IBM Ported Tools for z/OS: OpenSSH
Elizabeth Howell. This edition replaces SA.

Contents

Migration information for OpenSSH
For system administrators
Starting sshd as a stand-alone daemon
Getting ready to use OpenSSH
OpenSSH command descriptions
OpenSSH files
Administrator-generated user files
OpenSSH vulnerabilities
OpenSSH messages
Xvfb messages
Accessing MVS data sets within sftp
OpenSSH - port forwarding examples
Internet drafts

Figures

1. How to set up an authorized keys file.
Port forwarding: the ssh client listens on a port for a connection, and the application connects to that port on the local host (Host A).

Tables

1. Keywords for enabling protocol version 2 host-based authentication.
Generating the host keys for the SSH server.
Setup and configuration problems that can prevent users from logging in using ssh.
Using SSH protocol version 1 and 2.
List of vulnerabilities reported against SSH applications.
List of vulnerabilities reported against zlib.
List of vulnerabilities reported against OpenSSL.

About this document

This document presents the information you need to set up and use the OpenSSH client.

Who should use this document? This document is written for the system programmer. On other open systems, some system programmer tasks may be done by an administrator.

There is also a toll-free customer support number available Monday through Friday (Mountain Time). You can use this number to:
v Order or inquire about IBM publications
v Resolve any software manufacturing or delivery concerns
v Activate the program reorder form to provide faster and more convenient ordering of software updates

Customers can report problems found with this product through their normal support structure. It contains instructions on subscribing to the OpenSSH mailing list. How to send your comments to IBM We appreciate your input on this publication.

Feel free to comment on the clarity, accuracy, and completeness of the information or give us any other feedback that you might have. Use one of the following methods to send us your comments: 1. Send an e-mail to mhvrcfs us. When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you. IBM or any other organizations will only use the personal information that you supply to contact you about the issues that you submit.

If you have a technical problem, do not use the feedback methods listed above. The hardcopy mail-in form has been replaced with a page that provides information appropriate for submitting comments to IBM.

Technical changes or additions to the text and illustrations are indicated by a vertical line to the left of the change.

The ascii subcommand is valid only for file transfers between UNIX platforms.

New information

Summary of changes: Support for Xvfb has been added.

Part 1. Chapter 1. What is OpenSSH?

OpenSSH provides secure encryption for both remote login and file transfer. ssh is an alternative to rlogin; scp is an alternative to rcp; sftp is an interactive file transfer program similar to ftp. The default sshd configuration runs only protocol version 2. Other basic utilities such as ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server are also included.

In addition, multilevel security is supported. Multilevel security is a security policy that allows the classification of data and users based on a system of hierarchical security levels combined with a system of non-hierarchical security categories.

Xvfb

Xvfb is an X server that can run on machines with no display hardware and no physical input devices. It emulates a dumb framebuffer using virtual memory.

Part 2. Chapter 2. The following is new for OpenSSH 3. For OpenSSH 3. The keywords that were used in OpenSSH 3. After all systems that share a configuration file have been upgraded to OpenSSH 3.

File OpenSSH 3. Chapter 3. By default, sftp assumes that files are binary and transfers them without conversion. If you share OpenSSH configuration files among platforms, then you should be aware of these differences. Compression is disabled by default. User-defined subsystems treat data as binary. Subsystems are a feature of SSH protocol version 2 that allow ssh to be used as a secure transport for other applications, such as sftp.

The subsystem is then invoked as a remote command. Chapter 4. Migrating from OpenSSH With OpenSSH 3. While OpenSSH 3. Instead, the HostbasedAuthentication keyword can be specified on the command line, in the global client configuration file, or in a user-defined configuration file.

Table 1. Coexistence considerations when migrating from OpenSSH 3. For a list of new sshd configuration keywords that were introduced in OpenSSH 3. Compatibility considerations when migrating from OpenSSH 3.

Steps for migrating from an unsupported version. Before you begin: determine whether you have an unsupported version on your system. Compare your configuration files to the IBM-provided samples, which may have different default values, and modify them if necessary. Keep your existing host key files, known hosts files, authorized keys files, and user files.

Some of the steps may not be applicable to your particular situation. This update is required to prevent a security vulnerability.

Is the migration action required? Yes, if you rely on the scp command performing an extra shell expansion for local-to-local or remote-to-remote copies. What is the migration action? Change your scp invocations so they do not rely on an extra shell expansion for local-to-local or remote-to-remote copies. Migration information for OpenSSH. Chapter 5.

For system administrators Overview of what the system administrator does This chapter describes the various tasks that the system administrator handles. Restriction: OpenSSH does not run in multibyte locales.

You should consider the new configuration options that were added with APAR OA, and update your configuration files as appropriate. In this chapter: this chapter covers the following subtasks. Port forwarding: the ssh client listens on a port for a connection, and the application connects to that port on the local host (Host A). The ssh client accepts the connection and forwards the application's data over the SSH connection to sshd on Host B; sshd then forwards the data to the application's server, which is listening on its own port. Tables 1. Summary of changes to SYS1.

Changes to the sftp command that might require a migration action.
Changes to the ssh command that might require a migration action.
Changes to the sshd command that might require a migration action.
Changes to the ssh-keygen command that might require a migration action.
Changes to the ssh-rand-helper command that might require a migration action.
List of directories and needed permissions.
Setup and configuration problems that can prevent users from logging in using ssh, scp, or sftp.
Program-generated files, including permissions.
Administrator-generated files, including permissions.
User-generated files, including permissions.
Record types and subtype information.
Common security section.
Server transfer completion record self-defining section.
Server transfer completion record specific section.
Server transfer completion record section: Host name.
Server transfer completion record section: First associated path name.
Server transfer completion record section: Second associated path name.
Client transfer completion record self-defining section.
Client transfer completion record specific section.
Client transfer completion host name section.
Client transfer completion user name section.
Client transfer completion associated path name section.
Login failure record self-defining section.
Login failure record specific section.
List of vulnerabilities reported against OpenSSH applications.
List of vulnerabilities reported against OpenSSL applications.


Summary of changes. This document contains terminology, maintenance, and editorial changes to improve consistency and retrievability.

The new term has been added to the glossary. Chapter 1.

OpenSSH can also be used to log into UNIX shells on other platforms.

Chapter 2. Table 1. What is new, by command.

scp: This extension enables scp via ssh to use hardware support when applicable. Some of the keywords for the -o option have changed; see Table 3 for more information. The scp executable is shipped as an APF-authorized program.

sftp: This extension enables sftp via ssh to use hardware support when applicable. New options were added for ls: -a -f -n -r -S -t. OpenSSH can be configured to collect SMF client transfer completion records that are associated with sftp. The sftp executable is shipped as an APF-authorized program.

sftp-server: This extension enables sftp-server via sshd to use hardware support when applicable. The sftp-server executable is shipped as an APF-authorized program.

ssh: This extension enables ssh to use hardware support when applicable. Two new ciphers, "arcfour" and "arcfour", were added for the -c option. A new MAC, "umac64 openssh", was added. New escape command-line options were added: -KR -h! Reference: ssh-rand-helper.

sshd: This extension enables sshd to use hardware support when applicable. OpenSSH can be configured to collect SMF login failure records for sshd as well as server transfer completion records that are associated with "internal-sftp". The sshd executable is shipped as an APF-authorized program.

Table 2. A new value "clientspecified" was added for the GatewayPorts keyword. A new value "internal-sftp" was added for the Subsystem keyword. Two new ciphers, "arcfour" and "arcfour", were added for the Ciphers keyword.

Table 3. It is only used internally and is not for external specification. Table 4. Table 5.

Chapter 3. By default, sftp assumes that files are binary. The sftp ascii subcommand turns on text conversion for a transfer; the sftp binary subcommand disables that conversion and returns to binary file transfers. If you share OpenSSH configuration files among platforms, then you should be aware of these differences.

Subsystems are a feature of SSH protocol version 2 that allow ssh to be used as a secure transport for other applications, such as sftp. The subsystem is then invoked as a remote command. Chapter 4. For information about migrating to 3. Coexistence considerations: in a sysplex environment, some systems might share the same configuration.

However, those systems might have different versions of ssh or sshd. In that situation, the previous version of the command might exit with an error message because it does not support the new features. Compatibility considerations: when a newer version of the SSH client tries to connect to a previous version of the sshd daemon, the connection might not be established because the older daemon does not understand the new configuration options.

Is the migration action required? Yes, if you limit the amount of storage available to the processes that are running OpenSSH commands. Reference information: None. Yes, to ensure optimal performance. Reference information: The following list provides reference information that might be helpful.

Changes to the sftp command that might require a migration action

Table 6 lists the changes to the sftp command that might require a migration action and the accompanying actions.

Table 6. Changes to the sftp command that might require a migration action

What changed: the -b option. Migration action needed? Yes, if you use the sftp command with the -b option and require password, passphrase or host key prompts during authentication. For more information, see the -b option.

What changed: subcommand parsing. Previously, sftp subcommand parsing handled certain special characters (for example, glob characters) differently. Now sftp subcommand parsing is more consistent with shell command parsing. Migration action needed? Yes, if you use special characters on sftp subcommands. Action: Escape special characters with the backslash character.

What changed: the ls subcommand. Previously, the sftp ls subcommand displayed files beginning with a dot, and if the -l option was used, numeric user and group information was displayed with the files. Now, by default, the sftp ls subcommand does not display files beginning with a dot, and if the -l option is used, user and group name information is displayed with the files. Migration action needed? Yes, if you parse the sftp ls subcommand output and expect files beginning with a dot. Action: Run the sftp ls subcommand with the -a option to display files beginning with a dot.

Changes to the ssh command that might require a migration action

Table 7 lists the changes to the ssh command that might require a migration action and the accompanying actions.

Table 7. Changes to the ssh command that might require a migration action

What changed: file ownership and permission checks. Now ssh issues an error message and exits if the file is not owned by the user, or if the file is writable by the world or by the file's group. Migration action needed? Yes, if your file has an incorrect owner or permissions. More information about the requirements can be found in Table 20. Action: Correct the settings so they adhere to the new requirements.
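The following Python script reproduces the ownership and write-permission check described above, so that a file can be tested before ssh rejects it. It is added here as an illustration and is not part of the IBM documentation or of OpenSSH. It assumes the file in question is the user's ssh configuration file and that the rule is exactly the one stated: owned by the invoking user, and not writable by group or by other. The sample file content and the modes it is checked under are constructed for the demonstration.

```python
import os
import stat
import tempfile


def config_file_problems(path, expected_uid=None):
    """Return the reasons ssh would refuse to read `path` (empty list: accepted).

    Assumed rule (from the migration note above): the file must be owned by
    the user running ssh and must not be writable by its group or by the world.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("not owned by uid %d (owner is uid %d)" % (expected_uid, st.st_uid))
    if st.st_mode & stat.S_IWGRP:
        problems.append("writable by group")
    if st.st_mode & stat.S_IWOTH:
        problems.append("writable by other")
    return problems


def demo():
    """Check a throwaway ssh 'config' file under three conditions.

    Returns (problems at mode 0644, problems at mode 0666,
             problems when the expected owner is a different uid).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config")
        with open(path, "w") as f:
            f.write("Host *\n  StrictHostKeyChecking ask\n")  # constructed sample
        os.chmod(path, 0o644)
        accepted = config_file_problems(path)
        os.chmod(path, 0o666)
        world_writable = config_file_problems(path)
        os.chmod(path, 0o600)
        wrong_owner = config_file_problems(path, expected_uid=os.getuid() + 1)
    return accepted, world_writable, wrong_owner


if __name__ == "__main__":
    for label, result in zip(("0644", "0666", "wrong owner"), demo()):
        print("%-12s %s" % (label, ", ".join(result) or "accepted"))
```

Run it against the real file with config_file_problems(os.path.expanduser("~/.ssh/config")); an empty list means the file satisfies the new requirements, otherwise chown and chmod the file before upgrading so that ssh does not start failing for that user.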

What changed: the -c option. Previously, the default cipher list did not contain arcfour and arcfour. Now the default cipher list contains arcfour and arcfour. The order was also changed to prefer ciphers that are not susceptible to security vulnerability CVE. Most customers will not be affected by the changed default. Migration action needed? Yes, if you use the previous default list and do not want to allow the new ciphers or the new order of the preferred ciphers. The previous default list was aescbc,3des-cbc,blowfish-cbc,cast cbc,arcfour,aescbc,aescbc,aesctr,aes ctr,aesctr (in practice the ciphers are specified as one long unbroken line; the list is broken here only because of space limitations). Action: Specify the previous default list.

What changed: the -L and -R options. Migration action needed? Yes, if you use an address that contains delimiter characters. For more information, see the -L option and the -R option.

Action: Enclose the address in square brackets.

What changed: the -m option. Previously, the default MACs list did not contain umac64 openssh. Now the default MACs list contains umac64 openssh. Migration action needed? Yes, if you use the previous default list and do not want to allow the new MAC. The previous default list was hmac-md5,hmac-sha1,hmac-ripemd,hmac-ripemd openssh (in practice the MACs are specified as one long unbroken line; the list is broken here only because of space limitations).

What changed: the -o option. Some of the keywords have changed. Migration action needed? Yes, if you use one of the keywords that has changed. Table 8. The Ciphers keyword: previously, the default cipher list did not contain arcfour and arcfour. The LocalForward and RemoteForward keywords: migration action needed, yes, if you use an address that contains delimiter characters. For more information, see LocalForward and RemoteForward.
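To make the square-bracket rule concrete, here is a small Python module that builds -L/-R (and LocalForward/RemoteForward) forward specifications and parses them back, treating an address that contains the ':' delimiter (an IPv6 literal is the usual case) as one that must be enclosed in square brackets. This is an added example, not code from the IBM documentation or from OpenSSH. The layout it assumes, [bind_address:]port:host:hostport, is the one ssh documents for these options; the addresses and ports in the demonstration are made up.

```python
def quote_addr(addr):
    """Enclose an address in square brackets when it contains the ':' delimiter
    (an IPv6 literal, for instance) and is not already bracketed."""
    if ":" in addr and not (addr.startswith("[") and addr.endswith("]")):
        return "[" + addr + "]"
    return addr


def forward_spec(listen_port, target_host, target_port, bind_address=None):
    """Text for an ssh -L/-R option or a LocalForward/RemoteForward keyword:
    [bind_address:]port:host:hostport, with delimiter-containing addresses bracketed."""
    parts = []
    if bind_address is not None:
        parts.append(quote_addr(bind_address))
    parts += [str(listen_port), quote_addr(target_host), str(target_port)]
    return ":".join(parts)


def split_spec(spec):
    """Split on ':' outside square brackets; strip the brackets from each field."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            if depth == 0:
                raise ValueError("unbalanced ']' in %r" % spec)
            depth -= 1
        elif ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
            continue
        cur += ch
    if depth:
        raise ValueError("unbalanced '[' in %r" % spec)
    fields.append(cur)
    return [f[1:-1] if f.startswith("[") and f.endswith("]") else f for f in fields]


def parse_forward(spec):
    """(bind_address or None, listen_port, target_host, target_port).

    An unbracketed IPv6 address splits into too many fields and is rejected,
    which is the failure the migration action above is about."""
    fields = split_spec(spec)
    if len(fields) == 3:
        bind, port, host, hostport = (None,) + tuple(fields)
    elif len(fields) == 4:
        bind, port, host, hostport = fields
    else:
        raise ValueError("bad forward specification %r (%d fields)" % (spec, len(fields)))
    return bind, int(port), host, int(hostport)


if __name__ == "__main__":
    # Made-up addresses and ports, for demonstration only.
    for spec in (forward_spec(8080, "::1", 80),
                 forward_spec(8080, "app.example.com", 80, bind_address="fe80::1"),
                 "localhost:8080:app.example.com:80"):
        print("%-40s -> %s" % (spec, parse_forward(spec)))
```

The same bracketing applies whether the address is given on the command line with -L or -R or in a configuration file with LocalForward or RemoteForward; an address such as ::1 written without brackets cannot be told apart from extra port fields, which is why the parser refuses it rather than guessing.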

Action: Specify the previous default list. The ProxyCommand keyword: Action: Make sure that ProxyCommand conforms to your shell's syntax. The RekeyLimit keyword: previously, the minimum value was 0.

Now the minimum value is higher. Migration action needed? Yes, if you use a RekeyLimit value that is less than the new minimum. Action: Change the value so that the RekeyLimit value is greater than or equal to the new minimum.

Changes to the sshd command that might require a migration action

Table 9 lists the changes to the sshd command that might require a migration action and the accompanying actions.

Table 9. Changes to the sshd command that might require a migration action

What changed: the path used to start sshd. Previously, the sshd daemon could be started using a relative path name. Now a full path name must be used instead of a relative path name. Migration action needed? Yes, if you use a relative path name when starting the sshd daemon; if the startup process is not changed, sshd issues an error message and exits. Action: Change the startup process to use the full path name instead of a relative path name.

What changed: addresses. Migration action needed? Yes, if you use an address that contains delimiter characters.

Table. Changes to sshd configuration keywords. The AllowTcpForwarding keyword: now the default is "no". Migration action needed? Yes, if you want to continue to allow port forwarding. This default was changed to reduce exposure to a vulnerability reported as CVE. The keyword is described in AllowTcpForwarding.

The ChallengeResponseAuthentication keyword: previously, the default value was "yes". The keyword is described in ChallengeResponseAuthentication. The PrintLastLog keyword: previously, the default value was "yes". The keyword is described in PrintLastLog.

Changes to the ssh-keygen command that might require a migration action

Table 11 lists the changes to the ssh-keygen command that might require a migration action and the accompanying actions.
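Because a changed default takes effect silently for any keyword a site left unset, it is worth computing the effective values before and after the upgrade rather than reading the file by eye. The Python script below does that for a constructed sshd_config. It is an added example, not IBM's tooling or OpenSSH code. It takes the new AllowTcpForwarding default ("no") from the text above; the other entries in NEW_DEFAULTS are assumptions to be confirmed against the sshd_config description for your level. Its check on the Ciphers keyword (the same list whose default order changed for the ssh -c option earlier in this chapter) flags a list that still prefers CBC-mode ciphers over CTR-mode ones, which assumes the reordering was away from CBC-mode ciphers; the previous default list shown above suggests that, but the text does not say so.

```python
# Constructed sample sshd_config for the demonstration, not a real system's file.
SAMPLE_SSHD_CONFIG = """\
# constructed z/OS sshd_config sample
Protocol 2
Port 22
Subsystem sftp internal-sftp
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr
#AllowTcpForwarding yes

Match User batch
    AllowTcpForwarding yes
"""

# "no" for AllowTcpForwarding is stated in the migration notes; the other two
# new values are assumptions and should be checked against the sshd_config
# description for your level of OpenSSH.
NEW_DEFAULTS = {
    "allowtcpforwarding": "no",
    "challengeresponseauthentication": "no",  # assumption
    "printlastlog": "no",                     # assumption
}
# The notes say ChallengeResponseAuthentication and PrintLastLog defaulted to
# "yes" before; for AllowTcpForwarding that is implied by "if you want to
# continue to allow port forwarding".
OLD_DEFAULTS = {k: "yes" for k in NEW_DEFAULTS}


def parse_global(text):
    """Global {keyword: value} of an sshd_config: keywords are case-insensitive,
    the first occurrence of a keyword wins, comments and blank lines are
    skipped, and everything from the first Match line on is conditional and
    therefore not part of the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:   # Keyword=value is also accepted
            parts = parts[0].split("=", 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return seen


def effective(text, keyword):
    """Effective global value and where it comes from:
    (value, 'config'), (value, 'new default') or (None, 'unset')."""
    key = keyword.lower()
    cfg = parse_global(text)
    if key in cfg:
        return cfg[key], "config"
    if key in NEW_DEFAULTS:
        return NEW_DEFAULTS[key], "new default"
    return None, "unset"


def changed_by_upgrade(text):
    """Keywords whose effective value changes on upgrade because the file does
    not set them and the new default differs from the old one."""
    cfg = parse_global(text)
    return sorted(k for k in NEW_DEFAULTS
                  if k not in cfg and OLD_DEFAULTS[k] != NEW_DEFAULTS[k])


def cbc_before_ctr(cipher_list):
    """True when the list prefers some CBC-mode cipher over every CTR-mode
    cipher, i.e. it still has the ordering the upgrade moved away from
    (assumption: the reordering demoted CBC-mode ciphers)."""
    names = cipher_list.split(",")
    cbc = [i for i, n in enumerate(names) if n.endswith("-cbc")]
    ctr = [i for i, n in enumerate(names) if n.endswith("-ctr")]
    return bool(cbc) and (not ctr or min(cbc) < min(ctr))


if __name__ == "__main__":
    for kw in ("AllowTcpForwarding", "Subsystem", "Ciphers"):
        print("%-20s %s" % (kw, effective(SAMPLE_SSHD_CONFIG, kw)))
    print("silently changed by upgrade:", changed_by_upgrade(SAMPLE_SSHD_CONFIG))
    ciphers, _ = effective(SAMPLE_SSHD_CONFIG, "Ciphers")
    print("CBC preferred over CTR:", cbc_before_ctr(ciphers))
```

To keep the previous behaviour for a keyword reported by changed_by_upgrade, set it explicitly in sshd_config before the upgrade; then both the old and the new sshd read the same value, which also matters in a sysplex where several systems at different levels share one configuration file.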
