NameDateSize

..01-Nov-20134 KiB

aclocal.m401-Nov-20132.8 KiB

acss.c01-Nov-20138.8 KiB

acss.h01-Nov-20131.6 KiB

addrmatch.c01-Nov-201310.9 KiB

Android.mk01-Nov-20134.9 KiB

atomicio.c01-Nov-20134.3 KiB

atomicio.h01-Nov-20132.1 KiB

audit-bsm.c01-Nov-201310 KiB

audit-linux.c01-Nov-20133.5 KiB

audit.c01-Nov-20135.7 KiB

audit.h01-Nov-20132.3 KiB

auth-bsdauth.c01-Nov-20133.5 KiB

auth-chall.c01-Nov-20133.5 KiB

auth-krb5.c01-Nov-20136.5 KiB

auth-options.c01-Nov-201316.4 KiB

auth-options.h01-Nov-20131.2 KiB

auth-pam.c01-Nov-201330.9 KiB

auth-pam.h01-Nov-20132 KiB

auth-passwd.c01-Nov-20136.1 KiB

auth-rh-rsa.c01-Nov-20133 KiB

auth-rhosts.c01-Nov-20139 KiB

auth-rsa.c01-Nov-20138.6 KiB

auth-shadow.c01-Nov-20134.2 KiB

auth-sia.c01-Nov-20133.1 KiB

auth-sia.h01-Nov-20131.4 KiB

auth-skey.c01-Nov-20132.8 KiB

auth.c01-Nov-201317.7 KiB

auth.h01-Nov-20136.4 KiB

auth1.c01-Nov-201310.4 KiB

auth2-chall.c01-Nov-20138.9 KiB

auth2-gss.c01-Nov-20138.2 KiB

auth2-hostbased.c01-Nov-20136.3 KiB

auth2-jpake.c01-Nov-201315.4 KiB

auth2-kbdint.c01-Nov-20132.1 KiB

auth2-none.c01-Nov-20132.3 KiB

auth2-passwd.c01-Nov-20132.4 KiB

auth2-pubkey.c01-Nov-201312.2 KiB

auth2.c01-Nov-201310 KiB

authfd.c01-Nov-201318 KiB

authfd.h01-Nov-20133.1 KiB

authfile.c01-Nov-201324.1 KiB

authfile.h01-Nov-20131.3 KiB

bufaux.c01-Nov-20137.2 KiB

bufbn.c01-Nov-20135.9 KiB

bufec.c01-Nov-20133.9 KiB

buffer.c01-Nov-20135.6 KiB

buffer.h01-Nov-20133.2 KiB

buildpkg.sh.in01-Nov-201317.6 KiB

canohost.c01-Nov-201311 KiB

canohost.h01-Nov-20131,000

ChangeLog01-Nov-201374.3 KiB

channels.c01-Nov-201394.9 KiB

channels.h01-Nov-201310.8 KiB

cipher-3des1.c01-Nov-20135.1 KiB

cipher-acss.c01-Nov-20132.2 KiB

cipher-aes.c01-Nov-20134.6 KiB

cipher-bf1.c01-Nov-20133 KiB

cipher-ctr.c01-Nov-20133.6 KiB

cipher.c01-Nov-201311.1 KiB

cipher.h01-Nov-20133.7 KiB

cleanup.c01-Nov-20131 KiB

clientloop.c01-Nov-201357.9 KiB

clientloop.h01-Nov-20133.4 KiB

compat.c01-Nov-20136.6 KiB

compat.h01-Nov-20132.7 KiB

compress.c01-Nov-20135 KiB

compress.h01-Nov-2013885

config.guess01-Nov-201344.2 KiB

config.h01-Nov-201341.9 KiB

config.h.in01-Nov-201339.2 KiB

config.sub01-Nov-201334.3 KiB

configure01-Nov-2013445.1 KiB

configure.ac01-Nov-2013116.4 KiB

contrib/01-Nov-20134 KiB

crc32.c01-Nov-20134.9 KiB

crc32.h01-Nov-20131.4 KiB

CREDITS01-Nov-20135.4 KiB

deattack.c01-Nov-20133.9 KiB

deattack.h01-Nov-2013917

defines.h01-Nov-201319.8 KiB

dh.c01-Nov-20139 KiB

dh.h01-Nov-20132.4 KiB

dispatch.c01-Nov-20132.8 KiB

dispatch.h01-Nov-20131.8 KiB

dns.c01-Nov-20137.9 KiB

dns.h01-Nov-20131.9 KiB

entropy.c01-Nov-20136.1 KiB

entropy.h01-Nov-20131.5 KiB

fatal.c01-Nov-20131.6 KiB

fixpaths01-Nov-2013499

fixprogs01-Nov-20131.6 KiB

groupaccess.c01-Nov-20133.4 KiB

groupaccess.h01-Nov-20131.5 KiB

