SSH 3.1.0 README
================

        Timo J. Rinne <tri@ssh.com>
	Sami Lehtinen <sjl@ssh.com>
	Anne Carasik  <anne@ssh.com>
        April 4, 2001.
	
	See the file LICENSE for licensing terms.

   What is Secure Shell?
   ---------------------

   Secure Shell is a program to log into another computer over a
   network, to execute commands in a remote machine, and to move files
   from one machine to another.  It provides strong authentication and
   secure communications over insecure channels.  It is intended as a
   replacement for rlogin, rsh, rcp, and rdist.


   What has changed since SSH1?
   ----------------------------

      - SSH has been 98% rewritten.

      - SSH now supports other key-exchange methods besides double-
        encrypting RSA key exchange. The current distribution comes with 
        Diffie-Hellman key exchange.

      - SSH now has support for DSA and other public key algorithms 
        besides RSA.

      - The protocol is more secure and allows future integration into
        public key infrastructures.

      - The protocol complies with the upcoming 'secsh' internet standard.

      - SSH now supports "subsystems", platform-independent modules that
        implement particular functions such as file transfers.

      - SSH now has built-in SOCKS support.

      - A new feature has been added: sftp, the secure file transfer 
        protocol.


   Feedback
   --------

      You can report any bugs either by a web form or by email.
      Web form: http://www.ssh.com/support/bug-report.html
      Email:    ssh2-bugs@ssh.com

      Feature requests can also be submitted via
      http://www.ssh.com/support/feature-request.html

      Be sure to check the FAQ (included in the distribution) and
      KNOWN BUGS (see below) first! See also online documentation
      at http://www.ssh.com/support/ssh.

   Commercial Inquiries
   -------------------

      For any queries concerning commercial use (such as availability 
      and different versions), please email ssh-sales@ssh.com.


SSH2 Binaries
=============

      ssh2            The SSH2 client.

      sshd2           The SSH2 daemon.

      sftp2           The SFTP client (needs ssh2). Type "?" in the 
                      command line for help.

      sftp-server2    The SFTP server (executed by sshd2).

      scp2            The SCP client.

      ssh-keygen2     The utility for generating keys. Use -h for help.

      ssh-add2        Add identities to the authentication agent.

      ssh-agent2      The authentication agent.

      ssh-askpass2    X11 utility for querying passwords.

      ssh-signer2     A small program that signs "hostbased" authentication 
                      packets. Executed by ssh2, and for proper function, 
                      must be suid root. (This is done by 'make install'.)
      
      ssh-pam-client  Helper program, that the server uses with PAM
                      authentication.

      ssh-probe2      Program to probe a given network for ssh2
                      servers. See ssh-probe(1) and sshd2_config(5) 
                      for MaxBroadcastsPerSecond.

      ssh-pubkeymgr   Utility script for generating user public keys and
                      uploading them and setting up the ~/.ssh2/authorization
                      and ~/.ssh2/identification files.

      ssh-chrootmgr   Utility to ease setting up chrooted environment
                      for users.

      ssh-dummy-shell Provides access to systems where only file transfer 
                      functionality is permitted. 

      ssh-certenroll2 A certificate enrollment client (only in
                      commercial distribution)

      sshd-check-conf A configuration checker utility for use with
                      sshd2	

Installation
============

   1. uncompress the distribution
   ------------------------------

      % zcat ssh-3.x.y.tar.gz | tar xvf -

      or

      % tar zxvf ssh-3.x.y.tar.gz

      or

      % gunzip -c ssh-3.x.y.tar.gz | tar zvf -

      This should create a subdirectory ssh-3.x.y.

      % cd ssh-3.x.y


   2. compile ssh2
   ---------------

      Read the NOTES-section found in the end of this file.

      % ./configure
      % make

      If this fails, find and fix the problem. Report it to 
      ssh2-bugs@ssh.com. Then try again. :-) Please see the 
      section REPORTING BUGS for more information before submitting 
      a bug report. 

   3. run the install script
   -------------------------

      Get a root shell and change to the ssh-3.x.y directory.

      # make install

      This should set everything up and create the host key.

      The old files are moved to *.old files. If you don't want them
      around, goto apps/ssh and run 

      # make clean-up-old

      which will delete them.

      NOTE: This host key has relatively little entropy. We'll have
            to actually stir in more randomness to create strong
            keys (this is a problem, if your system doesn't have
	    /dev/random). If your system doesn't have /dev/random, you
            might want to generate a couple of keys with ssh-keygen,
            and after that install a new hostkey. We'll fix this later.


   4. configure sshd2
   ------------------

      Set up the following files:


ssh 2 files
===========

      Public keys have a .pub suffix, private keys have no suffix. 
      For example:

         id_dsa_1024_a        A 1024-bit DSA private key
         id_dsa_1024_a.pub    The corresponding public key

      There is no "known_hosts", as in ssh1. The host keys are stored
      in separate files in ~/.ssh2/hostkeys .


