My firewall blocks these.</a>
<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
<li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a>
<li><a href= "#2.11">2.11 - How do I use port forwarding?</a>
<li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a>
<li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a>
<li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a>
<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a>
<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
<li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a>
<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
<li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
<li><a href= "#3.8">3.8 - Unable to read passphrase</a>
<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
<li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
<li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a>
<li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a>
<li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a>
<li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a>
<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>
<h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2>
OpenSSH is a <b>FREE</b> version of the SSH suite of network connectivity
tools that increasing numbers of people on the Internet are coming to
rely on. Many users of telnet, rlogin, ftp, and other such programs might
not realize that their password is transmitted across the Internet
unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
to effectively eliminate eavesdropping, connection hijacking,
and other network-level attacks.
The OpenSSH suite includes the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
program which replaces rlogin and telnet, and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a> and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a>.
OpenSSH has also added
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>
which implement an easier solution for file-transfer. This is based upon the
<a href="http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.
<p><strong>OpenSSH consists of a number of programs.</strong>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
Its behaviour is controlled by the config file <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">
sshd_config(5)</a></i>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
Its behaviour is controlled by the global config file <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">
ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> - Securely copies files from one machine to another.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> - SFTP server subsystem.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> - Secure file transfer program.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> - gather ssh public keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
OpenSSH comes in two downloadable distributions: the native <a
href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution and the multi-platform
<a href="http://www.openssh.org/portable.html">Portable</a> distribution. If you want
OpenSSH for a recent OpenBSD or integration into a product, you
probably want the <a href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution.
If you want OpenSSH for another platform, or an older OpenBSD, you
probably want the <a href="http://www.openssh.org/portable.html">Portable</a> distribution.
When downloading, please use a <a href="http://www.openssh.org/portable.html#mirrors">mirror</a>
<h2><a name= "1.2">1.2 - Why should it be used?</a></h2>
OpenSSH is a suite of tools to help secure your network
connections. Here is a list of features:
<li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
<li>Improved privacy. All communications are automatically and transparently encrypted.
<li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
<li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
<li>No retraining needed for normal users.
<li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
<li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
<li>Host authentication key distribution can be done centrally by the administration, or automatically when the first connection is made to a machine.
<li>Any user can create any number of user authentication RSA keys for his/her own use.
<li>The server program has its own server RSA key which is automatically regenerated every hour.
<li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
<li>The software can be installed and used (with restricted functionality) even without root privileges.
<li>The client is customizable in system-wide and per-user configuration files.
<li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
<li>Complete replacement for rlogin, rsh, and rcp.
Currently, almost all communications in computer networks are done
without encryption. As a consequence, anyone who has access to any
machine connected to the network can listen in on any communication.
This is being done by hackers, curious administrators, employers,
criminals, industrial spies, and governments. Some networks leak off
enough electromagnetic radiation that data may be captured even from a
When you log in, your password goes in the network in plain
text. Thus, any listener can then use your account to do any evil he
likes. Many incidents have been encountered worldwide where crackers
have started programs on workstations without the owner's knowledge
just to listen to the network and collect passwords. Programs for
doing this are available on the Internet, or can be built by a
competent programmer in a few hours.
Businesses have trade secrets, patent applications in preparation,
pricing information, subcontractor information, client data, personnel
data, financial information, etc. Currently, anyone with access to
the network (any machine on the network) can listen to anything that
goes in the network, without any regard to normal access restrictions.
Many companies are not aware that information can so easily be
recovered from the network. They trust that their data is safe
since nobody is supposed to know that there is sensitive information
in the network, or because so much other data is transferred in the
network. This is not a safe policy.
<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>
Even though OpenSSH is developed on
<a href="http://www.openbsd.org/">OpenBSD</a>, a wide variety of
ports to other operating systems exist. The portable version of OpenSSH
is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>.
For a quick overview of the portable version of OpenSSH see
<a href="http://www.openssh.org/portable.html">OpenSSH Portable Release</a>.
Currently, the supported operating systems are:
<li>Digital Unix/Tru64/OSF
A list of vendors that include OpenSSH in their distributions
is located in the <a href="http://www.openssh.org/users.html">OpenSSH Users page</a>.
<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
The OpenSSH developers have tried very hard to keep OpenSSH free of any
patent or copyright problems. To do this, some options had to be
stripped from OpenSSH, namely support for patented algorithms.
OpenSSH does not support any patented transport algorithms. In SSH1 mode,
only 3DES and Blowfish are available options. In SSH2 mode, only 3DES,
Blowfish, CAST128, Arcfour and AES can be selected.
The patented IDEA algorithm is not supported.
OpenSSH provides support for both SSH1 and SSH2 protocols.
Since the RSA patent has expired, there are no restrictions on the use
of software using the RSA algorithm, including OpenBSD.
<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
There are many places to turn to for help. In addition to the main
<a href="http://www.openssh.org/index.html">OpenSSH website</a>,
there are many mailing lists to try. Before trying any mailing lists,
please search through all mailing list archives to see if your question
has already been answered. The OpenSSH Mailing List has been archived and
put in searchable form and can be found at
<a href="http://marc.info/?l=openssh-unix-dev&r=1&w=2">marc.info</a>.
For more information on subscribing to OpenSSH related mailing lists,
please see <a href="http://www.openssh.org/list.html">OpenSSH Mailing lists</a>.
<h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2>
Information about submitting bug reports can be found at the OpenSSH
<a href="http://www.openssh.org/report.html">Reporting bugs</a> page.
If you wish to report a security bug, please contact the private developers
list &lt;<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>&gt;.
<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>
<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports?</a></h2>
The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa
authentication because the server needs to trust the username provided by
the client. To get around this, you can add the below example to your
<i>ssh_config</i> or <i>~/.ssh/config</i> file.
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>UsePrivilegedPort no</b>
Or you can specify this option on the command line, using the <b>-o</b>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> command.
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
$ <b>ssh -o "UsePrivilegedPort no" host.com</b>
<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>
In conjunction with the previous question, (<a href="#2.1">2.1</a>)
OpenSSH needs root authority to be able to bind to low-numbered ports to
facilitate <i>rhosts authentication</i>.
A privileged port is also required for rhosts-rsa authentication to older
Additionally, for both <i>rhosts-rsa authentication</i> (in protocol
version 1) and <i>hostbased authentication</i> (in protocol version 2)
the ssh client needs to access the <i>private host key</i> in order to
authenticate the client machine to the server.
OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be
setuid root to enable this, and you may safely remove it if you don't
want to use these authentication methods.
Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>
is used for access to the private host keys, and ssh does not use privileged
source ports by default. If you wish to use a privileged source port, you must
manually set the setuid bit on <code>ssh</code>.
<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>
SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
Their code was not supplying the full data block output from the digest,
and instead always provided 128 bits. For longer digests, this caused
SSH 2.3 to not interoperate with OpenSSH.
OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH
will have this bug fixed. Or you can add the following to
SSH 2.3 <i>sshd2_config</i>.
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>
Problems in interoperation have been seen because older versions of
OpenSSH did not support session rekeying. However, the commercial SSH 2.3
tries to negotiate this feature, and you might experience connection
freezes or see the error message "<b>Dispatch protocol error:
To solve this problem, either upgrade to a recent OpenSSH release or
disable rekeying by adding the following to your commercial SSH 2.3's
<i>ssh2_config</i> or <i>sshd2_config</i>.
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>RekeyIntervalSeconds 0</b>
<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>
Old versions of SSH used a patented algorithm to encrypt their
<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
not being able to read its host key. To solve this, use the command below
to convert your ssh_host_key to use 3DES.
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
program from the Commercial SSH product, *NOT* OpenSSH for the example
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
<h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
program contained a bug which caused it to occasionally generate Pubkey
Authentication (RSA or DSA) keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually, half the time, smaller than advertised.
OpenSSH will print warning messages when it encounters such keys. To rid
yourself of these messages, edit your <i>known_hosts</i> files and replace the
incorrect key length (usually "1024") with the correct key length
<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>
Check your <i>ssh_config</i> and <i>sshd_config</i>. The default
configuration files disable authentication agent and X11 forwarding. To
enable it, put the line below in <i>sshd_config</i>:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>X11Forwarding yes</b>
and put the following lines in <i>ssh_config</i>:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>ForwardAgent yes</b><br>
<b>ForwardX11 yes</b>
X11 forwarding requires a working <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&sektion=1"
>xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file
set but will probably be different on other platforms. For OpenSSH
Portable, xauth must be either found at configure time or specified
via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5).
Note on agent interoperability: There are two different and
incompatible agent forwarding mechanisms within the SSH2 protocol.
OpenSSH has always used an extension of the original SSH1 agent
requests, however some commercial products use a different, non-free
agent forwarding protocol. This means that agent forwarding cannot
be used between OpenSSH and those products.
<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the
<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>,
and thus any bash user's home directory. This variable is set by OpenSSH
and for either of the above options to work, you need to comment out
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b># export XAUTHORITY=$HOME/.Xauthority</b>
<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>
Between versions changes can be made to <i>sshd_config</i> or
<i>ssh_config</i>. You should always check on these changes when upgrading
versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the
following to your <i>sshd_config</i>:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>HostKey /etc/ssh_host_dsa_key</b><br>
<b>HostKey /etc/ssh_host_rsa_key</b>
<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>
sftp and/or scp may fail at connection time if you have shell
initialization (.profile, .bashrc, .cshrc, etc) which produces output
for non-interactive sessions. This output confuses the sftp/scp client.
You can verify if your shell is doing this by executing:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>ssh yourhost /usr/bin/true</b>
If the above command produces any output, then you need to modify your
shell initialization.
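The usual fix is to make the startup file itself distinguish interactive from non-interactive shells. The following is an added example, not from the FAQ: a guard to place at the top of <i>.bashrc</i> or <i>.profile</i>, plus a helper that runs the check above and counts any output the remote login produces; the <code>SSH</code> variable is an assumed override so the helper can be exercised without a real host.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH FAQ.

# Returns 0 (true) when the current shell is interactive, i.e. "$-" contains
# the "i" flag.  sftp and scp run the login shell non-interactively, so any
# command that prints (fortune, motd, "Welcome back") must only run when this
# returns 0.  In ~/.bashrc or ~/.profile use it like:
#     is_interactive || return 0     # stop here for scp/sftp sessions
#     echo "Welcome back, $USER"     # safe below the guard
is_interactive() {
    case $- in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Runs the FAQ's check ("ssh host /usr/bin/true") and prints the number of
# bytes the remote shell initialisation emitted; 0 means sftp/scp will work.
# SSH may be overridden (assumed variable, e.g. SSH=./fake_ssh) for testing
# without a network; it defaults to the real ssh client.
login_noise_bytes() {
    host=$1
    out=$(${SSH:-ssh} "$host" /usr/bin/true 2>&1) || true
    printf '%s' "$out" | wc -c | tr -d ' '
}
```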
<h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2>
Long Answer: scp is not standardized. The closest thing it has to a
specification is "what rcp does". Since the same command is used on both ends
of the connection, adding features or options risks breaking interoperability with other
New features are more likely in sftp, since the protocol is standardized
(well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html">
draft standard</a>), extensible, and the client and server are decoupled.
<h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2>
If the remote server is running sshd(8), it may be possible to
``tunnel'' certain services via ssh. This may be desirable, for
example, to encrypt POP or SMTP connections, even though the software
does not directly support encrypted communications. Tunnelling uses
port forwarding to create a connection between the client and server.
The client software must be able to specify a non-standard port to
connect to for this to work.
The idea is that the user connects to the remote host using ssh,
and specifies which port on the client's machine should be used to
forward connections to the remote server. After that it is possible
to start the service which is to be encrypted (e.g. fetchmail, irc)
on the client machine, specifying the same local port passed to
ssh, and the connection will be tunnelled through ssh. By default,
the system running the forward will only accept connections from
The options most relevant to tunnelling are the -L and -R options,
which allow the user to forward connections, the -D option, which
permits dynamic port forwarding, the -g option, which permits other
hosts to use port forwards, and the -f option, which instructs ssh
to put itself in the background after authentication. See the <a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1"
>ssh(1)</a> man page for further details.
This is an example of tunnelling an IRC session from client machine
``127.0.0.1'' (localhost) to remote server ``server.example.com'':
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
<b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br>
irc -c '#users' -p 1234 pinky 127.0.0.1</b>
This tunnels a connection to IRC server server.example.com, joining
channel ``#users'', using the nickname ``pinky''. The local port used
in this example is 1234. It does not matter which port is used, as
long as it's greater than 1023 (remember, only root can open sockets on
privileged ports) and doesn't conflict with any ports already in use.
The connection is forwarded to port 6667 on the remote server, since
that's the standard port for IRC services.
The remote command ``sleep 10'' was specified to allow an amount
of time (10 seconds, in the example) to start the service which is to
be tunnelled. If no connections are made within the time specified,
ssh will exit. If more time is required, the sleep(1) value can be
increased appropriately or, alternatively, the example above could
be added as a function to the user's shell. See ksh(1) and csh(1)
for more details about user-defined functions.
ssh also has an -N option, convenient for use with port forwarding:
if -N is specified, it is not necessary to specify a remote command
(``sleep 10'' in the example above). However, use of this option
causes ssh to wait around for ever (as opposed to exiting after a
remote command has completed), and the user must take care to manually
kill(1) the process afterwards.
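Putting the tunnel into a shell function, as suggested above, also lets you keep the -N variant manageable: record the pid when the tunnel starts so it can be killed afterwards, and refuse privileged or out-of-range local ports up front. This is an added example, not from the FAQ; the function names, the pid-file location and the <code>SSH</code> override variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH FAQ.

# Validate a local forwarding port as the FAQ describes: numeric, greater
# than 1023 (only root can bind privileged ports) and at most 65535.
valid_local_port() {
    case $1 in
        ''|*[!0-9]*) echo "port '$1' is not a number" >&2; return 1 ;;
    esac
    if [ "$1" -le 1023 ] || [ "$1" -gt 65535 ]; then
        echo "port $1 is privileged or out of range" >&2; return 1
    fi
    return 0
}

# Start an "ssh -N -L" tunnel in the background and record its pid, since
# with -N ssh never exits on its own and must be killed by hand.
# Usage: start_tunnel LOCALPORT TARGETHOST TARGETPORT SSHHOST [PIDFILE]
# e.g.   start_tunnel 1234 server.example.com 6667 server.example.com
# SSH may be overridden (assumed variable) for testing without a network;
# the tunnel's own output goes to a .log file beside the pid file.
start_tunnel() {
    lport=$1; thost=$2; tport=$3; sshhost=$4
    pidfile=${5:-$HOME/.ssh/tunnel-$1.pid}
    valid_local_port "$lport" || return 1
    # Background it ourselves rather than with -f so that $! is ssh's pid.
    ${SSH:-ssh} -N -L "$lport:$thost:$tport" "$sshhost" \
        > "${pidfile%.pid}.log" 2>&1 &
    echo $! > "$pidfile"
    echo "tunnel localhost:$lport -> $thost:$tport via $sshhost (pid $!)"
}

# Kill the tunnel recorded for LOCALPORT and remove its pid file.
# Usage: stop_tunnel LOCALPORT [PIDFILE]
stop_tunnel() {
    pidfile=${2:-$HOME/.ssh/tunnel-$1.pid}
    [ -r "$pidfile" ] || { echo "no pid file for port $1" >&2; return 1; }
    kill "$(cat "$pidfile")" && rm -f "$pidfile"
}
```

Once the tunnel is up, point the client at the local port exactly as in the irc example above; the service keeps working until <code>stop_tunnel</code> is run.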
<h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2>
This is usually the result of a packet filter or NAT device
timing out your TCP connection due to inactivity. You can enable
<b>ClientAliveInterval</b> in the server's <i><a
href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">
sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the
<i><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">
ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer).
Enabling either option and setting the interval for less than the time
it takes to time out your session will ensure that the connection is
kept "fresh" in the device's connection table.
<h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2>
<b><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">
scp</a></b> will interpret the component before the colon to be a remote
server name and attempt to connect to it. To prevent this, refer to
the file by a relative or absolute path, eg:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
$ scp ./source:file sshserver:
<h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2>
OpenSSH, like most SSH implementations, reports its name and version to clients
when they connect, e.g.
This information is used by clients and servers to enable protocol
compatibility tweaks to work around changed, buggy or missing features in
the implementation they are talking to. This protocol feature checking is
still required at present because versions with incompatibilities are still
<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>
<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>
The portable version of OpenSSH will generate spurious authentication
failures at every login, similar to:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
"<b>authentication failure; (uid=0) -> root for sshd service</b>"
These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunately
PAM likes to log all authentication events, this one included.
If it annoys you too much, set "<b>PermitEmptyPasswords no</b>"
in <i>sshd_config</i>. This will quiet the error message at the expense
of disabling logins to accounts with no password set.
This is the default if you use the supplied <i>sshd_config</i> file.
<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>
To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag nullok to the end of the password checking module
in the <i>/etc/pam.d/sshd</i> file. For example:
<table border=0 width="800">
<td nowrap bgcolor="#EEEEEE">
auth required /lib/security/pam_unix.so shadow nodelay nullok
This must be done in addition to setting "<b>PermitEmptyPasswords
yes</b>" in the <i>sshd_config</i> file.
There is one caveat when using empty passwords with PAM authentication:
PAM will allow any password when authenticating an account with an empty
password. This breaks the check that
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
uses to determine whether an account has no password set and grant
users access to the account regardless of the policy specified by
<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you
do not add the <b>nullok</b> directive to your PAM configuration file
unless you specifically wish to allow empty passwords.
734 <h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log
738 Large delays (more that 10 seconds) are typically caused a problem with
741 <li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1)
742 can take a long time to resolve "IPv6 or IPv4" addresses from domain
743 names. This can be worked around with by specifying <b>AddressFamily
744 inet</b> option in <i>ssh_config</i>.</li>
746 <li>There may be a DNS lookup problem, either at the client or server.
747 You can use the <code>nslookup</code> command to check this on both client
748 and server by looking up the other end's name and IP address. In
749 addition, on the server look up the name returned by the client's
750 IP-name lookup. You can disable most of the server-side lookups by
751 setting <b>UseDNS no</b> in <i>sshd_config</i>.</li>
755 Delays less than 10 seconds can have other causes.
759 <li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with
760 moduli that were just smaller than what sshd would look for, and
761 as a result, sshd would end up using moduli significantly larger
762 than requested, which resulted in a speed penalty. Replacing the
763 <i>moduli</i> file will resolve this (note that in most cases this
764 file will not be replaced during an upgrade and must be replaced
767 <li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that
768 would cause it to request moduli larger than intended (which when
769 combined with the above resulted in significant slowdowns).
770 Upgrading the client to 3.8 or higher will resolve this issue.</li>
772 <li>If either the client or server lack a kernel-based random number
773 device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no
774 substitute is available (eg <a href=
775 "ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that
776 one of the programs called by <code>ssh-rand-helper</code> to
777 generate entropy is hanging. This can be investigated by running
781 <table border=0 width="800">
783 <td nowrap bgcolor="#EEEEEE">
784 /usr/local/libexec/ssh-rand-helper -vvv
790 Any significant delays should be investigated and rectified, or the
791 corresponding commands should be removed from <i>ssh_prng_cmds</i>.
796 <h3>How slow is "slow"?</h3>
797 Under normal conditions, the speed of SSH logins is dependant on
798 CPU speed of client and server. For comparison the following are
799 typical connect times for <code>time ssh localhost true</code>
800 with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and
801 OpenSSL were compiled with gcc 3.3.x.
805 <tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th>
806 <th>Time (SSHv2)</th></tr>
807 <tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr>
808 <tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td>
809 <td>0.79 sec</td></tr>
810 <tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr>
811 <tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr>
812 <tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr>
817 <a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is
818 cryptographically weaker than SSHv2.<br>
820 <a name="3.3fn2">[2]</a> At the time of writing, gcc generates
821 relatively slow code on HPPA for RSA and Diffie-Hellman operations
822 (see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc
824 bug 7625</a> and <a href="http://marc.info/?l=openssh-unix-dev&m=102646106016694">
825 discussion on openssh-unix-dev</a>).
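The DNS item above says to look up the other end's name and address from both sides and, on the server, to forward-resolve the name that the client's reverse lookup returned. The following script is an added example for this FAQ (it is not OpenSSH code) that performs exactly that round trip for a client address, times it, and reports a failure, a mismatch, or a slow resolver. The resolver callables are injectable; the canned zone data, the example addresses and the 5-second "slow" threshold are assumptions made for the demonstration.

```python
"""Forward/reverse DNS consistency check for an SSH client address.

Added example for this FAQ; it is not OpenSSH code.  With UseDNS enabled,
sshd reverse-resolves the connecting IP to a name and then forward-resolves
that name, expecting the original IP among the answers.  A slow or
inconsistent resolver shows up here as a delay, a failure or a mismatch.
The resolver callables are injectable so the check also runs against
canned data with no network.
"""
import socket
import time


def _sys_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def _sys_forward(name):
    return [ai[4][0] for ai in socket.getaddrinfo(name, None)]


def check_client_dns(ip, reverse=_sys_reverse, forward=_sys_forward):
    """Return what sshd would observe for client address `ip`.

    reverse(ip) -> hostname; forward(name) -> list of address strings.
    Resolver failures are recorded in result["error"], not raised, so a
    broken PTR zone still produces a report.
    """
    result = {"ip": ip, "name": None, "addresses": [], "consistent": False,
              "error": None, "seconds": 0.0}
    start = time.monotonic()
    try:
        name = reverse(ip)
        result["name"] = name
        addrs = forward(name)
        result["addresses"] = sorted(set(addrs))
        result["consistent"] = ip in addrs
    except OSError as exc:            # socket.herror / gaierror are OSError subclasses
        result["error"] = str(exc) or exc.__class__.__name__
    result["seconds"] = time.monotonic() - start
    return result


def explain(result, slow_after=5.0):
    """Map a check result to the FAQ's advice.  slow_after is an assumed
    threshold; the FAQ only says that delays under 10 seconds may have
    other causes."""
    if result["error"]:
        return ("lookup failed (%s): fix the resolver or set 'UseDNS no' in sshd_config"
                % result["error"])
    if not result["consistent"]:
        return ("reverse name %s does not resolve back to %s: sshd logs the mismatch "
                "and uses the bare IP" % (result["name"], result["ip"]))
    if result["seconds"] > slow_after:
        return ("lookups are consistent but took %.1fs: check resolv.conf and "
                "nameserver reachability" % result["seconds"])
    return "lookups are consistent and fast"


# Constructed zone data standing in for a real resolver (assumption: these
# are documentation addresses, not live hosts).
_PTR = {"192.0.2.10": "client.example.test", "192.0.2.11": "ghost.example.test"}
_A = {"client.example.test": ["192.0.2.10"], "ghost.example.test": ["192.0.2.99"]}


def fake_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(1, "Unknown host")
    return _PTR[ip]


def fake_forward(name):
    return _A[name]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(addr, "->", explain(check_client_dns(addr, fake_reverse, fake_forward)))
```

To run it against the live resolver on the server, call <code>check_client_dns()</code> with only the client's address; the default resolvers use the same system calls (gethostbyaddr/getaddrinfo) that sshd relies on, so a delay seen here is the delay sshd will add to every login.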
827 <h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>
830 The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
831 Either load the appropriate kernel module, enter the correct alias in
832 <i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.
836 For some silly reason <i>/etc/modules.conf</i> may also be named
837 <i>/etc/conf.modules</i>.
840 <h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2>
843 If the password is correct but the login is still denied, the
844 usual cause is that the system is configured to use MD5-type passwords
846 and the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3"
847 >crypt(3)</a> function used by sshd doesn't understand them.
850 Affected accounts will have password strings in <i>/etc/passwd</i>
851 or <i>/etc/shadow</i> that start with <b>$1$</b>.
852 If password authentication fails for new accounts or accounts with
853 recently changed passwords, but works for old accounts, this is the
857 The underlying cause is that some versions of OpenSSL have a crypt(3)
858 function that does not understand MD5 passwords, and the link order of
859 sshd means that OpenSSL's crypt(3) is used instead of the system's.
860 OpenSSH's configure attempts to correct for this but is not always
864 There are several possible solutions:
869 Enable sshd's built-in support for MD5 passwords at build time.
872 <table border=0 width="800">
874 <td nowrap bgcolor="#EEEEEE">
875 ./configure --with-md5-passwords [options]
881 This is safe even if you have both types of password hash, as sshd will
882 select the correct algorithm for each account automatically.
886 If your system has a separate libcrypt library (eg Slackware 7) then you
887 can manually add -lcrypt to the LIBS list so it's used instead of
891 <table border=0 width="800">
893 <td nowrap bgcolor="#EEEEEE">
894 LIBS=-lcrypt ./configure [options]
902 If your platform supports PAM, you may configure sshd to use it
903 (see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will
904 not verify passwords itself but will defer to the configured PAM modules.
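Before rebuilding, it helps to know which accounts are actually affected. The script below is an added example for this FAQ (not OpenSSH code): it reads shadow-format entries, identifies the crypt(3) scheme from the hash prefix ($1$ for MD5, and the later $5$, $6$, $2x$ and $y$ schemes, versus unprefixed 13-character DES), and names the remedy from the list above for each account that a DES-only crypt(3) could not verify. The sample entries and hash strings are constructed for the demonstration and are not real credentials.

```python
"""Report the crypt(3) scheme of each password hash in shadow-format entries.

Added example for this FAQ; it is not OpenSSH code.  The symptom in 3.5 is
that accounts whose hash begins with $1$ (MD5) are rejected by an sshd
linked against a crypt(3) that only knows traditional DES hashes.  This
lists which accounts such a crypt(3) could not verify and what the FAQ
suggests for them.
"""

# Modular-crypt prefix -> scheme.  Traditional DES hashes have no prefix and
# are 13 characters from the crypt alphabet [./0-9A-Za-z].
_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$y$": "yescrypt",
}
_DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def classify_hash(field):
    """Scheme name for one password field, or 'empty', 'locked' or 'unknown'."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, scheme in _PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if len(field) == 13 and set(field) <= _DES_ALPHABET:
        return "des"
    return "unknown"


def advice(scheme):
    """What the FAQ suggests when sshd's crypt(3) is DES-only."""
    if scheme == "md5":
        return "build with --with-md5-passwords, link -lcrypt, or use PAM"
    if scheme in ("bcrypt", "sha256", "sha512", "yescrypt", "unknown"):
        return "link the system libcrypt (-lcrypt) or use PAM"
    return ""


def audit_shadow(lines):
    """Parse name:hash:... lines; return (user, scheme, des_ok) tuples where
    des_ok is True when a DES-only crypt(3) can still handle the account
    (locked and empty fields are never verified by crypt)."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify_hash(fields[1])
        report.append((fields[0], scheme, scheme in ("des", "locked", "empty")))
    return report


# Constructed sample entries; the hash strings are synthetic, not real credentials.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:12345:0:99999:7:::
olduser:ab1234567890A:12000:0:99999:7:::
newuser:$6$saltsalt$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRS:15000:0:99999:7:::
daemon:*:12000:0:99999:7:::
svc:!!:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, des_ok in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print("%-10s %-9s %s" % (user, scheme, "" if des_ok else advice(scheme)))
```

Run it as root with <code>audit_shadow(open("/etc/shadow").read().splitlines())</code> to see the real picture; a system where only recently changed accounts fail will show those accounts with a <code>$</code>-prefixed scheme and the older ones as <code>des</code>, which is the pattern the FAQ describes.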
907 <h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>
910 Ensure that your OpenSSL libraries have been built to include RSA or DSA
911 support either internally or through RSAref.
914 <h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>
917 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a>
918 must be in the default PATH on both the client and the server. You may
919 need to use the <b>--with-default-path</b> option to specify a custom
920 path to search on the server. This option replaces the default path,
921 so you need to specify all the current directories on your path as well
922 as where you have installed scp. For example:
925 <table border=0 width="800">
927 <td nowrap bgcolor="#EEEEEE">
928 $ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
935 Note that configuration by the server's admin will take precedence over the
936 setting of <b>--with-default-path</b>. This includes resetting PATH in
937 <i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and
938 above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or
941 <h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>
944 Some operating systems set <i>/dev/tty</i> with incorrect modes, causing
945 the reading of passwords to fail with the following error:
948 <table border=0 width="800">
950 <td nowrap bgcolor="#EEEEEE">
951 You have no controlling tty. Cannot read passphrase.
958 The solution to this is to reset the permissions on <i>/dev/tty</i>
959 to mode 0666 and report the error as a bug to your OS vendor. Mode 0666 is the normal setting: <i>/dev/tty</i> always refers to the calling process's own controlling terminal, so world read/write on it does not expose other users' terminals.
962 <h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>
965 If there is no 'configure' file in the tar.gz file that you downloaded
966 or make fails with "missing separator" errors, you have probably
967 downloaded the OpenBSD distribution of OpenSSH and are attempting to
968 compile it on another platform. Please refer to the information on the
969 <a href="http://www.openssh.org/portable.html">portable version</a>.
972 <h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>
975 OpenSSH may hang when exiting. This can occur when a background process
976 started from the session still holds the session's stdin, stdout or stderr open, so ssh keeps waiting for them to close (see <a href="#3.11">section 3.11</a>). This is known to occur on Linux and HP-UX.
977 The problem can be verified by doing the following:
980 <table border=0 width="800">
982 <td nowrap bgcolor="#EEEEEE">
983 $ <b>sleep 20 & exit</b>
989 Try to use this instead:
991 <table border=0 width="800">
993 <td nowrap bgcolor="#EEEEEE">
994 $ <b>sleep 20 < /dev/null > /dev/null 2>&1 &</b>
1001 A workaround for bash users is to place <b>"shopt -s huponexit"</b>
1002 in either /etc/bashrc or ~/.bashrc (note that bash only honours this option when an interactive login shell exits). Otherwise, consult your shell's
1003 man page for an option to enable it to send a HUP signal to active
1004 jobs when exiting. See <a
1005 href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a>
1006 for other workarounds.
1008 <h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>
1013 <table border=0 width="800">
1015 <td nowrap bgcolor="#EEEEEE">
1016 $ <b>ssh host command</b>
1021 ssh <b>needs</b> to hang, because it needs to wait:
1024 until it can be sure that <code>command</code> does not need
1027 until it can be sure that <code>command</code> does not produce
1030 until <code>command</code> exits because sshd needs to tell
1031 the exit status from <code>command</code> to ssh.
1035 <h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
1036 forwarding stopped working.</a></h2>
1038 Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
1039 localhost by default; see the sshd <b>X11UseLocalhost</b> option to
1040 revert to prior behaviour if your older X11 clients do not function
1041 with this configuration.<p>
1043 In general, X11 clients using X11 R6 should work with the default
1044 setting. Some vendors, including HP, ship X11 clients with R6
1045 and R5 libs, so some clients will work, and others will not work.
1046 This is true for HP-UX 11.X.<p>
1048 <h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some
1049 X11 programs stopped working.</a></h2>
1052 As documented in the <a href="http://www.openssh.org/txt/release-3.8">3.8 release notes</a>,
1053 <code>ssh</code> will now use untrusted X11 cookies by
1054 default. The previous behaviour can be restored by setting
1055 <b>ForwardX11Trusted yes</b> in <i>ssh_config</i>.
1058 Possible symptoms include:<br>
1059 <code>BadWindow (invalid Window parameter)<br>
1060 BadAccess (attempt to access private resource denied)<br>
1061 X Error of failed request: BadAtom (invalid Atom parameter)<br>
1062 Major opcode of failed request: 20 (X_GetProperty)<br></code>
1064 <h2><a name= "3.14">3.14 - I copied my public key to authorized_keys
1065 but public-key authentication still doesn't work.</a></h2>
1068 Typically this is caused by the file permissions on $HOME, $HOME/.ssh or
1069 $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
1072 In this case, it can be solved by executing the following on the server.
1074 <table border=0 width="800">
1076 <td nowrap bgcolor="#EEEEEE">
1077 $ <b>chmod go-w $HOME $HOME/.ssh</b><br>
1078 $ <b>chmod 600 $HOME/.ssh/authorized_keys</b><br>
1079 $ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br>
1086 If this is not possible for some reason, an alternative is to set
1087 <b>StrictModes no</b> in <i>sshd_config</i>, however this is not
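The three commands above fix the usual cases, but it is useful to be able to verify the conditions rather than relax <b>StrictModes</b>. The following is an added example for this FAQ, not sshd's own code: it applies the documented rule (each of $HOME, $HOME/.ssh and authorized_keys must be owned by the user or by root and must not be group- or world-writable, and the last must be a regular file) either to real files or to constructed stat data. The example accounts, paths and uids are assumptions for the demonstration.

```python
"""Check the ownership and permission conditions sshd's StrictModes applies
to $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys.

Added example for this FAQ; it is not sshd's own code.  It reproduces the
documented rule (each path must be owned by the user or by root and must
not be group- or world-writable) so the chmod/chown fixes above can be
verified before anyone is tempted to set StrictModes no.
"""
import os
import pwd
import stat


def strict_mode_problems(entries, uid):
    """entries: list of (path, st_mode, st_uid) as from os.stat, ordered
    home, .ssh, authorized_keys.  Returns a list of human-readable problems;
    an empty list means sshd would accept the file."""
    problems = []
    for index, (path, mode, owner) in enumerate(entries):
        want_dir = index < len(entries) - 1
        if want_dir and not stat.S_ISDIR(mode):
            problems.append("%s is not a directory" % path)
        if not want_dir and not stat.S_ISREG(mode):
            problems.append("%s is not a regular file" % path)
        if owner not in (uid, 0):
            problems.append("%s is owned by uid %d, not %d or root" % (path, owner, uid))
        if mode & 0o022:
            problems.append("%s is group- or world-writable (mode %o)"
                            % (path, stat.S_IMODE(mode)))
    return problems


def check_user(username):
    """Stat the real files for `username` and return the problem list."""
    pw = pwd.getpwnam(username)
    home = pw.pw_dir
    paths = [home, os.path.join(home, ".ssh"),
             os.path.join(home, ".ssh", "authorized_keys")]
    entries = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError as exc:
            return ["%s: %s" % (p, exc.strerror)]
        entries.append((p, st.st_mode, st.st_uid))
    return strict_mode_problems(entries, pw.pw_uid)


# Constructed stat data for two accounts (assumption: uid 1000 is the user).
GOOD = [("/home/alice", stat.S_IFDIR | 0o755, 1000),
        ("/home/alice/.ssh", stat.S_IFDIR | 0o700, 1000),
        ("/home/alice/.ssh/authorized_keys", stat.S_IFREG | 0o600, 1000)]
BAD = [("/home/bob", stat.S_IFDIR | 0o775, 1000),            # group-writable home
       ("/home/bob/.ssh", stat.S_IFDIR | 0o700, 1000),
       ("/home/bob/.ssh/authorized_keys", stat.S_IFREG | 0o644, 1001)]  # wrong owner

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for line in check_user(sys.argv[1]) or ["ok"]:
            print(line)
    else:
        for name, entries in (("alice", GOOD), ("bob", BAD)):
            print(name, strict_mode_problems(entries, 1000) or ["ok"])
```

sshd applies the same test to every directory between the key file and the home directory, so if <b>AuthorizedKeysFile</b> points somewhere deeper than <i>.ssh</i>, add those components to the list passed to <code>strict_mode_problems()</code>.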
1090 <h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2>
1092 Portable OpenSSH has a configure-time option to enable sshd's use of the
1093 <a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a>
1094 (Pluggable Authentication Modules) interface.
1097 <table border=0 width="800">
1099 <td nowrap bgcolor="#EEEEEE">
1100 ./configure --with-pam [options]
1106 To use PAM at all, this option must be provided at build time.
1107 The run-time behaviour when PAM is built in varies with the version of
1108 Portable OpenSSH, and on later versions it must also be enabled by setting
1109 <b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>.
1112 The behaviour of the relevant authentications options when PAM support is built
1113 in is summarised by the following table.
1117 <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr>
1119 <td><=3.6.1p2</td>
1120 <td>Not applicable</td>
1122 <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td>
1125 <td>3.7p1 - 3.7.1p1</td>
1126 <td>Defaults to <b>yes</b></td>
1127 <td>Does not use PAM</td>
1128 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1131 <td>3.7.1p2 - 3.8.1p1</td>
1132 <td>Defaults to <b>no</b></td>
1133 <td>Does not use PAM <a href="#3.15fn1">[1]</a></td>
1134 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1138 <td>Defaults to <b>no</b></td>
1139 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1140 <td>Uses PAM if <b>UsePAM</b> is enabled</td>
1145 <a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have
1146 backported the PasswordAuthentication from 3.9p1 to their 3.8x based
1147 packages. If you're using a vendor-supplied package then consult their
1151 OpenSSH Portable's PAM interface still has problems with a few modules,
1152 however we hope that this number will reduce in the future. As of the
1153 3.9p1 release, the known problems are:
1156 <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
1157 may fail to correctly establish credentials (bug <a
1158 href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when
1159 authenticating via <b>ChallengeResponseAuthentication</b>.
1160 <b>PasswordAuthentication</b> with 3.9p1 and above should work.
1163 You can also check <a
1164 href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&bug_status=RESOLVED&bug_status=NEW&bug_status=ACCEPTED&component=PAM+support"
1165 >bugzilla for current PAM issues</a>.
1167 <h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users
1168 logged in via ssh?</a></h2>
1170 Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This
1171 means that sshd binaries built on AIX 4.x will not correctly write wtmp
1172 entries when run on AIX 5.x. This can be fixed by simply recompiling
1173 sshd on an AIX 5.x system and using that.
1177 <a href="mailto:www@openbsd.org">www@openbsd.org</a>
1179 <small>$OpenBSD: faq.html,v 1.110 2009/11/23 23:38:17 dtucker Exp $</small>