gss-genr.c01-Nov-20137.3 KiB

gss-serv-krb5.c01-Nov-20135.1 KiB

gss-serv.c01-Nov-20139.4 KiB

hostfile.c01-Nov-201312.7 KiB

hostfile.h01-Nov-20131.5 KiB

includes.h01-Nov-20133.9 KiB

INSTALL01-Nov-20138.9 KiB

install-sh01-Nov-20135.5 KiB

jpake.c01-Nov-201313.8 KiB

jpake.h01-Nov-20133.5 KiB

kex.c01-Nov-201315.1 KiB

kex.h01-Nov-20134.7 KiB

kexdh.c01-Nov-20132.8 KiB

kexdhc.c01-Nov-20134.8 KiB

kexdhs.c01-Nov-20134.9 KiB

kexecdh.c01-Nov-20133.6 KiB

kexecdhc.c01-Nov-20135.2 KiB

kexecdhs.c01-Nov-20135.4 KiB

kexgex.c01-Nov-20133.1 KiB

kexgexc.c01-Nov-20135.9 KiB

kexgexs.c01-Nov-20136.3 KiB

key.c01-Nov-201355 KiB

key.h01-Nov-20134.7 KiB

LICENCE01-Nov-201315.6 KiB

log.c01-Nov-20139.8 KiB

log.h01-Nov-20132.4 KiB

loginrec.c01-Nov-201341.9 KiB

loginrec.h01-Nov-20134.6 KiB

logintest.c01-Nov-20138.6 KiB

mac.c01-Nov-20135.1 KiB

mac.h01-Nov-20131.5 KiB

Makefile.in01-Nov-201317.2 KiB

match.c01-Nov-20137.2 KiB

match.h01-Nov-20131.1 KiB

md-sha256.c01-Nov-20132.2 KiB

md5crypt.c01-Nov-20134 KiB

md5crypt.h01-Nov-2013803

mdoc2man.awk01-Nov-20138.4 KiB

misc.c01-Nov-201320.9 KiB

misc.h01-Nov-20133.2 KiB

mkinstalldirs01-Nov-2013691

moduli01-Nov-2013122.9 KiB

moduli.001-Nov-20133.3 KiB

moduli.501-Nov-20133.5 KiB

moduli.c01-Nov-201316.5 KiB

monitor.c01-Nov-201356.4 KiB

monitor.h01-Nov-20133.9 KiB

monitor_fdpass.c01-Nov-20134.6 KiB

monitor_fdpass.h01-Nov-20131.5 KiB

monitor_mm.c01-Nov-20138.5 KiB

monitor_mm.h01-Nov-20132.2 KiB

monitor_wrap.c01-Nov-201334.8 KiB

monitor_wrap.h01-Nov-20134.9 KiB

msg.c01-Nov-20132.6 KiB

msg.h01-Nov-20131.5 KiB

mux.c01-Nov-201352.8 KiB

myproposal.h01-Nov-20133.4 KiB

nchan.c01-Nov-201312.8 KiB

nchan.ms01-Nov-20133.9 KiB

nchan2.ms01-Nov-20133.4 KiB

openbsd-compat/01-Nov-20134 KiB

openssh.xml.in01-Nov-20132.8 KiB

opensshd.init.in01-Nov-20131.8 KiB

OVERVIEW01-Nov-20136.6 KiB

packet.c01-Nov-201351 KiB

packet.h01-Nov-20134.2 KiB

pathnames.h01-Nov-20135.7 KiB

pkcs11.h01-Nov-201341.5 KiB

platform.c01-Nov-20134.7 KiB

platform.h01-Nov-20131.3 KiB

progressmeter.c01-Nov-20137.3 KiB

progressmeter.h01-Nov-20131.4 KiB

PROTOCOL01-Nov-201310.6 KiB

PROTOCOL.agent01-Nov-201317.6 KiB

PROTOCOL.certkeys01-Nov-201310 KiB

PROTOCOL.mux01-Nov-20135.9 KiB

readconf.c01-Nov-201342.2 KiB

readconf.h01-Nov-20136 KiB

README01-Nov-20132.7 KiB

README.dns01-Nov-20131.6 KiB

README.platform01-Nov-20133.9 KiB

README.privsep01-Nov-20132.6 KiB

README.tun01-Nov-20134.8 KiB

readpass.c01-Nov-20135 KiB

regress/01-Nov-20134 KiB

rijndael.c01-Nov-201357.3 KiB

rijndael.h01-Nov-20131.8 KiB

roaming.h01-Nov-20131.7 KiB

roaming_client.c01-Nov-20137.1 KiB

roaming_common.c01-Nov-20135.4 KiB

roaming_dummy.c01-Nov-20131.4 KiB

roaming_serv.c01-Nov-20131 KiB

rsa.c01-Nov-20134.6 KiB

rsa.h01-Nov-2013866

