openssh-portable/UPGRADING

OpenSSH is almost completely compatible with the commercial SSH 1.2.x.
There are, however, a few exceptions that you will need to bear in
mind while upgrading:

1. OpenSSH does not support any patented transport algorithms.

Only 3DES and Blowfish can be selected. This difference may manifest
itself in the ssh command refusing to read its config files.

Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"
option ("3des" or "blowfish").

2. Old versions of commercial SSH encrypt host keys with IDEA

The old versions of SSH used a patented algorithm to encrypt their
/etc/ssh/ssh_host_key

This problem will manifest as sshd not being able to read its host
key.

Solution: You will need to run the *commercial* version of ssh-keygen
on the host's private key:

ssh-keygen -u /etc/ssh/ssh_host_key

3. Incompatible changes to sshd_config format.

OpenSSH extends the sshd_config file format in a number of ways. There
is currently one change which is incompatible with the old.

Commercial SSH controlled logging using the "QuietMode" and
"FascistLogging" directives. OpenSSH introduces a more general set of
logging options "SyslogFacility" and "LogLevel". See the sshd manual
page for details.

4. Warning messages about key lengths

Commercial SSH's ssh-keygen program contained a bug which caused it to
occasionally generate RSA keys which had their Most Significant Bit
(MSB) unset. Such keys were advertised as being full-length, but are
actually only half as secure.

OpenSSH will print warning messages when it encounters such keys. To
rid yourself of these message, edit you known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").

5. Spurious PAM authentication messages in logfiles

OpenSSH will generate spurious authentication failures at every login, 
similar to "authentication failure; (uid=0) -> root for sshd service".
These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunatly
PAM likes to log all authentication events, this one included.
Added upgrade instructions 1999-11-15 22:02:27 +01:00			`OpenSSH is almost completely compatible with the commercial SSH 1.2.x.`
			`There are, however, a few exceptions that you will need to bear in`
			`mind while upgrading:`

			`1. OpenSSH does not support any patented transport algorithms.`

			`Only 3DES and Blowfish can be selected. This difference may manifest`
			`itself in the ssh command refusing to read its config files.`

			`Solution: Edit /etc/ssh/ssh_config and select a different "Cipher"`
			`option ("3des" or "blowfish").`

			`2. Old versions of commercial SSH encrypt host keys with IDEA`

			`The old versions of SSH used a patented algorithm to encrypt their`
			`/etc/ssh/ssh_host_key`

			`This problem will manifest as sshd not being able to read its host`
			`key.`

			`Solution: You will need to run the commercial version of ssh-keygen`
			`on the host's private key:`

			`ssh-keygen -u /etc/ssh/ssh_host_key`

			`3. Incompatible changes to sshd_config format.`

			`OpenSSH extends the sshd_config file format in a number of ways. There`
			`is currently one change which is incompatible with the old.`

			`Commercial SSH controlled logging using the "QuietMode" and`
			`"FascistLogging" directives. OpenSSH introduces a more general set of`
			`logging options "SyslogFacility" and "LogLevel". See the sshd manual`
			`page for details.`

Doc updates 1999-11-25 03:50:10 +01:00			`4. Warning messages about key lengths`

			`Commercial SSH's ssh-keygen program contained a bug which caused it to`
			`occasionally generate RSA keys which had their Most Significant Bit`
			`(MSB) unset. Such keys were advertised as being full-length, but are`
			`actually only half as secure.`

			`OpenSSH will print warning messages when it encounters such keys. To`
			`rid yourself of these message, edit you known_hosts files and replace`
			`the incorrect key length (usually "1024") with the correct key length`
			`(usually "1023").`

- Disable logging of PAM success and failures, PAM is verbose enough. Unfortunatly there is currently no way to disable auth failure messages. Mention this in UPGRADING file and sent message to PAM developers 1999-12-26 04:04:33 +01:00			`5. Spurious PAM authentication messages in logfiles`

			`OpenSSH will generate spurious authentication failures at every login,`
			`similar to "authentication failure; (uid=0) -> root for sshd service".`
			`These are generated because OpenSSH first tries to determine whether a`
			`user needs authentication to login (e.g. empty password). Unfortunatly`
			`PAM likes to log all authentication events, this one included.`