   ~/.ssh2/hostkeys/key_xxxx_yyyy.pub
   -----------------------------

      This would be the public host key of the ssh2 daemon running in 
      port xxxx of the host yyyy.


   /etc/ssh2/hostkey.pub  and  /etc/ssh2/hostkey
   -----------------------------------------

      Public and private hostkeys for sshd2. Created by "make install".
      If this is not created by "make install" or you need to recreate
      your host keypair, run
  
      # rm /etc/ssh2/hostkey*
      # ssh-keygen2 -P /etc/ssh2/hostkey


   ~/.ssh2/identification
   ----------------------

      Lists the private keys that can be used for authentication.

         # identification
         IdKey  id_dsa_1024_a

      This means that the private key in the file ~/.ssh2/id_dsa_1024_a
      is used for public key authentication. This is created by running
      the ssh-pubkeymgr script, or you can create it by hand.


   ~/.ssh2/authorization
   ---------------------

      Lists the public keys that are accepted for authentication on 
      this host.

         # authorization
         Key     id_dsa_1024_a.pub

      This means that anyone who holds the matching private key to the
      public key in the file $USER/.ssh2/id_dsa_1024_a.pub can log in 
      as $USER. This is also created by running the ssh-pubkeymgr script, 
      or you can create it by hand.


   /etc/ssh2/sshd2_config
   --------------------

      The server configuration file, copied here by "make install". 
      See the man page for details.

      The line:

         subsystem-sftp                  sftp-server

      means that when the subsystem "sftp" is requested, the
      command "sftp-server" is started. For example, if our sshd2_config
      read:

         subsystem-quux                  echo "fim fam foo"

      the command "ssh2 host -s quux" would simply print the text
      "fim fam foo".


   ~/.ssh2/ssh2_config
   -------------------

       The client configuration file. See the global client config file
       ssh2_config in /etc/ssh2.


   ~/.ssh2/knownhosts/xxxxyyyy.pub
   -------------------------------

      These are the public host keys of the hosts that a user wants to 
      log from using host based authentication (equivalent with SSH1's
      RhostsRSAAuthentication). 
      
      Also, a user has to set up her/his ~/.shosts (which only SSH uses)
      or ~/.rhosts file (insecure, as it is also used by the r*-commands).
      If the username is the same in both hosts, it is adequate to put
      the public hostkey to /etc/ssh2/knownhosts and add the host's name to
      /etc/shosts.equiv (or /etc/hosts.equiv). 

      xxxx denotes the hostname (FQDN) and yyyy the public key algorithm 
      of the key.

      For example, zappa.foo.fi's hostkey algorithm is ssh-dss. The
      hostkey would be named 

          zappa.foo.fi.ssh-dss.pub

      in the knownhosts directory.

      Possible values for publickey-algorithms are "ssh-dss" and
      "ssh-rsa" (without the quotes).


   /etc/ssh2/knownhosts/xxxxyyyy.pub
   ---------------------------------

      As above, but system-wide. These can be overridden by the user
      by putting a file with the same name to her/his ~/.ssh2/knownhosts
      directory. 


   /etc/hosts.equiv and /etc/shosts.equiv
   --------------------------------------

      Used to check whether authentication from host is allowed using
      host based authentication. In its simplest form, the file contains
      host names, one per line.

      For more information, see 'man sshd2'.


   ~/.rhosts and ~/.shosts
   -----------------------

      This file contains host-username-pairs, separated by spaces, one
      per line. The given user from the specified host is allowed to
      log in without a password. 

      For more information, see 'man ssh2' and 'man sshd2'.


Platforms
=========

	ssh 3.x has been reportedly successfully compiled and
	run on for example the following platforms (there are more):

	Processor	OS		OS-Versions
	-------------------------------------------------------------
	ix86,m68k	NetBSD		1.2, 1.3.x
	ix86		FreeBSD		2.2.x, 3.0-current
	ix86		Linux		2.0.3x, 2.2.x
	sparc		Solaris		2.6, 2.5.1
	PowerPC		AIX		4.1, 4.2.x
	hppa1.1		HPUX		10.20, 11.00
	mips		IRIX		6.5, 6.3, 6.2, 5.3 (with SGI cc)
	alpha		OSF1		4.0D, 4.0E
	ix86		SCO Openserver	5.0.4

        Officially supported platforms are listed at
        http://www.ssh.com/products/ssh/portability.html


NOTES ON INSTALLATION AND USE
=============================

	* As of ssh-2.2.0, configuration file format and parameters
	  for ssh2 and sshd2 are documented in ssh2_config(5) and
	  sshd2_config(5), respectively. The split was done to make the
	  man-pages more readable.

	* For detailed info on how to set up chrooted accounts, see
	  the FAQ (included in this distribution).

	* Use 'scp2 -1' to enable compatibility with scp1.

	* If your system doesn't support, or has a broken version of
	  non-blocking connect, run ./configure with
	  --enable-blocking-connect .

	* If you get errors when compiling assembler files, configure
	  with --disable-asm and recompile.