sandbox-darwin.c01-Nov-20132.5 KiB

sandbox-null.c01-Nov-20131.6 KiB

sandbox-rlimit.c01-Nov-20132.3 KiB

sandbox-systrace.c01-Nov-20135.8 KiB

schnorr.c01-Nov-201316.7 KiB

schnorr.h01-Nov-20132.3 KiB

scp.001-Nov-20135.6 KiB

scp.101-Nov-20134.8 KiB

scp.c01-Nov-201330.6 KiB

servconf.c01-Nov-201353.2 KiB

servconf.h01-Nov-20137.8 KiB

serverloop.c01-Nov-201334.5 KiB

serverloop.h01-Nov-20131,016

session.c01-Nov-201365.1 KiB

session.h01-Nov-20132.5 KiB

sftp-client.c01-Nov-201338.1 KiB

sftp-client.h01-Nov-20134 KiB

sftp-common.c01-Nov-20136.1 KiB

sftp-common.h01-Nov-20132 KiB

sftp-glob.c01-Nov-20133.4 KiB

sftp-server-main.c01-Nov-20131.4 KiB

sftp-server.001-Nov-20132.5 KiB

sftp-server.801-Nov-20133.5 KiB

sftp-server.c01-Nov-201332.9 KiB

sftp.001-Nov-201312.9 KiB

sftp.101-Nov-201312.6 KiB

sftp.c01-Nov-201352.8 KiB

sftp.h01-Nov-20133.3 KiB

ssh-add.001-Nov-20134.6 KiB

ssh-add.101-Nov-20136.1 KiB

ssh-add.c01-Nov-201311.9 KiB

ssh-agent.001-Nov-20135.4 KiB

ssh-agent.101-Nov-20137 KiB

ssh-agent.c01-Nov-201333.7 KiB

ssh-dss.c01-Nov-20135.2 KiB

ssh-ecdsa.c01-Nov-20134.6 KiB

ssh-gss.h01-Nov-20134.4 KiB

ssh-keygen.001-Nov-201321 KiB

ssh-keygen.101-Nov-201320.7 KiB

ssh-keygen.c01-Nov-201359.9 KiB

ssh-keyscan.001-Nov-20134.1 KiB

ssh-keyscan.101-Nov-20134.1 KiB

ssh-keyscan.c01-Nov-201316.4 KiB

ssh-keysign.001-Nov-20131.7 KiB

ssh-keysign.801-Nov-20132.9 KiB

ssh-keysign.c01-Nov-20136.3 KiB

ssh-pkcs11-client.c01-Nov-20135.2 KiB

ssh-pkcs11-helper.001-Nov-2013632

ssh-pkcs11-helper.801-Nov-20131.3 KiB

ssh-pkcs11-helper.c01-Nov-20137.9 KiB

ssh-pkcs11.c01-Nov-201316 KiB

ssh-pkcs11.h01-Nov-2013994

ssh-rsa.c01-Nov-20137.2 KiB

ssh-sandbox.h01-Nov-20131.1 KiB

ssh.001-Nov-201344.2 KiB

ssh.101-Nov-201341.1 KiB

ssh.c01-Nov-201343.8 KiB

ssh.h01-Nov-20132.7 KiB

ssh1.h01-Nov-20134.1 KiB

ssh2.h01-Nov-20136.1 KiB

ssh_config01-Nov-20131.5 KiB

ssh_config.001-Nov-201339.8 KiB

ssh_config.501-Nov-201335.9 KiB

sshconnect.c01-Nov-201335.8 KiB

sshconnect.h01-Nov-20132.6 KiB

sshconnect1.c01-Nov-201321.5 KiB

sshconnect2.c01-Nov-201349.7 KiB

sshd.001-Nov-201332.2 KiB

sshd.801-Nov-201330.6 KiB

sshd.c01-Nov-201362.2 KiB

sshd_config01-Nov-20133.3 KiB

sshd_config.001-Nov-201336.9 KiB

sshd_config.501-Nov-201333.8 KiB

sshd_config.android01-Nov-20133.3 KiB

sshlogin.c01-Nov-20135.1 KiB

sshlogin.h01-Nov-2013934

sshpty.c01-Nov-20136.3 KiB

sshpty.h01-Nov-20131,009

sshtty.c01-Nov-20132.9 KiB

start-ssh01-Nov-2013986

survey.sh.in01-Nov-20131.7 KiB

TODO01-Nov-20132.7 KiB

ttymodes.c01-Nov-201310.4 KiB

ttymodes.h01-Nov-20135.2 KiB

uidswap.c01-Nov-201310.1 KiB

uidswap.h01-Nov-2013716

umac.c01-Nov-201345.4 KiB

umac.h01-Nov-20134.3 KiB

uuencode.c01-Nov-20132.9 KiB

uuencode.h01-Nov-20131.5 KiB

version.h01-Nov-2013170

