The errata list is a list of errors and their corrections that were found after the product was released.
The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.
| Version | Location | Description | Submitted By |
| Printed |
Page xii
2nd from top line |
In First Edition - [5/01] printing:
"and servers. serverwide configuration..."
should read
"and servers, serverwide configuration..."
|
Anonymous |
| Printed |
Page xiii
3rd line from bottom |
In First Edition - [5/01] printing:
"labled K."
should read
"labeled K."
|
Anonymous |
| Printed |
Page 28
2nd paragraph |
I believe the text
"The OpenSSH version of ssh-keygen also can produce either RSA or DSA keys,
defaulting to RSA. Its operation is similar to ssh-keygen1."
does not adequately explain how to generate OpenSSH keys and therefore succeed
with OpenSSH public key authentication. In fact the entire tract dealing with
OpenSSH authentication by cryptographic key seems too short and inaccurate.
Newer versions of OpenSSH default to protocol 2, and the default key format is
RSA. They seem to be looking for this file in the client:
~/.ssh/id_rsa (the private key)
and
~/.ssh/id_rsa.pub (the public key)
which you generate with the command
ssh-keygen -t rsa
You then copy the contents of ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys2
file on the remote account that you wish to log in to.
Make sure the file permissions are set to -rw------- on the id_rsa file. Check
file permissions for other files as well.
You then log out of the client
re-login to the client
log out of the server account
and finally try to run ssh -v -l accountname server.example.com
OpenSSH public key authentication should succeed at this point.
|
Anonymous |
| Printed |
Page 43
last paragraph |
Change "should it be distinguish" to
"should it be able to distinguish"
|
Anonymous |
| Printed |
Page 75
bullet list |
In the bullet list at the top of the page (and the bottom of the
preceding page) there are 6 items. The last two are "stronger
integrity checking ..." and "periodic replacement of the session
key". For each of these items, there is a section giving details
in the next several pages. There is, however, an extra section
on page 78 (3.5.1.6 in my copy) between the two sections on integrity
checking and session rekeying. This talks about Hostbased authentication,
a topic which does not appear on the bullet list. This is
hardly a big deal, but maybe in the interests of completeness there
should be an additional bulleted item about hostbased authentication
on the list on page 75.
|
Anonymous |
| Printed |
Page 82
third paragraph, fourth sentence |
Text reads: "The following example shows the public keys for one SSH server running
on wynken, port 22, and two running on blynken, ports 22 and 220."
The example actually shows one SSH server running on blynken and two running on
wynken.
|
Anonymous |
| Printed |
Page 84
first sentence, fifth paragraph |
Text reads: "Since ssh-signer2 is a relatively small and simple, ..."
Should read: "Since ssh-signer2 is relatively small and simple, ..."
or
"Since ssh-signer2 is a relatively small and simple program, ..."
|
Anonymous |
| Printed |
Page 88
paragraph 5 |
Shouldn't the sentence
"If existing FTP implementations could easily be made to operate
over SSH, there would be no need for ssh, ...."
read
"... there would be no need for scp, ..."
Surely the ability of FTP to do something doesn't influence the need
for ssh in a more general context, even if it does have a bearing on
the file transfer situation. At the very least, this is confusing
wording.
|
Anonymous |
| Printed |
Page 96
|
I believe there is an error on page 96 of the SSH, the Secure Shell
book, printing date February 2001. In section 3.9.2.3, the description of the
action of 3DES says the algorithm encrypts plaintext with three iterations
of the DES algorithm, using three separate keys. In truth, only two keys
are used -- the first key is used twice, during the first and third iterations.
|
Anonymous |
| Printed |
Page 153
5.4.2.2, example |
cf. the box on p. 155 and p. 363:
Umask 022
should read
Umask 0022
|
Anonymous |
| Printed |
Page 155
|
Editing /etc/services:
Line reads
"ssh tcp/22"
should read
"ssh 22/tcp"
|
Anonymous |
| Printed |
Page 178,179
Second paragraph on 178 and Second paragraph on 179 |
On 178 the indication is that only SSH1 & SSH2 support the '@host' construct
for AllowUsers.
On 179, the wildcard example uses the '@' construct and is labeled as being
valid for SSH1, SSH2, OpenSSH.
These cannot both be true - either OpenSSH supports host-address
restrictions or it does not, regardless of wildcards.
I believe that p178 is correct, and OpenSSH does NOT support hostnames in
the sshd config file.
OpenSSH does support host restrictions in the individual's authorised_keys
file, using the "from=the.host.name" construct.
|
Anonymous |
| Printed |
Page 179
mid-page |
Section 5.5.2.1 addresses Account access control, specifically use of AllowUsers and
DenyUsers. On page 179 at mid-page, the examples go from using AllowUsers to
AllowHosts with the syntax for AllowUsers and then back to using AllowUsers at the
bottom of the page. AllowHosts and DenyHosts are not discussed until Section 5.5.2.3.
All examples on page 179 should read AllowUsers.
|
Anonymous |
| Printed |
Page 179
Last line of code before last paragraph |
Line reads: "AllowUsers "*@10.1.1.[:isdigit:]##"
Should read: "AllowUsers "*@10.1.1.[:digit:]##"
|
Anonymous |
| Printed |
Page 182
second line of second paragraph of 5.5.2.3 |
sentence reads:
... access by s host more concisely, getting rid of the unnecessary account-name ...
probably mean, "... access by a host ..."?
|
Anonymous |
| Printed |
Page 183
Last line before bulleted list |
The title of the bulleted list reads: "As for AllowHosts and DenyHosts:".
