This page serves as an unofficial SunSSH FAQ. Its main purpose is to highlight the differences between SunSSH and other SSH protocol implementations and to provide information about Solaris-specific SSH features.
Folks outside Sun who are interested in contributing to this page please add a comment with your contact info to this page and we will get in touch with you.
- why not replace our SSH with a recent OpenSSH?
TBD
- how to run ssh with kerberos (see blog entry)
TBD
- how to run SSH/SSHD in debug mode
Run the following commands (in the order they are listed):
- run the following command on the server:
/usr/lib/ssh/sshd -ddd -p 2222 2>/tmp/sshd_debug
- run the following command on the client:
ssh -p 2222 -vvv INSERT_YOUR_USERNAME_HERE@INSERT_HOSTNAME_OF_THE_SERVER_HERE 2>/tmp/ssh_debug
- send the contents of the files /tmp/sshd_debug and /tmp/ssh_debug to the person working on the bug
NOTE: The sshd process terminates after the ssh process ends.
NOTE: If more debug information is needed, the sshd command can be run via truss (just prepend truss -f to the command).
NOTE: Please do check really carefully that the 2 files contain meaningful data (e.g. there is a visible connection attempt in /tmp/sshd_debug). Passing debug files missing the requested information just wastes the time of the engineer working on the bug.
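A sanity check for the two debug files before they are sent, added here as an example (it is not part of the original FAQ): it assumes that an sshd -ddd log of a real connection attempt contains a "Connection from" line and that an ssh -vvv log contains a "Connecting to" line, both OpenSSH-lineage messages; the sample log files it creates are constructed stand-ins for /tmp/sshd_debug and /tmp/ssh_debug.

```shell
#!/bin/sh
# Added example, not from the SunSSH FAQ: verify that the server and client
# debug files actually record a connection attempt before sending them on.
# Assumption: sshd -ddd logs "Connection from <ip> port <n>" for an incoming
# connection and ssh -vvv logs "Connecting to <host> [<ip>] port <n>."

# Usage: check_debug_logs /tmp/sshd_debug /tmp/ssh_debug
# Returns 0 when both files look meaningful, 1 otherwise, and prints why.
check_debug_logs() {
    server_log="$1"
    client_log="$2"
    status=0

    if [ ! -s "$server_log" ]; then
        echo "server log $server_log is missing or empty"
        status=1
    elif ! grep -q 'Connection from' "$server_log"; then
        echo "server log $server_log shows no incoming connection attempt"
        status=1
    fi

    if [ ! -s "$client_log" ]; then
        echo "client log $client_log is missing or empty"
        status=1
    elif ! grep -q 'Connecting to' "$client_log"; then
        echo "client log $client_log shows no connection attempt"
        status=1
    fi

    return "$status"
}

# Constructed sample logs (not real captures) in a temporary directory.
# Prints the directory name so callers can find the files.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_good" <<'EOF'
debug1: sshd version Sun_SSH_1.1
Connection from 192.0.2.10 port 40122
debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
EOF
    cat > "$dir/ssh_good" <<'EOF'
debug1: Connecting to server.example.com [192.0.2.20] port 2222.
debug1: Connection established.
EOF
    # An sshd log with no connection in it: what you get when the client was
    # pointed at the wrong host or port and never reached the debug sshd.
    cat > "$dir/sshd_noconn" <<'EOF'
debug1: sshd version Sun_SSH_1.1
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
EOF
    : > "$dir/ssh_empty"
    echo "$dir"
}
```

Run check_debug_logs against the real /tmp/sshd_debug and /tmp/ssh_debug after the session; a non-zero exit means the capture has to be repeated (usually because the client never reached the sshd listening on port 2222).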
If for some reason it is not possible to run the sshd process separately (e.g. SMF debugging), it is possible (on S10 and later) to do the following:
- stop ssh service via svcadm disable network/ssh
- start sshd in debug mode via /usr/lib/ssh/sshd -d -d -d
- NOTE: this only allows one forked connection in, then sshd exits
- start ssh service again by running svcadm enable network/ssh
- Disconnecting: Corrupted MAC on input
TBD
- motd/banner questions - motd is in /etc/profile, PrintMotd, Banner
TBD
- user-to-role. Why it works only with hostbased? Why not pubkey?
TBD
- why doesn't role-to-role work?
TBD
- SecureID & SunSSH
TBD
- sshd closing connections, see "SSH timing out"
TBD
- MaxStartups versus MaxSessions; the difference
TBD
http://marc.info/?l=openssh-unix-dev&m=108617416001799&w=4
- I copied the client's public key to authorized_keys in my .ssh on the server. Pubkey auth is still not working. Why?
Check the permissions on the authorized_keys file, and also on the ~/.ssh directory and your home directory: with StrictModes (the default) sshd ignores the key when any of them is writable by group or others, or not owned by the user. Running sshd with -ddd as described above shows which check failed.
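A script that reproduces the permission check sshd performs before trusting authorized_keys, added here as an example (not code from the FAQ or from SunSSH): it flags the home directory, ~/.ssh and ~/.ssh/authorized_keys when any of them is group- or world-writable, which is the mode check behind most "pubkey auth silently fails" reports; it does not check ownership, which sshd also verifies. The two home directories it creates are constructed test data.

```shell
#!/bin/sh
# Added example, not from the SunSSH FAQ: mimic the StrictModes mode check
# that sshd applies to the home directory, ~/.ssh and authorized_keys.

# writable_by_others PATH
# Returns 0 when the group (column 6) or other (column 9) write bit is set
# in the "ls -ld" mode string, 1 otherwise. ls output is portable across
# Solaris and Linux, unlike stat(1) options.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# check_authorized_keys_perms HOMEDIR
# Returns 0 when HOMEDIR, HOMEDIR/.ssh and HOMEDIR/.ssh/authorized_keys all
# exist and none of them is group/world writable; 1 otherwise, with reasons.
check_authorized_keys_perms() {
    home="$1"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p does not exist"
            rc=1
            continue
        fi
        if writable_by_others "$p"; then
            echo "$p is group/world writable: sshd (StrictModes yes) will ignore the key"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed home directories: "good" has the usual 755/700/600 modes,
# "bad" has a group-writable ~/.ssh. Prints the base directory.
make_homes() {
    base=$(mktemp -d)
    mkdir -p "$base/good/.ssh" "$base/bad/.ssh"
    : > "$base/good/.ssh/authorized_keys"
    : > "$base/bad/.ssh/authorized_keys"
    chmod 755 "$base/good"
    chmod 700 "$base/good/.ssh"
    chmod 600 "$base/good/.ssh/authorized_keys"
    chmod 755 "$base/bad"
    chmod 775 "$base/bad/.ssh"
    chmod 600 "$base/bad/.ssh/authorized_keys"
    echo "$base"
}
```

The usual fix is `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys` on the server, and making sure the home directory itself is not group- or world-writable.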
- When using pubkey authentication, I don't see warnings about upcoming password expiration
That's correct, it doesn't work with public key authentication. Such a message is provided by PAM, and the pubkey authentication method has no way to transfer it to the client side.
- Why doesn't SunSSH support AES modes with 192/256-bit key lengths?
It does, in OpenSolaris only though. See 6617424 in bug database on opensolaris.org for more information.
Comments (6)
Feb 12, 2008
WVUSYS says:
I'm wondering when SunSSH will support "Match User username" and "ForceCommand" as OpenSSH v 4.2+ does. Is there any talks of adding this soon or is this already implemented? If it is, what patch/package do I download to upgrade SunSSH to support these features.
William Aucremanne
Jan 26, 2008
janp says:
hi William, I filed two CRs:
6655613 resync server's conditional Match block from OpenSSH
6655614 resync server's ForceCommand from OpenSSH
I can't promise anything but both keywords are very useful and personally I would like to see them in SunSSH. Feel free to ask more questions on security-discuss@opensolaris.org.
Jan.
Jun 23, 2008
nikiwaibel says:
any reason, why sunssh is limited to aes-128? openssh supports aes-256, and a solaris crypto kernel module for aes256 is available as well ...
Sep 22, 2008
vladimir.kotal says:
In Nevada, aes-256 et al. are there so you must mean Solaris 10 update release.
What is missing are the changes done by
6617424 aes192/aes256 support is missing from ssh/sshd
To get this fix done in Solaris 10 update release contact your support channel
and raise an escalation for it.
The reason for the missing ciphers is historical - strong crypto had to be
shipped in separate packages (which is no longer true).
Sep 18, 2008
skrueger says:
I'd love to see some benchmarks on SunSSH vs. HPN-SSH[1] on CMT-hardware
if HPN is really that fast it should find it's way into SunSSH...
1: http://www.psc.edu/networking/projects/hpn-ssh/
Sep 22, 2008
vladimir.kotal says:
Yeah, it should be interesting to see the combination of SunSSH+PKCS#11 changes
(http://blogs.sun.com/janp/entry/sunssh_with_hw_crypto_support)
combined with the multi-threaded patch. It should be definitely faster than
the default for large file transfers even on Niagara 1.