NCSA: Changes in OpenSSH since v3.8
There are several changes in OpenSSH 3.8 that you need to be aware of when
migrating from an earlier version. As new things are discovered, they
will be added to this page.
OpenSSH now checks for locked accounts by default. On Linux systems,
locked accounts are defined as those that have !! in the password
field of /etc/shadow. This is the default entry for accounts
created with the useradd command. Even if you are using Kerberos
authentication and do not need local passwords, sshd won't let the
user log in, and the client sees this message:
Too many authentication failures for username
The sshd debugging output indicates that the account is locked:
User username not allowed because account is locked
We suggest replacing !! with * or something similar.
After installing, make sure you have Kerberos authentication enabled in your sshd_config file.
KerberosAuthentication yes
The new versions of OpenSSH use a new security model for X11
forwarding. If you have an X application that reports BadWindow
errors you'll want to specify this additional option with the client:
ssh -X -o "ForwardX11Trusted yes" hostname
It appears that this is only needed when you are using the new client
to connect to servers running an older version of
sshd.
There is a new UsePAM option that can be specified in
sshd_config. We've found that while PAM will let a user log in
with their Kerberos password, it doesn't handle setting up Kerberos tickets and
AFS tokens correctly. At this time, we recommend not enabling the UsePAM option
when using the NCSA version of OpenSSH. OpenSSH seems to handle Kerberos
authentication on its own just fine.
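As an added example (not from this NCSA page or the OpenSSH project), the following POSIX shell script flags the !! shadow entries that sshd 3.8 treats as locked, writes a copy with !! replaced by * as suggested above, and checks an sshd_config for the KerberosAuthentication and UsePAM settings discussed here. The shadow and sshd_config contents are constructed samples, not real system files.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (not a real system file):
# alice and bob carry the useradd default "!!", carol is already "*".
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:16000:0:99999:7:::
alice:!!:16000:0:99999:7:::
bob:!!:16000:0:99999:7:::
carol:*:16000:0:99999:7:::
EOF

# Constructed sshd_config fragment showing both problems the page warns about.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# KerberosAuthentication yes   (commented out, so not in effect)
UsePAM yes
X11Forwarding yes
EOF

# Usernames whose password field is exactly "!!": these are the accounts
# sshd 3.8 refuses as locked even when Kerberos supplies the password.
locked_accounts() {
    awk -F: '$2 == "!!" { print $1 }' "$1"
}

# Copy a shadow-format file to "$2", replacing "!!" with "*" as suggested
# above; the input file is left untouched so the change can be reviewed.
unlock_for_sshd() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "!!" { $2 = "*" } { print }' "$1" > "$2"
}

# Print one line per problem found in an sshd_config file. sshd honours the
# first occurrence of a keyword, so only the first match is taken.
check_sshd_config() {
    krb=$(awk 'tolower($1) == "kerberosauthentication" && !s { v = $2; s = 1 } END { print v }' "$1")
    pam=$(awk 'tolower($1) == "usepam" && !s { v = $2; s = 1 } END { print v }' "$1")
    [ "$krb" = "yes" ] || echo "KerberosAuthentication is not set to yes (found: '${krb:-unset}')"
    [ "$pam" != "yes" ] || echo "UsePAM is enabled; disable it with the NCSA build"
}

locked_accounts "$SAMPLE_SHADOW"
check_sshd_config "$SAMPLE_CONFIG"
```

Run it against a copy of the real /etc/shadow and sshd_config rather than in place; the rewrite function never modifies its input.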