<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenSSH FAQ</title>
<link rev= "made" href= "mailto:www@openbsd.org">
<meta name= "resource-type" content= "document">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name= "description" content= "the OpenSSH FAQ page">
<meta name= "keywords" content= "openbsd,faq">
<meta name= "distribution" content= "global">
<meta name= "copyright" content= "This document copyright 1999-2002 OpenBSD.">
</head>

<body bgcolor= "#ffffff" text= "#000000" link= "#23238E">
<img alt="[OpenSSH]" height=30 width=141 src="images/smalltitle.gif">
<p>

<h1>OpenSSH FAQ (Frequently asked questions)</h1>

<strong>Date: 2002/04/03</strong>

<hr>

<blockquote>
<h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3>
<ul>
<li><a href= "#1.1">1.1 - What is OpenSSH?</a>
<li><a href= "#1.2">1.2 - Why should it be used?</a>
<li><a href= "#1.3">1.3 - What Operating Systems are supported?</a>
<li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a>
<li><a href= "#1.5">1.5 - Where should I ask for help?</a>
</ul>
<h3><a href= "#2.0">2.0 - General Questions</a></h3>
<ul>
<li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a>
<li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a>
<li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a>
<li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a>
<li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a>
<li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a>
<li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a>
<li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a>
<li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a>
</ul>
<h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3>
<ul>
<li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a>
<li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a>
<li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect with Linux/glibc 2.1</a>
<li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a>
<li><a href= "#3.5">3.5 - Password authentication doesn't work on Slackware 7.0</a>
<li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a>
<li><a href= "#3.7">3.7 - "scp: command not found" errors</a>
<li><a href= "#3.8">3.8 - Unable to read passphrase</a>
<li><a href= "#3.9">3.9 - 'configure' missing or make fails</a>
<li><a href= "#3.10">3.10 - Hangs when exiting ssh</a>
<li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a>
<li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a>
</ul>
</blockquote>

<hr>

<h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2>

<h2><a name= "1.1">1.1 - What is OpenSSH?</a></h2>

<p>
OpenSSH is a <b>FREE</b> version of the SSH suite of network connectivity
tools that increasing numbers of people on the Internet are coming to
rely on. Many users of telnet, rlogin, ftp, and other such programs might
not realize that their password is transmitted across the Internet
unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
to effectively eliminate eavesdropping, connection hijacking,
and other network-level attacks.

<p>
The OpenSSH suite includes the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a>
program which replaces rlogin and telnet, and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
which replaces
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&amp;sektion=1">rcp(1)</a> and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&amp;sektion=1">ftp(1)</a>.
OpenSSH has also, recently, added
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a>
which implement an easier solution for file-transfer. This is based upon the
<a href="txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft.


<p><strong>OpenSSH consists of a number of programs.</strong>

<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a> - Securely copies files from one machine to another.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&amp;sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&amp;sektion=1">ssh-add(1)</a> - Used to register new keys with the agent.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">sftp-server(8)</a> - SFTP server subsystem.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a> - Secure file transfer program.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&amp;sektion=1">ssh-keyscan(1)</a> - Gathers ssh public keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&amp;sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication.
</ul>

<h2><a name= "1.2">1.2 - Why should it be used?</a></h2>

<p>
OpenSSH is a suite of tools to help secure your network
connections. Here is a list of features:


<ul>
<li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing).
<li>Improved privacy. All communications are automatically and transparently encrypted.
<li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel.
<li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions).
<li>No retraining needed for normal users.
<li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key.
<li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing).
<li>Host authentication key distribution can be done centrally by the administration, or automatically when the first connection is made to a machine.
<li>Any user can create any number of user authentication RSA keys for his/her own use.
<li>The server program has its own server RSA key which is automatically regenerated every hour.
<li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys.
<li>The software can be installed and used (with restricted functionality) even without root privileges.
<li>The client is customizable in system-wide and per-user configuration files.
<li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections.
<li>Complete replacement for rlogin, rsh, and rcp.
</ul>

<p>
Currently, almost all communications in computer networks are done
without encryption. As a consequence, anyone who has access to any
machine connected to the network can listen in on any communication.
This is being done by hackers, curious administrators, employers,
criminals, industrial spies, and governments. Some networks leak off
enough electromagnetic radiation that data may be captured even from a
distance.


<p>
When you log in, your password goes in the network in plain
text. Thus, any listener can then use your account to do any evil he
likes. Many incidents have been encountered worldwide where crackers
have started programs on workstations without the owner's knowledge
just to listen to the network and collect passwords. Programs for
doing this are available on the Internet, or can be built by a
competent programmer in a few hours.


<p>
Businesses have trade secrets, patent applications in preparation,
pricing information, subcontractor information, client data, personnel
data, financial information, etc. Currently, anyone with access to
the network (any machine on the network) can listen to anything that
goes in the network, without any regard to normal access restrictions.


<p>
Many companies are not aware that information can so easily be
recovered from the network. They trust that their data is safe
since nobody is supposed to know that there is sensitive information
in the network, or because so much other data is transferred in the
network. This is not a safe policy.


<h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2>

<p>
Even though OpenSSH is developed on
<a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of
ports to other operating systems exist. The portable version of OpenSSH
is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>.
For a quick overview of the portable version of OpenSSH see:
<a href="./portable.html">http://www.openssh.com/portable.html</a>.
A quick view of other OS's that are supported is below.


<ul>
<li>OpenBSD
<li>NetBSD
<li>FreeBSD
<li>AIX
<li>HP-UX
<li>IRIX
<li>Linux
<li>NeXT
<li>SCO
<li>SNI/Reliant Unix
<li>Solaris
<li>Digital Unix/Tru64/OSF
<li>MacOS X
</ul>

<p>
A list of vendors that include OpenSSH in their distributions
is located at <a href="./users.html">www.openssh.com/users.html</a>.
<h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2>
<p>
The OpenSSH developers have tried very hard to keep OpenSSH free of any
patent or copyright problems. To do this, some options had to be
stripped from OpenSSH, namely support for patented algorithms.

<p>
OpenSSH does not support any patented transport algorithms. In SSH1 mode,
only 3DES and Blowfish are available options. In SSH2 mode, only 3DES,
Blowfish, CAST128, Arcfour and AES can be selected.
The patented IDEA algorithm is not supported.

<p>
OpenSSH provides support for both SSH1 and SSH2 protocols.

<p>
Since the RSA patent has expired, there are no restrictions on the use
of software that uses the RSA algorithm, including OpenBSD.

<h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2>
<p>
There are many places to turn to for help. In addition to the main OpenSSH
website: <a href="http://www.openssh.com/">http://www.openssh.com</a>,
there are many mailing lists to try. But before trying any mailing lists,
please search through all mailing list archives to see if your question
has already been answered. The OpenSSH Mailing List has been archived and
put in searchable form and can be found at
<a href="http://marc.theaimsgroup.com/?l=openssh-unix-dev&amp;r=1&amp;w=2">theaimsgroup.com</a>.

<p>
For more information on subscribing to OpenSSH related mailing lists,
please see: <a href="./list.html">www.openssh.com/list.html</a>.

<h2><u><a name= "2.0">2.0 - General Questions</a></u></h2>

<h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2>
<p>
The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa
authentication because the server needs to trust the username provided by
the client. To get around this, you can add the below example to your
<i>ssh_config</i> or <i>~/.ssh/config</i> file.


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>UsePrivilegedPort no</b>
</td>
</tr>
</table>
</blockquote>

<p>
Or you can specify this option on the command line, using the <b>-o</b>
option to
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&amp;sektion=1">ssh(1)</a> command.

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
$ <b>ssh -o "UsePrivilegedPort no" host.com</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2>

<p>
In conjunction with the previous question, (<a href="#2.1">2.1</a>)
OpenSSH needs root authority to be able to bind to low-numbered ports to
facilitate <i>rhosts authentication</i>.
A privileged port is also required for rhosts-rsa authentication to older
SSH releases.
<p>
Additionally, for both <i>rhosts-rsa authentication</i> (in protocol
version 1) and <i>hostbased authentication</i> (in protocol version 2)
the ssh client needs to access the <i>private host key</i> in order to
authenticate the client machine to the server.
So the setuid root bit is needed for these authentication methods, too.

<p>
You can safely remove the setuid bit from the ssh executable if you
don't want to use these authentication methods.

<h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2>

<p>
SSH 2.3 and earlier versions contain a flaw in their HMAC implementation.
Their code was not supplying the full data block output from the digest,
and instead always provided 128 bits. For longer digests, this caused
SSH 2.3 to not interoperate with OpenSSH.

<p>
OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH
will have this bug fixed. Or you can add the following to
SSH 2.3 <i>sshd2_config</i>.


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>Mac hmac-md5</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2>

<p>
Problems in interoperation have been seen because older versions of
OpenSSH did not support session rekeying. However the commercial SSH 2.3
tries to negotiate this feature, and you might experience connection
freezes or see the error message &quot;<b>Dispatch protocol error:
type 20 </b>&quot;.
To solve this problem, either upgrade to a recent OpenSSH release or
disable rekeying by adding the following to your commercial SSH 2.3's
<i>ssh2_config</i> or <i>sshd2_config</i>.


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>RekeyIntervalSeconds 0</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2>

<p>
The old versions of SSH used a patented algorithm to encrypt their
<i>/etc/ssh/ssh_host_key</i>. This problem will manifest as
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
not being able to read its host key. To solve this, use the command below
to convert your ssh_host_key to use 3DES.
<b>NOTE:</b> Use the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
program from the Commercial SSH product, *NOT* OpenSSH for the example
below.


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
# <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.6">2.6 - What are these warning messages about key lengths?</a></h2>

<p>
Commercial SSH's
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&amp;sektion=1">ssh-keygen(1)</a>
program contained a bug which caused it to occasionally generate Pubkey
Authentication (RSA or DSA) keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually, half the time, smaller than advertised.

<p>
OpenSSH will print warning messages when it encounters such keys. To rid
yourself of these messages, edit your known_hosts files and replace the
incorrect key length (usually "1024") with the correct key length
(usually "1023").

<h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2>

<p>
Check your <i>ssh_config</i> and <i>sshd_config</i>. The default
configuration files disable authentication agent and X11 forwarding. To
enable it, put the line below in <i>sshd_config</i>:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>X11Forwarding yes</b>
</td>
</tr>
</table>
</blockquote>

<p>
and put the following lines in <i>ssh_config</i>:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>ForwardAgent yes</b><br>
<b>ForwardX11 yes</b>
</td>
</tr>
</table>
</blockquote>

<p>
<b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the
<i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>,
and thus any bash user's home directory. This variable is set by OpenSSH
and for either of the above options to work, you need to comment out
the line:


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b># export XAUTHORITY=$HOME/.Xauthority</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2>

<p>
Between versions, changes can be made to <i>sshd_config</i> or
<i>ssh_config</i>. You should always check for these changes when upgrading
versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the
following to your <i>sshd_config</i>:


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>HostKey /etc/ssh_host_dsa_key</b><br>
<b>HostKey /etc/ssh_host_rsa_key</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2>

<p>
sftp and/or scp may fail at connection time if you have shell
initialization (.profile, .bashrc, .cshrc, etc) which produces output
for non-interactive sessions. This output confuses the sftp/scp client.
You can verify if your shell is doing this by executing:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
<b>ssh yourhost /usr/bin/true</b>
</td>
</tr>
</table>
</blockquote>

<p>
If the above command produces any output, then you need to modify your
shell initialization.
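<p>
The check above, run locally against a start-up file instead of over a live connection, beside the usual fix of guarding the output so that it only appears in interactive shells. This is an added example, not part of the original FAQ; the sample file names and contents are constructed.

```shell
#!/bin/sh
# Added example (not from the OpenSSH FAQ): find start-up files that print
# during non-interactive sessions, the condition that breaks sftp/scp.

# Print how many bytes a start-up file emits when a non-interactive shell
# sources it. Mirrors "ssh yourhost /usr/bin/true": any output is a problem.
rc_output_bytes() {
    # $1: absolute path to the start-up file under test
    sh -c '. "$1"' sh "$1" </dev/null 2>&1 | wc -c | tr -d ' '
}

# Return 0 if the file is silent for non-interactive shells, 1 otherwise.
rc_is_quiet() {
    [ "$(rc_output_bytes "$1")" -eq 0 ]
}

# Constructed sample start-up files (hypothetical content).
make_rc_samples() {
    RC_DIR=$(mktemp -d) || return 1
    # Unconditional output: this is what confuses the sftp/scp client.
    cat > "$RC_DIR/noisy_rc" <<'EOF'
echo "Welcome back"
EOF
    # Same greeting, but only when the shell is interactive ($- contains i).
    cat > "$RC_DIR/guarded_rc" <<'EOF'
case $- in
    *i*) echo "Welcome back" ;;
esac
EOF
}

make_rc_samples || exit 1
for rc in "$RC_DIR/noisy_rc" "$RC_DIR/guarded_rc"; do
    if rc_is_quiet "$rc"; then
        echo "quiet: $rc"
    else
        echo "NOISY: $rc ($(rc_output_bytes "$rc") bytes)"
    fi
done
rm -rf "$RC_DIR"
```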

<h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2>

<h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2>

<p>
The portable version of OpenSSH will generate spurious authentication
failures at every login, similar to:


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
&quot;<b>authentication failure; (uid=0) -&gt; root for sshd service</b>&quot;
</td>
</tr>
</table>
</blockquote>

<p>
These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunately
PAM likes to log all authentication events, this one included.

<p>
If it annoys you too much, set &quot;<b>PermitEmptyPasswords no</b>&quot;
in <i>sshd_config</i>. This will quiet the error message at the expense
of disabling logins to accounts with no password set.
This is the default if you use the supplied <i>sshd_config</i> file.

<h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2>

<p>
To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag nullok to the end of the password checking module
in the <i>/etc/pam.d/sshd</i> file. For example:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
auth required /lib/security/pam_unix.so shadow nodelay nullok
</td>
</tr>
</table>
</blockquote>

<p>
This must be done in addition to setting &quot;<b>PermitEmptyPasswords
yes</b>&quot; in the <i>sshd_config</i> file.

<p>
There is one caveat when using empty passwords with PAM authentication:
PAM will allow any password when authenticating an account with an empty
password. This breaks the check that
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&amp;sektion=8">sshd(8)</a>
uses to determine whether an account has no password set and grants
users access to the account regardless of the policy specified by
<b>PermitEmptyPasswords</b>. For this reason, it is recommended that you
do not add the <b>nullok</b> directive to your PAM configuration file
unless you specifically wish to allow empty passwords.
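<p>
One way to catch the mismatch described above, where <b>nullok</b> is present in the PAM file while <b>PermitEmptyPasswords</b> is not set to yes. This is an added example, not part of the original FAQ; the function names and sample files are constructed, and the parser is a simplification that ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from the OpenSSH FAQ): flag a PAM "nullok" setting that
# contradicts the PermitEmptyPasswords policy in sshd_config.

# Effective PermitEmptyPasswords value. sshd keeps the first value it reads
# for a keyword and defaults to "no". Simplification: Match blocks ignored.
permit_empty_passwords() {
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Count active (uncommented) PAM auth lines whose arguments include nullok.
pam_nullok_lines() {
    awk '($1 == "auth" || $1 == "-auth") {
             for (i = 3; i <= NF; i++) if ($i == "nullok") { n++; break }
         }
         END { print n + 0 }' "$1"
}

# $1: sshd_config path, $2: PAM service file path.
# Returns 1 when nullok is set although the sshd policy forbids empty passwords.
audit_empty_password_policy() {
    policy=$(permit_empty_passwords "$1")
    nullok=$(pam_nullok_lines "$2")
    if [ "$nullok" -gt 0 ] && [ "$policy" != "yes" ]; then
        echo "MISMATCH: $2 has nullok but PermitEmptyPasswords is $policy"
        return 1
    fi
    echo "OK: PermitEmptyPasswords=$policy, nullok lines=$nullok"
    return 0
}

# Constructed sample configuration files (hypothetical content).
make_audit_samples() {
    AUDIT_DIR=$(mktemp -d) || return 1
    cat > "$AUDIT_DIR/sshd_config" <<'EOF'
# PermitEmptyPasswords yes
PermitEmptyPasswords no
EOF
    cat > "$AUDIT_DIR/pam_nullok" <<'EOF'
auth required /lib/security/pam_unix.so shadow nodelay nullok
# auth required /lib/security/pam_unix.so nullok
EOF
    cat > "$AUDIT_DIR/pam_clean" <<'EOF'
auth required /lib/security/pam_unix.so shadow nodelay
EOF
}

make_audit_samples || exit 1
for pam in "$AUDIT_DIR/pam_nullok" "$AUDIT_DIR/pam_clean"; do
    # The return status is inspected by callers; here only the report is shown.
    audit_empty_password_policy "$AUDIT_DIR/sshd_config" "$pam" || true
done
rm -rf "$AUDIT_DIR"
```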


<h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect with Linux/glibc 2.1</a></h2>

<p>
The glibc shipped with Red Hat 6.1 appears to take a long time to resolve
"IPv6 or IPv4" addresses from domain names. This can be kludged around
with the --with-ipv4-default configure option. This instructs OpenSSH
to use IPv4-only address resolution. (IPv6 lookups may still be made
by specifying the -6 option).


<h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2>

<p>
The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6).
Either load the appropriate kernel module, enter the correct alias in
<i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>.


<p>
For some silly reason <i>/etc/modules.conf</i> may also be named
<i>/etc/conf.modules</i>.


<h2><a name= "3.5">3.5 - Password authentication doesn't work on Slackware 7.0</a></h2>

<p>
For Slackware 7.0, you need to link OpenSSH with libcrypt.


<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
LIBS=-lcrypt ./configure [options]
</td>
</tr>
</table>
</blockquote>

<h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2>

<p>
Ensure that your OpenSSL libraries have been built to include RSA or DSA
support either internally or through RSAref.


<h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2>

<p>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&amp;sektion=1">scp(1)</a>
must be in the default PATH on both the client and the server. You may
need to use the <b>--with-default-path</b> option to specify a custom
path to search on the server. This option replaces the default path,
so you need to specify all the current directories on your path as well
as where you have installed scp. For example:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
$ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b>
</td>
</tr>
</table>
</blockquote>

<h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2>

<p>
Some operating systems set <i>/dev/tty</i> with incorrect modes, causing
the reading of passwords to fail with the following error:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
You have no controlling tty. Cannot read passphrase.
</td>
</tr>
</table>
</blockquote>

<p>
The solution to this is to reset the permissions on <i>/dev/tty</i>
to mode 0666 and report the error as a bug to your OS vendor.


<h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2>

<p>
If there is no 'configure' file in the tar.gz file that you downloaded
or make fails with "missing separator" errors, you have probably
downloaded the OpenBSD distribution of OpenSSH and are attempting to
compile it on another platform. Please refer to the information on the
<a href="portable.html">portable version</a>.


<h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2>

<p>
OpenSSH may hang when exiting. This can occur when there is an active
background process. This is known to occur on Linux and HP-UX.
The problem can be verified by doing the following:

<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
$ <b>sleep 20 &amp; exit</b>
</td>
</tr>
</table>
</blockquote>

<p>
Try to use this instead:
<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
$ <b>sleep 20 &lt; /dev/null &gt; /dev/null 2&gt;&amp;1 &amp;</b>
</td>
</tr>
</table>
</blockquote>

<p>
A workaround for bash users is to place <b>"shopt -s huponexit"</b>
in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's
man page for an option to enable it to send a HUP signal to active
jobs when exiting.


<h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2>

<p>
When executing
<blockquote>
<table border=0 width="800">
<tr>
<td nowrap bgcolor="#EEEEEE">
$ <b>ssh host command</b>
</td>
</tr>
</table>
</blockquote>
ssh <b>needs</b> to hang, because it needs to wait:
<ul>
<li>
until it can be sure that <code>command</code> does not need
more input.
<li>
until it can be sure that <code>command</code> does not produce
more output.
<li>
until <code>command</code> exits because sshd needs to tell
the exit status from <code>command</code> to ssh.
</ul>
<p>

<h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11
forwarding stopped working.</a></h2>

Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on
localhost by default; see the sshd <b>X11UseLocalhost</b> option to
revert to prior behaviour if your older X11 clients do not function
with this configuration.<p>

In general, X11 clients using X11 R6 should work with the default
setting. Some vendors, including HP, ship X11 clients with R6
and R5 libs, so some clients will work, and others will not work.
This is true for HP-UX 11.X.<p>

<hr>
<a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: faq.html,v 1.53 2003/02/26 21:23:48 david Exp $</small>

</body>
</html>
 