xmalloc.c01-Nov-20132.3 KiB

xmalloc.h01-Nov-20131 KiB

README

1See http://www.openssh.com/txt/release-5.9 for the release notes.
2
3- A Japanese translation of this document and of the OpenSSH FAQ is
4- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
5- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
6
7This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
8Unices.
9
10OpenSSH is based on the last free version of Tatu Ylonen's sample
11implementation with all patent-encumbered algorithms removed (to
12external libraries), all known security bugs fixed, new features
13reintroduced and many other clean-ups.  OpenSSH has been created by
14Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
15and Dug Song. It has a homepage at http://www.openssh.com/
16
17This port consists of the re-introduction of autoconf support, PAM
18support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
19functions that are (regrettably) absent from other unices. This port
20has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
21NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
22
23This version actively tracks changes in the OpenBSD CVS repository.
24
25The PAM support is now more functional than the popular packages of
26commercial ssh-1.2.x. It checks "account" and "session" modules for
27all logins, not just when using password authentication.
28
29OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
30
31There is now several mailing lists for this port of OpenSSH. Please
32refer to http://www.openssh.com/list.html for details on how to join.
33
34Please send bug reports and patches to the mailing list
35openssh-unix-dev@mindrot.org. The list is open to posting by
36unsubscribed users.Code contribution are welcomed, but please follow the 
37OpenBSD style guidelines[6].
38
39Please refer to the INSTALL document for information on how to install
40OpenSSH on your system. There are a number of differences between this
41port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
42for details and general tips.
43
44Damien Miller <djm@mindrot.org>
45
46Miscellania -
47
48This version of OpenSSH is based upon code retrieved from the OpenBSD
49CVS repository which in turn was based on the last free sample
50implementation released by Tatu Ylonen.
51
52References -
53
54[0] http://www.openssh.com/faq.html
55[1] http://www.lothar.com/tech/crypto/
56[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
57[3] http://www.gzip.org/zlib/
58[4] http://www.openssl.org/
59[5] http://www.openpam.org
60    http://www.kernel.org/pub/linux/libs/pam/ 
61    (PAM also is standard on Solaris and HP-UX 11)
62[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
63[7] http://www.openssh.com/faq.html
64
65$Id: README,v 1.77.2.2 2011/09/06 23:11:20 djm Exp $
66

