File README.SuSE of Package openssh
This is OpenSSH version 5.1p1.
There is a change in default settings of ssh client: accepting and sending of
locale environment variables in protocol 2 is enabled.
There is a very important change in sshd with SuSE Linux 9.1:
The "gssapi" support has been replaced with the "gssapi-with-mic" to fix
possible MITM attacks (to enable support for the deprecated 'gssapi'
authentication set GSSAPIEnableMITMAttack to 'yes'). These two versions
are not compatible. The option GSSAPICleanupCreds is obsoleted, use
We disabled the new feature 'untrusted cookies' by default because it brings a
lot of problems. If you like to enable it, set ForwardX11Trusted to 'no' in
The option UsePrivilegeSeparation was reverted to 'yes' because the problematic
calling of PAM modules in this mode was fixed.
The option KeepAlive has been obsoleted, use TCPKeepAlive instead.
There is an important change in sshd with SuSE Linux 9.0:
The value of option ChallengeResponseAuthentication is reverted to default
value yes, which is necessary for PAM authentication.
I this OpenSSH version is removed kerberos support from protocol SSH1,
since it has been replaced with GSSAPI, but keeps kerberos password
authentication for protocols SSH1 and SSH2. To enable Kerberos authentication
read README.kerberos file.
Important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding listens
on localhost by default. See sshd X11UseLocalhost option to revert to prior
behaviour if your older X11 clients do not function with this configuration.
The package openssh was splitted to openssh and the new package askpass.
OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be
Protocol version 1 is the old protocol and protocol version 2 is the new
protocol that has several advantages from the security point of view.
Please note that the default ssh protocol version has been changed to
version 2 with SuSE Linux 8.0.
The change of the default protocol version brings one important change for
users who use identity keys for remote login with passphrases.
(Please note the difference: 'password' means a system password on a
given machine. The term 'passphrase', however, is usually used for the
string that an ssh private key is protected (encrypted) with.)
Protocol version 1 uses the key from file ~/.ssh/identity and compares
it with keys from file ~/.ssh/authorized_keys on the remote machine.
Protocol version 2 uses keys from files ~/.ssh/id_rsa or ~/.ssh/id_dsa
and they are compared with keys from file ~/.ssh/authorized_keys.
Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead.
If you don't want to switch to protocol version 2 now, add a line saying
"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to
retain the old ssh behaviour.
How to convert your environment to protocol version 2:
1) Creating the necessary identity keys for protocol version 2:
There are two ways:
A) You can use your old keys for protocol 1, but you have to convert them
to the format of protocol 2.
This can be done with the tool ssh-keyconverter:
Every user that will use protocol version 2 needs to do this:
ssh-keyconverter -k identity
- at this point you will be asked for the passphrase of ~/.ssh/identity
ssh-keyconverter -a authorized_keys
If OpenSSH < 2.9.9p1 is used on the server:
grep ssh- authorized_keys >>authorized_keys2
To enable login to other users with the converted protocol version 2 keys,
the other user has to add the new ~/.ssh/id_rsa.pub to his authorized keys.
You can do this by script by forcing version 1 with the -1 switch:
for host in .... ; do
ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
B) You can generate new keys for protocol 2 by "ssh-keygen -t rsa" or
"ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to
authorized_keys2 and copy authorized_keys2 to the remote machine. See
"man ssh" and "man ssh-keygen" for more info.
2) Handling of protocol version 2 with ssh-agent and ssh-add:
If you continue to use protocol version 1, there is nothing to do because
the default identity is still ~/.ssh/identity.
For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or
~/.ssh/id_dsa) to ssh-add. To support the version 1 key and the version 2
key you have to add both keys. Example:
eval `ssh-agent -s`
ssh-add ~/.ssh/identity ~/.ssh/id_rsa
This will add your version 1 and version 2 keys and if they have the same
passphrase, you only have to type it once.
The OpenSSH handling of ssh-add/ssh-askpass is solved different as
with OpenSSH 2.x You don't need to call ssh-askpass any longer. If
ssh-add is called and doesn't have a real TTY, it will launch
/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable
is always set correctly.
If you want to use ssh-agent under X windows, just edit the file .xsession
in your home directory and change usessh="no" to usessh="yes". After
logining in you only need to start ssh-add by hand, click or startup script.
If you want to use ssh-agent with startx, add the example above to your
~/.xinitrc before the window manager is started.
Your SuSE Team