SSH2 FREQUENTLY ASKED QUESTIONS
===============================

Author: Sami Lehtinen <sjl@ssh.fi>
Copyright (C) 1997-1999 SSH Communications Security Oy, Espoo, Finland

Last modified: $Date: 2000/03/01 21:08:51 $

Note: this FAQ is very, very incomplete. I will add questions and
answers to this FAQ, as questions of importance roll in.

Note2: this is the first FAQ I've written, so please excuse the
style.

1. Setup
========
1.1:
Q: How do I set up sshd2 to support tcp-wrappers?

A: First, run ./configure --with-libwrap plus whatever other flags you
   need. Make sure that configure finds your libwrap.a and tcpd.h files.
   Recompile. (If your tcp-wrappers are not in a standard place, you can
   give the path as an argument to configure:
   --with-libwrap=/path/to/libwrap/)

   After this you can edit your /etc/hosts.allow and /etc/hosts.deny
   files. These "daemon" strings are used by sshd2:

   sshd, sshd2           (the name sshd2 was invoked with; usually "sshd")
   sshdfwd-X11           (to allow/deny X11 forwarding)
   sshdfwd-<port-number> (for tcp forwarding)
   sshdfwd-<port-name>   (port-name as defined in /etc/services; also
                          used for tcp forwarding)

1.2:
Q: How do I make sshd2 start at boot time?

A: This varies greatly from system to system. On systems using System
   V initialization, you can put the "sshd2.startup" script, which came
   with this distribution, into /etc/rc.d/init.d (or equivalent; consult
   your system manual), and name it to your liking. Then go to the
   rc.$number directory (where $number is your default runlevel), and
   symlink the startup script to a name like "S90sshd2". After that, go
   to the matching directories for the halt and shutdown runlevels, and
   symlink the startup script to a name like "K90sshd2" (the "S" means
   start, and "K" means kill). During the initialization process, the
   system then calls the script with the argument "start" or "stop",
   depending on the situation.

   There is no need to reboot after these steps! You can start sshd2
   simply by typing

      # /etc/rc.d/init.d/sshd2 start

   If your system doesn't support this kind of initialization, you can
   add a "/usr/local/sbin/sshd2" call somewhere in your rc.local script.

2. User Setup
=============
2.1:
Q: How do I set up public key authentication to a remote host?

A: On remote_host (the host you want to connect to), add the following
   line to the file ~/.ssh2/authorization:

	key id_dsa_1024_a.pub # or whatever your public key's name is

   On local_host (the host you want to connect from), add the following
   line to ~/.ssh2/identification:

	idkey id_dsa_1024_a # or whatever your private key's name is

   You have to create your keypair on local_host, and transfer the
   .pub part to $HOME/.ssh2/ on remote_host. Generate the keys using
   ssh-keygen (see 'man ssh-keygen' for details).

2.2:
Q: How can I log into remote host xxx from host yyy without supplying
   a password/passphrase?

A: Use ssh-agent. You can also use empty passphrases, however this is
   NOT RECOMMENDED. You can set up ssh-agent in the following way (note
   that the details depend on your shell and X configuration), for
   example:

   In file $HOME/.xsession (or equivalent) add the following line (and
   move the rest of the relevant stuff to .xsession.real):

	exec ssh-agent2 ./.xsession.real

   In file $HOME/.xsession.real do the real stuff (like spawning
   xterms, etc.) and add keys to the agent like this:

	ssh-add2 $HOME/.ssh2/id_dsa_1024_a </dev/null > /dev/null 2>&1

   Or, if you only have a shell account, you could add similar
   statements to your shell's startup file, like this (the example
   is for zsh and .zshrc, but should also work for sh and .profile):

   In $HOME/.zshrc:

	if [ -z "$SSH2_AGENT_PID" ]; then
	  eval `ssh-agent2`
	  ssh-add2 $HOME/.ssh2/id_dsa_1024_a
	fi

   With csh (or tcsh):

   In $HOME/.cshrc:

	if ( $?SSH2_AGENT_PID == 0 ) then
	  eval `ssh-agent2 -c`
	  ssh-add2 $HOME/.ssh2/id_dsa_1024_a
	endif
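   As an added example (not part of this FAQ or the ssh2 distribution),
   here is a POSIX sh fragment for .profile that goes one step further
   than the snippet above: it checks that the agent named by
   SSH2_AGENT_PID is actually still running before reusing it, so a stale
   variable inherited from a crashed session does not leave you without
   an agent. The key file name is assumed to match the one used in this
   FAQ.

```shell
# Added example: start ssh-agent2 only when no live agent is reachable.
# Assumption: the key is named as elsewhere in this FAQ; adjust to taste.
KEYFILE="$HOME/.ssh2/id_dsa_1024_a"

# Returns 0 (true) if the process in $SSH2_AGENT_PID is still running.
# kill -0 sends no signal; it only tests that the pid exists and is ours.
# (A reused pid could fool this check, but that is rare and harmless:
# ssh-add2 will simply fail and you start a fresh agent by hand.)
agent_alive() {
    [ -n "$SSH2_AGENT_PID" ] || return 1
    kill -0 "$SSH2_AGENT_PID" 2>/dev/null
}

# Returns 0 (true) when a fresh agent should be started.
need_new_agent() {
    if agent_alive; then
        return 1
    fi
    return 0
}

# Only touch the agent when ssh-agent2 is installed, so this fragment is
# safe to keep in a startup file that is shared between hosts.
if command -v ssh-agent2 >/dev/null 2>&1 && need_new_agent; then
    eval "$(ssh-agent2)"
    # Load the key only if it exists; ssh-add2 prompts for the passphrase.
    [ -f "$KEYFILE" ] && ssh-add2 "$KEYFILE"
fi
```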


3. SSH2 Features
================
3.1:
Q: Is <insert feature here>, which is supported in ssh1, supported in
   ssh2? If not, when will it be implemented?

A: RhostsAuthentication:
	probably will not be implemented.
   UseRsh:
	probably will not be implemented.
   PAM:
	not decided.
   Kerberos & SecurID:
	will be in a future version.
   UseLogin:
	will be in a future version.


4. Troubleshooting
==================
4.1:
Q: When running sshd2 from inetd, it fails with a "Packet too long"
   error. What's wrong?

A: Make sure you run sshd2 as "sshd2 -i" when starting it via inetd
   (without any debug parameters). Also, don't compile in tcp_wrapper
   support in this case (--with-libwrap=no). In almost every case where
   this error shows up, the cause is that sshd2's stdin and stdout (as
   given by inetd) are the stream carrying the protocol itself, so if
   any debug messages or similar output are written to that stream, the
   protocol gets corrupted.

4.2:
Q: When connecting to a host where I know I have an account, ssh2
   says "Disconnected; authentication error (No further authentication
   methods available.)." (for the ssh-2.0.13 server), or doesn't let me
   in even when I type the correct password (for newer servers). What's
   wrong?

A: The server is probably trying to check that the hostname you gave
   it has a valid DNS record. This is not the case with most dialups
   etc. In older ssh2 versions, the default /etc/sshd2_config file had
   the statement "RequireReverseMapping yes", when, in fact, it should
   default to "no". Ask your sysadmin to change this and see if the
   situation improves. If you still have problems, consult your sysadmin
   about the situation.