README.dns

1How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
4OpenSSH contains support for verifying host keys using DNS as described in
5draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
6on how to use this feature. Configuring DNS is out of the scope of this
7document.
8
9
10(1) Server: Generate and publish the DNS RR
11
12To create a DNS resource record (RR) containing a fingerprint of the
13public host key, use the following command:
14
15	ssh-keygen -r hostname -f keyfile -g
16
17where "hostname" is your fully qualified hostname and "keyfile" is the
18file containing the public host key file. If you have multiple keys,
19you should generate one RR for each key.
20
21In the example above, ssh-keygen will print the fingerprint in a
22generic DNS RR format parsable by most modern name server
23implementations. If your nameserver has support for the SSHFP RR
24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
25
26To publish the fingerprint using the DNS you must add the generated RR
27to your DNS zone file and sign your zone.
28
29
30(2) Client: Enable ssh to verify host keys using DNS
31
32To enable the ssh client to verify host keys using DNS, you have to
33add the following option to the ssh configuration file
34($HOME/.ssh/config or /etc/ssh/ssh_config):
35
36    VerifyHostKeyDNS yes
37
38Upon connection the client will try to look up the fingerprint RR
39using DNS. If the fingerprint received from the DNS server matches
40the remote host key, the user will be notified.
41
42
43	Jakob Schlyter
44	Wesley Griffin
45
46
47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
48

README.platform

1This file contains notes about OpenSSH on specific platforms.
2
3AIX
4---
5As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
6settings, where previously it did not.  Because of this, it's possible for
7sites that have used OpenSSH's sshd exclusively to have accounts which
8have passwords expired longer than the inactive time (ie the "Weeks between
9password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
10chuser attribute).
11
12Accounts in this state must have their passwords reset manually by the
13administrator.  As a precaution, it is recommended that the administrative
14passwords be reset before upgrading from OpenSSH <3.8.
15
16As of OpenSSH 4.0, configure will attempt to detect if your version
17and maintenance level of AIX has a working getaddrinfo, and will use it
18if found.  This will enable IPv6 support.  If for some reason configure
19gets it wrong, or if you want to build binaries to work on earlier MLs
20than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
21to force the previous IPv4-only behaviour.
22
23IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
24IPv6 known broken: 4.3.3ML11 5.1ML4
25
26If you wish to use dynamic libraries that aren't in the normal system
27locations (eg IBM's OpenSSL and zlib packages) then you will need to
28define the environment variable blibpath before running configure, eg
29
30blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
31  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
32
33If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
34by default) then sshd checks that users are permitted via the
35loginrestrictions() function, in particular that the user has the
36"rlogin" attribute set.  This check is not done for the root account,
37instead the PermitRootLogin setting in sshd_config is used.
38
39
40Cygwin
41------
42To build on Cygwin, OpenSSH requires the following packages:
43gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
44openssl-devel, zlib, minres, minires-devel.
45
46
47Darwin and MacOS X
48------------------
49Darwin does not provide a tun(4) driver required for OpenSSH-based
50virtual private networks. The BSD manpage still exists, but the driver
51has been removed in recent releases of Darwin and MacOS X.
52
53Nevertheless, tunnel support is known to work with Darwin 8 and
54MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
55using a third party driver. More information is available at:
56	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
57
58
59Linux
60-----
61
62Some Linux distributions (including Red Hat/Fedora/CentOS) include
63headers and library links in the -devel RPMs rather than the main
64binary RPMs. If you get an error about headers, or complaining about a
65missing prerequisite then you may need to install the equivalent
66development packages.  On Redhat based distros these may be openssl-devel,
67zlib-devel and pam-devel, on Debian based distros these may be
68libssl-dev, libz-dev and libpam-dev.
69
70
71Solaris
72-------
73If you enable BSM auditing on Solaris, you need to update audit_event(4)
74for praudit(1m) to give sensible output.  The following line needs to be
75added to /etc/security/audit_event:
76
77	32800:AUE_openssh:OpenSSH login:lo
78
79The BSM audit event range available for third party TCB applications is
8032768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
81There is no official registry of 3rd party event numbers, so if this
82number is already in use on your system, you may change it at build time
83by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
84
85
86Platforms using PAM
87-------------------
88As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
89PAM is enabled.  To maintain existing behaviour, pam_nologin should be
90added to sshd's session stack which will prevent users from starting shell
91sessions.  Alternatively, pam_nologin can be added to either the auth or
92account stacks which will prevent authentication entirely, but will still
93return the output from pam_nologin to the client.
94
95
96$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
97