	* compatibility with SSH1 works correctly ONLY IF your SSH1 version
	  is 1.2.26 or better (1.2.32 is the latest). So be sure you have
	  that!

	* If your Sun boots during a connect to sshd2, do the following: 
	  Fetch the latest patches from Sun, generate a new host key with 
	  the patched version, and try again. (Also, you might want to try
	  --enable-blocking-connect etc.)

	* If configure complains 'configure: error: configuring with X
	  but xauth not found - aborting', try 

		./configure --without-x

	  or, add path of xauth to your PATH before running
	  configure. You can find xauth's location like this:

		find / -name xauth

	* Use 'ssh-keygen -P' to create keys without passphrases 
	  (for use with rsync etc).

	* Configure option --disable-crypt-asm no longer exists 
	  (use --disable-asm instead).

	* If your sftp2 complains something like this: "Need basic
	  cursor movement capability, using vt100", then no library
	  containing tgetent() function was found when you ran
	  ./configure . If you have a Linux system, then that is
	  probably because you don't have either termcap-devel or
	  ncurses-devel packages installed. If you want to get rid of
	  the message, and/or to use some more exotic terminals
	  capabilities, you should install either package. (A good 
	  place to look for those is your distribution's web-page.)


KNOWN BUGS
==========

	* Assembler-optimizations don't compile on BSDI. Configure
	  with --disable-asm. (as of 2.3.0, this is autodetected)

        * static building of sftp-server and ssh-dummy-shell is
          EXPERIMENTAL. If you use the static binaries, please try
          them before real use.

REPORTING BUGS
==============

   When reporting bugs, please attach to you mail at least the following 
   information:

	a) your system type (preferably by running config.guess which
           is in the root of ssh2 sourcedir, and running the command 
		% uname -a
		).
        b) compiler and version number (e.g. gcc 2.95.2).

	c) detailed description of the bug

	d) how to repeat it

	e) config.log, which is left to the root of ssh2 sourcedir
	   after running configure.

	f) possibly even make.log, if you've encountered a problem
	   with compilation. You can do this by running the following
	   sequence:

		% script make.log
		% make
		  [.... lots of output ...]
		% exit

	   If your system doesn't have script, use shell redirects etc. 
	   For example, in Bourne shell-variants:

		% make > make.log 2>&1

		  or

		% make |& tee make.log

	   Note that you need to redirect also stderr (2) to stdout (1). 
	   We need those warnings and errors to appear in the log too.

        g) Version number of the Secure Shell release (e.g. 3.0.0) that
           you're using.

   See the template in the file BUG.REPORT .


REMEMBER
========

* The SSH compilation success/failure web page. You can fill in the reply
  form about your compilation at
  <URL:http://www.ssh.com/tech/ssh_form.html>. You can query about the
  success/failure database from
  <URL:http://www.ssh.com/tech/ssh_query.html>.

* Latest news about ssh can be found in
  <URL:http://www.ssh.org/>


LEGAL ISSUES
============

See the file LICENSE for licensing and distribution conditions.
THERE IS NO WARRANTY FOR THIS PROGRAM.

In some countries, particularly Russia, Iraq, Pakistan, and France, 
it may be illegal to use any encryption at all without a special permit.

This software may be freely imported into the United States; however,
the United States Government may consider re-exporting it a criminal
offense. Thus, if you are outside the US, please retrieve this
software from outside the US.

Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, or patent office worldwide.

SSH, SSH2 and Secure Shell are registered trademarks or trademarks
of SSH Communications Security.


THANKS
======	
	...to everyone who contributed to SSH2. If you feel that your
	name should be in this list, please mail to ssh2@ssh.com. The
	following names are in no particular order.

	Dug Song
	Andreas Ley
	Troy Barbee
	Simon Burge
	Luigi Pugnetti
	Youki Kadobayashi
	Georgi Kuzmanov
	Hirotaka Yamamoto
	Martin Buchholz
	John David Anglin
	David Mansfield
	Goran Gajic
	Niko Tyni
	Eugene Krainov
	William C. Ray
	Andrew Libby
	Alexander Savelyev
	Aldo Ramos
	Sigurdur Asgeirsson
	Cedomir Igaly
	Jeremy Buhler
	Per Allansson
	Andre Cornelis van Veen
	Tom Woodburn
	Brian A May
	Horst von Brand
	John Riddoch
	Neil W Rickert
	Marina Buitrago
	Ian Duplisse
	Jeff P. Van Dyke
	Thorsten Schlichting
	Roger Cornelius
	Markus Gyger
	Gregor Mosheh
	Mike Brudenell
	Klaus Gottschalk
	Stephen Harpster
	Tan-Sheng Li
	Tim Rice
	Carl Nobile
	Andy Polyakov
	Robbert Heederik
	Mats Andersson
	Richard E. Silverman
	Bernd Porr
	Markus Germeier
	Doug Neuhauser
	Greg A. Woods
	Ric Anderson
	Andrew G. Morgan
	G. Lehnert
	Valdis Kletnieks

	... and everyone else who submitted bug reports,
	feature-requests and patches.
