This page serves as an unofficial SunSSH FAQ. Its main purpose is to highlight the differences between SunSSH and other SSH protocol implementations and to provide information about Solaris-specific SSH features.

Folks outside Sun who are interested in contributing to this page: please add a comment with your contact info to this page and we will get in touch with you.

* *Why not replace our SSH with a recent OpenSSH?*
{quote}
TBD
{quote}

* *How to run ssh with Kerberos (see blog entry)*
{quote}
TBD
{quote}

* *How to run SSH/SSHD in debug mode*
{quote}
Run the following commands in the order listed:
* On the server, run:
{{/usr/lib/ssh/sshd -ddd -p 2222 2>/tmp/sshd_debug}}
* On the client, run:
{{ssh -p 2222 -vvv INSERT_YOUR_USERNAME_HERE@INSERT_HOSTNAME_OF_THE_SERVER_HERE 2>/tmp/ssh_debug}}
* Send the contents of the files {{/tmp/sshd_debug}} and {{/tmp/ssh_debug}} to the person working on the bug.
NOTE: The sshd process terminates after the ssh process ends.
NOTE: If more debug information is needed, the sshd command can be run via truss (just prepend {{truss -f}} to the command).
NOTE: Please check really carefully that the 2 files contain meaningful data (e.g. that there is a visible connection attempt in {{/tmp/sshd_debug}}). Passing on debug files that lack the requested information just wastes the time of the engineer working on the bug.

If for some reason it is not possible to run the sshd process separately (e.g. SMF debugging), the following can be used instead (for S10 and later):
* stop the ssh service via {{svcadm disable network/ssh}}
* start sshd in debug mode via {{/usr/lib/ssh/sshd -d -d -d}}
* NOTE: this allows only one forked connection in, then sshd dies
* start the ssh service again by running {{svcadm enable network/ssh}}
{quote}

* *Disconnecting: Corrupted MAC on input*
{quote}
TBD
{quote}

* *motd/banner questions - motd is in /etc/profile, PrintMotd, Banner*
{quote}
TBD
{quote}

* *User-to-role: why does it work only with hostbased? Why not pubkey?*
{quote}
TBD
{quote}

* *Why does role-to-role not work?*
{quote}
TBD
{quote}

* *SecureID & SunSSH*
{quote}
TBD
{quote}

* *sshd closing connections, see "SSH timing out"*
{quote}
TBD
{quote}

* *MaxStartups versus MaxSessions: the difference*
{quote}
TBD
http://marc.info/?l=openssh-unix-dev&m=108617416001799&w=4
{quote}

* *I copied client's public key to authorized_keys in my .ssh on the server. Pubkey auth still not working. Why?*
{quote}
Check the permissions on the authorized_keys file.
{quote}
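
The answer above comes down to file modes and ownership. As an added example (not part of the original FAQ and not SunSSH code), the POSIX shell functions below approximate the check sshd applies when StrictModes is enabled: the key file, {{~/.ssh}} and the home directory must each be owned by the user or root and must not be group- or world-writable. The function names are hypothetical, and that SunSSH applies the same rule as OpenSSH here is an assumption.

```shell
#!/bin/sh
# Added example, not SunSSH code. Function names are hypothetical.
# Assumption: with StrictModes enabled, sshd refuses authorized_keys when the
# file, ~/.ssh or the home directory is group/world-writable or is owned by
# someone other than the user or root. Symbolic links are not resolved here.

# path_is_safe PATH UID
# returns 0 = acceptable, 1 = bad mode or owner, 2 = path missing/unreadable
path_is_safe() {
    _line=$(ls -ldn "$1" 2>/dev/null) || return 2
    _mode=${_line%% *}                                   # e.g. -rw-r--r--
    _owner=$(printf '%s\n' "$_line" | awk '{print $3}')  # numeric uid
    case $_mode in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    [ "$_owner" = "$2" ] || [ "$_owner" = 0 ] || return 1
    return 0
}

# check_pubkey_paths HOME_DIR UID
# prints one line per path; returns 0 only if every path is acceptable
check_pubkey_paths() {
    _bad=0
    for _p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if path_is_safe "$_p" "$2"; then
            echo "ok      $_p"
        else
            echo "REJECT  ${_line:-$_p (missing)}"
            _bad=1
        fi
    done
    return "$_bad"
}

# Usage, run on the server as the account that cannot log in:
#   check_pubkey_paths "$HOME" "$(id -u)"
```

A REJECT line shows the mode and numeric owner of the offending path; removing group and world write permission from that path (for example with {{chmod go-w}}) clears it.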

* *When using pubkey authentication, I don't see warnings about upcoming password expiration*
{quote}
That's correct; it doesn't work with public key authentication. The message is provided by PAM, and the pubkey authentication method has no way to transfer it over to the client side.
{quote}

* *Why doesn't SunSSH support AES modes for 192/256-bit key lengths?*
{quote}
It does, but only in OpenSolaris. See 6617424 in the bug database on opensolaris.org for more information.
{quote}

The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.