README.privsep

1Privilege separation, or privsep, is method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process.  Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
6	http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
8Privilege separation is now enabled by default; see the
9UsePrivilegeSeparation option in sshd_config(5).
10
11On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
12compression must be disabled in order for privilege separation to
13function.
14
15When privsep is enabled, during the pre-authentication phase sshd will
16chroot(2) to "/var/empty" and change its privileges to the "sshd" user
17and its primary group.  sshd is a pseudo-account that should not be
18used by other daemons, and must be locked and should contain a
19"nologin" or invalid shell.
20
21You should do something like the following to prepare the privsep
22preauth environment:
23
24	# mkdir /var/empty
25	# chown root:sys /var/empty
26	# chmod 755 /var/empty
27	# groupadd sshd
28	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
29
30/var/empty should not contain any files.
31
32configure supports the following options to change the default
33privsep user and chroot directory:
34
35  --with-privsep-path=xxx Path for privilege separation chroot
36  --with-privsep-user=user Specify non-privileged user for privilege separation
37
38Privsep requires operating system support for file descriptor passing.
39Compression will be disabled on systems without a working mmap MAP_ANON.
40
41PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 
42HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
43
44On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
45part of privsep is supported.  Post-authentication privsep is disabled
46automatically (so you won't see the additional process mentioned below).
47
48Note that for a normal interactive login with a shell, enabling privsep
49will require 1 additional process per login session.
50
51Given the following process listing (from HP-UX):
52
53     UID   PID  PPID  C    STIME TTY       TIME COMMAND
54    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
55    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
56 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
57 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
58
59process 1005 is the sshd process listening for new connections.
60process 6917 is the privileged monitor process, 6919 is the user owned
61sshd process and 6921 is the shell process.
62
63$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
64

README.tun

1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17	PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread it's configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38	inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48	add tun0
49	add sis0
50	up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58	Host sshgateway
59		Tunnel yes
60		TunnelDevice 0:any
61		PermitLocalCommand yes
62	        LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71	Host access.somewhere.net
72	        User puffy
73	Host dmzgw
74	        User puffy
75	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
76	Host sshgateway
77	        Tunnel Ethernet
78	        TunnelDevice 0:any
79	        PermitLocalCommand yes
80	        LocalCommand sh /etc/netstart tun0
81	        ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+       (          )      +----------------------+
87| Client |------(  Internet  )-----| access.somewhere.net |
88+--------+       (          )      +----------------------+
89    : 192.168.1.78                             |
90    :.............................         +-------+
91     Forwarded ssh connection    :         | dmzgw |
92     Layer 2 tunnel              :         +-------+
93                                 :             |
94                                 :             |
95                                 :      +------------+
96                                 :......| sshgateway |
97                                      | +------------+
98--- real connection                 Bridge ->  |          +----------+
99... "virtual connection"                     [ X ]--------| somehost |
100[X] switch                                                +----------+
101                                                          192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108	ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113	ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118	ssh -fw 0:1 sshgateway true
119	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130	Reyk Floeter
131
132$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
133