However, the bulleted list for AllowHosts and DenyHosts is on the middle of page 182.
This line should read "As for AllowShosts and DenySHosts". This is perfectly clear
from the last bullet point which is on page 184.
|
Anonymous |
| Printed |
Page 213
1st paragraph |
The end of the sentence should be corrected to "... your public
key file:"
Losing one's private key file is in my opinion a major problem...
|
Anonymous |
| Printed |
Page 215
In last sentence of #3 |
Last sentence of number three reads: "Therefore, keys are a quick and convenient
method for checking that a key is unaltered."
Should read: "Therefore, fingerprints are a quick and . . ."
|
Anonymous |
| Printed |
Page 229
|
On the 2001-02 printing, in the first shell fragment on the
page, a pretty major error.
I'm no Bourne shell expert, but it seems to me that the fragment
test -n "SSH_AUTH_SOCK" && exec ssh-agent $SHELL
is busted; if the agent's not running, the variable's empty, hence the
test fails, so the exec doesn't get fired off! At any rate, I wasn't
able to get this to work as printed, so, after a side-trip to
"Learning the Bash Shell" I ended up using:
if [ -n "$SSH_AUTH_SOCK" ]
then
    echo "ssh-agent already running, PID $SSH_AGENT_PID"
else
    echo "starting ssh-agent..."
    exec ssh-agent $SHELL
fi
|
Anonymous |
| Printed |
Page 233
-N description |
On p233, you describe how to use -N, and on the next page, you warn people not to.
The warning should at least be on the same page, if not referenced directly in the
description of -N usage.
|
Anonymous |
| Printed |
Page 241
Figure 7-1 |
In the right-hand column ("Files" for the SSH server), there are some typos.
The word "environment" is misspelled as "enviroment" (twice) and near the
bottom you see "/~.k5login" which should be "~/.k5login".
|
Anonymous |
| Printed |
Page 282
|
The example for the -v command-line option at the bottom of the page
looks like it isn't available for SSH2:
# SSH1, OpenSSH
SSH2 is missing because of the following output ("SSH Version 1.2.27") but it
might be misleading.
|
Anonymous |
| Printed |
Page 300
8.2.4.1, 2nd sentence |
... at least as secure a ...
should read
... at least as secure as a ...
|
Anonymous |
| Printed |
Page 311
First sentence on page |
First sentence reads: "Timeouts are set in with the idle-timeout option."
Should remove the word 'in' so the sentence reads: "Timeouts are set with the idle-
timeout option."
|
Anonymous |
| Printed |
Page 330
first sentence of last paragraph |
First sentence reads: "In addition to any physical network interfaces it may have, a
host running IP has also has a virtual one called, the loopback interface."
One of the "has" words should be deleted.
|
Anonymous |
| Printed |
Page 341
Third sentence of second paragraph |
Sentence reads: "You log into one of these machines using SSH, and want to run an
graphical performance-monitoring tool,"
Should read: "... and want to run a graphical ..."
|
Anonymous |
| Printed |
Page 344
Figure 9-10 X forwarding |
Currently, the dotted circle on the left is labelled "X client"
and the dotted circle on the right "X server".
The labels should be the other way around, "X server" on the left
and "X client" on the right.
|
Anonymous |
| Printed |
Page 361
--without-rsh |
The book says "... or at runtime in the server-wide configuration file."
This is not correct as there is no sshd option for this. This belongs to the
client specific configuration, cf. p. 125 (4.1.5.12) and p. 269.
|
Anonymous |
| Printed |
Page 390
3rd full para |
Last sentence: /decisions based on the their contents/
should be
/decisions based on their contents/
|
Anonymous |
| Printed |
Page 392
Note (footprints) |
s/port -orwarding/port forwarding/
|
Anonymous |
| Printed |
Page 406
fourth typed code (constant width) example |
the third constant width code example cites the -q argument to ssh (for
suppressed output), while the fourth expands it to -w, a non-existent option.
|
Anonymous |
| Printed |
Page 461
nowhere in chapter |
This isn't really a technical mistake,
but I think future editions of the book should make
mention of Kermit-95 2.X, certainly a major implementation
of SSH, in the chapter summarizing various instantiations
of SSH. Details at
http://www.kermit-project.org/ http://www.columbia.edu/kermit
|
Anonymous |
| Printed |
Page 509
keyword Macs |
keyword Macs should be MAC (according to p. 165)
|
Anonymous |
| Printed |
Page 509
keyword IgnoreRootRhosts |
p. 169 says the meaning of the keyword IgnoreRootRhosts is to ignore /.rhosts
and /.shosts and not just "Ignore /.rhosts files"
|
Anonymous |
| Printed |
Page 509
keyword IgnoreUserKnownHosts |
keyword IgnoreUserKnownHosts is valid for OpenSSH only (according to p. 171)
|
Anonymous |
| Printed |
Page 512
keyword Host |
keyword Host does not mark the beginning of a section for SSH2; for SSH2 it defines a host's real name (cf. 244 + 248)
|
Anonymous |
| Printed |
Page 512
keyword FallBackToRsh |
keyword FallBackToRsh applies to SSH2 as well (according to p. 269)
|
Anonymous |
| Printed |
Page 514
keyword PGPSecretKeyFile |
keyword PGPSecretKeyFile is not a ssh keyword (cf. p. 172)
|
Anonymous |
| Printed |
Page 514
keyword UseRsh |
keyword UseRsh applies to SSH2 as well (according to p. 269)
|
Anonymous |
| Printed |
Page 515
option -g |
option -g applies to SSH1 and OpenSSH only (according to p. 323)
|
Anonymous |